Slashdot Mirror

← Back to Stories (view on slashdot.org)

Radio Credit Cards Move Closer

Posted by timothy on from the walk-by-mugging dept.

pvt_medic writes "CNN.com has an article about research that some major credit card companies (MasterCard and American Express) are putting into creating 'contactless' credit cards. These are similar to the Speedpass that ExxonMobil has been using for six years. What to people think about the prospect of this more widespread use of RFID? Is this something that will only lead to more credit card fraud, or will it provide more secure means of payment?" (The article comes from the Associated Press.)

68 of 295 comments (clear)

  1. Well lets see... by AuMatar · · Score: 4, Insightful

    We have a method of payment that can subtract electronic mone from your account, with no input from you, and without your card ever leaving your wallet? Yeah, thats a great idea....

    --
    I still have more fans than freaks. WTF is wrong with you people?
    1. Re:Well lets see... by whovian · · Score: 3, Insightful
      Not only that, but this part is the key:

      Jeff Chasney, chief technical officer of CKE Restaurants Inc., which runs the Carl's Jr. and Hardee's fast-food chains, says the new cards are likely to increase sales because they are so easy to use and ensure that a consumer won't be limited by the cash in his wallet .


      Nothing like tapping into the cowstomer's (sic) impulse buying, especially in the US.
      --
      To-do List: Receive telemarketing call during a tornado warning. Check.
    2. Re:Well lets see... by cpu_fusion · · Score: 5, Insightful

      > you better damn well believe
      > it's gonna be as secure as possible

      Oh yes, like the wonderfully secure state of credit card use on the Net right now.

      It won't be *secure as possible* ... it will in fact, be as *secure as deemed needed* by beancounters. Those beancounters offset the minor inconvenience of a few hundred thousand people who have to deal with the shock & scare of being ripped off by holes in the new technology with the economic boost of a few more million people using their particular flavor of credit card.

      Sure, the credit card companies might cover the losses (*might, after you fight*), but there's nothing like seeing a huge charge on your credit card, that you didn't make, and having to go through the hassle of getting it resolved.

      Don't blindly think they make things "as secure as possible." That's not the economics of it.

    3. Re:Well lets see... by asr_man · · Score: 5, Informative

      Wrong. RTFA. Consumer gets to make final "accept/reject" on purchase after card is scanned. Also, card includes challenge/response authentication (AMEX at least, MC we aren't told). As the article clearly states, knowing the RFID card number does not give a thief any practical means to use it.

    4. Re:Well lets see... by Midnight+Thunder · · Score: 3, Insightful

      Wrong. RTFA. Consumer gets to make final "accept/reject" on purchase after card is scanned.

      Lets just hope they get the issues sorted out, so we don't have a scenario where that even though one card was scanned that it picks up the signal from another card and hence charges the wrong one.

      I have not played with the technology, but I feel that the onous is always on the technology to prove itself safe. Until then it is hard to assume the customer will be comfortable with it.

      --
      Jumpstart the tartan drive.
    5. Re:Well lets see... by SurgeonGeneral · · Score: 5, Insightful

      We have a method of payment that can subtract electronic mone from your account, with no input from you, and without your card ever leaving your wallet? Yeah, thats a great idea....

      I see a great number of redundant posts all throughout stating this same idea.

      I think you guys are being more than just a little shortsighted. You read something about a RFID credit card and jump to a horrendous number of conclusions about how this technology will be used. Give it a little thought:

      The most likely candidate for a technology to be paired with this is Biometrics. We're all quite familiar with this technology, and its easy to see how it would be coupled with RFID CCs.

      But we can come up with something a little less "futuristic". I belong to a tennis club that uses RFID encoded cards for entry in to the building, but they are also used for purchasing food. What happens? You swipe your wallet (containing the card), and the computer in front of the salesperson (yes we have those nowadays) brings up a picture of me and all my personal information. If anything seems fishy, they ask for a signiture.

      Now considering that this technology is not going to be immediately implemented, and will not be forced upon the general public, I think we can give at the very least a few more years before it becomes ubiquitous. In that case, use your imagination (I know its hard since tech evolves so quickly) to come up with some solutions to the pedantic and generally trivial questions just like this one that everyone is posing.

      --
      -- "Man is born free, and everywhere he is in chains." Jean Jacques Rousseau
    6. Re:Well lets see... by toast0 · · Score: 2, Informative

      If the merchant accepts cash and credit, there is no apparent difference to me (the consumer) in regards to sticker price; unless the merchant offers a cash discount (since merchant agreements usually prohibit credit charges)

      Of course, factoring in the time value of money, it's cheaper for me to buy with credit, since I don't have to actually pay for it for 30-50 days.

