Radio Credit Cards Move Closer
pvt_medic writes "CNN.com has an article about research that some major credit card companies (MasterCard and American Express) are putting into creating 'contactless' credit cards. These are similar to the Speedpass that ExxonMobil has been using for six years. What do people think about the prospect of this more widespread use of RFID? Is this something that will only lead to more credit card fraud, or will it provide more secure means of payment?" (The article comes from the Associated Press.)
They better be sure their encryption is up to scratch. I was reading just the other day (I believe it was on Slashdot) that there are supercomputers now that can break 128-bit encryption in a matter of minutes.
When anger rises, think of the consequences.
Confucius (551 BC - 479 BC)
Now someone can pickpocket me by just bumping into me on the subway. It would be relatively simple to just read the card with a device in my pocket from someone else's pocket. How hard could it be to make your own RFID device that gives out the same number?
The idea that the merchant doesn't have to touch the card makes it pretty unlikely that they'll check the id and the signature of the buyer, so this encourages fraud. It should at least require a PIN.
Also, there is no way for the customer to control access to the card. My sister recently picked me up at Kennedy airport, and as she was holding the parking fee money out the window, the attendant charged the fee to her EZpass because he was too lazy to look up. There wasn't enough room on the pass so she got hit with a penalty. He wouldn't even look up from his paper when she complained.
So you'll have to keep your card in a metallic wallet, because the lack of physical contact means you can't really control when it's accessed.
It's interesting that I can build a wand and get someone's information off the license in their pocket. Now you could potentially get their credit card number too.
It may be slightly faster, but beyond that I don't see how it's better for the consumer or the business.
How long before they decide to make one of these into an implant? I bet they have scientists working around the clock inventing new ways to spend money. So imagine when your credit runs out: they don't just cut up your card, they give you surgery. Obligatory aphorism: A fool and his money are soon parted.
I ran a benchmark on my quantum computer, now I can't find it anywhere!
Hey, guess who doesn't understand how a credit card works?
Credit card fraud costs the creditors more money than it costs the consumers. Remember, when you buy something on credit, it's not your money you're spending. It only costs you money when the monthly bill comes. If they are going to make a system for exchanging credit for goods, you better damn well believe it's gonna be as secure as possible.
I am always suspicious of any new technology whose benefit isn't readily obvious to its potential market. So the value of RFID cards is that you don't "fumble" as much? That's ridiculous. Most outlets allow the customer to swipe their own credit cards, so what is the difference between holding it in front of a reader and swiping it? I know some idiots can't line up the mag stripe on their card sometimes, but do we really need a whole new technology because of that?
It's obvious where the benefit of this is: surreptitious extraction of information and account data. Sit down on a bench with a reader in it, and all your credit card data was just captured. Walk in the door of an establishment and your RFID cards are scanned and the next day you get junk mail.
I feel the same way about "debit cards". These afford the consumer less protection and security than credit cards (which are protected under the Fair Credit Billing Act of 1976) yet this new gimmick was foisted upon consumers offering more convenience. BS.
No thanks. This is not any technology that benefits consumers from any angle I can see.
The biggest security issue that I can think of off the top of my head (other than theft or losing your wallet) is if there are scanners set up that might intercept your credit card information.
So here's a concept. When you make a purchase using the RFID credit card, these steps happen:
1. the cash register sends a HELO type signal
2. the credit card responds and requests an encryption key
3. the cash register randomly generates an asymmetric encryption key valid for that transaction only, and sends the 'public' portion of the key to the credit card
4. the credit card encrypts the transaction information using the 'public' key it received and sends it to the cash register
5. the cash register uses the 'private' key to decrypt the information and process the transaction.
This way, the only information being transmitted is either encrypted, or a public key which isn't useful in decrypting the information.
The other concern I can think of off the top of my head would be people carrying devices that could fake a transaction -- so a thief would just be walking behind somebody, making a transaction through a device in their pocket, and walk away without a trace. Not sure about this one, though the first step would be high security on the transaction protocol.
Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
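The five steps above, played out in code as an added example (this is not code from the post, from any card issuer or from the CNN article, and it assumes RSA-OAEP for the "asymmetric key" and a constructed transaction string). It shows what the design buys and what it does not: a passive sniffer who captures the broadcast public key and the ciphertext cannot read the record, but because the card encrypts to whatever key it is handed and never authenticates the terminal, a home-made reader running the same steps gets the plaintext, which is exactly the concern in the post's last paragraph.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed transaction record for the demo; not data from any real card.
const SampleTx = "card=demo-token-0001;amount=12.50;merchant=demo-store"

// Terminal is the cash register side of the posted protocol.
type Terminal struct {
	priv *rsa.PrivateKey
}

// NewTerminal is step 3: a fresh RSA key pair that lives for one transaction.
// (The post says "asymmetric key"; RSA-OAEP is this example's choice.)
func NewTerminal() (*Terminal, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Terminal{priv: k}, nil
}

// PublicKey is the only key material that goes over the air (end of step 3).
func (t *Terminal) PublicKey() *rsa.PublicKey { return &t.priv.PublicKey }

// CardRespond is step 4. The card encrypts to whatever public key it was
// handed; nothing in the protocol lets it tell a real register from a
// home-made reader, because the key is fresh and unsigned.
func CardRespond(pub *rsa.PublicKey, tx string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(tx), nil)
}

// Decrypt is step 5, run by whoever holds the private half.
func (t *Terminal) Decrypt(ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// RunProtocol plays steps 1 to 5 and returns what the terminal learned plus
// the ciphertext that a passive sniffer near the reader would have captured.
func RunProtocol(term *Terminal, tx string) (string, []byte, error) {
	ct, err := CardRespond(term.PublicKey(), tx) // step 4
	if err != nil {
		return "", nil, err
	}
	pt, err := term.Decrypt(ct) // step 5
	if err != nil {
		return "", nil, err
	}
	return pt, ct, nil
}

// SnifferCanRead models the eavesdropper: it saw the public key and the
// ciphertext but not the private key. The best it can do is try a private
// key of its own, and OAEP decryption with the wrong key fails.
func SnifferCanRead(ct []byte) bool {
	own, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false
	}
	_, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, own, ct, nil)
	return err == nil
}

// RogueReaderHarvest models a thief with a reader of their own: the same
// steps run unchanged, and since the card never authenticates the terminal,
// the plaintext record is theirs.
func RogueReaderHarvest(tx string) (string, error) {
	rogue, err := NewTerminal()
	if err != nil {
		return "", err
	}
	pt, _, err := RunProtocol(rogue, tx)
	return pt, err
}

func main() {
	term, err := NewTerminal()
	if err != nil {
		panic(err)
	}
	pt, ct, err := RunProtocol(term, SampleTx)
	if err != nil {
		panic(err)
	}
	fmt.Println("terminal decrypted:", pt)
	fmt.Println("sniffer can read ciphertext:", SnifferCanRead(ct))
	harvested, _ := RogueReaderHarvest(SampleTx)
	fmt.Println("rogue reader decrypted:", harvested)
}
```

The takeaway for a defender is that encryption alone answers the sniffing worry but not the rogue-terminal one; that needs the terminal to prove its identity to the card (a certificate chain rooted at the card scheme) or the card to never disclose anything a rogue terminal could reuse, which is what a challenge-response design aims at.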
You know, currently there's a problem with waiters and waitresses and other service industry folk (a few) that take your credit card while you are paying your check and read the card with a pocket reader, storing the info for later for credit card fraud. I can see pick pockets now: You are bumped into while walking, you check to make sure your wallet is there, which it is, but your info has been stolen by a contactless RFID system.
No, I can beat you.
I was in the post office buying stamps last week and a woman was with her daughter. She wanted four 28p stamps and couldn't work out how much to tell her daughter to put in the machine. She had written down 28+28+28+28 on a piece of paper and was adding it up manually... 8+8, carry 1, um....
Seriously... it made me realise I take some things for granted....
The two most common threats to consumers who would use the system would seem to be:
1. Charge Theft: the thief charges your card by bringing a payment terminal near you. This depends on the security of the payment terminals. If the credit card processing system authenticates the terminal, then it would be hard for the thief to use the terminal to get the money. Even if the thief steals a terminal, the only thing that would happen is that the money would go to the retailer where the thief obtained the payment terminal. The real threat comes from a home-made or modded terminal. But this approach also requires a break-in to the credit card processor to hack a record for the hacked terminal to ensure that charges to that terminal go to a destination of the thief's choosing.
2. Card Theft: the thief remotely steals a person's card. This seems highly unlikely. The card would need to provide enough data in a reasonable number of monitored transactions to enable the thief to deduce how the card would respond to any future transaction. I would assume that the system would use a highly encrypted challenge-response system that would make it hard to reverse engineer the parameters for the response from a reasonable number of data points. But if someone hacks or steals the algorithm that is used to create the cards, then all bets are off.
It seems like the system could be secure if the encryption is sufficiently good and the data terminals are well controlled.
Two wrongs don't make a right, but three lefts do.
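The "highly encrypted challenge-response system" the post above assumes (and that the American Express description quoted further down in the thread also relies on), as an added example that is not code from the post, from American Express or from MasterCard. It assumes an HMAC-SHA256 response over a 128-bit per-card secret shared only with the issuer, which is this example's construction, not either issuer's actual scheme; the card identity and secret are constructed values. It shows why a sniffer who records any number of transactions still cannot answer a fresh challenge, and why binding the transaction details into the response stops a recorded exchange from being reused for a different amount.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Card models the chip: it holds a 128-bit secret shared only with the issuer
// and never transmits that secret. The value here is constructed for the demo.
type Card struct {
	ID     string
	secret []byte
}

// Issuer models the card processor's back end, which knows each card's secret.
type Issuer struct {
	secrets map[string][]byte
}

// NewChallenge is the reader's side: a fresh 16-byte random nonce per transaction.
// The reader, not the card, must pick it, or a cloner could pick one it has seen.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// response is the MAC both sides compute. It binds the card identity, the
// reader's challenge and the transaction details into one value.
func response(secret, challenge []byte, cardID, tx string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(cardID))
	m.Write(challenge)
	m.Write([]byte(tx))
	return m.Sum(nil)
}

// Respond is what the card sends back over the air.
func (c *Card) Respond(challenge []byte, tx string) []byte {
	return response(c.secret, challenge, c.ID, tx)
}

// Verify is run by the issuer on what the terminal forwards.
func (i *Issuer) Verify(cardID string, challenge []byte, tx string, resp []byte) bool {
	secret, ok := i.secrets[cardID]
	if !ok {
		return false
	}
	return hmac.Equal(resp, response(secret, challenge, cardID, tx))
}

// Transcript is everything a passive sniffer near the terminal can record.
type Transcript struct {
	CardID    string
	Challenge []byte
	Tx        string
	Response  []byte
}

// DemoSetup constructs one card and an issuer that knows it (constructed secret).
func DemoSetup() (*Card, *Issuer) {
	secret := []byte("0123456789abcdef") // 16 bytes = 128 bits, constructed
	card := &Card{ID: "card-demo-001", secret: secret}
	return card, &Issuer{secrets: map[string][]byte{card.ID: secret}}
}

// LegitimateTransaction runs one honest exchange and returns the transcript
// the sniffer would capture and whether the issuer accepted it.
func LegitimateTransaction(card *Card, issuer *Issuer, tx string) (Transcript, bool, error) {
	ch, err := NewChallenge()
	if err != nil {
		return Transcript{}, false, err
	}
	resp := card.Respond(ch, tx)
	rec := Transcript{CardID: card.ID, Challenge: ch, Tx: tx, Response: resp}
	return rec, issuer.Verify(card.ID, ch, tx, resp), nil
}

// ReplayAttempt: a cloner that recorded a transcript tries to spend later.
// The new terminal issues a fresh challenge, so the recorded response is wrong.
func ReplayAttempt(issuer *Issuer, rec Transcript) (bool, error) {
	fresh, err := NewChallenge()
	if err != nil {
		return false, err
	}
	return issuer.Verify(rec.CardID, fresh, rec.Tx, rec.Response), nil
}

// TamperAttempt: same challenge and response as recorded, but the amount is
// changed. Because the response covers tx, the issuer rejects it.
func TamperAttempt(issuer *Issuer, rec Transcript, newTx string) bool {
	return issuer.Verify(rec.CardID, rec.Challenge, newTx, rec.Response)
}

func main() {
	card, issuer := DemoSetup()
	rec, ok, err := LegitimateTransaction(card, issuer, "amount=12.50;merchant=demo")
	if err != nil {
		panic(err)
	}
	replayed, _ := ReplayAttempt(issuer, rec)
	fmt.Println("honest transaction accepted:", ok)
	fmt.Println("replayed transcript accepted:", replayed)
	fmt.Println("tampered amount accepted:", TamperAttempt(issuer, rec, "amount=1200.00;merchant=demo"))
}
```

Two caveats the post also hints at carry over to this design: the whole scheme rests on the per-card secret, so the issuer's key store and the card personalisation process ("if someone hacks or steals the algorithm that is used to create the cards") are the real crown jewels, and a rogue terminal can still initiate a small transaction of its own against a card in someone's pocket unless the scheme also authenticates the terminal or requires a PIN.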
There's lots of discussion about how someone can just sniff the transaction or plant hidden RFID readers, and they are being debunked by the fact that there's some sort of challenge/response encryption.
Fine, except given that some thieves have gone as far as to obtain a legitimate ATM machine to steal ATM card/PIN numbers, how much more difficult would it be to obtain an RFID credit card reader? Whatever public keys or key database a scanner needs would be taken care of, as it would all be purchased/leased for a seemingly legal purpose. At this point it would be trivial to plant the reader in a location that people tend to walk by, and unless there's some kind of PIN verification, you've got all you need.
Thus, the user doesn't even have to knowingly make a transaction as with the ATM scams.
If there's PIN verification, an on/off switch, or a lead protective storage pouch... then we're in the same place we're at now; but if all it takes is the user to click "OK" on the scanner, then obviously there's no security there (only against accidental scans at a legitimate establishment).
Any thoughts?
NGWave - Fast Sound Editor for Windows
This is just IMO FWIW but I believe RFID is one of many types of new services that really are more dangerous and insecure than they are beneficial. Technologies such as this shift the burden of responsibility from the merchant to the consumer. The big corporations have a vested interest in doing this and they engage in PR campaigns to snow-job consumers into thinking that their new products are better, when they are worse.
Here's a sampling of examples of things I'm talking about that consumers should avoid:
* RFID
Tremendous security & exploitation potential; virtually no discernible advantage to using this technology. Corporate interests claim the adoption of RFID will help reduce costs and curtail shoplifting and fraud. There is no real evidence to support this and consumers should be suspicious of this technology.
* Debit and ATM cards
Tremendous security and fraud potential. Not covered under many existing laws regarding credit card fraud. Regular credit cards are much more useful as the consumer shifts the burden to the merchant to prove a transaction was valid before paying for anything unauthorized (generally speaking but some banks have similar "consumer protections" they *claim* but credit card fraud protection is covered by Federal law). With debit cards, you lose and the burden is on you to prove the transaction is illegitimate. These are gimmicks designed to make money for the credit companies and give consumers less fraud protection. All the hype about identity and credit card theft is blown out of proportion and further used to scare consumers into, ironically, using technology that actually is less secure.
* Rebates
Misleading advertising; basically a tax on laziness. People should avoid purchasing anything that offers a rebate unless it's instant at the POS.
* Consolidated utility services
It's really bad to have multiple cards from the same bank, or use a single company for internet, cable and local phone service. The first time there is a billing snafu, every single one of your credit cards will be declined (if they're from the same bank - Citicorp loves to do that shit) or you lose phone, internet and cable TV if you're foolish enough to use one company for all these things.
In addition to that, there's the huge security and privacy issue of having one large company handle so many of your essential financial services and utilities. It's much more likely the information will be used against you than to enhance the quality/convenience of your life, so don't buy into the hype these companies spew about the "all on one bill convenience" they offer if you use one company for multiple services.
I think the reason to get paranoid is that the new technology may make the card issuer more reluctant to refund fraudulent charges.
For instance, on verified by visa/mastercard authenticode transactions, the merchant is not liable for chargebacks if the card holder says they didn't make the purchase.
Need a Catering Connection
It is ONE LESS form of identification for someone to have. Instead of having a credit card with your signature and possibly picture on it, now you have a little piece of plastic with some embedded silicon that the sales person doesn't even have to LOOK at to verify you.
How is having some bits in a RFID chip any stronger security-wise than having bits on a magnetic stripe?
There is no consumer benefit to this. The only one who benefits is the company making the sale because it makes things easier to buy. That's just what we need. As if things weren't easy enough to buy already.
The only POSSIBLE benefit I can see to this for a consumer is it sounds more durable; no stripe to get worn down.
-- Having a Creationist Museum is like having an Atheist place of worship
Why can't we just put a button on the little RFID dongle you would put on your keychain? Answer: we can. And this is what the CC companies should do. I know, speedpass doesn't implement it. But it would be very, very simple to do and go a long way toward easing my fears about this. I'm envisioning something similar to a Photon light.
Even better, why not pair it with an always-on RFID in your wallet, and only allow transactions when both are present? This'd prevent simple theft by valets, purse snatchers, etc.
Are people really grabbing a product off the shelf, walking up to the register, and ONLY AS THEY'RE PULLING THEIR CREDIT CARD OUT start thinking, "gee, can I afford this?" If so, then I say fleece the morons for all they are worth. RFID in this instance provides a quicker transaction, and is thus a very very good thing.
As for the concerns about fraud, the credit card banks addressed this a couple years back by exposing most cardholders to only $50 liability in the event of false charges, and many cards have taken that down to zero on many accounts.
Stop by my site where I write about ERP systems & more
...but this is slashdot, after all.
However, the thief would have to get quite close to his target or have a very sensitive reader.
Hmmm. Build a powerful RFID reader and walk through a large crowd of people collecting RFID numbers. Warwalking!
Also, the account number on the contactless cards is useful only in the RFID system -- it's not the same as a user's credit card number. A crook would thus not be able to use the card number to go on a fraudulent Internet shopping spree, for example.
But you could use it in person - build an RFID transmitter. After all, the key fob never has to leave your pocket - how does the clerk know if it's real or the PDA-sized RFID cloner in your pocket?
American Express makes the RFID reader verify the card's authenticity with a "challenge-response" exchange that depends on 128-bit encryption encoded on the chip. That strength of encryption is considered safe against "brute force" attacks, in which a hacker tries every possible combination.
It's good to know that some people have a clue in designing a secure system.
MasterCard says it uses a different security system but would not provide specifics.
I'll reserve judgment.
Although it is no joking matter, I for one welcome our new government "Patriot Scanning System" overlords.
Seriously, this technology is so dangerous it is not possible to be paranoid about it. We're concerned about a technology that will allow governments to track all its citizens at will, without their permission or knowledge. Here is a scenario:
You are walking down a street and a passive RFID detector senses your card. The RFID sensor belongs to the Homeland Security Administration's new "Patriot Scanning System" and the data is fed to a government computer that says you, Joe Blow, are in front of the opposition political party's office (or the gun shop or the AIDS clinic, the police station, or the Right to Life office - you take your pick). And it does that thousands of times a day for thousands of people. It also knows who you are with so the government now knows your associates. The next time you go to a government building you are stopped and held for questioning because...? You went to a right-to-life meeting and then to a gun shop and then to a hardware store. All of those were perfectly legal actions, yet you now have a red flag on your name in the computer that shouts "potential terrorist".
You just won't carry credit cards, you say? Riggght, but even then so what? All the RFID tags in your clothes from Eddie Bauer or KMart will have RFID tags in them so the government computers can track you with those as well. All you have to do is walk by a single detector and all your RFID tags are thereafter associated with you forever, and each tag "infects" any new tags each time you walk by the government's "Patriot Scanning System".
The government can know whenever you go to an anti-war rally or an anti-abortion rally or a pro-abortion rally or an airport or a train station or a protest against the administration...or, or, or. Think about it - is it so outlandish to think of the government having agents walking through the crowds at political rallies gathering ID information from credit cards?
And PLEASE, don't anyone give me that absurd argument that "if you're not doing anything wrong why do you mind the government knowing everything you do?". I'm a patriot and that's WHY I mind.