RFID MasterCard

starburst writes "MasterCard introduces a RFID MasterCard called PayPass in Orlando Florida. They tout the convenience of no more swiping or giving your card to cashiers. They claim the card has to be within an inch of the reader to be read -- how long till criminals are walking the malls, or next to you in line with portable readers getting your card information?"

How long?

[Mononoke]

How long until I can buy a wallet with a woven copper grid liner?

Re:How long?

[Beautyon]

How about right now?

CARD-SAFE(TM) WALLET

"Protects Credit Cards And Other Valuables From EMF Damage"

The magnetic strip on your credit card can be damaged, even erased by exposure to strong magnetic fields. Ordinary magnets will do it, but so can less obvious sources such as anti-theft scanners in department stores or libraries, small electric motors, even speaker magnets (someone told us that electromagnetic harassment can be used to erase credit cards too)! This handsome black leather wallet is discretely lined with both RF and magnetic field shielding materials and offers excellent protection. Includes 2-compartment bill fold, 6-compartment credit card holder and change pouch, all shielded. Measures about 4" x 4½" when folded. Quality European craftsmanship, equally attractive for men and women.

Photo and PIN on Cash Card / Credit Card??

[justinmc]

If my photo had to be on my Credit Card and also I had to enter a Secret PIN to use it - would that stop a load of Credit Card Fraud??
If I am at the store, they compare my photo to me?
However I guess some people would not like carrying an ID card (which it could make the Credit Card?) around with them??
Just my two bits (0&1)

Re:Photo and PIN on Cash Card / Credit Card??

[Elvisisdead]

In my case, on the back of every card I carry is emblazoned, "ASK FOR ID !!!" in red sharpie-induced print. Someone asks me for ID maybe 20% of the time. The percentage jumps to around 50% for those who actually look at the back of the card.

It doesn't matter which technology is used (a magnetic strip or an RFID tag). Without authentication of a valid user, the situation won't improve.

Re:Photo and PIN on Cash Card / Credit Card??

[Radon+Knight]

If my photo had to be on my Credit Card and also I had to enter a Secret PIN to use it - would that stop a load of Credit Card Fraud??

It's interesting that you suggest this scheme. Over here in Europe, several countries have started using/requiring PINs to be entered for all credit card purchases. They claim that since this scheme has been implemented, credit card fraud has fallen markedly.

Personally, I have somewhat mixed feelings about it. Credit cards have - until now - always been safe, emergency financial fallback. As long as you have your card (and haven't hit the limit) you can use it to get yourself out of any bind: buy a ticket, buy a meal, pay for a cab. Now, even if you still have your credit card, if you forget your PIN you're in a world of hurt. ("So, don't forget your PIN, dummy!" Yeah, I know. But no one ever plans on forgetting their PIN.)

Re:Photo and PIN on Cash Card / Credit Card??

[dbc]

20% That high??? You are lucky. One friend of mine who for a time ran his own company doing very high priced ECAD software had this experience: He was entertaining clients at a pricey eatery -- the waiter quietly calls him asside and says: "Excuse me sir, but the name on this card does not match your signature" -- Indeed, it did not. The name was someone elses entirely -- not even close. (He settled the bill on another card without embarassment.) Turns out, about a month earlier, a salesmen and he had gotten their cards swapped by a waiter at some other resturant. They both went for *a solid month* of sales call T&E before this waiter caught it. They got to be well aquainted over the next two months as they sorted out their bills.

tin foil hat...

[millahtime]

time for a tin foil hat for my wallet.

mastercard, don't sue me

Tank of gas - $22.47
Pack of cheetos - $1.25
1 Liter of Mountain Dew - $1.50
Stolen card # via RFID - Priceless (or your max on the card)

Tell me I'm wrong

[Exiler]

I'm haven't read much on RFID tags, but I thought the power came from the reader, so the only thing that would have to be more powerful for the cards to be read from more than an inch away would be the reader, not the card.