      --
      Need a Catering Connection
    7. Re:Well lets see... by TwistedSpring · · Score: 2, Insightful

      Haha you're funny. Let's take a look at, say, Yahoo's instant messenger protocol, or practically any other protocol out there that uses challenge-response: It's cracked in under a few months. I'm not saying the CC companies are going to use a challenge-response method as simplistic as an instant messenger program, but RFIDs will not exactly be able to perform a large amount of calculation, they just don't have the power to provide a truely safe challenge/response mechanism, and let's face it if this system comes in, there will be plenty of opportunity for RFID sniffers to lurk around and pick up a ton of valid challenges and responses in order to reverse engineer the system.

      This system demonstrates an incredible amount of faith in the stupidity of fraudsters, which is completely unfounded. Cracking is an incredibly well-known and well documented phenomena, look at DeCSS, C-DILLA and all those games you ripped off in the past 20 years. When the chances of getting at someone's cash are involved, the incentive becomes so much greater.

    8. Re:Well lets see... by Ryosen · · Score: 2, Informative

      Well, this is news to me. We pay 1.5% commission to Amex. In fact, of the major cards, they are the lowest commission rate, with Visa/MC charging 2.5%. Restaurants can pay upwards of 4.5% but that's as high as it gets.

      Mods, please, downgrade the parent to over-rated. The AC has no idea what he is talking about. None.

      --

      Ryosen
      One man's "Troll, +1" is another man's "Insightful, +1".
    9. Re:Well lets see... by Ryosen · · Score: 2, Insightful

      I don't think that the issue is so much one of someone using your keychain to make purchases. Rather, it's some criminal scanning your tag as you walk past and using the information for fraudulent purchases of their own. I'm more worried about getting scammed this way than finding out that I supposedly bought a shirt the last time that I was walking through Macy's.

      The technology is nothing new, of course. Mobil/Exxon has had this for several years in the form of SpeedPass. I've never used it, however, and never will. I'm more than willing to sacrifice the convenience of saving 10 seconds waving the little wand in front of the reader instead of scanning my card at the pump. I am a technologist. I know the limitations. I know the track-records of similar systems as well as those of the parties involved. Until this becomes mandatory (cards replaced by RFID devices), I won't have to worry about any problems, because I won't have one.

      And, until the credit card companies pay every merchant on the face of the earth for the new devices, it will not become mandatory.

      You'll notice that there aren't any "Speedpass-Only" Exxon stations around.

      --

      Ryosen
      One man's "Troll, +1" is another man's "Insightful, +1".
    10. Re:Well lets see... by KrispyKringle · · Score: 4, Informative
      Yes, let's look at protocols that use challenge-response. Kerberos uses a modified challenge-response method. Windows NT prior to 2K and XP used challenge reponse, now they use a modificaiton of the Kerberos method. VNC uses challenge-response, if I remember right. HTTP digest authentication uses challenge-response. Many mailservers, (POP and IMAP, as well as SMTP) use challenge-response (CRAM MD5). The notion of challenge-response is itself secure, if implemented properly.

      Offhand, I can think of two big ways to screw up the implentation:

      Replay attacks - if the challenge is consistent through multiple authentication sessions, an attacker can reuse a hash response from a previous session. The solution is simple; better psuedo-randomness (using the date/time is a pretty poor idea, since an attacker can simply challenge the card with a date in the future and retrieve the needed response).

      Poor hashing - if the hash used on the response is reversible, the password is right there for the taking. Solution, use something known to be strong, like blowfish or MD5.

      Assuming the makers aren't stupid, they have a cryptographically secure system on-hand. You make an assumption based on a few out-of-context or unrelated cases that all security is useless. This is silly; while I don't have a lot of faith in secure systems as a whole, the flaw is rarely in the cryptography backing them, if it is implemented correctly. The reason for this is obvious; cryptography, and computing complexity, are easily-understood enough that developing mathematical models for security is easy. For example, we know--or rather, we believe very fervently, but cannot prove--that factoring large numbers is very, very difficult. Therefore, we trust RSA when implemented properly. Similarly, we know--or at least believe very strongly--that certain algorithms are very, very difficult to reverse. Therefore, we trust that if a bad guy gets our password file, he can only try to find our passwords via brute-force.

      The difficulty of sniffing and cracking the protocol used is probably much greater than that of simply getting a waiter at a restaurant to swipe the cards of customers through a skimmer (traditional cards, that is). And security is really not about absolute security; it's simply about making sure that defeating is is more trouble than it's worth (I believe Bruce Schnieder said this, but I could be mistaken).

    11. Re:Well lets see... by thebes · · Score: 2, Informative
      Ummm, Hello? That's called, memorizing a credit card number, expiry, and buying stuff on the internet.

      A 16 digit number is nothing to memorize, and the expiry date can be pretty easy as well. There's lots of people out there (more so in the mathematics/physics field) that can just look at a number, and a few moments later, be able to write it down.

      So really, what's to prevent someone who works at a restaurant who takes your CC and memorizes the number, let alone write it down?

      Af far as security for internet purchases is made, there's no real change.

    12. Re:Well lets see... by Sneftel · · Score: 2, Insightful

      How is that any different than current credit cards?

