RFID MasterCard

starburst writes "MasterCard introduces a RFID MasterCard called PayPass in Orlando Florida. They tout the convenience of no more swiping or giving your card to cashiers. They claim the card has to be within an inch of the reader to be read -- how long till criminals are walking the malls, or next to you in line with portable readers getting your card information?"

Tell me I'm wrong

[Exiler]

I'm haven't read much on RFID tags, but I thought the power came from the reader, so the only thing that would have to be more powerful for the cards to be read from more than an inch away would be the reader, not the card.

Really!

[_Sharp'r_]

How much more efficient is it really to put a card an inch next to a pad merchants will have to buy instead of swiping it through a card reader that already exists everywhere?

Look, the 5 seconds per month people will save with this aren't going to be worth the costs of embedding the RFID, so eventually this will go away based on simple economics.

Re:Really!

[Motherfucking+Shit]

How much more efficient is it really to put a card an inch next to a pad merchants will have to buy instead of swiping it through a card reader that already exists everywhere?

I really have to agree here. "They tout the convenience of no more swiping or giving your card to cashiers." What the heck? Swiping my credit card is supposedly "inconvenient?" I don't think so. I can't remember the last time I shopped anywhere that I had to physically hand my card to a cashier, every retail store seems to have the self-swipe card reader. Swiping my own card takes, what, 2 seconds? Entering the PIN (if I'm using a debit card) takes another 2 seconds.

What's the "inconvenience" that RFID is trying to solve here? Why can't some company concentrate on making it faster for Ms. Soccer Mom to write her $300 check at the grocery store, when she's one of 4 Ms. Soccer Moms in line in front of me?

I agree, this is a solution looking for a problem, and it's going to die a quick death.

Re:Really!

[Richthofen80]

The inconvienece is that Magnetic card readers wear quickly and everyone gets mad at a multiple swipe purchases, or when it doesn't even work at all. At gas stations, where credit card is self-serve, its really convienent. Thats why mobil invented speedpass. so this is a speedpass for 'everywhere else'. I like it. anything that takes the cashier out of the equation so i can get on with my life instead of dealing with a snotty underpaid teen is a good thing.

They must think it's safe

[kirun]

From the site:

Your card never leaves your hand. And, of course, you get the same level of security that you've been accustomed to: $0 liability on unauthorized purchases and a receipt for every purchase.

If it's really possible to grab numbers from a crowd, this one could get expensive for them. You'd think they'd be smarter than that. But companies have messed up before.

Better idea - 2 accounts in one card?

[cygnusx]

This card is not about RFID, it's about making card use in scenarios like drive-throughs easier. Also, it's currently limited to <$25 transactions currently according to the FAQ.

Assuming one likes the idea of small plastic transactions at all, I wonder if it wouldn't be a better idea to _combine_ 2 accounts in one card: one account for the higher-value mag-stripe, and an RFID account with a low credit limit that needs to be constantly replenished.

Why don't they put some contacts on the card?

[Da+w00t]

The kind of contacts I'm talking about would be the ones that measure the resistance across two contacts a few mm apart, in order to use the card your finger(s) have to be on the contacts, otherwise your card doesn't send or receive RFID crap.

Re:Why don't they put some contacts on the card?

[SWTP_OS9]

Nice but everyone has a difference resistance... Some almaost non existant and others can short out anything.

Heat could do it.

Remember "Locks only keep honest people out."

This is a Horrible Idea

[Mister+Transistor]

Once again, just because something can be done, it has been, totally without regard to whether or not it is actually a _good_ idea.

RFID's on personal ID's or credit cards have to be a security nightmare. How easy would it be to hide a collection device under a bus or train seat and collect ID's for a whole day or two?

Not to mention that a transmitter generates EM fields, which might be strong enough to erase your other mag-stripe cards in proximity.