Re:Tell me I'm wrong

[josecanuc]

The power does come from the reader in the form of a low frequency, unmodulated RF signal (a sine wave) around 140 kHz (a very, very low frequency). An antenna on the RFID chip absorbs this RF energy into a capacitive component and the energy from each pulse of the low frequency "Activates" the chip to emit its information on a higher frequency (varies, from 400 MHz to 3 GHz, but mostly in the 400 MHz or 920 MHz bands, depending on the chip design).

The power with which the chip emits its information is dependent on the size of the capacitor on it, so feeding a higher "power beam" to it will not increase the output power.

However, RF energy decreases as the distance from the radiator increases (inverse square law), but does not technically (theoretically) go away completely at any distance from the radiator. If your subversive reader had a higher-gain receiving antenna than the official reader, then you would be able to read the data farther away than one inch.

Note that RFID chips have come a long way since the beginning and now can perform whole two-way transactions during each pulse of activity. The devices could implement a challenge-response type of authentication. The chip sends a string, the reader encrypts it with the secret code, and sends it back to the chip which checks to see if the string is encrypted correctly. If it is, then it sends the data (also enrypted) to the reader, all in one pulse from the "power beam".

While nothing can be totally secure AND also accessible to everyone, the challenge-response system is practical and effective (some mail servers use it so you can log into your mail server over an unencrypted channel without revealing your password).

Really!

[_Sharp'r_]

How much more efficient is it really to put a card an inch next to a pad merchants will have to buy instead of swiping it through a card reader that already exists everywhere?

Look, the 5 seconds per month people will save with this aren't going to be worth the costs of embedding the RFID, so eventually this will go away based on simple economics.

Re:Really!

[Motherfucking+Shit]

How much more efficient is it really to put a card an inch next to a pad merchants will have to buy instead of swiping it through a card reader that already exists everywhere?

I really have to agree here. "They tout the convenience of no more swiping or giving your card to cashiers." What the heck? Swiping my credit card is supposedly "inconvenient?" I don't think so. I can't remember the last time I shopped anywhere that I had to physically hand my card to a cashier, every retail store seems to have the self-swipe card reader. Swiping my own card takes, what, 2 seconds? Entering the PIN (if I'm using a debit card) takes another 2 seconds.

What's the "inconvenience" that RFID is trying to solve here? Why can't some company concentrate on making it faster for Ms. Soccer Mom to write her $300 check at the grocery store, when she's one of 4 Ms. Soccer Moms in line in front of me?

I agree, this is a solution looking for a problem, and it's going to die a quick death.

Dexit

[Chess_the_cat]

There's something similiar in Canada called Dexit. But it's not a credit card. It's a type of debit card with a $100 limit so if you lose it or anything you're not really out all that much. You can refill it anytime online, over the phone, or automatically from your account. It's used for fast food, candy, newspapers, whatever.

How secure?

[jayminer]

I think that's a make up on the current insecure credit card framework, which is hopeless. Credit cards are so propagated through the world, and it would be very costly (and disastrous) to build a brand new security mechanism so anyone can understand why MasterCard does such kind of show-off, without doing actually anything.

This quote is worth any comment:

"PayPass is guaranteed as safe and secure as all MasterCards."

Oh, then that gave me a very strong and confident feeling. (Read this as: secure my ass)

Better idea - 2 accounts in one card?

[cygnusx]

This card is not about RFID, it's about making card use in scenarios like drive-throughs easier. Also, it's currently limited to <$25 transactions currently according to the FAQ.

Assuming one likes the idea of small plastic transactions at all, I wonder if it wouldn't be a better idea to _combine_ 2 accounts in one card: one account for the higher-value mag-stripe, and an RFID account with a low credit limit that needs to be constantly replenished.

Obligatory Credit Card Fraud Quote

[Mad+Man]

"Now I've got enough money to build my robot. My girl robot. This is going to be the best prom ever."

how long...

[moviepig.com]

...how long till criminals ... with portable readers [get] your card information?

How long till plainclothes cops walk the malls carrying detectors that sense the self-incriminating probe of the would-be pickpacket?

Why don't they put some contacts on the card?

[Da+w00t]

The kind of contacts I'm talking about would be the ones that measure the resistance across two contacts a few mm apart, in order to use the card your finger(s) have to be on the contacts, otherwise your card doesn't send or receive RFID crap.