      --
      The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    13. Re:Well lets see... by SuperMo0 · · Score: 3, Insightful

      With current credit cards, you actually have to pull out the card and THINK. "Hmm... do I REALLY need this enough to charge it?" This doesn't apply to everyone, but to enough people that it makes a dent in sales.

      However, with this radio card, you wouldn't even have to remove the card from your wallet/purse/whatever, so a lot of the effort is removed and therefore you don't have as much time to think about whether you "really need" what you're buying.

    14. Re:Well lets see... by SpaceRook · · Score: 4, Insightful

      I think this will help push sales if customer's spend less time in line. There have \been times where I've been waiting in line and thought, "Y'know, I don't REALLY need this 25 pack of CD-R's right now. I'm going to put it back on the shelf."

    15. Re:Well lets see... by The+Clockwork+Troll · · Score: 2, Funny

      I suspect there are no Hardee's or Carl's Jr. chains in San Marino or Burkina Faso.

      --

      There are no karma whores, only moderation johns
    16. Re:Well lets see... by TopShelf · · Score: 3, Interesting

      Are people really grabbing a product off the shelf, walking up to the register, and ONLY AS THEY'RE PULLING THEIR CREDIT CARD OUT start thinking, "gee, can I afford this?" If so, then I say fleece the morons for all they are worth. RFID in this instance provides a quicker transaction, and is thus a very very good thing.

      As for the concerns about fraud, the credit card banks addressed this a couple years back by exposing most cardholders to only $50 liability in the event of false chargers, and many cards have taken that down to zero on many accounts.

      --
      Stop by my site where I write about ERP systems & more
    17. Re:Well lets see... by Anonymous+Coed · · Score: 2, Funny

      Actually what I do is "Y'know, I don't REALLY need this 25 pack of CD-R's right now. I'm going to drop it wherever I happen to be standing and just leave the store."

    18. Re:Well lets see... by Dark+Bard · · Score: 2, Funny

      I use to have something that could bleed my account dry without any input from me. It was called a wife.

  2. How safe are they? by Pingular · · Score: 3, Interesting

    They better be sure their encryption is up to scratch. I was reading just the other day ( I believe it was on Slashdot) that there are supercomputers now that can break 128bit encryption in a matter of minutes.

    --

    When anger rises, think of the consequences.
    Confucius (551 BC - 479 BC)
    1. Re:How safe are they? by filtersweep · · Score: 2, Informative

      Yeah, and my office building handles much more sensitive data than a CC and it has much more, shall we say, more "mature" technology in the access cards used. I don't think it is that big of a deal. As it is, anyone with rudimentary "Radio Shack skills" can program a magnetic strip for an ordinary non-smart-card CC.

      --


      Those that suggest you "dance like no one is watching" really want to see you make a complete fool of yourself.
    2. Re:How safe are they? by xpl_the_myst · · Score: 2, Interesting

      Quote from the article --
      "
      In theory, the transaction could be intercepted without a consumer's knowledge by a technologically savvy thief intent on cloning a card. That's because RFID transmissions themselves are not encrypted.
      "

      But there's also -
      "
      American Express makes the RFID reader verify the card's authenticity with a "challenge-response" exchange that depends on 128-bit encryption encoded on the chip. ...
      MasterCard says it uses a different security system but would not provide specifics.
      "

      I don't know what the two mean when put together, but I sure as hell hope they are encrypted.

      --
      This sig is empty.
  3. Rejoice! by drewbradford · · Score: 5, Funny

    This will make charging people to walk past my house much easier. In the past it's been tough for me to collect the $50 that I charge.

    1. Re:Rejoice! by G-funk · · Score: 4, Funny

      Sigh, why did this guy get marked as a troll?

      Yeah I agree... Sure, if he wanted to charge people to walk over his bridge, but past his house? Cummon, people! :-)

      --
      Send lawyers, guns, and money!
  4. Faster than cash? by Isopropyl · · Score: 5, Funny
    "In some instances it's faster than cash," said Betsy Foran-Owens, a MasterCard vice president. "You're eliminating the fumble factor."

    I agree. Nothing's more annoying than handing someone $10.15 for a $5.15 bill and watching the other person take out a calculator.

    1. Re:Faster than cash? by rbbs · · Score: 2, Interesting

      no i can beat you.
      was in the post office buying stamps last week and a woman was with her daughter. she wanted four 28p stamps and couldn't work out how much to tell her daughter to put in the machine. she had written down 28+28+28+28 on a piece of paper and was adding it up manually...8+8, carry 1, um....

      seriously...it made me realise i take some things for granted....

  5. easier to steal cc number by jbplou · · Score: 3, Insightful

    Won't this make it easier to steal someones cc number now. Since all some will have to do is hide a sensor of some type in a mall or someplace that can pick up the radio frequency?

  6. Scanners by alset_tech · · Score: 4, Insightful

    Another reason to sniff the wireless frequencies. You may not be able to get into most cell networks these days, but this will bring all kinds of fun the the quest. Someone will figure out how to hack this inside three months. At least right now I have to match a signature (though nobody checks the card) and my debit card has my picture on it. God knows I won't want to get one of these.

