Slashdot Mirror

← Back to Stories (view on slashdot.org)

Radio Credit Cards Move Closer

Posted by timothy on from the walk-by-mugging dept.

pvt_medic writes "CNN.com has an article about research that some major credit card companies (MasterCard and American Express) are putting into creating 'contactless' credit cards. These are similar to the Speedpass that ExxonMobil has been using for six years. What to people think about the prospect of this more widespread use of RFID? Is this something that will only lead to more credit card fraud, or will it provide more secure means of payment?" (The article comes from the Associated Press.)

17 of 295 comments (clear)

  1. Well lets see... by AuMatar · · Score: 4, Insightful

    We have a method of payment that can subtract electronic mone from your account, with no input from you, and without your card ever leaving your wallet? Yeah, thats a great idea....

    --
    I still have more fans than freaks. WTF is wrong with you people?
    1. Re:Well lets see... by cpu_fusion · · Score: 5, Insightful

      > you better damn well believe
      > it's gonna be as secure as possible

      Oh yes, like the wonderfully secure state of credit card use on the Net right now.

      It won't be *secure as possible* ... it will in fact, be as *secure as deemed needed* by beancounters. Those beancounters offset the minor inconvenience of a few hundred thousand people who have to deal with the shock & scare of being ripped off by holes in the new technology with the economic boost of a few more million people using their particular flavor of credit card.

      Sure, the credit card companies might cover the losses (*might, after you fight*), but there's nothing like seeing a huge charge on your credit card, that you didn't make, and having to go through the hassle of getting it resolved.

      Don't blindly think they make things "as secure as possible." That's not the economics of it.

    2. Re:Well lets see... by asr_man · · Score: 5, Informative

      Wrong. RTFA. Consumer gets to make final "accept/reject" on purchase after card is scanned. Also, card includes challenge/response authentication (AMEX at least, MC we aren't told). As the article clearly states, knowing the RFID card number does not give a thief any practical means to use it.

    3. Re:Well lets see... by SurgeonGeneral · · Score: 5, Insightful

      We have a method of payment that can subtract electronic mone from your account, with no input from you, and without your card ever leaving your wallet? Yeah, thats a great idea....

      I see a great number of redundant posts all throughout stating this same idea.

      I think you guys are being more than just a little shortsighted. You read something about a RFID credit card and jump to a horrendous number of conclusions about how this technology will be used. Give it a little thought:

      The most likely candidate for a technology to be paired with this is Biometrics. We're all quite familiar with this technology, and its easy to see how it would be coupled with RFID CCs.

      But we can come up with something a little less "futuristic". I belong to a tennis club that uses RFID encoded cards for entry in to the building, but they are also used for purchasing food. What happens? You swipe your wallet (containing the card), and the computer in front of the salesperson (yes we have those nowadays) brings up a picture of me and all my personal information. If anything seems fishy, they ask for a signiture.

      Now considering that this technology is not going to be immediately implemented, and will not be forced upon the general public, I think we can give at the very least a few more years before it becomes ubiquitous. In that case, use your imagination (I know its hard since tech evolves so quickly) to come up with some solutions to the pedantic and generally trivial questions just like this one that everyone is posing.

      --
      -- "Man is born free, and everywhere he is in chains." Jean Jacques Rousseau
    4. Re:Well lets see... by KrispyKringle · · Score: 4, Informative
      Yes, let's look at protocols that use challenge-response. Kerberos uses a modified challenge-response method. Windows NT prior to 2K and XP used challenge reponse, now they use a modificaiton of the Kerberos method. VNC uses challenge-response, if I remember right. HTTP digest authentication uses challenge-response. Many mailservers, (POP and IMAP, as well as SMTP) use challenge-response (CRAM MD5). The notion of challenge-response is itself secure, if implemented properly.

      Offhand, I can think of two big ways to screw up the implentation:

      Replay attacks - if the challenge is consistent through multiple authentication sessions, an attacker can reuse a hash response from a previous session. The solution is simple; better psuedo-randomness (using the date/time is a pretty poor idea, since an attacker can simply challenge the card with a date in the future and retrieve the needed response).

      Poor hashing - if the hash used on the response is reversible, the password is right there for the taking. Solution, use something known to be strong, like blowfish or MD5.

      Assuming the makers aren't stupid, they have a cryptographically secure system on-hand. You make an assumption based on a few out-of-context or unrelated cases that all security is useless. This is silly; while I don't have a lot of faith in secure systems as a whole, the flaw is rarely in the cryptography backing them, if it is implemented correctly. The reason for this is obvious; cryptography, and computing complexity, are easily-understood enough that developing mathematical models for security is easy. For example, we know--or rather, we believe very fervently, but cannot prove--that factoring large numbers is very, very difficult. Therefore, we trust RSA when implemented properly. Similarly, we know--or at least believe very strongly--that certain algorithms are very, very difficult to reverse. Therefore, we trust that if a bad guy gets our password file, he can only try to find our passwords via brute-force.

      The difficulty of sniffing and cracking the protocol used is probably much greater than that of simply getting a waiter at a restaurant to swipe the cards of customers through a skimmer (traditional cards, that is). And security is really not about absolute security; it's simply about making sure that defeating is is more trouble than it's worth (I believe Bruce Schnieder said this, but I could be mistaken).

    5. Re:Well lets see... by SpaceRook · · Score: 4, Insightful

      I think this will help push sales if customer's spend less time in line. There have \been times where I've been waiting in line and thought, "Y'know, I don't REALLY need this 25 pack of CD-R's right now. I'm going to put it back on the shelf."

  2. Rejoice! by drewbradford · · Score: 5, Funny

    This will make charging people to walk past my house much easier. In the past it's been tough for me to collect the $50 that I charge.

