Slashdot Mirror
RFID MasterCard
starburst writes "MasterCard introduces a
RFID MasterCard called PayPass in Orlando Florida. They tout the convenience of no more swiping or giving your card to cashiers. They claim the card has to be within an inch of the reader to be read -- how long till criminals are walking the malls, or next to you in line with portable readers getting your card information?"
How about right now?
CARD-SAFE(TM) WALLET
"Protects Credit Cards And Other Valuables From EMF Damage"
The magnetic strip on your credit card can be damaged, even erased by exposure to strong magnetic fields. Ordinary magnets will do it, but so can less obvious sources such as anti-theft scanners in department stores or libraries, small electric motors, even speaker magnets (someone told us that electromagnetic harassment can be used to erase credit cards too)! This handsome black leather wallet is discretely lined with both RF and magnetic field shielding materials and offers excellent protection. Includes 2-compartment bill fold, 6-compartment credit card holder and change pouch, all shielded. Measures about 4" x 4½" when folded. Quality European craftsmanship, equally attractive for men and women.
ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
This would be better with a Smart MasterCard and a microswitch on the card.
The Smart MasterCard would exchange single-use credit card numbers a la Citibank's Virtual Account Numbers. That way the number would be useless as soon as the retailer has charged it, so that a bystander "sniffing" the information would not get anything of value.
The microswitch would simply allow you to control WHEN the card can be interrogated, so that passersby can't much with it. You'd squeeze a spot on the card when you held it up to the retailer's reader, and thereby allow the transaction.
The power does come from the reader in the form of a low frequency, unmodulated RF signal (a sine wave) around 140 kHz (a very, very low frequency). An antenna on the RFID chip absorbs this RF energy into a capacitive component and the energy from each pulse of the low frequency "Activates" the chip to emit its information on a higher frequency (varies, from 400 MHz to 3 GHz, but mostly in the 400 MHz or 920 MHz bands, depending on the chip design).
The power with which the chip emits its information is dependent on the size of the capacitor on it, so feeding a higher "power beam" to it will not increase the output power.
However, RF energy decreases as the distance from the radiator increases (inverse square law), but does not technically (theoretically) go away completely at any distance from the radiator. If your subversive reader had a higher-gain receiving antenna than the official reader, then you would be able to read the data farther away than one inch.
Note that RFID chips have come a long way since the beginning and now can perform whole two-way transactions during each pulse of activity. The devices could implement a challenge-response type of authentication. The chip sends a string, the reader encrypts it with the secret code, and sends it back to the chip which checks to see if the string is encrypted correctly. If it is, then it sends the data (also enrypted) to the reader, all in one pulse from the "power beam".
While nothing can be totally secure AND also accessible to everyone, the challenge-response system is practical and effective (some mail servers use it so you can log into your mail server over an unencrypted channel without revealing your password).
A couple of banks in the uk trialed this and apparently cut fraud by a significant amount.... but they stopped it due to cost I believe.
I recently spoke with an RFID engineer about how easy it is to read RFID tags. Basicaly, the readers are very sensitive to the position of the tag, as well as distance. Move the tag out of the ideal plane for the antenna and it becomes unreadable. Sheild it and the reader must be much closer to read it. Great technology for tracking shipments - anything that takes away people entering data via a keyboard and replaces it with people holdining recievers to spots on containers should help greatly reduce tracking errors - as well as allow shippers to track temperatures, if a container has been openned, etc.
OTOH, what makes things easier when you can train a person to perform a task in a set way is not always better for mass consumption. Look at how often people have to reswipe cards becuse they put the strip on the wrong side of the reader - no imagine someone trying to align the RFID tag with a reader - all you've done is replace one motion with another. Mobil (ExxonMobil - the Mobile is silent) has SpeedPass - which never really caught on - that is esentially the same idea. They tried to push it for fast food purchase as well - ever see a SpeedPass enabled drive through? Which brings up th eissue - how much will it cost for companies to replace/upgrade existing readers to handle the new cards? Without a lot of cards, there's no incentive for companies to spend the money. Without readers, why have the card?
I've had one CC strip go bad - and all the clerck did was key in the info - this RFID idea sounds like a solution to a non-problem. Now, if they could add a biometric reader that required my thumb on the card to validate it - and it read the first thumb placed on the card as the right one when you get the card, then I'd be interested.
A switch that activates the tag sounds neat - but now I must not only get the RFID tag close to the reader but hold the card in a special way - forget it - not to mention some people may have trouble doing that due to physical constraints.
I'm a consultant - I convert gibberish into cash-flow.
I have seen a boosted reader read a card (which has this magical "2 centimetre" reading distance) several metres away. It was an experiement, and the reader emitted so much energy that it certainly wouldn't pass any certifications but I strongly doubt criminals care about that.
You could quite easily set such a transmitter up in a window overlooking a busy street, and you will be able to scan most people that pass by.
So, to answer your question. The reading distance mostly related to the power of the transmitter. The card itself cannot determine how far away the reader is.
That said, I would assume that MasterCard uses smarscards for this. The card would actually perform a cryptographic signature check using some form of challenge response algorithm. This prevents anyone from reading your card number, but it won't protect against a malicious store charging customers passing by on the street outside his store. :-)
If they work exactly like a magnetic card, only sending the number on the card (like most rfid-based key cards do) then they are plain stupid.
Which bit are you referring to - the photo part? Because point-of-sale PIN number entry is currently being rolled out nationwide here in the UK - there was a trial period and now they're going live.
Nokia also announced recently they have software & hardware that can turn your cellphone into a tag reader.
Wonder how long until the later gets "improved" upon by "outside independent researchers", the kind of dudes who wear darker colored chapeaus.....
WRONG!
You are protecting Walmart. I'm not liable for fraud. Walmart and the CC company have to eat it. You probably didn't understand this, but you are the clueless one.
I also get very angry when people as for ID, but only if it's a store that doesn't ask 100% of the time. Asking based on streotypes drive me nuts. I used to shop at Target and only got carded the one time I complained about something. When I asked why I was being carded I was told it was policy to card everyone. When I asked why I'd never been carded before, there was no answer. That's what makes people pissed off. CompUSA and Fry's card everyone. I have no problem with that and normally hand bother cards over together. I've never been carded at Walmart, so I'd be very mad when you carded me.
I noticed you that you said you frequently asked for ID. You are the kind of asshole I hate. Who did you card? Poorly dress people? Blacks? People with accents? Cute girls?
Asshole.
I allways go ahead and swipe my card and enter my pin before the cashier is done scanning my stuff, this way all I have to do is hit "yes" once their done, so this takes like .5 seconds which I would say is even more efficent than cash.
...
No... just because their passivly powered dosen't mean they can't process data, there are dumb and smart prox cards. A smart prox card has RAM and a processor insted of just ROM, and the processor is powered off of the magnetic field the antenna picks up. Here's an example of a smart prox card: hID iClass
...
In that case, the RFID chip would still only output it's regular power, since the capacitor in it has a limited capacity. There would be no way to get the RFID chip to emit more power than it was manufactured to.