DoCoMo Starts Cell Phone Smart Card Trial
virtualXTC writes "The Japanese phone company NTT DoCoMo and electronics giant Sony will begin a trial of cell phones with embedded smart cards with speed pass-like capabilities that will allow the user to purchase anything from travel passes to movie tickets just by placing their cell phone near an electronic reader. Potentially the smart card 'can serve as an ID card, travel pass, or login for a corporate computer network, all at the same time'. If they'd just attach a money clip to it, I could get rid of my wallet entirely."
Sure, electronic payment is convenient, but nothing says anonymous like cash.
While I love this idea in principle, I do have a few concerns before I welcome our new overlords.
What about standards? The article compares the smart chip technique to credit cards, but credit cards use a pseudo-standardized magnetic strip methodology. Are retailers to have 10 different receivers sitting at their POS terminals for 10 different cell phone/smart card providers? Along these lines - adopting early could be dangerous as one may invest in hardware that does not conform to the final standard and therefore be useless.
What about security? Until more information about how the protocol works, how security is maintained, and exactly how one can control what information is broadcasted is released, can we really trust this technology with our personal information? And this doesn't even begin to cover eavesdropping. (My tinfoil hat may be disrupting my thinking here)
When I hand my credit card to a clerk, I know exactly what information will be gleaned by the scanner from the magnetic strip. It doesn't change. What happens when I get a firmware upgrade on my phone? Can I trust that I am still secure from unauthorized access or even that my phone/ID/credit card gizmo is still only transmitting information that I approve?
One interesting alternative to this close-contact technology would be an internet-based alternative. In this scenario, my phone would use XML over SSL or some other standardized system to tell my provider to tell the POS that I am there and to relay what other information is necessary. Using this method, software-based upgrades could take care of standardization without any modification to hardware.
How many roads must a man walk down? 42.
DirecTV calls all of these "smart cards readers" pirate devices. DirecTV Defense
serve as an ID card, travel pass
behold, they know your every move
Most cell phones already have more memory than this.
..sew your cellphone to your hand.
Guy 2: Sure, why not. My night minutes are free anyway.
Guy 1: *Swipe* Thanks.
Guy 2: Hey, did you just buy movie tickets?
Slashdotters are stupid and biased.
My wife loses/destroys cell phones like crazy. Much less her wallet... I would not like this one for her...
...remember good 'ol times when IP used to mean Internet Protocol....
Cellphone allows users to swipe and go
15:23 16 December 03
NewScientist.com news service
A trial starting on Wednesday will allow thousands of Japanese mobile phone owners to use their phones as a swipe card to pay for purchases, as travel passes, and as concert and movie tickets.
The trial is the first to embed smart cards within the phones, and has been set up by phone company NTT DoCoMo and electronics giant Sony.
Like other "contactless" smartcards, the user simply has to place their phone near a reader to exchange information. This does away with the need to have printed tickets or passes. So, for example, a cinema ticket could be bought using the phone's online features, with a swipe of the phone giving entry to the screening.
The convergence of these two technologies is attractive and technically quite straightforward, says Rob Bamforth, an analyst with Bloor Research in Bletchley, Buckinghamshire, UK.
"Mobile phone systems are already built to be secure and already have different payment models," he says, and most people now carry them in developed countries.
Multiple functions
The cards in the trial are capable of storing about two kilobytes of information, enough for it to perform multiple functions. For example it can serve as an ID card, travel pass, or login for a corporate computer network, all at the same time.
As people increase their use of phones for retail purposes, the role of the mobile phone operator may change, Bamforth told New Scientist. "It makes them more analogous to credit card companies."
The Japanese trial will run until summer 2004 and during this time thousands of specially adapted phones will be handed out to employees of the 25 companies that are participating in the scheme. Services will include being able to buy tickets and check-in at airports using their phone.
Swipe cards have long been used on public transport systems in Japan. The smartcard technology being used in the phones, called FeliCa, was originally developed by Sony in 1988.
But what sets the new trial apart from other smartcard systems and from previous electronic wallet schemes is the ability of the phone to store a receipt of a purchase on the smartcard chip within the phone.
Duncan Graham-Rowe
HOW'S MY POSTING? CALL 1-800-POSTING
Welcome our new SMARTER cellular overlords
This will be great for the phone sex hotlines.
Will make it easier for thieves to steal but limit and possibly track them as well. All the thief would have to do is walk up to the register and the victim's card is charged. KA CHING It becomes a race, how long can the thief use it before it's discovered stolen and they have to leave it in the subway? Do the police keep the phone running and charges piling up but use the phone to trace the thief to his residence? Is the encryption used by the phone/wireless any better than the encryption used by standard wireless cards (i.e. how easy is it to sniff for credit card numbers).
The world of thievery just got more interesting
AngryPeopleRule
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
I am not sure if I want it suddenly to hold all of my cash as well. It holds all of my personal information, dates and phone numbers, and if someone was clever they could find out a lot about my servers. So currently, I believe that I have too many eggs in one basket with the functions that it carries out now. To expand those to include purchasing seems to be inviting disaster.
What the hell do I do if I lose it?
who grabs your phone from using to purchase lots of things all on your dime until you can properly report it stolen (assuming you're not in a coma from the blows to your head)?
I'm going to print up a tshirt that says on the front back and sleeves
"By reading this shirt or walking within 3 feet of me, you're obligated to pay me 1 cent." I'll then just carry a small antenna that'll attempt to connect to the nearest smart card device and charge it 1 cent.
I know the figures in the high 80's for the number of people who now own cell phones. I can now quit my job and just walk around the mall collecting my "toll".
Yes Francis, the world has gone crazy.
"Sure, electronic payment is convenient, but nothing says anonymous like cash."
Comfort is a full wallet. Broke is an empty bank account. Prosperity is a job.
We might never have to use our wallets or purses again... walk into a shop and pull out your cellphone to pay. You could use it as a cheque book or a credit card. But there is a possibility of crackers stealing your hard earned funds. The designers will need to think about adding extra security to stop the crackers.
----- Friends, l33tists, l4m3z0rs! Lend me thy keyboards.
As a retailer, I can say that there is no way I'd spend money accepting something like this. At least not for many, many years. Look at the current retail environment... it's being destroyed by people shopping online, cutting into margins. Most retailers STILL don't accept Amex (I do), even though accepting Amex takes a 5 minute telephone call, and $0 additional investment. Hell, it took the fast food chains many years to ever take credit cards. Considering how much $$ this is going to cost us as retailers, I can say that there's no way in hell I'd do this until it becomes very, very universal, and a large number of customers start asking for it (no, 1 or 2 geeks doesn't count as a large number of customers). Credit cards work just fine, anyway. This is another solution to a non-existent problem.
Well you can get her some kind of identity/money carrier that she will not lose...like a husband.
"If they'd just attach a money clip to it, I could get rid of my wallet entirely." .. ehm, yeah, that was a clever thing to say, seeing how the point of this new technology is to get rid of change, and the need to carry cash around...
"These devices will be test marketed to the nigger community, who will buy anything that's featured in a hip-hop video."
Nothing says 'anonymous' more than cash, and cash still goes places where American Express/Visa/whatever have not been, and probably never will be. Bills still talk a lot louder than plastics...
And it doesn't cost anything for the 'privilege' of spending your own damn money when you use cash...
Kinda tells you something, when the world of 'credit' is starting to favor people who the creditors know will default and be indentured for years upon years to come......
There's no wrong way, to eat a Rhesus...
On the upper west side of manhattan, they tried a "money on a card" program. Chase and Citibank. You could put it on an ATM card with a smartchip or, like I did, just ask for a card, give them cash which value they xfer'd to the card and leave. No names, no signing anything, etc.
It was a huge P.I.T.A. to use it, but I put that down to testing where clerical help are not necessarily the brightest sticks in the bundle :)
However I never renewed mainly because this was cash equivalent. Exactly. With no PIN on the card or ANY protection, you swipe my card, you have my cash and can use it. The minor addition of a PIN would have made it better than cash in that it's not a theft target.
A friend who did this on his ATM card played with it and said: "Oh wait, my ATM card now has value to a mugger? Great."
So in the end, its big feature was what a friend called: "Just like cash, only you can only use it in certain places and it's a pain in the ass." Pathetically, their only marketing point was "you don't have to dig for the right change anymore." (as using currency is really hard for people to handle after 3000 years.)
I'm going to presume that with DoCoMo, you have to AUTHENTICATE the transaction. That someone with a reader can't walk by you or sit in front of your seat and transact your money to them.
There is an opportunity to do it well: anonymously and correctly.
A GSM chip needn't be attached to a phone or an ID (so the guy whose wife kills phones would be fine - all European phones I've used are chipped.) Move the chip to another phone and it's "your phone" immediately.
Do that with a cash chip, and I can send money from one phone to another.
I can rePIN it and pass the chip to Mom and just tell her the (new) PIN.
I can do this all untraceably, but verifiably. This isn't new. Electronics help, but it's been doable for quite some time. Again, David Chaum has done good writings on this topic.
"We hope the United States will open more to China, especially in the high-tech sector."
I will set up a merchant account, and create a portable reader with enhanced sensitivity. I will then walk around in crowded areas, and my reader will automatically charge every enabled cell phone it can contact. The victims will never know what happened, until they look at their statement. This is even better than identity theft!
Just walk close to a person utilizing one of these devices and receive the signal.
Easy use being the key, all I hear is that you just "wave your phone" at the point of purchase to conduct the transaction.
Nothing about entering a PIN or pressing a key to "accept" the transaction....that would reduce the level of ease to the current one where you slide a card and enter a PIN.
So just like card "phishers" quickly took advantage of handheld card readers to swipe credit cards in restaurants during the time the card was supposedly being taken by the waiter to pay for the meal, portable RFID readers (that's essentially what these things are) will crop up to steal any freely broadcast or "in-response to query" signals these things send.
Sometimes technology makes things more complicated.
Possibly the need to enter a PIN on the keypad.
It would be easy, for example, to have the phone require a PIN to decrypt a key stored in the phone, which stores your CC number. After you enter the PIN, you have 30 seconds to swipe the phone before it expires the PIN.
Those features aren't so far fetched. In fact, why does any of that require "smartcards" in the phone? How about just the crypto features on an authentication vCard + credit card number, and a standard protocol over Bluetooth, IR, SMS, or 3G-HTTP? Scandinavians can buy snacks and pay parking meters with their phones, so why jump through a "smartcard" hoop just to get a talking wallet?
--
make install -not war
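An added example, not part of the post above or of any DoCoMo/FeliCa code: a sketch of the PIN-gated scheme that comment describes, where the PIN unwraps a stored key and the unlock expires after 30 seconds. It goes one step further than the post by having the phone sign the reader's challenge instead of releasing a card number; `PhoneWallet`, `issuer_verify`, the three-try lockout and the XOR key wrap are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

UNLOCK_WINDOW_S = 30   # the post's "30 seconds to swipe"
MAX_PIN_FAILURES = 3   # assumption: wallet locks after three wrong PINs


class PhoneWallet:
    """Hypothetical wallet: the payment key is stored only wrapped under a PIN-derived key.

    Assumption: the wrapped key and failure counter sit in tamper-resistant
    storage; if they can be copied out, a 4-digit PIN can be guessed offline.
    """

    def __init__(self, pin, payment_key, clock=time.monotonic):
        assert len(payment_key) == 32
        self._clock = clock
        self._salt = secrets.token_bytes(16)
        # Wrap the random 32-byte key by XOR with a 32-byte PIN-derived pad.
        self._wrapped = self._xor(payment_key, self._derive(pin))
        # Check value lets the wallet tell a correct PIN from a wrong one.
        self._check = hashlib.sha256(b"check" + payment_key).digest()
        self._key, self._expires, self._failures = None, 0.0, 0

    @staticmethod
    def _xor(a, b):
        return bytes(x ^ y for x, y in zip(a, b))

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000, dklen=32)

    def unlock(self, pin):
        """Unwrap the key for UNLOCK_WINDOW_S seconds; False on a bad PIN or lockout."""
        if self._failures >= MAX_PIN_FAILURES:
            return False
        candidate = self._xor(self._wrapped, self._derive(pin))
        check = hashlib.sha256(b"check" + candidate).digest()
        if not hmac.compare_digest(check, self._check):
            self._failures += 1
            return False
        self._failures = 0
        self._key, self._expires = candidate, self._clock() + UNLOCK_WINDOW_S
        return True

    def respond(self, challenge, amount_cents):
        """Sign the reader's challenge, or return None if no PIN entry is in force."""
        if self._key is None or self._clock() > self._expires:
            self._key = None
            return None
        msg = challenge + amount_cents.to_bytes(8, "big")
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        self._key = None  # one approval per PIN entry
        return tag


def issuer_verify(payment_key, challenge, amount_cents, tag):
    """Issuer side: accept only a tag over this exact challenge and amount."""
    msg = challenge + amount_cents.to_bytes(8, "big")
    expected = hmac.new(payment_key, msg, hashlib.sha256).digest()
    return tag is not None and hmac.compare_digest(expected, tag)


class FakeClock:
    """Constructed clock so the 30-second expiry can be shown without waiting."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now


def demo():
    clock, key = FakeClock(), secrets.token_bytes(32)   # constructed sample key
    wallet = PhoneWallet("4821", key, clock=clock)       # constructed sample PIN
    out = {}
    c1 = secrets.token_bytes(16)
    out["walk_by"] = wallet.respond(c1, 100)             # no PIN entered: no answer
    wallet.unlock("4821")
    tag = wallet.respond(c1, 1250)
    out["approved"] = issuer_verify(key, c1, 1250, tag)
    out["second_read"] = wallet.respond(secrets.token_bytes(16), 1250)
    out["replay"] = issuer_verify(key, secrets.token_bytes(16), 1250, tag)
    wallet.unlock("4821")
    clock.now += UNLOCK_WINDOW_S + 1                     # window lapses before the swipe
    out["expired"] = wallet.respond(secrets.token_bytes(16), 1250)
    for guess in ("0000", "1111", "2222"):
        wallet.unlock(guess)
    out["locked_out"] = wallet.unlock("4821")            # correct PIN, but too late
    return out


if __name__ == "__main__":
    print(demo())
```
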
So let me get this straight:
I carry around an object that broadcasts what is functionally equivalent to my credit card info to any reader within close proximity?
And so the guys that usually pull credit card numbers out of the garbage, or from lost/stolen card, or from bank records, and make dummy cards that they use in stores* will now be able to set up a portable reader, put it in a pocket, and wander through a crowded subway car picking up credit card numbers without anyone noticing?
Why would anyone want this?
Oh, yeah. Because they want it to be more convenient to make purchases.
Sigh.
*this has happened to me THREE TIMES, including once by a ring of thieves that successfully used the dummy cards in three different airports in three different countries simultaneously, even as my bank's fraud department watched via computer with me on the other end.
I was under the impression that this is like the speed-pass thing, which just involves swiping and has no other actions. And there is no mention of passwords/pins in the article.
So someone gets their hands on a reader for these devices. This can be done by borrowing/stealing a reader from a store that has one installed or by someone who works at the manufacturing plant. Setup a power source and stick it in a backpack. Run a cable down to the reader which could either be in the pack or, if small enough, palmed in your hand.
As you walk through the streets, wave your hand across the phones of people standing around or as they walk by you. A laptop or PDA could be hooked up to the read recording in all the information.
The protocol/encryption is taken care of by the stolen hardware. No need to worry about cracking it.
--
Now if this system is based upon its own network, then the reader doesn't have to do any decryption of the data. It can just be forwarded down the line to the network's core. The readers essentially become dumb terminals.
But I doubt this is the case. Every smart-card reader system that has a core data store includes storage space in individual readers to store transactions in case the core goes down.
--
What this type of system REALLY needs, as do existing ones such as smart pass or that gas station token thing, is some sort of activation button that must be depressed in order for information to be transmitted from the card. This would make it much more secure.
This New Scientist article doesn't cover if such a function exists with these new phones but given past devices that we've seen, I doubt it.
I love you for not caring about it.
There's a lot of love in this room.
Visiting this past summer I saw a similar system in South Korea. The receiver looks like a big black eyeball (think HAL-9000) with a bright blue LED on top. They have these things all over - fast food joints, small markets (think 7-11), and on buses. Just put your phone near it, hit a button, and the charge goes onto your cell phone bill.
Seems like it was getting well adopted. I googled for it, but I can't remember the name exactly.
One observation I had when I was in Japan (Tokyo, specifically), was how everything was mostly done in cash, and I never saw a single person using credit card. That's not to say it doesn't exist, of course, but it seemed to me, a visitor, that Japanese are much more comfortable using cash for transactions, and credit card usage is not nearly as common as in the U.S.
That being said, then I wonder if they will take to the "smart card cell phone for financial transactions" thing readily. Most people do have phones, and the large number of vending machines and pay phones, and rail ticket machines that uses cash makes it unlikely that the people will abandon cash at all. So, unless they get to use this on the ticket machines and the millions of "conveniently placed and available everywhere" vending machines, I suspect it will not fly.
Cell phones now debit cards in S. Korea
Infrared lifestyle: South Koreans pay using cellphones
You swipe your phone next to it, and the thing spits back a message like "Chances are good for this purchase"?
As someone blessed to work with American Express as a client and a customer (both through business) I'd like to toss in a THEY ARE THE WORST COMPANY EVER. I don't have any idea why retailers actually agree to work with them, their rates are HIGH and their cards are barely more common than the Diners Club or the Discover card. As a customer I am buried in an avalanche of marketing promotions and *special deals* on luggage or travelers insurance. This is the one company that single-handedly reminds me that spam isn't solely an internet related problem.
Of course it's a good thing their rates are high, because flooding our mailbox must cost them a pretty penny.
</rant>
Quack, quack.
No keypad tampering / double readers (one real, one scam) / double swipes. Scan, enter pin and wait for confirmation. If it fails, just try resending the same confirmation. If it *was* hijacked by a fake signal which you erroneously approved, you'd notice because the store would continue to refuse it.
Throw in a little failsafe, like "Warning: Remote fingerprint changed compared to previous session X seconds ago" and maybe ultimately over GSM, like "Automatically contest this claim if someone tries this transaction, it was not completed successfully" to the bank.
I'd never accept confirmation-free, it could fire on anything from a brush-pass or the guy next to me on the bus/train/tram/subway. Even if it did work when the keypad was not locked, it'd take just as long to hit "Menu, *, "scan", menu, *" as it would take to do a 4-digit pin + "OK"...
Kjella
Live today, because you never know what tomorrow brings
Foo: What about security? ... And this doesn't even begin to cover eavesdropping.
Bar: From the description, this thing works just like Esso Speedpass dongles, in that, the thing needs to be within around 2 cm (1 inch) for it to trigger and transmit the needed data.
However, when Mobil first introduced the Speedpass, they also had a "Car Tag" version (still mentioned in the FAQ). It was larger, and mounted on the back window near the fuel cap. All you had to do was pull up to the pump, and an antenna above the pump would do the work. That implies an active distance of 6-10 feet, with a greatly increased vulnerability to eavesdropping.
I haven't seen the antennas lately, and this page implies that they stopped deploying the car tag after the Mobil/Exxon merger -- except in New Jersey, where mandatory full service would reduce the problem of tag spoofing.
The only way anyone could eavesdrop on or steal your CC number using this system is if he has his hands in your pants.
True with the keychain dongle, not true with the Car Tag version. And even if I were willing to use a Speedpass, I'd steer clear of the new Speedpass-enabled Timex Watch! Like the song says:
Beware, beware of the handshake / That hides the snake...
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
I, for one, welcome our new, corporate overlords.
Seriously, how can this sound like a good idea?
-- atomly
...the fact that they put it in a phone. You can already get electronic cash cards to use at some AM/PM convenience stores in Japan, and JR is going to expand their Suica rail pass system to be used for purchases in station stores (that uses the same Felica technology). Even two years ago, you could use a phone to buy pop at some vending machines by showing it a two dimensional bar code.
From my perspective, something like "this" could provide a great deal of value to consumers. Personally, I'd very much like to be able to consolidate a wide variety of physical access devices into a single token.
Case in point, right now I am carrying:
Car keys
Keys to my house
An ID badge for work
2 credit cards
drivers license
I would strongly prefer to replace these with a single charm. Moreover, a secure physical token makes key distribution much easier. With this said and done, there look to be some clear problems with the SONY / NTT DoCoMo implementation.
First: I don't think that they have the form factor right. It's too easy to lose a cell phone. They are bulky and annoying. I understand why SONY wants to promote a model in which people need to carry a cell phone 24 hours a day, but it's just not my cup of tea. I would much rather be able to embed this functionality within a class ring, an earring, or even an implantable microchip.
Second: I worry about the security implications. Today, the prevailing wisdom is that a layered authorization model is required to prove identity. Authorization is based on
(a) Who you are
(b) Something you know
(c) Something you have
The SONY phone is OK as a physical token, however, I didn't see much about the other two dimensions to the problem.
you lose the damn thing, or it gets stolen, then you're fscked, royally.
It takes much more effort to lose your wallet or get it stolen than to lose a cell phone that would replace your wallet.
Not only will they leave you with a huge phone bill, they'll buy all sorts of crap and charge it to you.
To the inventor of this concept, MINUS 5, STUPID...
Chapter 3: Non-standard embedded java implementations....
"If I decide to go to a Steakhouse, I have three choices for payment:"
1) Interac, which is essentially a mini-ATM which moves the exact amount from your bank account to the store/restaurant's bank account.
2) Credit card (everything's usually accepted).
3) Cash, which is the same as the ATM methods above (perhaps it's 2 options to some..).
I'm still surprised that the US has nothing like Interac in widespread deployment. Everywhere in Canada has had Interac for 8 or more years, yet US banks still only have it deployed in some US cities as a test case. Crazy.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Speedpass systems have a fixed ID. These will most likely read something from your SIM card to facilitate switching handsets, as many users do. With today's phones supporting SMS, GPRS, Bluetooth, etc, how long before someone finds a way to read your charging information from afar? 30' Bluetooth range? Getting an SMS from Russia?
Before all that other tomfoolery. Look at your wallet: it has your ID cards, money, a Diners' Club credit card, and pictures of your family.
What the hell do you do if you lose it?
I believe the wallet is having too many eggs in one basket.. but people have been getting along with those fine for centuries. The simple solution is to not be a careless fop with things that are valuable to you.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
The big question is will this save retailers money? The grand allure of "digital cash" is that you can do transactions and they won't cost $0.70 each and the credit companies won't get 3% of the transaction value from the merchant. They're more or less free!
In the world of commerce this is what counts. If it was just about "consumer convenience" we'd all just have credit cards and the credit companies would be dirty rich. Wait, that is how it is. Sickening.
Doesn't cost ME anything for using my credit card either, so long as I pay the balance by the due date. Granted the business that accepts my card pays a small % to the card company (and/or maybe a flat fee as well), I still pay nothing. I actually GET money for using the card too. There is a big misconception of people who never use a card and always hear about the horrors of credit card debt. You won't accumulate the debt unless you spend more than you can afford to pay off once the billing cycle ends. You also do not get charged anything if you don't carry a balance and your card has no annual fee, and don't use it to get cash advance via ATM, and don't go over your limit (if you do, you need to re-evaluate your finances). Just pay off the balance in full, not just minimum payment, and you pay only what you spent. If you shop around for a good card, you even get "rewards" for using the card instead of cash, like a % back, or points/miles towards purchases/plane tix. In the 8 years or so of using ccards for payment the only time I had to pay more than what I spent was for a laptop I let half the cost ride the card for an extra month as I couldn't pay in full on the due date.
Tm
Support TBI Research: http://www.raisinhope.org
Gee... these guys are sure behind the cutting edge, Toronto's had this for a while -- it's called DEXIT. Head on over to DEXIT and have a look.
No, you can use your cash card at multiple banks' machines. Japan may be backward in terms of ATMs only having hours of business from 8am to 7pm or so on average, or most refusing to accept foreign-issued credit cards, but for the major banks, all have usage agreements with one or more competitor.
The difference is that this smart card is off-line, an electronic wallet type idea, not an online transaction, so it has all the speed benefits associated with it. The main use, I suspect, is going to be for commuter passes and other pre-paid train cards (see the current FeLiCa/Suica/Icoca system in use by JR, for instance), so you don't want to have to wait for 1 minute while trying to dial up to confirm you are allowed to go through the ticket gate.
...why not check out the Siemens Xelibri 7 phone; it actually is a clip.
that the phones are wirelessly connected to the internet. Otherwise this is nothing more than a smart card. The point is, when you buy a ticket online using this phone, the phone WILL BECOME THE TICKET. That's the main advantage of putting this thing in a cell phone rather than having a separate smart card (of course the same functionality is included). You will never have to make a line to buy a ticket.
The "beep" you hear passing a nerd's oversized backpack is the sound of your bank account being emptied.
"KA-CHINK"
1. E-Gold
2. Evo Cash
3. NetPay
4. PayByGold etc.
Also see The Home Page of J. Orlin Grabbe ( ". . . inspecting the global underbelly: privacy, money laundering, espionage.") for more info
...would NOT want to carry money around on a smart card. Those things are too easily altered/messed up. Case in point - my apartment complex uses smart cards to store money for the laundry machines (you recharge it with your credit or debit card at a machine) and one day mine inexplicably stopped working for some reason. 20 bucks down the drain. When I went to the office to get a replacement they said that the cards have been known to do that.
I belong to the ______ generation.
I find it amusing that so many features are being packed into mobile phones when, realistically, they are so easy to steal. Wallets are hard to steal because they are only taken out at the point of sale, but people are always waving their mobiles around and losing them. This to me seems like another case of packing more complexity into the telephone network while making sensitive data more available to thieves. My boss recently lost his phone (stolen) at an XMAS party of only employees and he has had a really hard time getting back his numbers for overseas business contacts. Don't get me wrong, I think this is a good idea in principle, but I think before further telephone application development is made, perhaps more effort should be made in integrating telephone retrieval with local police authorities in locating stolen telephones... alternatively, like the kind folks at Mirabilis eventually realised, that data be stored on the network rather than on the phones so the impact of having a stolen handset is not so devastating to consumers.
Credit cards were more convenient than cash, especially online. Now a better distributed transaction platform is needed that's more convenient than the cards, or typing their number + authentication data. Inconvenience represents a prohibitive cost barrier to entry, especially for small transactions where the overhead dwarfs the transaction value. A more scalable transaction protocol will allow scaling up of the transaction pool. Meanwhile, consumers are in the purchasing "business" and retailers are in the "sales" business. Banks are in the "finance" business, and these transactions are going to be mediated by something like them for the foreseeable future. But 3% transaction cost is scalable, while "45 seconds of typing" is not. The question is "will retailers make more profit?", which is a big "YES" when the transactions scale up. I want to be sure that the scaling doesn't leave respect for the value of my privacy and security behind, in the name of economy and convenience. A bit more smarts on the client will make the system more trustworthy, and contribute to the rational scaling of the techniques.
--
make install -not war