Slashdot Mirror

← Back to Stories (view on slashdot.org)

DoCoMo Starts Cell Phone Smart Card Trial

Posted by michael on from the swipe-and-run dept.

virtualXTC writes "The Japanese phone company NTT DoCoMo and electronics giant Sony will begin a trial of cell phones with embedded smart cards with speed pass-like capabilities that will allow the user to purchase anything from travel passes to movie tickets just by placing their cell phone near an electronic reader. Potentially the smart card 'can serve as an ID card, travel pass, or login for a corporate computer network, all at the same time'. If they'd just attach a money clip to it, I could get rid of my wallet entirely."

16 of 130 comments (clear)

  1. Me, I'm keeping my wallet by Anonymous Coward · · Score: 5, Insightful

    Sure, electronic payment is convenient, but nothing says anonymous like cash.

    1. Re:Me, I'm keeping my wallet by trentblase · · Score: 5, Funny

      Just don't get any dna on your bills

    2. Re:Me, I'm keeping my wallet by RazzleFrog · · Score: 3, Informative

      Bank robbers are not caught using serial numbers. They are convicted with serial numbers. When I was a teller (many years ago now so it may have changed) they used to have a stack of 100's that we kept logged in our drawer. If we were robbed the log of numbers went to the cops to aid in conviction. There are far too many places to pass off bills for it to be an effective way to actually catch anybody.

  2. Just a few concerns I have by digitalvengeance · · Score: 5, Interesting

    While I love this idea in principle, I do have a few concerns before I welcome our new overlords.

    What about standards? The article compares the smart chip technique to credit cards, but credit cards use a pseudo-standardized magnetic strip methodology. Are retailers to have 10 different receivers sitting at their POS terminals for 10 different cell phone/smart card providers? Along these lines - adopting early could be dangerous as one may invest in hardware that does not conform to the final standard and therefore be useless.

    What about security? Until more information about how the protocol works, how security is maintained, and exactly how one can control what information is broadcasted is released, can we really trust this technology with our personal information? And this doesn't even begin to cover eavesdropping. (My tinfoil hat may be disrupting my thinking here)

    When I hand my credit card to a clerk, I know exactly what information will be gleaned by the scanner from the magnetic strip. It doesn't change. What happens when I get a firmware upgrade on my phone? Can I trust that I am still secure from unauthorized access or even that my phone/ID/credit card gizmo is still only transmitting information that I approve?

    One interesting alternative to this close-contact technology would be an internet-based alternative. In this scenario, my phone would use XML over SSL or some other standardized system to tell my provider to tell the POS that I am there and to relay what other information is necessary. Using this method, software-based upgrades could take care of standardization without any modification to hardware.

    --
    How many roads must a man walk down? 42.
    1. Re:Just a few concerns I have by pbox · · Score: 3, Informative

      Taking into account the fact that Japan is possibly the last of the developed countries where you can use your ATM card ONLY at your bank's machine, it is more han likely that DoCoMo's smartcard would only work at DoCoMo's POS terminals, plus other places which have (possibly exclusive) business relationship (ie. clients) with DoCoMo.

      Let's wait for ISO, ASA, or some standarization body, this won't cut it.

      BTW, in Finland and most of Western Europe, (and in Japan too) you can pay for your snack purchases by you phone (no need for the smartcard), so what is exactly news about this??

      --
      Code poet, espresso fiend, starter upper.
    2. Re:Just a few concerns I have by brunes69 · · Score: 3, Interesting
      What about security? Until more information about how the protocol works, how security is maintained, and exactly how one can control what information is broadcasted is released, can we really trust this technology with our personal information? And this doesn't even begin to cover eavesdropping. (My tinfoil hat may be disrupting my thinking here)

      From the description, this thing works just like Esso Speedpass dongles, in that, the thing needs to be within around 2 cm ( 1 inch ) for it to trigger and transmit the needed data.

