RFID MasterCard
starburst writes "MasterCard introduces an RFID MasterCard called PayPass in Orlando Florida. They tout the convenience of no more swiping or giving your card to cashiers. They claim the card has to be within an inch of the reader to be read -- how long till criminals are walking the malls, or next to you in line with portable readers getting your card information?"
How long until I can buy a wallet with a woven copper grid liner?
NetInfo connection failed for server 127.0.0.1/local
If my photo had to be on my Credit Card and also I had to enter a Secret PIN to use it - would that stop a load of Credit Card Fraud??
If I am at the store, they compare my photo to me?
However I guess some people would not like carrying an ID card (which it could make the Credit Card?) around with them??
Just my two bits (0&1)
You know, people make fun of us tin-foil-hat-wearing paranoid psychos...
But then people invent stuff like this. Which just makes us even crazier.
Never attribute to malice that which can be explained by mere idiocy.
time for a tin foil hat for my wallet.
Evolution or ID?
Tank of gas - $22.47
Pack of cheetos - $1.25
1 Liter of Mountain Dew - $1.50
Stolen card # via RFID - Priceless (or your max on the card)
I haven't read much on RFID tags, but I thought the power came from the reader, so the only thing that would have to be more powerful for the cards to be read from more than an inch away would be the reader, not the card.
Banaaaana!
How much more efficient is it really to put a card an inch next to a pad merchants will have to buy instead of swiping it through a card reader that already exists everywhere?
Look, the 5 seconds per month people will save with this aren't going to be worth the costs of embedding the RFID, so eventually this will go away based on simple economics.
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
The thing is, this really won't make anything more secure. Cashiers will probably still take the card to swipe it in front of the reader, and dishonest people will still be able to use hacked readers to steal your card's info. It won't make any difference whether the card is swiped through a slot or merely moved in front of it.
nigritude ultramarine
I checked out their web site - no details on security other than the assertion that it is "secure". Right. I am assuming that the RFID tag is a passive one and that the paypass terminal needs to authenticate in some way. I do hope so, anyway, because if not, criminals are indeed going to have lots of fun with this. Would anyone be able to tell me how secure communication between a tag and a reader can be obtained?
----- One learns to itch where one can scratch.
We need to not forget that us tin-foil-hat wearing geeks are the security folks at the credit card companies.
Evolution or ID?
Sure, it'd have to be within an inch of their reader, but couldn't someone make a higher power transmitter to ping the rfid chip in the card from a longer range? Or will the return signal dissipate quickly over longer distances?
I'd think that if a strong signal was used to ping the card initially, a strong signal would be returned, but maybe they have taken measures to stop that? Can anyone answer this?
Can't they couple a code with the card?
Sweep the card AND punch in your personal code.
That way, you need to have something (the card) and need to know something (the code).
It's also better than putting your signature on a piece of paper. Everyone can fake a signature. Don't tell me they always verify it. With a code the machine always verifies it for you.
There's something similar in Canada called Dexit. But it's not a credit card. It's a type of debit card with a $100 limit so if you lose it or anything you're not really out all that much. You can refill it anytime online, over the phone, or automatically from your account. It's used for fast food, candy, newspapers, whatever.
Support the First Amendment. Read at -1
From the site:
Your card never leaves your hand. And, of course, you get the same level of security that you've been accustomed to: $0 liability on unauthorized purchases and a receipt for every purchase.
If it's really possible to grab numbers from a crowd, this one could get expensive for them. You'd think they'd be smarter than that. But companies have messed up before.
I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
I think that's a make up on the current insecure credit card framework, which is hopeless. Credit cards are so propagated through the world, and it would be very costly (and disastrous) to build a brand new security mechanism so anyone can understand why MasterCard does such kind of show-off, without doing actually anything.
This quote is worth any comment:
"PayPass is guaranteed as safe and secure as all MasterCards."
Oh, then that gave me a very strong and confident feeling. (Read this as: secure my ass)
This card is not about RFID, it's about making card use in scenarios like drive-throughs easier. Also, it's currently limited to <$25 transactions currently according to the FAQ.
Assuming one likes the idea of small plastic transactions at all, I wonder if it wouldn't be a better idea to _combine_ 2 accounts in one card: one account for the higher-value mag-stripe, and an RFID account with a low credit limit that needs to be constantly replenished.
See previous post's reference to simoniger.
"Now I've got enough money to build my robot. My girl robot. This is going to be the best prom ever."
How long till plainclothes cops walk the malls carrying detectors that sense the self-incriminating probe of the would-be pickpocket?
Seeing bad movies only encourages them. Watch responsibly
The kind of contacts I'm talking about would be the ones that measure the resistance across two contacts a few mm apart, in order to use the card your finger(s) have to be on the contacts, otherwise your card doesn't send or receive RFID crap.
da w00t. mtfnpy?
Once again, just because something can be done, it has been, totally without regard to whether or not it is actually a _good_ idea.
RFID technology is now getting into the "buzzword" phase of electronic manufacturing/production, it's now cheap and common enough to start getting idiotic designers thinking "gee, wouldn't it be neat if we put an RFID in ...". The same thing happened to microprocessors in the mid-80's, and we started seeing truly idiotic applications, uP-based Toasters, Staplers, Golf Tees, etc.
RFID's on personal ID's or credit cards have to be a security nightmare. How easy would it be to hide a collection device under a bus or train seat and collect ID's for a whole day or two?
Not to mention that a transmitter generates EM fields, which might be strong enough to erase your other mag-stripe cards in proximity.
History repeats itself once again.
-- You are in a maze of little, twisty passages, all different... --
Sorry to say, but this collective fear against RFID is just ignorance. The bus company where I live in Sweden has RFID bus-passes and it works like a charm. You don't even need to pull them out of the wallet! It's extremely convenient. I'm a person that's used the technology for over a year so I know what I am talking about. Sure, a bus-pass is different from a credit card, then again, I suspect that you still need to enter your code to charge it.
What's so bad about being lazy? What if there was a war and nobody showed up?
Europeans are smart and use "smart-cards" already. Why are Americans still playing around with new-fangled passive devices which are just not secure?
The reality of the situation is you can't trust the reader. Ever. This is why it's easy to scam debit [get their card no and pin], why it's easy to charge credit cards, etc...
Sure it might cost more per card but the cards would be subject to *less* abuse and you'd have to pay out *less* ultimately in fraud.
Tom
Someday, I'll have a real sig.
"no more swiping or giving your card to cashiers."
riiight.... so they won't be checking your signature anymore? ok... so no mag stripe to wear out... (this has only happened to me once in 32 years) but i think they are forgetting the Keep It Simple rule.... complications without benefits. tech for tech sake. reminds me of the time a synth voice from the coke machine thanked me for my patronage...
Supposedly one of the leaders in RFID development?
http://www.ti.com/tiris/docs/docntr.htm#reference
A lot you ever wanted to know, or not know....
Great, so the card stays in my wallet that I wave near the proximity reader ... so my signature and photo on the card remain a mystery to the hurried cashier.
Looks similar to the failed technology Mobile used at its gas pumps, only flatter and provides more opportunities for ne'er-do-wells.
--- have you healed your church website?
Hey, I live in Orlando. I've seen these readers at Chevron gas stations and a few other places for months now. MasterCard isn't planning to roll these out, they've had them set up for quite a while already. This makes the story what--a localized dupe?
Q: "Why do sound techs say 'check 1, 2'?"
A: "Cause if they could count any higher they'd be lighting techs."
This would be better with a Smart MasterCard and a microswitch on the card.
The Smart MasterCard would exchange single-use credit card numbers a la Citibank's Virtual Account Numbers. That way the number would be useless as soon as the retailer has charged it, so that a bystander "sniffing" the information would not get anything of value.
The microswitch would simply allow you to control WHEN the card can be interrogated, so that passersby can't muck with it. You'd squeeze a spot on the card when you held it up to the retailer's reader, and thereby allow the transaction.
Don't know... Looking at the picture on that website, I'm fairly sure we use something very similar with the public transportation at least here in Helsinki. You can get one of these transportation cards and have it loaded up with either money or time that can then be used to pay for public transportation travel fares. In the past we just had picture-equipped travel cards that were the equivalent of the time option in the new cards. The money option equivalent was, naturally, real money (you can still do that, don't get me wrong) or buying little paper tickets that allow for multiple trips. Imho the new system has worked a lot better and I don't see people complaining about any lack of privacy or other junk like that. I've never heard of anyone's travel card id or whatever they use to identify those cards being stolen so I don't know if there's any real risk of something like that PayPass being read either without the consent of the owner. Of course people may have a lot more motivation to develop ways to read a mastercard than a transportation card. Still, you have to keep the transport cards pretty still while they're being read or the reader will fail. Thus I don't think I'd feel exceptionally insecure carrying one of those in my wallet. Dunno.
It's nice to say "you have to be within one inch of the reader for the card to be read", but WHERE is this limit built in?
a) If it's the card itself (a "hacked" RFID that has a very weak response signal), we're on the "safe" side.
b) If it's in the reader (i.e. the reader sends out a weak signal, so that only cards within a few centimeters are capable of receiving the signal), then we're in trouble.
Given - option B gives stores the "peace of mind", that they'll always read the "correct" card (i.e. the stores won't get in trouble for accidentally charging YOUR purchases to the guy next in line).
BUT - option B means, that crooks can use stronger readers that can scan your card from a few meters away (all that while the user thinks that even crooks need to make it to within an inch of their cards).
Before I'd go for such a card, I would most definitely like THAT question answered...
If you want to steal credit card numbers, wouldn't it be easier just to look over people's shoulder at the supermarket?
I had my credit card number stolen - still no idea how. May have been random card number generation for all I know - I did nothing particularly unsafe (using your credit card at all is pretty unsafe). I was immediately contacted by my bank who were suspicious because the charges were (a) out of line with my current spending pattern (b) in a completely different country to my previous charges. I simply verified that no, I hadn't been to Spain recently, they faxed me some forms (basically just signing to say that no, the following charges were not made by me) and 3 days later my new credit card arrived by courier. everything else was handled by the bank.
In some ways I got lucky because the nature of the spending raised flags, and because my bank actually has incredibly good service. The catch is, it is up to the credit card companies to wear the cost of stolen cards etc. presuming you take reasonable precautions. If they want to embed easily readable RFID tags and have to cover a shitload of costs for easily stolen card numbers... well, more power to them. They'll be out of that business soon enough.
Jedidiah.
Craft Beer Programming T-shirts
I use exxon speedpass and it's handy. I don't think you can just ask the thing what the code is and it echoes back. I'm pretty sure it's going to require a cypher handshake be done to authenticate.
That's a lie. It takes a moving magnetic field several times that of the earth to erase a magnetic strip.
Strong magnets, sure. But ordinary ones? No way.
If you don't like it, don't use it. Similar technology has been in use in Speedway gas stations for a few years now. They give you a little stick that goes on your keychain and you wave it in front of the pump at the gas station to pay for your gas. I'm told that the same speedway pass also works at certain McDonalds that have the readers installed. The only real difference between this and the MasterCard product is that MasterCard is used in far more locations than SpeedWay prepaid gas cards, so the cards will actually be useful in more locations. Just like the SpeedPass, those who want it because it's got a cool gimick will get one; those who wear tinfoil hats will continue to pay cash.
I recently spoke with an RFID engineer about how easy it is to read RFID tags. Basically, the readers are very sensitive to the position of the tag, as well as distance. Move the tag out of the ideal plane for the antenna and it becomes unreadable. Shield it and the reader must be much closer to read it. Great technology for tracking shipments - anything that takes away people entering data via a keyboard and replaces it with people holding receivers to spots on containers should help greatly reduce tracking errors - as well as allow shippers to track temperatures, if a container has been opened, etc.
OTOH, what makes things easier when you can train a person to perform a task in a set way is not always better for mass consumption. Look at how often people have to reswipe cards because they put the strip on the wrong side of the reader - now imagine someone trying to align the RFID tag with a reader - all you've done is replace one motion with another. Mobil (ExxonMobil - the Mobile is silent) has SpeedPass - which never really caught on - that is essentially the same idea. They tried to push it for fast food purchase as well - ever see a SpeedPass enabled drive through? Which brings up the issue - how much will it cost for companies to replace/upgrade existing readers to handle the new cards? Without a lot of cards, there's no incentive for companies to spend the money. Without readers, why have the card?
I've had one CC strip go bad - and all the clerk did was key in the info - this RFID idea sounds like a solution to a non-problem. Now, if they could add a biometric reader that required my thumb on the card to validate it - and it read the first thumb placed on the card as the right one when you get the card, then I'd be interested.
A switch that activates the tag sounds neat - but now I must not only get the RFID tag close to the reader but hold the card in a special way - forget it - not to mention some people may have trouble doing that due to physical constraints.
I'm a consultant - I convert gibberish into cash-flow.
All of your credits are belonging to us!!!
The power consumption of the cryptographic circuits explains the limited read range. The amount of power that an ISO 14443 tag needs to operate cannot be transferred across more than about 10 cm using allowable field strengths.
Has the world completely given up on checking signatures?
"I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
Some company policies require that all cashwrap associates hold the card until it is signed and the signature compared, other companies have policies that the card be given directly back to the customer after it has been swiped. There are good reasons and bad reasons for doing each. Practise one may help reduce fraud on the customer side but it can induce fraud on the associate side, whereas it's a flip in the other situation.
If you really want to feel safe using your credit card, you should find out a store's policies regarding them before making a purchase. You wouldn't make an online purchase without knowing how they handled your card, why would you make one in person that way?
In the end it is not the store's responsibility but the responsibility of the cardholder and the issuing bank. Read your fine print.
Not since Marie-Antoinette played milkmaid has looking simple and honest been so fake and complicated.
Every time someone tells me a story of their magnetic credit cards being erased by speakers or their eel skin wallet I wonder again why barcodes aren't used. Easy to scan. Not easy to erase.
*shrugs*
Yes, I'm still anonymous you evil hackers you.
I have seen a boosted reader read a card (which has this magical "2 centimetre" reading distance) several metres away. It was an experiment, and the reader emitted so much energy that it certainly wouldn't pass any certifications but I strongly doubt criminals care about that.
You could quite easily set such a transmitter up in a window overlooking a busy street, and you will be able to scan most people that pass by.
So, to answer your question. The reading distance is mostly related to the power of the transmitter. The card itself cannot determine how far away the reader is.
That said, I would assume that MasterCard uses smartcards for this. The card would actually perform a cryptographic signature check using some form of challenge response algorithm. This prevents anyone from reading your card number, but it won't protect against a malicious store charging customers passing by on the street outside his store. :-)
If they work exactly like a magnetic card, only sending the number on the card (like most rfid-based key cards do) then they are plain stupid.
The idea is right, on this one. With my current plastic card, if you can see it and/or photograph it, you have all the information you need to create another card, including magnetic stripe. The magnetic stripe just has the same information as on the card itself: Name, account number, and expiration date.
http://money.howstuffworks.com/credit-card3.htm
The RFID would allow me to authenticate my purchase without unauthorized persons seeing the critical information needed to make another card. The problem is, these RFID tags are so dumb, they will respond to any request that matches the RFID's frequency. Even if they do work only within an inch, that's plenty of room if you are in a crowded place.
A shield would help (as noted earlier), but I think that just reduces the effective range, no? Maybe what I really need is a small jammer: a device in my wallet (or on my keychain) that generates interference on the same frequency (frequencies?) used by my RFID credit cards. As long as the transmitter is close to the RFID tag, it would not have to be very powerful.
Sometimes I worry that I'll develop Alzheimer's disease, but no one will notice.
It seems that competing security issues have been in play wrt to the credit card processes. First, the credit card companies want to know if a purchaser and seller are using a physical credit card. This is the swipe. Second, many firms would like the employees, most of whom are minimally paid with no incentives such as healthcare or retirement, to not handle the card. This is another benefit of the card holder to swipe the card. So for a long time, all a card holder had to do was swipe.
However, this apparently did not provide enough security against fake and stolen cards. Some places want additional information such as a zip code. Others want to inspect the card and enter the check digits.
I do not see the universal possibility of just passing your card by a reader. I do not see the possibility of just passing your wallet past a reader, unless you only have one card. The shops that currently want to see the card will continue to so do.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
I know there is a lot of hysteria about RFID cards, but a well implemented RFID card can be a lot more secure than the current system. Say the card does an encrypted challenge response, is limiting itself to one transaction per second, _and_ you still need a pin.
For example:
purchase
enter pin
terminal hashes to pin with some random number
card responds to the challenge by hashing the random number with the time and your card ID number (public key)
card puts itself into sleep mode for a second
terminal sends the card response to MasterCard computer which uses MC's private key to verify the response
I haven't done a deep analysis of this, so it might not be totally secure, or you might not need the random number and could just challenge with the time up to a millisecond, but I still think this is more secure than giving everyone your credit card or swipe through a magnetic reader.
The huge advantage is that the sales person does not see your credit card number or your security code, and it would be almost impossible to copy the card with magnetic stripe readers.
I love the Shielded cap. All the benefits of an aluminum foil beanie, without the strange looks.
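The challenge-response idea sketched in the comment above, as an added example that is not part of the original thread: it swaps in a per-card HMAC-SHA256 key shared with the issuer in place of the public/private-key hashing the comment describes, and leaves out the PIN step. The card ID, amounts and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # bytes of fresh randomness issued per transaction


def _mac(key, card_id, challenge, counter, amount_cents):
    # Fixed-width fields after a NUL-terminated ID keep the encoding unambiguous.
    msg = (card_id.encode() + b"\x00" + challenge
           + counter.to_bytes(8, "big") + amount_cents.to_bytes(8, "big"))
    return hmac.new(key, msg, hashlib.sha256).digest()


class StaticTag:
    """Tag that answers every query with the same fixed number, in the clear."""
    def __init__(self, card_id):
        self.card_id = card_id

    def respond(self):
        return self.card_id


class Card:
    """Card that proves possession of a secret key without ever sending it."""
    def __init__(self, card_id, key):
        self.card_id, self._key, self._counter = card_id, key, 0

    def respond(self, challenge, amount_cents):
        self._counter += 1  # every response is bound to a new counter value
        return {"card_id": self.card_id, "counter": self._counter,
                "amount_cents": amount_cents,
                "mac": _mac(self._key, self.card_id, challenge,
                            self._counter, amount_cents)}


class Issuer:
    def __init__(self):
        self._keys, self._last_counter, self._open = {}, {}, set()

    def enroll(self, card_id):
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        self._last_counter[card_id] = 0
        return Card(card_id, key)

    def new_challenge(self):
        challenge = secrets.token_bytes(NONCE_LEN)
        self._open.add(challenge)
        return challenge

    def verify_static(self, card_id):
        # All a fixed-number scheme can check: is this a known number?
        return card_id in self._keys

    def verify(self, challenge, resp):
        if challenge not in self._open:
            return False                    # unknown or already-used challenge
        self._open.discard(challenge)       # each challenge is single-use
        key = self._keys.get(resp["card_id"])
        if key is None:
            return False
        expected = _mac(key, resp["card_id"], challenge,
                        resp["counter"], resp["amount_cents"])
        if not hmac.compare_digest(expected, resp["mac"]):
            return False                    # wrong key, challenge or amount
        if resp["counter"] <= self._last_counter[resp["card_id"]]:
            return False                    # stale counter
        self._last_counter[resp["card_id"]] = resp["counter"]
        return True


def run_demo():
    issuer = Issuer()
    card = issuer.enroll("CARD-0001")       # constructed card ID
    results = {}

    # Fixed-number tag: whatever a bystander overhears stays valid forever.
    overheard_id = StaticTag("CARD-0001").respond()
    results["static_replay_accepted"] = issuer.verify_static(overheard_id)

    # Challenge-response: a genuine purchase, overheard in full.
    c1 = issuer.new_challenge()
    overheard = card.respond(c1, 1250)
    results["legit_accepted"] = issuer.verify(c1, overheard)

    # The overheard response is rejected against the spent challenge...
    results["replay_same_challenge"] = issuer.verify(c1, overheard)
    # ...and against a fresh one, because the MAC covers the old challenge.
    results["replay_fresh_challenge"] = issuer.verify(issuer.new_challenge(), overheard)

    # Changing the amount in transit invalidates the MAC.
    c3 = issuer.new_challenge()
    altered = dict(card.respond(c3, 1250), amount_cents=99900)
    results["tampered_amount"] = issuer.verify(c3, altered)
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {accepted}")
```

This covers cloning and replay of overheard traffic only; it does nothing about a reader that starts a transaction the cardholder did not intend, the case raised elsewhere in the thread.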
With a credit card, you're only liable for $50 anyway under US Federal Law.
Understand your rights and don't spend money to use them.
Right now, I can walk to the DC Metro, slap my whole wallet on the reader, and it gets the correct signal, and deducts my account.
If I could rub my crotch against this reader, have the reader ask:
Which card would you like to use?
* MBNA Mastercard
* BofA Visa (Checkcard)
* Citibank Visa
so I'd never have to take cards out of my wallet? That would rule. In addition, you could probably build a system where a single chip could store (encrypted, with the challenge-response system purported/suggested to be used in this case) all my cards, so I could carry a single mini card on my keychain, that would rock. Of course, I would want a master pin that would give me access to my cards, so that even if my card was stolen, they couldn't use it without knowing the pin.
If they can get there, then I'm in.
TossableDigits.com: Temporary Phone Numb
In the US, Federal Law limits liability of lost cards to $50. It also gives us the right to dispute any charge on a credit card, essentially giving us the right to withhold payment at will on credit card purchases.
That's why smart cards have never taken off; there's simply no advantage for users.
Yes, a lot of people around here still do write checks. And it is painful to watch!
The London underground already uses RFID style cards for the ticket gates.
http://www.oystercard.com/
There isn't any hysteria over people stealing your oyster ID, which is worth money in the form of a season ticket, or pay as you go billing.
And they are much faster when you're commuting, those few seconds less it takes to get through the gates has saved me from missing a lot of trains already.
Nokia also announced recently they have software & hardware that can turn your cellphone into a tag reader.
Wonder how long until the latter gets "improved" upon by "outside independent researchers", the kind of dudes who wear darker colored chapeaus.....
Right now in the U.S. debit/credit card fraud is such a small part of the overall use of debit/credit cards that the issuing banks are paying for it.
If fraud and lack of security were such a big issue in the U.S., Visa/MC would have moved away from magnetic stripe to smart cards a LONG time ago.
So switching to contactless, (payment systems are not all RFID) gives the card companies a "new" product. Security be damned.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Maybe they should first optimize other aspects of the transaction, like uselessly asking me "credit or debit" every time I use my ATM card (it's not linked to a credit card).
The people working for mastercard and other financial credit companies are as smart as we are, and they stand to lose millions in fraud if they don't secure their customer's cards.
I would be very surprised if the cards didn't have built in challenge/response cryptography to send the information. These cards are available now, and cheaply in bulk. Further, they would likely only contain a database link to the credit information which can probably be invalidated without changing the credit card number.
Of course, this means the bad guys only need to break one (or maybe a few) keys to gain access to everyone's card, but then they have to go around and collect them by hand.
The assumption that companies are stupid or lazy is actually based on the fact that they have to make cost/performance decisions. What seems stupid to us generally is cheaper including all the incidental and security costs. I doubt that the cost/performance ratio here would favor a 'stupid' solution.
-Adam
I don't see why people are so worried about their card numbers being read from a distance--it's not like your card number is a secret anyway.
The act of swiping your credit card number is proof to the merchant that you possess a physical token, nothing more; it is the merchant's good name with the credit card company that then lets them get the money that was promised to them.
What matters from the consumer's point of view is how hard it is to duplicate the token. If they picked the right RFID (something with a zero knowledge proof), it would be very hard to duplicate. Even if they picked the simplest RFID tag possible (something that just transmits a fixed number in the clear), it will still be better than magnetic stripes.
In different words, the problem right now is not the lack of secrecy of the CC#, it's the ease with which the physical token is duplicated.
Even better would be a store of time, transaction count or dollar amount limited account numbers usable for situations where you don't trust the vendor or the transaction environment completely.
Going to Moscow? Grab a new account limited for the length of your stay, good for up to $5000. If your number is stolen, they have until the expiry date or your allotment is spent.
Of course, I don't think that Visa/Mastercard care, actually, since they get a cut of the transactions, and limiting transactions would cost them money. They'd sooner nail vendors with chargebacks and take away their MC/Visa privs if they don't like it.
it's used by mobil, i have one and i use it at the station up the street all the time for gas and the occasional snack... it really only saves about 10 seconds over using a credit card, but there really isn't a downside to it at this point... stays on keychain with the car keys... no fumbling through my 20 different cards... it's not really super great, but it's a small improvement ;)
I love it when people solve problems that don't exist. It saves me the trouble of being annoyed by the problem before it's overcome. I just can't imagine anyone is all that distressed over having to swipe their card, maybe quadriplegics but no one else. Then when you add in the security factor... well you have an all together insecure solution to a problem that never existed. Bravo MasterCard!
... YOU make an "atypical" purchase as the first one in a new country you just flew into. Card issuer tries to call you or speak to you via the handset on the merchant's terminal, equipment in new country doesn't know how to handle this, result: transaction declined and card blocked for the rest of the trip.
I make it a point to ask card issuers about whether they have such a policy and if they admit it, I don't deal with them. Some have recently taken to saying "if you plan on going abroad, tell us in advance and we'll remove the 'unusual transactions' filter from your account for 30 days."
Yeah, I'll really tell an underpaid call centre drone when my house will be unoccupied for weeks because I'm out of the country.
Cash is so much less hassle these days...
Today when you try to buy something with a swipe card over there, they look at you funny, and some merchants don't even know how to handle your magnetic card. I wonder why, nearly 20 years later, smartcards are not more widely used elsewhere...
Was it because until recently, there was a French patent on the design (a guy called Jean Moreno is the inventor, and the patent is now expired).
Surely, the cost of implementation is less than that of credit card fraud?
RFID as a cash-only card is useful and very successful in places like Hong Kong where you can buy your paper, pay the bus or your cinema ticket, but credit card information should not be available from RFID as there is no way to control who has access to the card information and when.
Having said that, I suppose the card company has made its studies and deemed that while there is a risk of card info being stolen, it is probably no worse than the current scheme. It should be easy enough to confirm: the merchant fee should be lower or the same as with the good old swipe method.
In the FAQ, they also imply that any payment above $25 would require the card owner's signature, so the risk of fraud remains low, but still higher than with a smartcard I think.
For our own safety, why doesn't everyone get an RFID chip implanted into either their forehead or hand. No more credit card fraud.. unless you are decapitated.
I for one Welcome our new apocalyptic overlords
Really? You're kidding right? Actually we've had paypass for about 18 months now. Still no one uses it.
Everyone's gonna say that they've used their card dozens of times without the vendor checking the signature. There was a 20/20 story that showed, additionally, they don't even check the photo. Top it all off, they once questioned my photo (I had dropped a lot of weight, but they took it eventually anyway, so what was the point). Bottom line, this is all pointless. Minor fraud comes in under the radar for everyone. The vendor doesn't want to annoy a customer, the credit card company doesn't want you to be hassled and have you use another card (Hey, I dumped CitiBank Visa after the guy questioned my photo -- no point in keeping it), and everyone ends up paying for $50 worth of fraud that happens everyday. How much does counterfeiting of currency cost all of us? Does anyone really care, if it's pennies on the dollar. Everyone in the world pays tons more in taxes. Ostensibly, we get something for taxes, but is it always our money's worth?
"how long till criminals are walking the malls, or next to you in line with portable readers getting your card information?"
Hopefully longer than it takes paranoid /. readers to turn every development of a modern convenience into a sensational security/privacy issue.
I am reminded of the subways in Hong Kong. You buy a pass and you can put as much money on it as you want. And you slide it over/ put it close to the reader and it auto-deducts fare. I kept mine in my wallet the whole time and just slid my wallet over the reader. My cousin kept his in his pants pocket and jumped up and sat on the reader every time we used the subway. I think he had the right idea.
In other words this is both safer and more convenient than a traditional credit card. Of course here on /. simply mentioning that something MIGHT be RFID (and that it will be the end of privacy!) without backing it up is enough to get a submission on the front page. Slashdot should have one of the editors take smart cards 101 and RFID 101 so that they can filter all the chicken little submissions more effectively. Most of the people posting here haven't the slightest clue about the technology involved, what the protections are, and what it takes to break one of these versus a normal card.
You had all better get used to it anyhow. EMV is getting implemented all over the world to reduce fraud. Pretty soon the USA will be the place to go to commit credit card fraud since we aren't widely using smart cards. Once the fraud rate goes up the banks will be forced to implement EMV and we'll all be using smart cards as credit cards. Then the fraud rates will go down again. This process will play itself out in the next five years, so you have a little time to construct your tinfoil hats and wallets.
Lasers Controlled Games!
There is a gas company that already has the trademark on PayPass for a small RFID dongle that is read by the gas pumps to pay for gas.
They don't use Cheques - they use Checks (see the post)
So if you are in a country that hasn't switched to smart cards yet, your bank is the low hanging fruit. Once fraud rates go up in your country, your bank will switch to EMV as well and you'll have a smart card as well, because it saves the bank money. Simple economics, right? There are advantages to contactless cards (including cost) that might make them the most attractive option to some banks and merchants. That might be more complex economics though, so we will ignore that in this lesson.
Lasers Controlled Games!
Keep out of jail device
I suppose that with RFID credit cards you really don't have to even pull the card out of your pocket. Winona Ryder should get one. As soon as she walks out of the store, everything is paid for.
Know your pads. One time pad: good for cryptography. Two timing pad: where to take your mistress.
If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
- The system operates at 13.56MHz using the ISO 14443B spec.
- 13.56MHz RFID technology uses magnetic induction to communicate.
* One tag can only communicate with one reader at a time.
* Range is limited to near field. No amount of high gain antenna can change this (not RF based).
* The process of eavesdropping disturbs the reader antenna impedance and communication fails.
- Each reader contains an encryption ASIC to decipher the communication. Challenge response method is used with no unencrypted data traveling between tag and reader.
- The tags are passive and get power from the reader via near field induction. (The reader antenna and the tag form a transformer like connection.)
- Each tag contains a 64 bit factory given ID. ID is ROM and cannot be changed.
- Tag user space depends on the vendor but is typically less than 2000 bits.
- The bitrate of communication is ~100 Kbits/sec.
- Typical available radiated power is ~200mWatts.
(Limits range on purpose.)
I'm sure they're going to use smart RFID cards. They make dumb RFID cards and tags that just spit out their number and smart ones that essentially have the same chip that's in your Amex Blue or DirecTV receiver system card but connected to an antenna coil instead of gold contacts. They have enough processor power to run challenge response encryption.
Unless MC is massively stupid, these cards should be more secure than the unencrypted magstrip.
...
http://www.skyetek.com/readers_H1.html
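The difference between the "dumb" tag that just spits out its number and the "smart" tag that runs challenge response, as an added example that is not part of the original thread and not MasterCard's code: a reader that accepts a bare ID also accepts a played-back copy of an earlier exchange, while a reader that issues a fresh nonce rejects it. HMAC-SHA256, the class names, the key and the ID value are assumptions for illustration; the thread does not say which algorithm PayPass uses.

```python
import hashlib
import hmac
import secrets

ID_LEN = 8  # 64-bit tag identifier, the size quoted in the thread


class StaticTag:
    """'Dumb' tag: returns the same identifier to every reader."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id  # the challenge is ignored


class ChallengeResponseTag:
    """'Smart' tag: proves it holds a per-card key without ever sending the key."""
    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id = tag_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # HMAC-SHA256 is a stand-in for whatever a real card uses (assumption).
        return self.tag_id + hmac.new(self._key, challenge, hashlib.sha256).digest()


class Replayer:
    """Plays back one previously recorded response, whatever the challenge is."""
    def __init__(self, recorded: bytes):
        self.recorded = recorded

    def respond(self, challenge: bytes) -> bytes:
        return self.recorded


class Reader:
    def __init__(self, card_keys: dict, require_proof: bool):
        self.card_keys = card_keys        # tag_id -> key shared with the issuer
        self.require_proof = require_proof
        self.last_response = b""          # what a listener on the channel would capture

    def authenticate(self, tag) -> bool:
        challenge = secrets.token_bytes(16)   # fresh nonce for every transaction
        response = tag.respond(challenge)
        self.last_response = response
        tag_id, proof = response[:ID_LEN], response[ID_LEN:]
        key = self.card_keys.get(tag_id)
        if key is None:
            return False
        if not self.require_proof:
            return True                   # the bare ID is accepted as proof
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)


def run_demo() -> dict:
    tag_id = bytes.fromhex("0011223344556677")  # constructed sample ID
    key = secrets.token_bytes(32)               # constructed per-card key
    keys = {tag_id: key}
    static_reader = Reader(keys, require_proof=False)
    cr_reader = Reader(keys, require_proof=True)

    results = {}
    results["static_genuine"] = static_reader.authenticate(StaticTag(tag_id))
    results["static_replay"] = static_reader.authenticate(Replayer(static_reader.last_response))
    results["cr_genuine"] = cr_reader.authenticate(ChallengeResponseTag(tag_id, key))
    results["cr_replay"] = cr_reader.authenticate(Replayer(cr_reader.last_response))
    results["cr_id_only"] = cr_reader.authenticate(StaticTag(tag_id))
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:15s} accepted={accepted}")
```

The replay is rejected only because the reader picks a new nonce each time; a reader that reused or predicted its challenges would accept the recorded response again.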
RFID war-frottage anyone?
Are there any documented cases of Mobil Speedpass RFID's being stolen and cloned? I do recall reading a slashdot story about a product that could be used for this purpose.
There are already millions of these out, and the infrastructure for using them has already been in place for years (at least in my neck of the woods).
Chip and PIN as it's called here in the UK, where you will HAVE to type in your PIN every time you use your card, will drastically reduce fraud/theft from stolen or lost cards. For one thing, you can't forge the number (not visible on the card), whereas a signature is easy - it's shown on the card so any fool can copy it after a couple of practice attempts. Signatures aren't checked (I write my own signature quite badly sometimes and it's not even looked at) but entering a PIN means that a check will be made 100% of the time. I don't think it's a hassle to have to remember your PIN - you have to do it to get cash out of a machine, so why not for a credit card? In fact my card (a 'debit' card) is used for both purposes so I have to remember the number anyway. Counterfeiting may cost us little as a percentage game, but, like a plane crash, it's when you are personally affected that it hurts, so I'll go with entering a PIN if it reduces the risk of me losing all my cash if someone else gets hold of my card. The card companies can use the money saved on fraud (which they guarantee to give back to the customers to cover any losses if your card is abused) and use it for the Chip and PIN scheme. And before anyone says 'well if they cover you you'll never lose your cash', that's fine if you can wait (days? weeks?) until they refund the money into your account, not so good if you need that money 'right now'.
Watch my YouTube atheist video blog (user NickGisburne2000) for arguments against religion
It's nice to say "you have to be within one inch of the reader for the card to be read", but WHERE is this limit built in?
Even an inch is too much. Pickpockets often have a "bumper" who distracts the target so he doesn't notice the touch on his wallet. Now the pickpocket can lift your card information by bumping into you in a checkout line.
Then a little careful observation as you enter your PIN and your account is toast.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
This is exactly why it's wrong for stores to ask for ID. VISA prohibits it in their license. The stores do it to cover their own ass, not to protect the customer.
In Hong Kong, I was at the local equivalent of the 7-11 where I saw the people were just waving their wallets in front of a panel by the cash register. It turns out that they have something called the Octopus card. This is a short range RFID cash card that works much like a prepaid phone card. You go to an ATM-like station where you can purchase the card and/or add money to the card. If the card gets stolen, you lose the money on the card. Lots of people had it, and it made the line at the store FLY. It must have been 3 times as fast as "normal".
The possibility of electronic pick pocketing is interesting, but at some point you have to convert the codes into money. A criminal would look very suspicious then. (unless they also owned a 7-11.... HMMMM)
Dr. Null
Will I get double charged if I have two Mastercards? If I only get charged once, won't I have to tell the cashier which one to charge? And to do that, I would have to take the card out of my wallet which defeats the whole convenience angle of having it in the first place.
Um, it's still a hassle to call them up, get the charges taken off, etc...
It's also bad for the credit card company which then has to clean up the trouble.
Tom
Someday, I'll have a real sig.
This in no way makes it "safe". The entire problem with radio is that all you need to hear something further away is a better antenna. WiFi only usable 100 feet away? Fine, strap on an 18dbi antenna. Can't hear the pulsing of that quasar? Fine, use Arecibo.
There is no 'power boost' needed, just bigger ears...or more directional ears (same difference).
Oklahoma.
Maybe you should also mention that is for a motorcycle's tank of gas too.
It's known as 'Express Pay'. Mobil gas stations had it even earlier than that for gasoline purchases. They called it speed pass.
Mastercard finally gets it and NOW you all are concerned?
IMZombie
How about improving that 5 - 10 second delay required to authorize the card over the network/dialup and getting rid of that signature BS that no cashier ever checks. Those are the real bottlenecks to the transaction, not the swiping itself...
What about those degaussers (I believe they are degaussers) they have at most retail stores to deactivate the antitheft device tag? (You know, inside CDs, DVDs, etc.) Why is it that when a corner of my card was once dropped on the pad by a retail clerk for a second or two, the card was immediately unusable and needed replacement? Answer? There was a very strong magnetic field that demagnetized that portion of the strip. I agree that it would be unlikely or difficult for an ambient field to degauss your cards - or that the chances of someone maliciously walking by with a degausser with the intent of rendering your cards unusable are slim to none. But I'd think about buying a Faraday wallet just so my cards don't get zapped due to an accident that is entirely possible.
At least it is the same as smart cards were going to be implemented in the US initially. There were essentially two accounts and you had to manually move money (credit) into the smart card side from the magstrip side.
The reason for this is that the smart card side was fully automated. For example, you were going to be able to put your card in a pop machine and get a Coke without signing anything or any human around to verify you weren't scamming by using a cloned or borrowed card.
Also, the Smart Card side worked without any phone call involved. This also makes fraud detection problematic, as machines weren't going to report their charges until the stocker came by to refill them.
I don't know why all this got killed, but now that we have cellular up and running and cellular data transmission, it's not as important to be able to clear credit charges without a data transaction.
Ever been on the paris metro or Tokyo subway.
One inch is a dream you'll never realize.
If Wal*Mart can save an average of one second of cashier time per customer,
And concern over whether or not the security of the customer is compromised, or threatened, is certainly NOT the number one priority.
Is this the value that must rule our lives?
It's what led to the airlines' sloppy security measures before 9-11: making security and safety more effective was just too INEFFICIENT and TOO COSTLY, WHAA-WHAA, WHINE-WHINE. So security was lax and compromised, so its 'cut into profits' would be minimized.
Gee, ain't capitalism terrific?
And don't get me started on the protective measures passed by our (?) representatives in Congress who jumped to prevent the airlines from being sued. Heaven forbid that the airline executives might ever be held responsible for their management mistakes!
If EVERYTHING in life must take second place to the 'making of money', then what are we left with: Would you pimp your own sister so you can buy gas for your SUV?
The GOP's morals and ethics: all bullshit, all the time.
Why doesn't anyone seem to realize that this means nothing good and potentially a bit of bad?
:) I won't even touch on the possibility of duplication of both based on insecure storage. Authentic online/phone orders not possible.
You have magnetic-stripe cards now. They contain the information necessary to identify the account of the card owner.
If you move to RFID-based cards, they will (*GASP*) contain the information necessary to identify the account of the card holder.
That doesn't, in either case, mean that the person actually presenting the card for reading *IS* the account holder. The same merchant negligence issues apply. See: not checking signature or ID, insecure storage methodologies (e.g. keeping customer card information in a batch queue until it's sent, paper/data trails, etc).
Solution: Implant the cardholder with an RFID chip of their own and cross-check.
Drawback: I don't imagine many people would accept this as a plausible solution. I sure as hell am not going to have ANYTHING implanted in me unless it's a shot to prevent a disease or to have my blood drawn
Solution: Have another card or driver's license with RFID and cross-check.
Drawback: Duplication based on insecure storage OR Someone could just freaking steal both of them at the same time and physically use them. Authentic online/phone orders not possible.
Solution: Same as above except force merchants to check "the other card" or driver's license PHOTO.
Drawback: Merchants in high-volume sales locations will get lazy VERY fast and not do it. Photos can be duplicated and inserted. Not possible for authentic online/phone orders.
WORKING SOLUTION:
Do not tie credit information to SSNs anymore. Instead, assign everyone a Currency/Credit ID. In a centralized location, have the IDs securely tied to a strong public key-based encryption scheme. Use the key system to generate a working end-to-end encryption system. Require a combination of a matching fingerprint or retina scan along with a passphrase WITH COMPLEXITY REQUIREMENTS that the consumer MUST just freaking remember. None of this "oh, I forgot" crap with convenience loopholes at the merchant location. Require the passphrase to be entered within a certain amount of time at the merchant location, and do not allow for entry to be cancelled. Even if the consumer wants to cancel the transaction, they must enter the passphrase unconditionally to do so. The penalty for entering a passphrase incorrectly two times OR not within the amount of time allowed OR failing to provide the proper retina scan/fingerprint match along with the passphrase will result in the passphrase being invalidated. At that time, the consumer will have to go to a CCID service center and have their retina/fingerprint/photo identity verified with the information on file and provide a new passphrase. The penalty for attempting to defraud the system intentionally is life in prison (deterrent).
Drawbacks: Cost to merchant, cost to financial institutions, cost to gov't (and ultimately consumers) and the following, which is very important:
IF someone wants to commit fraud, they will. They will find a way. Merchants can leak information such as retina scan matches, fingerprint images, passphrase and keypair data, and photographic information to the hacking community at large, who will invariably find a weakness and exploit it.
One final point that overshadows and provides direction to all of my points: The current credit industry is based on profit, loss, risk, and mitigation. They expend a certain amount doing background checks on new applicants, a certain amount on equipment, a certain amount on fraud prevention, a GREAT amount to successful fraud and delinquency, a GREAT amount on chronic delinquency/writeoffs, and a buttload on other things that aren't relevant to this post.
The credit industry is still just that - an industry. They're a business. They make decisions based on that ever-present bottom line
Don't know whether it's new, of course... but I did figure only sociopathic punsters like me would notice it.
Seeing bad movies only encourages them. Watch responsibly
Assuming this technology is similar to the popular HID cards used for security, then it's a combination of both. The reader is just a low-energy field at a particular frequency. The card has an inductor coil wound around the inside, connected to a small RF emitter with a 48-bit ID number (at least for HID, I would assume that number will be larger eventually).
When the coil passes through the specific frequency field that the reader is generating, it causes enough charge in the coil to send the ID in a burst to the reader. The larger the field, the further away they will work, however. This technology is being used in cars for auto-toll paying and such, which has a range of several feet, and some larger readers are stationed on either side of a doorway to read the cards of everybody passing through.
That is some hot shit. Got any more?
When you hand your card to the cashier, anybody -- and I mean anybody, particularly the cashier -- with a decent memory, or even just a piece of paper, can glance at the number and jot it down. If you're really worried about this, you'd be really worried about cashiers as a potential source of credit card fraud -- they, after all, get to see the number whenever they want. Especially in places where the number is on the receipt, what's to stop a dishonest cashier from just taking a receipt? Pretty much anybody, including a would-be thief, can get a job in a grocery store accepting credit cards. Let's be real, people. Or, for that matter, the guy behind me in line with a concealed digital camera. The possibilities for visual credit card data theft are basically endless.
On the other hand, waving my wallet over the RFID reader, never taking the card out, now that's secure! Particularly if the system offers some sort of data encryption, which would make the credit card end hard to fake (that, I imagine, is the primary security concern -- spoofing stolen numbers).
Also, let's remember folks: these are credit cards! Has anybody else ever been the victim of credit card fraud? (I have -- by a dishonest sales clerk at the Gap! They caught the bitch, though). When your card is declined and your statement shows $12,000 in charges to Tiffany's jewelry online, you just call up MasterCard and report it. They cancel your card, start an inquiry. As long as they figure out that it's really fraud, you are COMPLETELY off the hook. It's all on the credit card companies.
Honestly, I don't think the RFID switch really makes fraud easier. If it did, it would certainly be against the best interests of the credit card companies to introduce it -- after all, the liability is all on them. This really, perhaps unlike Wal-Mart, is an instance of customer convenience.
Statistically speaking, there's a 99.998% chance that my IQ is higher than yours. Get over it.
There's a simple workaround for security (situation posed was: hack3r walking around mall with portable 'scanner') ... if the RFID device you're carrying is a key fob or card or something, incorporate a spring-loaded slide switch. You frob the switch when you want the thing to be read. When read, let go and it disables the device.
Or take a clue from that USB key that includes a fingerprint scanner to activate/unlock it. Put your finger on your RFID fob/card/whatever to enable it.
They don't expect it to be secure. Not only that, but it doesn't need to be. They could track all of the RFIDs from a network of ground antennas or sats or both. When they see two cards of the same type in existence they will simply go to both locations and arrest the imposter card. Can you say 1984?
How long before everyone's driver's license has one?
"If any question why we died, Tell them because our fathers lied."
hahaha, that's great stuff
Who is asking for this? I hardly doubt it's the consumer. Average Joe consumer doesn't care a rip.
This to me sounds like an invention without a purpose of benefiting a consumer - so why waste the money developing it.
Unless of course there is another ulterior motive - i.e. tracking in general. Seems like people freak out about the possibility of RFID on products they buy, but would they if it was tied to *security* of their accounts... Maybe not and if so, how very sad...
Network/telecommunications is much cheaper and widely available in North America than smart cards.
Very little smart card payment processing technology has been actually implemented as well.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
According to the Mastercard site, the RFID tags will carry exactly the same information as the magnetic strip. And while these cards may indeed return encrypted information, there is no challenge/response system. That's just not how they work. When you broadcast the correct radio frequency close enough to these tags, they just resonate and play back (over radio waves) a predetermined string, encrypted or not. If you have a matching reader at your disposal, you have the means to read every RFID within range. Where would you get such a reader? Why, you could steal one, buy one at a distressed business auction, or open a small store and order one from Mastercard. Think of the RFID tag reader just like the magnetic stripe reader, but you don't have to do the "swipe."
Sometimes I worry that I'll develop Alzheimer's disease, but no one will notice.
ttt
"There is nothing more frightful than ignorance in action." Johann Wolfgang von Goethe
Actually, there are smart RFID cards. Check out the HID iClass cards, which are read/write and offer encryption and mutual authentication. I would hope that MC plans on using something like this.
...
hello
If you implant RFID tags into people as well as in the cards, so both must be present before the card would work, it may help with theft by walk-by card scanning!
jmho
my rfid tag number is 666
So, tell me, how well can the typical Wal-Mart employee tell the difference between a real ID and a fake ID? If someone steals or dupes my Credit Card or ATM card and steals my PIN, whatever, and you card them and they have an ID that says it is me, but has their picture on it and not me, how can you tell? They can even dupe holograms now.
:)
Next I suppose you will tell me there has to be a thumbprint or retina scan ID to verify they are who they say they are.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Can they create modified RFID tags that require pushing a button on the card or say placing your finger in a spot that completes a circuit? That way no one could steal the info because the RFID is off without the circuit, and you could use the card when you want by just completing the circuit.
Possible?
Party at O'zorgnax's Pub! Buy me a Slurmtini aye?