    --
    Standing on the shoulders of giants.
    1. Re:Scanners by KrispyKringle · · Score: 3, Insightful
      It's not very hard to make this secure. This isn't done with current credit cards, but so long as we're building a new system, make 'em smart cards. Put a chip in them that stores a cryptographically random private key. When sent data (say, some random chunk to prevent a playback attack), it spits out the encrypted version. Then the credit card company can verify against the known public key (or give them a copy of the private key as well, so it's more like challenge-response) to make sure you really have the private key. Perfectly secure (at least until someone perfects quantum computing, or unless the NSA--who really doesn't need to waste time cracking my credit card--develops a way to factor large numbers).

      Of course, for traditional use, like online, you could use the traditional CC#.

  7. No Problemo by the+eric+conspiracy · · Score: 5, Funny

    I predict a booming market in shielded wallets.

    1. Re:No Problemo by niko9 · · Score: 3, Funny

      Bah, the hackers will make their own

      Scroll to the middle of the page.

  8. Bad Idea by wsloand · · Score: 2, Interesting

    Now someone can pickpocket me by just bumping into me on the subway. It would be relatively simple to just read the card with a device in my pocket from someone else's pocket. How hard could it be to make your own RFID device that gives out the same number?

  9. Bring'em On! by Jah-Wren+Ryel · · Score: 2, Funny

    I have *the* patent on lead-lined wallets (and tin-foiled lined ones too) so I say the sooner these wireless cards come to market the sooner I can become a rich man!

    --
    When information is power, privacy is freedom.
  10. There is a (sort of) working example by jonbryce · · Score: 3, Insightful

    Transport for London's Oyster Card is a contactless ticketing system for the London Underground and London Buses.

    At the moment, it can only hold season tickets, so it isn't a great problem if you accidently use it. From next year, you can hold other types of ticket in there as well.

    It has some advantages, like being able to recharge it over the phone or online without having to wait for the tickets to arrive through the post.

    You can get through the ticket barriers without taking it out your bag, though you have to hold the bag petty close to the sensor.

    People don't like it because it allows TFL to trace your travel habits much more than they could before.

    In the case of credit cards, I can't see how just holding it close to a sensor could be evidence of your approval of the transaction. You would need some sort of verification process like a signature or a PIN/password.

  11. Widely used in Hong Kong by G4from128k · · Score: 2, Informative

    The Octopus card is widely used in Hong Kong. Its a stored value card, so its anonymous. It started life in the MTR (the local mass transit system) and has since expanded to convenience stores, Macdonalds, Starbucks, etc.

    --
    Two wrongs don't make a right, but three lefts do.
  12. In other news... by JiggsJedi · · Score: 2, Funny

    ...tin foil panties being showcased in VictoRFID's Secret...

    --
    Women are like internet domains. All the ones I like are taken, but I can still get one from a strange country.
  13. The merchant never touches it? by rMortyH · · Score: 4, Interesting

    The idea that the merchant doesn't have to touch the card makes it pretty unlikely that they'll check the id and the signature of the buyer, so this encourages fraud. It should at least require a PIN.

    Also, there is no way for the customer to control access to the card. My sister recently picked me up at Kennedy airport, and as she was holding the parking fee money out the window, the attendant charged the fee to her EZpass because he was too lazy to look up. There wasn't enough room on the pass so she got hit with a penalty. He wouldn't even look up from his paper when she complained.

    So you'll have to keep your card in a metalic wallet, because the lack of physical contact means you can't really control when it's accessed.

    It's interesting that I can build a wand and get someone's information off the license in their pocket. Now you could potentially get their credit card number too.

    It may be slightly faster, but beyond that I don't see how it's better for the consumer or the business.

    1. Re:The merchant never touches it? by sonamchauhan · · Score: 3, Interesting

      Also, there is no way for the customer to control access to the card.

      Seriously though, excellent point.
      I made a similar point here in the article on fake ATMs -- even smartcards (contactless or otherwise) with PK crypto are susceptible to attack by fake-front ATMs unless they present an on-board interface so that the buyer can control the transaction.

      Otherwise, the buyer will just see the seller make a "big sucking sound".

    2. Re:The merchant never touches it? by egarrido16 · · Score: 2, Interesting

      Few merchants checks credit card signatures.

      Here's a funny link posted to slashdot some time ago: the credit card prank..

      --
      "Brevity is the soul of wit." -Polonius, Hamlet.
  14. Coming soon... by adept256 · · Score: 2, Interesting

    How long before they decide to make one of these into an implant? I bet they have scientists working around the clock inventing new ways to spend money. So imagine when your credit runs out; They don't just cut up your card, they give you surgery. Obligatory aphorism: A fool and his money are soon parted.