This is a Horrible Idea

[Mister+Transistor]

Once again, just because something can be done, it has been, totally without regard to whether or not it is actually a _good_ idea.

RFID's on personal ID's or credit cards have to be a security nightmare. How easy would it be to hide a collection device under a bus or train seat and collect ID's for a whole day or two?

Not to mention that a transmitter generates EM fields, which might be strong enough to erase your other mag-stripe cards in proximity.

RFID technology is now getting into the "buzzword" phase of electronic manufacturing/production, it's now cheap and common enough to start getting idiotic designers thinking "gee, wouldn't it be neat if we put an RFID in ...". The same thing happened to microprocessors in the mid-80's, and we started seeing truly idiotic applications, uP-based Toasters, Staplers, Golf Tees, etc.

History repeats itself once again.

Where is the security measure? (was: Re:How long?)

[beh]

It's nice to say "you have to be within one inch of the reader for the card to be read", but WHERE is this limit built in?

a) If it's the card itself (a "hacked" RFID that has a very weak response signal), we're on the "safe" side.

b) If it's in the reader (i.e. the reader sends out a weak signal, so that only cards within a few centimeters are capable to receiving to the signal), then we're in trouble.

Given - option B gives stores the "peace of mind", that they'll always read the "correct" card (i.e. the stores won't get in trouble for accidentally charging YOUR purchases to the guy next in line).

BUT - option B means, that crooks can use stronger readers that can scan your card from a few meters away (all that while the user thinks that even crooks need to make it to within an inch of their cards).

Before I'd go for such a card, I would most definetely like THAT question answered...

In theory it is the card vendors problem

[Coryoth]

I had my credit card number stolen - still no idea how. May have been random card number generation for all I know - I did nothing particularly unsafe (using your credit card at all is pretty unsafe). I was immediately contacted by my bank who were suspicious because the charges were (a) out of line with my current spending pattern (b) in a completely different country to my previous charges. I simply verified that no, I hadn't been to Spain recently, they faxed me some forms (basically just signing to say that no, the following charges were not made by me) and 3 days later my new credit card arrived by courier. everything else was handled by the bank.

In some ways I got lucky because the nature of the spending raised flags, and because my bank actually has incredibly good service. The catch is, it is up to the credit card companies to wear the cost of stolen cards etc. presuming you take reasonable precautions. If they want to embed easily readable RFID tags and have to cover a shitload of costs for easily stolen card numbers... well, more power to them. They'll be out of that business soon enough.

Jedidiah.

Smart and Subtle

[PetoskeyGuy]

I love the Shielded cap. All the benefits of an aluminum foil beanie, without the strange looks.

Mastercard is not stupid.

[stienman]

The people working for mastercard and other financial credit companies are as smart as we are, and they stand to lose millions in fraud if they don't secure their customer's cards.

I would be very surprised if the cards didn't have built in challenge/response cryptography to send the information. These cards are available now, and cheaply in bulk. Further, they would likely only contain a database link to the credit information which can probably be invalidated without changing the credit card number.

Of course, this means the bad guys only need to break one (or maybe a few) keys to gain access to everyone's card, but then they have to go around and collect them by hand.

The assumption that companies are stupid or lazy is actually based on the fact that they have to make cost/performance decisions. What seems stupid to us generally is cheaper including all the incidental and security costs. I doubt that the cost/performance ratio here would favor a 'stupid' solution.

-Adam

Clone Speedpass RFID?

[Aoverify]

Are there any documented cases of Mobil Speedpass RFID's being stolen and cloned? I do recall reading a slashdot story about a product that could be used for this purpose.

There are already millions of these out, and the infrastructure for using them has already been in place for years (atleast in my neck of the woods).

Even an inch is too much.

[Ungrounded+Lightning]

It's nice to say "you have to be within one inch of the reader for the card to be read", but WHERE is this limit built in?

Even an inch is too much. Pickpockets often have a "bumper" who distracts the target so he doesn't notice the touch on his wallet. Now the pickpocket can lift your card information by bumping into you in a checkout line.

Then a little careful observation as you enter your PIN and your account is toast.