Radio Credit Cards Move Closer

← Back to Stories (view on slashdot.org)

Radio Credit Cards Move Closer

Posted by timothy on Saturday December 13, 2003 @11:39AM from the walk-by-mugging dept.

pvt_medic writes "CNN.com has an article about research that some major credit card companies (MasterCard and American Express) are putting into creating 'contactless' credit cards. These are similar to the Speedpass that ExxonMobil has been using for six years. What to people think about the prospect of this more widespread use of RFID? Is this something that will only lead to more credit card fraud, or will it provide more secure means of payment?" (The article comes from the Associated Press.)

23 of 295 comments (clear)

Min score:

Reason:

Sort:

Well lets see... by AuMatar · 2003-12-13 11:40 · Score: 4, Insightful

We have a method of payment that can subtract electronic mone from your account, with no input from you, and without your card ever leaving your wallet? Yeah, thats a great idea....

--
I still have more fans than freaks. WTF is wrong with you people?
1. Re:Well lets see... by whovian · 2003-12-13 11:52 · Score: 3, Insightful
  
  Not only that, but this part is the key:
  
  Jeff Chasney, chief technical officer of CKE Restaurants Inc., which runs the Carl's Jr. and Hardee's fast-food chains, says the new cards are likely to increase sales because they are so easy to use and ensure that a consumer won't be limited by the cash in his wallet .
  
  Nothing like tapping into the cowstomer's (sic) impulse buying, especially in the US.
  
  --
  To-do List: Receive telemarketing call during a tornado warning. Check.
2. Re:Well lets see... by cpu_fusion · 2003-12-13 12:19 · Score: 5, Insightful
  
  > you better damn well believe
  > it's gonna be as secure as possible
  
  Oh yes, like the wonderfully secure state of credit card use on the Net right now.
  
  It won't be *secure as possible* ... it will in fact, be as *secure as deemed needed* by beancounters. Those beancounters offset the minor inconvenience of a few hundred thousand people who have to deal with the shock & scare of being ripped off by holes in the new technology with the economic boost of a few more million people using their particular flavor of credit card.
  
  Sure, the credit card companies might cover the losses (*might, after you fight*), but there's nothing like seeing a huge charge on your credit card, that you didn't make, and having to go through the hassle of getting it resolved.
  
  Don't blindly think they make things "as secure as possible." That's not the economics of it.
3. Re:Well lets see... by Midnight+Thunder · 2003-12-13 12:33 · Score: 3, Insightful
  
  Wrong. RTFA. Consumer gets to make final "accept/reject" on purchase after card is scanned.
  
  Lets just hope they get the issues sorted out, so we don't have a scenario where that even though one card was scanned that it picks up the signal from another card and hence charges the wrong one.
  
  I have not played with the technology, but I feel that the onous is always on the technology to prove itself safe. Until then it is hard to assume the customer will be comfortable with it.
  
  --
  Jumpstart the tartan drive.
4. Re:Well lets see... by SurgeonGeneral · 2003-12-13 12:42 · Score: 5, Insightful
  
  We have a method of payment that can subtract electronic mone from your account, with no input from you, and without your card ever leaving your wallet? Yeah, thats a great idea....
  
  I see a great number of redundant posts all throughout stating this same idea.
  
  I think you guys are being more than just a little shortsighted. You read something about a RFID credit card and jump to a horrendous number of conclusions about how this technology will be used. Give it a little thought:
  
  The most likely candidate for a technology to be paired with this is Biometrics. We're all quite familiar with this technology, and its easy to see how it would be coupled with RFID CCs.
  
  But we can come up with something a little less "futuristic". I belong to a tennis club that uses RFID encoded cards for entry in to the building, but they are also used for purchasing food. What happens? You swipe your wallet (containing the card), and the computer in front of the salesperson (yes we have those nowadays) brings up a picture of me and all my personal information. If anything seems fishy, they ask for a signiture.
  
  Now considering that this technology is not going to be immediately implemented, and will not be forced upon the general public, I think we can give at the very least a few more years before it becomes ubiquitous. In that case, use your imagination (I know its hard since tech evolves so quickly) to come up with some solutions to the pedantic and generally trivial questions just like this one that everyone is posing.
  
  --
  -- "Man is born free, and everywhere he is in chains." Jean Jacques Rousseau
5. Re:Well lets see... by TwistedSpring · 2003-12-13 12:49 · Score: 2, Insightful
  
  Haha you're funny. Let's take a look at, say, Yahoo's instant messenger protocol, or practically any other protocol out there that uses challenge-response: It's cracked in under a few months. I'm not saying the CC companies are going to use a challenge-response method as simplistic as an instant messenger program, but RFIDs will not exactly be able to perform a large amount of calculation, they just don't have the power to provide a truely safe challenge/response mechanism, and let's face it if this system comes in, there will be plenty of opportunity for RFID sniffers to lurk around and pick up a ton of valid challenges and responses in order to reverse engineer the system.
  