    --

    I ran a benchmark on my quantum computer, now I can't find it anywhere!
  15. prove it by mabu · · Score: 4, Interesting

    I am always suspicious of any new technology whose benefit isn't readily obvious to its potential market. So the value of RFID cards are that you don't "fumble" as much? That's ridiculous. Most outlets allow the customer to swipe their own credit cards, so what is the difference between holding it in front of a reader and swiping it? I know some idiots can't line up the mag stripe on their card sometimes, but do we really need a whole new technology because of that?

    It's obvious where the benefit of this is: surreptitious extraction of information and account data. Sit down on a bench with a reader in it, and all your credit card data was just captured. Walk in the door of an establishment and your RFID cards are scanned and the next day you get junk mail.

    I feel the same way about "debit cards". These afford the consumer less protection and security than credit cards (which are protected under the Fair Credit Billing Act of 1976) yet this new gimmick was foisted upon consumers offering more convenience. BS.

    No thanks. This is not any technology that benefits consumers from any angle I can see.

  16. Re:Credit Card Theft? by KrispyKringle · · Score: 4, Informative
    That's now how challenge/response works. See here.

    Basically, the idea is that if both you and the authenticator know the secret password, but you don't want to transmit it, the authenticator sends you some random chunk of data, say message M. You encrypt it using some (presumably one-way) algorithm, using your password as the encryption key to create W. The authenticator also encrypts the same chunk, and, when you send back your W, compares it do his own known-good W. Assuming they match, it means you have the password. The password itself is never sent plaintext.

    You seem to be assuming that there is one secret key for the whole system. This would be completely useless, and is obviously not the case. You would need one secret key per person, as I'm sure American Express knows.

  17. Screw Credit by gmhowell · · Score: 2, Funny

    Screw credit cards, I always carry plenty of cash.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  18. security concept by LuxFX · · Score: 3, Interesting

    The biggest security issue that I can think of off the top of my head (other than theft or loosing your wallet) is if there are scanners set up that might intercept your credit card information.

    So here's a concept. When you make a purchase using the RFID credit card, these steps happen:
    1. the cash register sends a HELO type signal
    2. the credit card responds and requests an encryption key
    3. the cash register randomly generates an asymmetric encryption key valid for that transaction only, and send the 'public' portion of the key to the credit card
    4. the credit card encrypts the transaction information using the 'public' key it received and send it to the cash register
    5. the cash register uses the 'private' key to decrypt the information and process the transaction.

    This way, the only information being transmitted is either encrypted, or a public key which isn't useful in decrypting the information.

    The other concern I can think of off the top of my head would be people carrying devices that could fake a transaction -- so a thief would just be walking behind somebody, making a transaction through a device in their pocket, and walk away without a trace. Not sure about this one, though the first step would be high security on the transaction protocol.

    --
    Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
    1. Re:security concept by swillden · · Score: 2, Informative

      Asking an RFID tag to encrypt something is like asking a new born baby to do calculus. You can't ask a device which has no battery of its own to compute something.

      What does having a battery have to do with it? They're powered by the reader.

      Both contact and contactless smart cards (which are not the same as RFIDs, although the difference is one of complexity rather than technology) do have the capability to perform cryptographic operations, both symmetric and asymmetric, and with sufficiently large keys to be secure.

      If you'd like to know what these devices can really do, rather than guessing, take a look at the specifications for this one. Dual interface (contact or RF usage), on-card fingerprint matcher, 2048-bit RSA, 168-bit 3DES, SHA-1 and MD-5 secure hashes, hardware random number generator, on-board Java VM for executing user programs, six different comm protocols supported, with comm speeds ranging from 9600bps to 424kbps. It performs a 1024-bit RSA public key operation in 18ms, a private key operation in 163ms and 168-bit DES operations in nanoseconds.

      Oh, but it doesn't have a battery.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  19. Pick Pockets by cybercuzco · · Score: 3, Interesting

    You know, currently theres a problem with waiters and waitresses and other service industry folk (a few) that take your credit card while you are paying your check and read the card with a pocket reader, storing the info for later for credit card fraud. I can see pick pockets now: You are bumped into while walking, you check to make sure your wallet is there, which it is, but your info has been stolen by a contactless RFID system.

    --

  20. Probably based on ISO 14443 Secure RFID spec by Anonymous Coward · · Score: 3, Informative

    The spec has successfully been used by the German transmit authority to curtail fraud in their system.
    It uses challenge-response encryption so it is very resistant to "man in the middle" attacks and snooping. Operates on a near-field magnetic-load method of communication.
    This means that the main transmitter senses changes in the energy load as a method communication. The RFID tag just gets its power from the magnetic carrier and changes the magnetic load to communicate. This makes it more difficult to snoop than RF because the energy and communication transfer is bound into a closed loop.
    One other point, magnetic load technology has a range that is proportional to the antenna. A 18 centimeter antenna has a range of 18 centimenters if it is built correctly. With a fundamental frequency of 13.56Mhz, the theoretical maximum range is 3 meters (16% of wavelength is the maximum range for the near field). This means that you would need a 3 meter (~10 foot) antenna to reach ten feet. People would tend to notice this.

    Just some info.