RFID technology is now getting into the "buzzword" phase of electronic manufacturing/production, it's now cheap and common enough to start getting idiotic designers thinking "gee, wouldn't it be neat if we put an RFID in ...". The same thing happened to microprocessors in the mid-80's, and we started seeing truly idiotic applications, uP-based Toasters, Staplers, Golf Tees, etc.

History repeats itself once again.

gee wiz factor...

"no more swiping or giving your card to cashiers."

riiight.... so they wont be checking your signature anymore? ok... so no mag stripe to wear out... (this has only happened to me once in 32 years) but i think they are forgetting the Keep It Simple rule.... complications without benefits. tech for tech sake. reminds me of the time a synth voice from the coke machine thanked me for my patronage...

Where is the security measure? (was: Re:How long?)

[beh]

It's nice to say "you have to be within one inch of the reader for the card to be read", but WHERE is this limit built in?

a) If it's the card itself (a "hacked" RFID that has a very weak response signal), we're on the "safe" side.

b) If it's in the reader (i.e. the reader sends out a weak signal, so that only cards within a few centimeters are capable to receiving to the signal), then we're in trouble.

Given - option B gives stores the "peace of mind", that they'll always read the "correct" card (i.e. the stores won't get in trouble for accidentally charging YOUR purchases to the guy next in line).

BUT - option B means, that crooks can use stronger readers that can scan your card from a few meters away (all that while the user thinks that even crooks need to make it to within an inch of their cards).

Before I'd go for such a card, I would most definetely like THAT question answered...

Magnets!

Thats a lie. It takes a moving magnetic field several times that of the earth to erase a magnetic strip.

Strong magnets, sure. But ordinary ones? No way.

Re:Photo and PIN on Cash Card / Credit Card??

[Radon+Knight]

If my photo had to be on my Credit Card and also I had to enter a Secret PIN to use it - would that stop a load of Credit Card Fraud??

It's interesting that you suggest this scheme. Over here in Europe, several countries have started using/requiring PINs to be entered for all credit card purchases. They claim that since this scheme has been implemented, credit card fraud has fallen markedly.

Personally, I have somewhat mixed feelings about it. Credit cards have - until now - always been safe, emergency financial fallback. As long as you have your card (and haven't hit the limit) you can use it to get yourself out of any bind: buy a ticket, buy a meal, pay for a cab. Now, even if you still have your credit card, if you forget your PIN you're in a world of hurt. ("So, don't forget your PIN, dummy!" Yeah, I know. But no one ever plans on forgetting their PIN.)

Mastercard is not stupid.

[stienman]

The people working for mastercard and other financial credit companies are as smart as we are, and they stand to lose millions in fraud if they don't secure their customer's cards.

I would be very surprised if the cards didn't have built in challenge/response cryptography to send the information. These cards are available now, and cheaply in bulk. Further, they would likely only contain a database link to the credit information which can probably be invalidated without changing the credit card number.

Of course, this means the bad guys only need to break one (or maybe a few) keys to gain access to everyone's card, but then they have to go around and collect them by hand.

The assumption that companies are stupid or lazy is actually based on the fact that they have to make cost/performance decisions. What seems stupid to us generally is cheaper including all the incidental and security costs. I doubt that the cost/performance ratio here would favor a 'stupid' solution.

-Adam

Re:Convenience

[Ctrl-Z]

You would still need to take the card out for signature validation.

Clone Speedpass RFID?

[Aoverify]

Are there any documented cases of Mobil Speedpass RFID's being stolen and cloned? I do recall reading a slashdot story about a product that could be used for this purpose.

There are already millions of these out, and the infrastructure for using them has already been in place for years (atleast in my neck of the woods).

Even an inch is too much.

[Ungrounded+Lightning]

It's nice to say "you have to be within one inch of the reader for the card to be read", but WHERE is this limit built in?

Even an inch is too much. Pickpockets often have a "bumper" who distracts the target so he doesn't notice the touch on his wallet. Now the pickpocket can lift your card information by bumping into you in a checkout line.

Then a little careful observation as you enter your PIN and your account is toast.