  This system demonstrates an incredible amount of faith in the stupidity of fraudsters, which is completely unfounded. Cracking is an incredibly well-known and well documented phenomena, look at DeCSS, C-DILLA and all those games you ripped off in the past 20 years. When the chances of getting at someone's cash are involved, the incentive becomes so much greater.
6. Re:Well lets see... by Ryosen · 2003-12-13 13:14 · Score: 2, Insightful
  
  I don't think that the issue is so much one of someone using your keychain to make purchases. Rather, it's some criminal scanning your tag as you walk past and using the information for fraudulent purchases of their own. I'm more worried about getting scammed this way than finding out that I supposedly bought a shirt the last time that I was walking through Macy's.
  
  The technology is nothing new, of course. Mobil/Exxon has had this for several years in the form of SpeedPass. I've never used it, however, and never will. I'm more than willing to sacrifice the convenience of saving 10 seconds waving the little wand in front of the reader instead of scanning my card at the pump. I am a technologist. I know the limitations. I know the track-records of similar systems as well as those of the parties involved. Until this becomes mandatory (cards replaced by RFID devices), I won't have to worry about any problems, because I won't have one.
  
  And, until the credit card companies pay every merchant on the face of the earth for the new devices, it will not become mandatory.
  
  You'll notice that there aren't any "Speedpass-Only" Exxon stations around.
  
  --
  
  Ryosen
  One man's "Troll, +1" is another man's "Insightful, +1".
7. Re:Well lets see... by Sneftel · 2003-12-13 13:26 · Score: 2, Insightful
  
  How is that any different than current credit cards?
  
  --
  The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
8. Re:Well lets see... by SuperMo0 · 2003-12-13 13:30 · Score: 3, Insightful
  
  With current credit cards, you actually have to pull out the card and THINK. "Hmm... do I REALLY need this enough to charge it?" This doesn't apply to everyone, but to enough people that it makes a dent in sales.
  
  However, with this radio card, you wouldn't even have to remove the card from your wallet/purse/whatever, so a lot of the effort is removed and therefore you don't have as much time to think about whether you "really need" what you're buying.
9. Re:Well lets see... by SpaceRook · 2003-12-13 13:38 · Score: 4, Insightful
  
  I think this will help push sales if customer's spend less time in line. There have \been times where I've been waiting in line and thought, "Y'know, I don't REALLY need this 25 pack of CD-R's right now. I'm going to put it back on the shelf."
easier to steal cc number by jbplou · 2003-12-13 11:43 · Score: 3, Insightful

Won't this make it easier to steal someones cc number now. Since all some will have to do is hide a sensor of some type in a mall or someplace that can pick up the radio frequency?
Scanners by alset_tech · 2003-12-13 11:43 · Score: 4, Insightful

Another reason to sniff the wireless frequencies. You may not be able to get into most cell networks these days, but this will bring all kinds of fun the the quest. Someone will figure out how to hack this inside three months. At least right now I have to match a signature (though nobody checks the card) and my debit card has my picture on it. God knows I won't want to get one of these.

--
Standing on the shoulders of giants.
1. Re:Scanners by KrispyKringle · 2003-12-13 11:58 · Score: 3, Insightful
  
  It's not very hard to make this secure. This isn't done with current credit cards, but so long as we're building a new system, make 'em smart cards. Put a chip in them that stores a cryptographically random private key. When sent data (say, some random chunk to prevent a playback attack), it spits out the encrypted version. Then the credit card company can verify against the known public key (or give them a copy of the private key as well, so it's more like challenge-response) to make sure you really have the private key. Perfectly secure (at least until someone perfects quantum computing, or unless the NSA--who really doesn't need to waste time cracking my credit card--develops a way to factor large numbers).
  Of course, for traditional use, like online, you could use the traditional CC#.
There is a (sort of) working example by jonbryce · 2003-12-13 11:46 · Score: 3, Insightful

Transport for London's Oyster Card is a contactless ticketing system for the London Underground and London Buses.

At the moment, it can only hold season tickets, so it isn't a great problem if you accidently use it. From next year, you can hold other types of ticket in there as well.

It has some advantages, like being able to recharge it over the phone or online without having to wait for the tickets to arrive through the post.

You can get through the ticket barriers without taking it out your bag, though you have to hold the bag petty close to the sensor.

People don't like it because it allows TFL to trace your travel habits much more than they could before.