  21. The Raw Facts... by AsnFkr · · Score: 4, Insightful

    ..are that your credit card number is everywhere. If people want numbers, they will get them. If they get yours - then thats bad luck. All you have to do is keep an eye on your credit card statements and make sure all the charges are yours. If they aren't call the credit card company and tell them. It's easy as pie. I kills me when I see people overly paranoid about thier CC#'s. I mean, comeon...you go to a restraunt and GIVE your waitress or waiter your card to carry across the room away from your eyes and run it through the machine. If they wanted, it wouldnt be hard for them to copy the numbers. Then..up on the net in a flash. Point being...security for this type of thing is nice, but don't let yourself get lazy depending on it. Keep checking those statements!

    --


    adventure-today.com
  22. This could be secure if..... by G4from128k · · Score: 2, Interesting

    The two most common threats to consumers who would use the system would seem to be:

    1. Charge Theft: the thief charges your card by bringing a payment terminal near you. This depends on the security of the payment terminals. If the credit card processing system authenticates the terminal, then it would be hard for the thief to use the terminal to get the money. Even if the thief steals a terminal, the only thing that would happen is that the money would go to the retailer where the thief obtained the payment terminal. The real threat comes from a home-made or modded terminal. But this approach also requires a break in to the credit card processor to hack a record for the hacked terminal to ensure that charges to that terminal goes to a destination of the thief's choosing.

    2. Card Theft: the thief remotely steals a person's card. This seems highly unlikely. The card would need to provide enough data in a reasonable number of monitored transactions to enable the thief to deduce how the card would respond to any future transaction. I would assume that the system would use a highly encrypted challenge-response system that would make it hard to reverse engineer the parameters for the response from a reasonable number of data points. But if someone hacks or steals the algorithm that is used to create the cards, then all bets are off.

    It seems like the system could be secure if the encryption is sufficiently good and the data terminals are well controlled.

    --
    Two wrongs don't make a right, but three lefts do.
  23. ATM Fraud by sfe_software · · Score: 2, Interesting

    There's lots of discussion about how someone can just sniff the transaction or plant hidden RFID readers, and they are being debunked by the fact that there's some sort of challenge/response encryption.

    Fine, except given that some thieves have gone as far as to obtain a legitimate ATM machine to steal ATM card/PIN numbers, how much more difficult would it be to obtain an RFID credit card reader? Whatever public keys or key database a scanner needs would be taken care of, as it would all be purchased/leased for a seeminly legal purpose. At this point it would be trivial to plant the reader in a location that people tend to walk by, and unless there's some kind of PIN verification, you've got all you need.

    Thus, the user doesn't even have to knowingly make a transaction as with the ATM scams.

    If there's PIN verification, an on/off switch, or a lead protective storage pouch... then we're in the same place we're at now; but if all it takes is the user to click "OK" on the scanner, then obviously there's no security there (only against accidental scans at a legitimate establishment).

    Any thoughs?

    --
    NGWave - Fast Sound Editor for Windows
  24. That's Narrow-Minded by cjsnell · · Score: 4, Insightful

    Who says that it has to be that insecure? I envision a little device that goes on a keychain (similar in that respect to SpeedPass), which has a little button on the side of it. You squeeze the button as you pass it over the scanner. Only when the button is squeezed does the transmitter in the device emit anything.

    BTW, why are you so paranoid about a contactless credit card? Do you eat at restaurants and pay with a credit card? Chances are, if you do, some potentially sleazy waiter has taken your credit card out of your sight for a few minutes. Not only can he copy your card, chances are that he knows what city you live in and can then get your home (think billing) address out of the phone book. On top of that, he can look at what kind of clothes you wear and car you drive and make a guesstimate about your credit line.

    1. Re:That's Narrow-Minded by toast0 · · Score: 2, Interesting

      I think the reason to get paranoid is that the new technology may make the card issuer more reluctant to refund fradulent charges.

      For instance, on verified by visa/mastercard authenticode transactions, the merchant is not liable for chargebacks if the card holder says they didn't make the purchase.

      --
      Need a Catering Connection
  25. 2066 by Dylancable · · Score: 2, Funny

    In next issue, How to create a wifi cc reader.

  26. Things that consumers should avoid by mabu · · Score: 2, Interesting

    This is just IMO FWIW but I believe RFID is one of many types of new services that really are more dangerous and insecure than they are beneficial. Technologies such as this shift the burden of responsibility from the merchant to the consumer. The big corporations have a vested interest in doing this and they engage in PR campaigns to snow-job consumers into thinking that their new products are better, when they are worse.

    Here's a sampling of examples of things I'm talking about that consumers should avoid:

    * RFID

    Tremendous security & exploitation potential; virtually no discernable advantage to using this technology. Corporate interests claim the adoption of RFID will help reduce costs and curtail shoplifting and fraud. There is no real evidence to support this and consumers should be suspicious of this technology.