    1. Re:Rejoice! by G-funk · · Score: 4, Funny

      Sigh, why did this guy get marked as a troll?

      Yeah I agree... Sure, if he wanted to charge people to walk over his bridge, but past his house? Cummon, people! :-)

      --
      Send lawyers, guns, and money!
  3. Faster than cash? by Isopropyl · · Score: 5, Funny
    "In some instances it's faster than cash," said Betsy Foran-Owens, a MasterCard vice president. "You're eliminating the fumble factor."

    I agree. Nothing's more annoying than handing someone $10.15 for a $5.15 bill and watching the other person take out a calculator.

  4. Scanners by alset_tech · · Score: 4, Insightful

    Another reason to sniff the wireless frequencies. You may not be able to get into most cell networks these days, but this will bring all kinds of fun the the quest. Someone will figure out how to hack this inside three months. At least right now I have to match a signature (though nobody checks the card) and my debit card has my picture on it. God knows I won't want to get one of these.

    --
    Standing on the shoulders of giants.
  5. No Problemo by the+eric+conspiracy · · Score: 5, Funny

    I predict a booming market in shielded wallets.

  6. The merchant never touches it? by rMortyH · · Score: 4, Interesting

    The idea that the merchant doesn't have to touch the card makes it pretty unlikely that they'll check the id and the signature of the buyer, so this encourages fraud. It should at least require a PIN.

    Also, there is no way for the customer to control access to the card. My sister recently picked me up at Kennedy airport, and as she was holding the parking fee money out the window, the attendant charged the fee to her EZpass because he was too lazy to look up. There wasn't enough room on the pass so she got hit with a penalty. He wouldn't even look up from his paper when she complained.

    So you'll have to keep your card in a metalic wallet, because the lack of physical contact means you can't really control when it's accessed.

    It's interesting that I can build a wand and get someone's information off the license in their pocket. Now you could potentially get their credit card number too.

    It may be slightly faster, but beyond that I don't see how it's better for the consumer or the business.

  7. prove it by mabu · · Score: 4, Interesting

    I am always suspicious of any new technology whose benefit isn't readily obvious to its potential market. So the value of RFID cards are that you don't "fumble" as much? That's ridiculous. Most outlets allow the customer to swipe their own credit cards, so what is the difference between holding it in front of a reader and swiping it? I know some idiots can't line up the mag stripe on their card sometimes, but do we really need a whole new technology because of that?

    It's obvious where the benefit of this is: surreptitious extraction of information and account data. Sit down on a bench with a reader in it, and all your credit card data was just captured. Walk in the door of an establishment and your RFID cards are scanned and the next day you get junk mail.

    I feel the same way about "debit cards". These afford the consumer less protection and security than credit cards (which are protected under the Fair Credit Billing Act of 1976) yet this new gimmick was foisted upon consumers offering more convenience. BS.

    No thanks. This is not any technology that benefits consumers from any angle I can see.

  8. Re:Credit Card Theft? by KrispyKringle · · Score: 4, Informative
    That's now how challenge/response works. See here.

    Basically, the idea is that if both you and the authenticator know the secret password, but you don't want to transmit it, the authenticator sends you some random chunk of data, say message M. You encrypt it using some (presumably one-way) algorithm, using your password as the encryption key to create W. The authenticator also encrypts the same chunk, and, when you send back your W, compares it do his own known-good W. Assuming they match, it means you have the password. The password itself is never sent plaintext.

    You seem to be assuming that there is one secret key for the whole system. This would be completely useless, and is obviously not the case. You would need one secret key per person, as I'm sure American Express knows.

  9. The Raw Facts... by AsnFkr · · Score: 4, Insightful

    ..are that your credit card number is everywhere. If people want numbers, they will get them. If they get yours - then thats bad luck. All you have to do is keep an eye on your credit card statements and make sure all the charges are yours. If they aren't call the credit card company and tell them. It's easy as pie. I kills me when I see people overly paranoid about thier CC#'s. I mean, comeon...you go to a restraunt and GIVE your waitress or waiter your card to carry across the room away from your eyes and run it through the machine. If they wanted, it wouldnt be hard for them to copy the numbers. Then..up on the net in a flash. Point being...security for this type of thing is nice, but don't let yourself get lazy depending on it. Keep checking those statements!

    --


    adventure-today.com
  10. That's Narrow-Minded by cjsnell · · Score: 4, Insightful

    Who says that it has to be that insecure? I envision a little device that goes on a keychain (similar in that respect to SpeedPass), which has a little button on the side of it. You squeeze the button as you pass it over the scanner. Only when the button is squeezed does the transmitter in the device emit anything.

    BTW, why are you so paranoid about a contactless credit card? Do you eat at restaurants and pay with a credit card? Chances are, if you do, some potentially sleazy waiter has taken your credit card out of your sight for a few minutes. Not only can he copy your card, chances are that he knows what city you live in and can then get your home (think billing) address out of the phone book. On top of that, he can look at what kind of clothes you wear and car you drive and make a guesstimate about your credit line.

  11. this would actually be easy to make secure by sbma44 · · Score: 4, Interesting
    RFID is inherently a passive technology. But don't confuse passive with always-on.

    Why can't we just put a button on the little RFID dongle you would put on your keychain? Answer: we can. And this is what the CC companies should do. I know, speedpass doesn't implement it. But it would be very, very simple to do and go a long way toward easing my fears about this. I'm envisioning something similar to a Photon light.

    Even better, why not pair it with an always-on RFID in your wallet, and only allow transactions when both are present? This'd prevent simple theft by valets, pursesnatchers, etc.