Radio Credit Cards Move Closer
pvt_medic writes "CNN.com has an article about research that some major credit card companies (MasterCard and American Express) are putting into creating 'contactless' credit cards. These are similar to the Speedpass that ExxonMobil has been using for six years. What do people think about the prospect of this more widespread use of RFID? Is this something that will only lead to more credit card fraud, or will it provide more secure means of payment?" (The article comes from the Associated Press.)
They better be sure their encryption is up to scratch. I was reading just the other day (I believe it was on Slashdot) that there are supercomputers now that can break 128-bit encryption in a matter of minutes.
When anger rises, think of the consequences.
Confucius (551 BC - 479 BC)
The idea that the merchant doesn't have to touch the card makes it pretty unlikely that they'll check the id and the signature of the buyer, so this encourages fraud. It should at least require a PIN.
Also, there is no way for the customer to control access to the card. My sister recently picked me up at Kennedy airport, and as she was holding the parking fee money out the window, the attendant charged the fee to her EZpass because he was too lazy to look up. There wasn't enough room on the pass so she got hit with a penalty. He wouldn't even look up from his paper when she complained.
So you'll have to keep your card in a metallic wallet, because the lack of physical contact means you can't really control when it's accessed.
It's interesting that I can build a wand and get someone's information off the license in their pocket. Now you could potentially get their credit card number too.
It may be slightly faster, but beyond that I don't see how it's better for the consumer or the business.
I am always suspicious of any new technology whose benefit isn't readily obvious to its potential market. So the value of RFID cards is that you don't "fumble" as much? That's ridiculous. Most outlets allow the customer to swipe their own credit cards, so what is the difference between holding it in front of a reader and swiping it? I know some idiots can't line up the mag stripe on their card sometimes, but do we really need a whole new technology because of that?
It's obvious where the benefit of this is: surreptitious extraction of information and account data. Sit down on a bench with a reader in it, and all your credit card data was just captured. Walk in the door of an establishment and your RFID cards are scanned and the next day you get junk mail.
I feel the same way about "debit cards". These afford the consumer less protection and security than credit cards (which are protected under the Fair Credit Billing Act of 1976) yet this new gimmick was foisted upon consumers offering more convenience. BS.
No thanks. This is not any technology that benefits consumers from any angle I can see.
The biggest security issue that I can think of off the top of my head (other than theft or losing your wallet) is if there are scanners set up that might intercept your credit card information.
So here's a concept. When you make a purchase using the RFID credit card, these steps happen:
1. the cash register sends a HELO type signal
2. the credit card responds and requests an encryption key
3. the cash register randomly generates an asymmetric encryption key valid for that transaction only, and sends the 'public' portion of the key to the credit card
4. the credit card encrypts the transaction information using the 'public' key it received and sends it to the cash register
5. the cash register uses the 'private' key to decrypt the information and process the transaction.
This way, the only information being transmitted is either encrypted, or a public key which isn't useful in decrypting the information.
The other concern I can think of off the top of my head would be people carrying devices that could fake a transaction -- so a thief would just be walking behind somebody, making a transaction through a device in their pocket, and walk away without a trace. Not sure about this one, though the first step would be high security on the transaction protocol.
Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
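The five-step exchange proposed in the comment above, as an added example that is not part of the original post. It uses toy textbook RSA with tiny primes purely to show the message flow (not secure; a real design would use a padded scheme with full-size keys), and every function name and the sample card data are constructed. It shows that the card encrypts to whichever reader hands it a key, so the scheme hides the data from a listener but does not tell the card which reader it is talking to, the fake-transaction concern the comment raises.

```python
import secrets

# Toy textbook RSA: tiny primes, no padding. Message flow only, NOT secure.
SMALL_PRIMES = [1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049]
E = 65537  # prime and larger than every p-1, so always invertible mod phi

CARD_DATA = b"ACCT-0000-TEST"  # constructed sample, not a real account


def register_new_keypair():
    """Step 3: a reader generates a key pair valid for one transaction."""
    p = secrets.choice(SMALL_PRIMES)
    q = secrets.choice([x for x in SMALL_PRIMES if x != p])
    phi = (p - 1) * (q - 1)
    return (p * q, E), (p * q, pow(E, -1, phi))  # (public, private)


def card_respond(public_key, data=CARD_DATA):
    """Step 4: the card encrypts to whatever public key it was handed."""
    n, e = public_key
    return [pow(b, e, n) for b in data]


def reader_decrypt(private_key, ciphertext):
    """Step 5: only the holder of the matching private key can decrypt."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def run_transaction():
    """Steps 1-5 between the card and one reader; returns what the reader learns."""
    public, private = register_new_keypair()    # steps 1-3
    ciphertext = card_respond(public)           # step 4, sent over the air
    return reader_decrypt(private, ciphertext)  # step 5


def compare_readers():
    """The card cannot tell the shop's register from any other reader."""
    return {"shop_register": run_transaction(),
            "unknown_reader": run_transaction()}


if __name__ == "__main__":
    print(compare_readers())
```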
You know, currently there's a problem with waiters and waitresses and other service industry folk (a few) that take your credit card while you are paying your check and read the card with a pocket reader, storing the info for later for credit card fraud. I can see pickpockets now: You are bumped into while walking, you check to make sure your wallet is there, which it is, but your info has been stolen by a contactless RFID system.
It is ONE LESS form of identification for someone to have. Instead of having a credit card with your signature and possibly picture on it, now you have a little piece of plastic with some embedded silicon that the sales person doesn't even have to LOOK at to verify you.
How is having some bits in a RFID chip any stronger security-wise than having bits on a magnetic stripe?
There is no consumer benefit to this. The only one who benefits is the company making the sale because it makes things easier to buy. That's just what we need. As if things weren't easy enough to buy already.
The only POSSIBLE benefit I can see to this for a consumer is it sounds more durable; no stripe to get worn down.
-- Having a Creationist Museum is like having an Atheist place of worship
Why can't we just put a button on the little RFID dongle you would put on your keychain? Answer: we can. And this is what the CC companies should do. I know, Speedpass doesn't implement it. But it would be very, very simple to do and go a long way toward easing my fears about this. I'm envisioning something similar to a Photon light.
Even better, why not pair it with an always-on RFID in your wallet, and only allow transactions when both are present? This'd prevent simple theft by valets, purse snatchers, etc.
Are people really grabbing a product off the shelf, walking up to the register, and ONLY AS THEY'RE PULLING THEIR CREDIT CARD OUT start thinking, "gee, can I afford this?" If so, then I say fleece the morons for all they are worth. RFID in this instance provides a quicker transaction, and is thus a very very good thing.
As for the concerns about fraud, the credit card banks addressed this a couple years back by exposing most cardholders to only $50 liability in the event of false charges, and many cards have taken that down to zero on many accounts.
Stop by my site where I write about ERP systems & more
...but this is slashdot, after all.
However, the thief would have to get quite close to his target or have a very sensitive reader.
Hmmm. Build a powerful RFID reader and walk through a large crowd of people collecting RFID numbers. Warwalking!
Also, the account number on the contactless cards is useful only in the RFID system -- it's not the same as a user's credit card number. A crook would thus not be able to use the card number to go on a fraudulent Internet shopping spree, for example.
But you could use it in person - build an RFID transmitter. After all, the key fob never has to leave your pocket - how does the clerk know if it's real or the PDA-sized RFID cloner in your pocket?
American Express makes the RFID reader verify the card's authenticity with a "challenge-response" exchange that depends on 128-bit encryption encoded on the chip. That strength of encryption is considered safe against "brute force" attacks, in which a hacker tries every possible combination.
It's good to know that some people have a clue in designing a secure system.
MasterCard says it uses a different security system but would not provide specifics.
I'll reserve judgment.
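A minimal sketch of the challenge-response idea the quoted article describes, as an added example that is not part of the original comment or of any card issuer's design. The page gives no algorithm, so HMAC-SHA256 under a 128-bit shared key is an assumption, as are all class and function names; it shows why a response recorded from one transaction is rejected for the next one.

```python
import hashlib
import hmac
import secrets


class Card:
    """Holds a 128-bit secret that never leaves the chip (assumed design)."""

    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        # The card proves knowledge of the key without transmitting it.
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Verifier:
    """Reader/issuer side. Simplification: it holds the same key as the card."""

    def __init__(self, key):
        self.key = key
        self.pending = None

    def new_challenge(self):
        self.pending = secrets.token_bytes(16)  # fresh nonce per transaction
        return self.pending

    def verify(self, response):
        if self.pending is None:                # no outstanding challenge
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None                     # each challenge is single use
        return hmac.compare_digest(expected, response)


def demo():
    key = secrets.token_bytes(16)               # 128-bit key, constructed here
    card, verifier = Card(key), Verifier(key)

    recorded = card.respond(verifier.new_challenge())
    genuine_ok = verifier.verify(recorded)      # real card, fresh challenge

    verifier.new_challenge()                    # next transaction
    replay_ok = verifier.verify(recorded)       # old response played back

    other = Card(secrets.token_bytes(16))       # device without the card's key
    wrong_key_ok = verifier.verify(other.respond(verifier.new_challenge()))
    return genuine_ok, replay_ok, wrong_key_ok


if __name__ == "__main__":
    print(demo())
```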