    * Debit and ATM cards

    Tremendous security and fraud potential. Not covered under many existing laws regarding credit card fraud. Regular credit cards are much more useful as the consumer shifts the burden to the merchant to prove a transaction was valid before paying for anything unauthorized (generally speaking but some banks have similar "consumer protections" they *claim* but credit card fraud protection is covered by Federal law). With debit cards, you lose and the burden is on you to prove the transaction is illegitimate. These are gimmicks designed to make money for the credit companies and give consumers less fraud protection. All the hype about identity and credit card theft is blown out of proportion and further used to scare consumers into, ironically, using technology that actually is less secure.

    * Rebates

    Misleading advertising; basically a tax on laziness. People should avoid purchasing anything that offers a rebate unless it's instant at the POS.

    * Considated utility services

    It's really bad to have multiple cards from the same bank, or use a single company for internet, cable and local phone service. The first time there is a billing snafu, every single one of your credit cards will be declined (if they're from the same bank - Citicorp loves to do that shit) or you lose phone, internet and cable TV if you're foolish enough to use one company for all these things.

    In addition to that, there's the huge security and privacy issue of having one large company handle so many of your essential financial services and utilities. It's much more likely the information will be used against you than to enhance the quality/convenience of your life, so don't buy into the hype these companies spew about the "all on one bill convenience" they offer if you use one company for multiple services.

  27. My Wallet by KalvinB · · Score: 3, Funny

    now wears a tinfoil hat.

    Ben

    --
    Work Safe Porn
  28. Re:Only more stupidity by mabu · · Score: 2, Insightful

    Where you really get screwed is not the change in the technology from mag stripe to RFID. It's the banks switching you from a true credit card, to an ATM/debit account. Then you're not protected by law for the consequences of fradulent transactions.

  29. Security.. bah. by mindstrm · · Score: 3, Insightful

    Look. Here is what I care about with my credit card:

    - If reasonable proof can't be shown that I personally authorized a transaction, I will not be held responsible for it.

    That's it. That's all. The line of credit is between me and the issuer... the card is simply a token that represents that. Historically, you had to be there in PERSON to use one.. but everyone looks the other way for convenience, online work, etc.

    I don't care what method visa or whoever comes up with to represent that token. If it's less convenient for me, I won't use it. If it somehow rips me off, I won't use it. If it makes me more liable for fraud, I won't use it. If they take all the risks, I don't care if it's a smart card or a credit card or a proximity card.

    Now.. that said.. having proximity cards / RFID type cards does bother me.. it seems like a bad move. It doesn't give ME, the customer, anything I really want. So.. it simply won't fly.

    I won't have my credit card dictated to me.. its' not about the card, it's about the agreement... and about credit.

  30. Re:DoS vulnerable ? by KrispyKringle · · Score: 3, Informative
    I'm not an electrical engineer, but Google turns up this page for security proximity cards, which are essentially the same product.

    The card is usually passive (without an internal battery) and consists of an antenna and an RFID ASIC (Application Specific Integrated Circuit). During operation, the transmitter sends out an electro-magnetic wave to establish a zone of surveillance. When a card enters this zone, the electromagnetic energy from the reader begins to energize the IC in the tag. Once the IC is energized, it goes through an initialization process and begins to broadcast its identity.

    So it seems like the cards use induction to get just enough juice from the radio waves to power their internal circuitry. No battery needed.

  31. Well lets see...Moo...ving money. by Anonymous Coward · · Score: 2, Funny

    "Nothing like tapping into the cowstomer's (sic) impulse buying, especially in the US."

    I believe that Gateway has a patent on that.

  32. Bad deal by acidrain69 · · Score: 3, Interesting

    It is ONE LESS form of identification for someone to have. Instead of having a credit card with your signature and possibly picture on it, now you have a little piece of plastic with some embedded silicon that the sales person doesn't even have to LOOK at to verify you.

    How is having some bits in a RFID chip any stronger security-wise than having bits on a magnetic stripe?

    There is no consumer benefit to this. The only one who benefits is the company making the sale because it makes things easier to buy. That's just what we need. As if things werent' easy enough to buy already.

    The only POSSIBLE benefit I can see to this for a consumer is it sounds more durable; no stripe to get worn down.

    --
    -- Having a Creationist Museum is like having an Atheist place of worship
  33. Re:PIN by toast0 · · Score: 2, Insightful

    The card itself (checked a mastercard and a non-credit atm card) says 'Not valid unless signed', which would lead me to believe a merchant should refuse transactions from people with Check ID written on the card, unless they happen to be named 'Check ID'

    The merchants who really care about the id of their purchasers ask to see my fake id when i use a stolen card anyhow.

    --
    Need a Catering Connection
  34. this would actually be easy to make secure by sbma44 · · Score: 4, Interesting
    RFID is inherently a passive technology. But don't confuse passive with always-on.

    Why can't we just put a button on the little RFID dongle you would put on your keychain? Answer: we can. And this is what the CC companies should do. I know, speedpass doesn't implement it. But it would be very, very simple to do and go a long way toward easing my fears about this. I'm envisioning something similar to a Photon light.