      The only way anyone could eavesdrop on or steal your CC number using this system is if he has his hands in your pants. And if some unknown guy has his hands down your pants, you've got much bigger problems than your credit info.

      Assuming it's also tied to a PIN you enter on your phone, it's also much more secure than the old swipe, where the waitress/retailer has full access to your card #, expiry date, and name.

  3. Possible tomfollery. by Prince_Ali · · Score: 3, Insightful
    Guy 1: Hey, can I use your cell for a second. I need to call home.

    Guy 2: Sure, why not. My night minutes are free anyway.

    Guy 1: *Swipe* Thanks.

    Guy 2: Hey, did you just buy movie tickets?

    --
    Slashdotter are stupid and biased.
  4. you would not want to lose this one... by fedork · · Score: 3, Insightful

    My wife loses/destroys cell phones like crazy. Much less her wallet... I would not like this one for her...

    --
    ...remember good 'ol times when IP used to mean Internet Protocol....
  5. Oh yeah! by Omni+Magnus · · Score: 4, Funny

    This will be great for the phone sex hotlines.

  6. Great idea by cluge · · Score: 3, Insightful

    Will make it easier for thieves to steal but limit and possibly track them as well. All the thief would have to do is walk up to the register and the victims card is charged. KA CHING It becomes a race, how long can the thief use it before it's discovered stolen and they have to leave it in the submway? Do the police keep the phone running and charges piling up but use the phone to trace the thief to his residence? Is the encryption used by the phone/wireless any better than the encryption used by standard wireless cards (ie how easy is it to sniff for credit card numbers).

    The world of thievery just got more interesting

    AngryPeopleRule

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  7. Don't our phones do too much already? by mr_lithic · · Score: 4, Interesting
    I currently use my phone as a multi-mode commuication device. It allows me to use it for email, sms and voice,. It also has fuctions as a PDA, gamepad and camera. It alerts me if my servers go down or the comms room is flooded and it allows a number of people to keep track of where I am all the time.

    I am not sure if I want it suddenly to hold all of my cash as well. It holds all of my personal information, dates and phone numbers, and if someone was clever they could find out alot about my servers. So currently, I believe that I have too many eggs in one basket with the functions that it carries out now. To expand those to include purchasing seems to be inviting disaster.

    What the hell do I do if I lose it?

  8. Sweet... by Mysticalfruit · · Score: 3, Funny

    I'm going to print up a tshirt that says on the front back and sleeves

    "By reading this shirt or walking within 3 feet of me, your obligated to play me 1 cent. I'll then just carry a small antenna that'll attempt to connect to the nearest smart card device and charge it 1 cent."

    I know the figures in the high 80's for the number of people who now own cell phones. I can now quit my job and just walk around the mall collecting my "toll".

    --
    Yes Francis, the world has gone crazy.
  9. 'Convenient' for who? by Mu*puppy · · Score: 3, Insightful
    I mean, really. Time it, cash transaction versus the credit swipe... the approval... waiting for the receipt... singing the receipt. Want to leave the table after a nice dinner? Fine, slip your bills into the payment binder thing, use your change for the server's tip (provided you don't have only big bills), get up, get out. No signatures, no electronic trails.

    Nothing says 'anonymous' more than cash, and cash still goes places where American Express/Visa/whatever have not been, and probably never will be. Bills still talk a lot louder than plastics...

    And it doesn't cost anything for the 'privlege' of spending your own damn money when you use cash...

    Kinda tells you something, when the world of 'credit' is starting to favor people who the creditors know will default and be indentured for years upon years to come......

    --
    There's no wrong way, to eat a Rhesus...
  10. Digital Cash and anonymity can work by MrChuck · · Score: 3, Insightful
    read a little David Chaum (google for him yourself).

    On the upper west side of manhattan, they tried a "money on a card" program. Chase and Citibank. You could put it on an ATM card with a smartchip or, like I did, just ask for a card, give them cash which value they xfer'd to the card and leave. No names, no signing anything, etc.