In the case of credit cards, I can't see how just holding it close to a sensor could be evidence of your approval of the transaction. You would need some sort of verification process like a signature or a PIN/password.
Re:How safe are they? by Anonymous Coward · 2003-12-13 12:19 · Score: 1, Insightful

Bullshit, Sir Whacksalot. Nobody breaks 128 bit encryption to steal credit cards when there are much easier ways to do it.
The Raw Facts... by AsnFkr · 2003-12-13 12:21 · Score: 4, Insightful

..are that your credit card number is everywhere. If people want numbers, they will get them. If they get yours - then thats bad luck. All you have to do is keep an eye on your credit card statements and make sure all the charges are yours. If they aren't call the credit card company and tell them. It's easy as pie. I kills me when I see people overly paranoid about thier CC#'s. I mean, comeon...you go to a restraunt and GIVE your waitress or waiter your card to carry across the room away from your eyes and run it through the machine. If they wanted, it wouldnt be hard for them to copy the numbers. Then..up on the net in a flash. Point being...security for this type of thing is nice, but don't let yourself get lazy depending on it. Keep checking those statements!

--

adventure-today.com
That's Narrow-Minded by cjsnell · 2003-12-13 12:36 · Score: 4, Insightful

Who says that it has to be that insecure? I envision a little device that goes on a keychain (similar in that respect to SpeedPass), which has a little button on the side of it. You squeeze the button as you pass it over the scanner. Only when the button is squeezed does the transmitter in the device emit anything.

BTW, why are you so paranoid about a contactless credit card? Do you eat at restaurants and pay with a credit card? Chances are, if you do, some potentially sleazy waiter has taken your credit card out of your sight for a few minutes. Not only can he copy your card, chances are that he knows what city you live in and can then get your home (think billing) address out of the phone book. On top of that, he can look at what kind of clothes you wear and car you drive and make a guesstimate about your credit line.
Re:Only more stupidity by mabu · 2003-12-13 12:47 · Score: 2, Insightful

Where you really get screwed is not the change in the technology from mag stripe to RFID. It's the banks switching you from a true credit card, to an ATM/debit account. Then you're not protected by law for the consequences of fradulent transactions.
Security.. bah. by mindstrm · 2003-12-13 12:54 · Score: 3, Insightful

Look. Here is what I care about with my credit card:

- If reasonable proof can't be shown that I personally authorized a transaction, I will not be held responsible for it.

That's it. That's all. The line of credit is between me and the issuer... the card is simply a token that represents that. Historically, you had to be there in PERSON to use one.. but everyone looks the other way for convenience, online work, etc.

I don't care what method visa or whoever comes up with to represent that token. If it's less convenient for me, I won't use it. If it somehow rips me off, I won't use it. If it makes me more liable for fraud, I won't use it. If they take all the risks, I don't care if it's a smart card or a credit card or a proximity card.

Now.. that said.. having proximity cards / RFID type cards does bother me.. it seems like a bad move. It doesn't give ME, the customer, anything I really want. So.. it simply won't fly.

I won't have my credit card dictated to me.. its' not about the card, it's about the agreement... and about credit.
Re:PIN by toast0 · 2003-12-13 13:06 · Score: 2, Insightful

The card itself (checked a mastercard and a non-credit atm card) says 'Not valid unless signed', which would lead me to believe a merchant should refuse transactions from people with Check ID written on the card, unless they happen to be named 'Check ID'

The merchants who really care about the id of their purchasers ask to see my fake id when i use a stolen card anyhow.

--
Need a Catering Connection
In Store Sensors by nurb432 · 2003-12-13 14:00 · Score: 2, Insightful

With those things, the store could identify you as you come in, and target in store ads for you, using previous purchases as a guide.

Or once we have tagged currency, they can see if you can even afford to be in the store or not..

And provide records to the government, ' ya he was in our store at such-and-such a time date' ...

--
---- Booth was a patriot ----
RFID = symptom of the real problem by carcosa30 · 2003-12-13 15:06 · Score: 2, Insightful

You know, I share the concerns about RFID and pervasive cameras. But these are symptoms of the true problem, which is a spiralling police state in the US (as well as elsewhere) which is arrogating more and more authority to itself and behaving more belligerently.

It's also starting to intimidate dissidents.

If we could trust the government and corporations (yeah right) RFID would be no problem at all.

Since we can't, attacking RFID and other intrusive surveillance technologies is only applying a bandage to a gangrenous wound.

--
Intolerance for ambiguity is the mark of the authoritarian personality.
Re:Unless it's encrypted ... by pjwhite · 2003-12-13 16:07 · Score: 2, Insightful

I have a Speedpass, and it doesn't activate the "hot spot" on the pump until it's less than an inch away. There's really not that much difference between the Speedpass and a credit card with no visible markings, except that you don't have to remember which way up to put it in the card reader.

Security concerns about someone "scanning" a credit card using this radio technology from a distance is probably unfounded, unless you have it in your wallet and sit on the scanner.