    Even better, why not pair it with an always-on RFID in your wallet, and only allow transactions when both are present? This'd prevent simple theft by valets, pursesnatchers, etc.

  35. In Store Sensors by nurb432 · · Score: 2, Insightful

    With those things, the store could identify you as you come in, and target in store ads for you, using previous purchases as a guide.

    Or once we have tagged currency, they can see if you can even afford to be in the store or not..

    And provide records to the government, ' ya he was in our store at such-and-such a time date' ...

    --
    ---- Booth was a patriot ----
  36. Liability by mindstrm · · Score: 2, Informative

    Actually, the liability is usually $50 MAX *if* the card is stolen, and then, only before you report it.

    If it's just fraudulent use, but your card wasn't stolen, you are not liable for a penny.

    Further, this $50 liability is somewhat misleading, as the credit card company cannot charge you unless they can prove that you authorized the transaction....

    If there is no signature, and no evidence that you yourself received the goods... (say they had no signature because it was an internet purchase, but the shipping address was your house..... thats' good evidence that you authorized it)

    they can't charge you a dime.

    If your agreement says something other than that, you need to shop around.

  37. I wish you people would read the article first... by Anonymous Coward · · Score: 3, Interesting

    ...but this is slashdot, after all.

    However, the thief would have to get quite close to his target or have a very sensitive reader.

    Hmmm. Build a powerful RFID reader and walk through a large crowd of people collecting RFID numbers. Warwalking!

    Also, the account number on the contactless cards is useful only in the RFID system -- it's not the same as a user's credit card number. A crook would thus not be able to use the card number to go on a fraudulent Internet shopping spree, for example.

    But you could use it in person - build a RFID transmitter. After, the key fob never has to leave your pocket - how does the clerk know if it's real or the PDA-sized RIFD cloner in your pocket.

    American Express makes the RFID reader verify the card's authenticity with a "challenge-response" exchange that depends on 128-bit encryption encoded on the chip. That strength of encryption is considered safe against "brute force" attacks, in which a hacker tries every possible combination.

    It's good to know that some people have a clue in designing a secure system.

    MasterCard says it uses a different security system but would not provide specifics.

    I'll reserve judgment.

  38. RFID = symptom of the real problem by carcosa30 · · Score: 2, Insightful

    You know, I share the concerns about RFID and pervasive cameras. But these are symptoms of the true problem, which is a spiralling police state in the US (as well as elsewhere) which is arrogating more and more authority to itself and behaving more belligerently.

    It's also starting to intimidate dissidents.

    If we could trust the government and corporations (yeah right) RFID would be no problem at all.

    Since we can't, attacking RFID and other intrusive surveillance technologies is only applying a bandage to a gangrenous wound.

    --
    Intolerance for ambiguity is the mark of the authoritarian personality.
  39. Re:Unless it's encrypted ... by pjwhite · · Score: 2, Insightful

    I have a Speedpass, and it doesn't activate the "hot spot" on the pump until it's less than an inch away. There's really not that much difference between the Speedpass and a credit card with no visible markings, except that you don't have to remember which way up to put it in the card reader.

    Security concerns about someone "scanning" a credit card using this radio technology from a distance is probably unfounded, unless you have it in your wallet and sit on the scanner.

  40. It is NOT paranoia!!! by instarx · · Score: 2, Interesting

    Although it is no joking matter, I for one welcome our new government "Patriot Scanning System" overloards.

    Seriously, this technology is so dangerous it is not possible to be paranoid about it. We're concerned about a technology that will allow governments to track all its citizens at will, without their permission or knowledge. Here is a scenario:

    You are walking down a street and a passive RFID detector senses your card. The RFID sensor belongs to the Homeland Security Administration's new "Patriot Scanning System" and the data is fed to a government computer that says you, Joe Blow, is in front of the opposition political party's office (or the gun shop or the AIDS clinic, the police station, or the Right to Life office - you take your pick). And it does that thousands of times a day for thousands of people. It also knows who you are with so the government now knows your associates. The next time you go to a government building you are stopped and held for questioning because...? You went to a right-to-life meeting and then to a gun shop and then to a hardware store. All of those were perfectly legal actions, yet you now have a red flag on your name in the computer that shouts "potential terrorist".

    You just won't carry credit cards, you say? Riggght, but even then so what? All the RFID tags in your clothes from Eddie Bauer or KMart will have RFID tags in them so the government computers can track you with those as well. All you have to do is walk by a single detector and all your RFID tags are thereafter associated with you forever, and each tag "infects" any new tags each time you walk by the government's "Patriot Scanning System".

    The government can know whenever you go to an anti-war rally or an anti-abortion rally or a pro-abortion rally or an airport or a train station or a protest against the administration...or, or, or. Think about it - is it so outlandish to think of the government having agents walking through the crowds at political rallies gathering ID information from credit cards?

    And PLEASE, don't anyone give me that absurd argument that "if you're not doing anything wrong why do you mind the government knowing everything you do?". I'm a patriot and that WHY I mind.