    It was a huge P.I.T.A. to use it, but I put that down to testing where clerical help are not necessarily the brightest sticks in the bundle :)

    However I never renewed mainly because this was cash equivalent. Exactly. With no PIN on the card or ANY protection, you swipe my card, you have my cash and can use it. The minor addition of a PIN would have made the better than cash in that it's not a theft target.

    A friend who did this on his ATM card played with it and said: "Oh wait, my ATM card now has value to a mugger? Great."

    So in the end, its big feature was what a friend called: "Just like cash, only you can only use it in certain places and it's a pain in the ass." Pathetically, their only marketing point was "you don't have to dig for the right change anymore." (as using currency is really hard for people to handle after 3000 years.)

    I'm going to presume that with DoCoMo, you have to AUTHENTICATE the transaction. That someone with a reader can't walk by you or sit in front of your seat and transact your money to them.

    There is an opportunity to do it well: anonymously and correctly.

    A GSM chip needn't be attached to a phone or an ID (so the guy whose wife kills phones would be fine - all european phones I've used are chipped.) Move the chip to another phone and it's "your phone" immediately.

    Do that with a cash chip, and I can send money from one phone to another.
    I can rePIN it and pass the chip to Mom and just tell her the (new) PIN.

    I can do this all untracably, but verifiably. This isn't new. Electronics help, but it's been doable for quite some time. Again, David Chaum has done good writings on this topic.

  11. Pointing Out Vulnerabilities by _bug_ · · Score: 3, Insightful

    So someone gets their hands on a reader for these devices. This can be done by borrowing/stealing a reader from a store that has one installed or by someone who works at the manufacturing plant. Setup a power source and stick it in a backpack. Run a cable down to the reader which could either be in the pack or, if small enough, palmed in your hand.

    As you walk through the streets, wave your hand across the phones of people standing around or as they walk by you. A laptop or PDA could be hooked up to the read recording in all the information.

    The protocol/encryption is taken care of by the stolen hardware. No need to worry about cracking it.

    --

    Now if this system is based upon it's own network, then the reader doesn't have to do any decryption of the data. It can just be forwarded down the line to the network's core. The readers essentially become dumb terminals.

    But I doubt this is the case. Every smart-card reader system that has a core data store includes storage space in individal readers to store transactions in case the core goes down.

    --

    What this type of system REALLY needs, as do exsiting ones such as smart pass or that gas station token thing, is some sort of activation button that must be depressed in order for information to be transmitted from the card. This would make it much more secure.

    This New Scientist article doesn't cover if such a function exists with these new phones but given past devices that we've seen, I doubt it.

  12. Inaccuracies about smartcards by fuzheado · · Score: 3, Informative
    Lots of the discussion here are addressing things already solved. Here in Hong Kong, the Octopus system is the largest deployment of contactless FeliCa cards in the world -- 10 million issued, 8 million transactions a day.
    1. Contactless smart cards are DIFFERENT than Speedpass RFID systems. Speedpass is a cookie - it does nothing other than provide a unique key for some other database to look up information. FeliCa has stored value and can be read from/written to. So the Slashdot intro stating "speed pass-like capabilities," is inaccurate.

    2. It is anonymous already. Vast majority of users use cash to top up, no personal info, not linked to bank accounts, nothing. Add value to the card at 7-11 stores (open 24 hours) or subway stations.

    3. E-theft is not a problem. You cannot steal money by passing handheld readers over peoples' back pockets. Card readers are not readily available and there is an encryption system to them even if you could get your hands on a vanilla reader. Also, the key to Octopus/FeliCa is a nightly settlement system, of which you must be an approved vendor. This requires contacting the central system and authenticating. Can't be done by a plain Joe.

    4. Been there, done that. We had FeliCa-in-cell-phone pilot last year, with a Nokia 3300 series phone with a FeliCa chip embedded. Cute, but no real practical application. People change cell phones here like shoes, so why tie your e-cash to a phone?