RFID MasterCard

starburst writes "MasterCard introduces a RFID MasterCard called PayPass in Orlando Florida. They tout the convenience of no more swiping or giving your card to cashiers. They claim the card has to be within an inch of the reader to be read -- how long till criminals are walking the malls, or next to you in line with portable readers getting your card information?"

How long?

[Mononoke]

How long until I can buy a wallet with a woven copper grid liner?

Re:How long?

[Beautyon]

How about right now?

CARD-SAFE(TM) WALLET

"Protects Credit Cards And Other Valuables From EMF Damage"

The magnetic strip on your credit card can be damaged, even erased by exposure to strong magnetic fields. Ordinary magnets will do it, but so can less obvious sources such as anti-theft scanners in department stores or libraries, small electric motors, even speaker magnets (someone told us that electromagnetic harassment can be used to erase credit cards too)! This handsome black leather wallet is discretely lined with both RF and magnetic field shielding materials and offers excellent protection. Includes 2-compartment bill fold, 6-compartment credit card holder and change pouch, all shielded. Measures about 4" x 4½" when folded. Quality European craftsmanship, equally attractive for men and women.

Photo and PIN on Cash Card / Credit Card??

[justinmc]

If my photo had to be on my Credit Card and also I had to enter a Secret PIN to use it - would that stop a load of Credit Card Fraud??
If I am at the store, they compare my photo to me?
However I guess some people would not like carrying an ID card (which it could make the Credit Card?) around with them??
Just my two bits (0&1)

Re:Photo and PIN on Cash Card / Credit Card??

[Elvisisdead]

In my case, on the back of every card I carry is emblazoned, "ASK FOR ID !!!" in red sharpie-induced print. Someone asks me for ID maybe 20% of the time. The percentage jumps to around 50% for those who actually look at the back of the card.

It doesn't matter which technology is used (a magnetic strip or an RFID tag). Without authentication of a valid user, the situation won't improve.

Re:Photo and PIN on Cash Card / Credit Card??

[dbc]

20% That high??? You are lucky. One friend of mine who for a time ran his own company doing very high priced ECAD software had this experience: He was entertaining clients at a pricey eatery -- the waiter quietly calls him asside and says: "Excuse me sir, but the name on this card does not match your signature" -- Indeed, it did not. The name was someone elses entirely -- not even close. (He settled the bill on another card without embarassment.) Turns out, about a month earlier, a salesmen and he had gotten their cards swapped by a waiter at some other resturant. They both went for *a solid month* of sales call T&E before this waiter caught it. They got to be well aquainted over the next two months as they sorted out their bills.

tin foil hat...

[millahtime]

time for a tin foil hat for my wallet.

mastercard, don't sue me

Tank of gas - $22.47
Pack of cheetos - $1.25
1 Liter of Mountain Dew - $1.50
Stolen card # via RFID - Priceless (or your max on the card)

Tell me I'm wrong

[Exiler]

I'm haven't read much on RFID tags, but I thought the power came from the reader, so the only thing that would have to be more powerful for the cards to be read from more than an inch away would be the reader, not the card.

Re:Tell me I'm wrong

[josecanuc]

The power does come from the reader in the form of a low frequency, unmodulated RF signal (a sine wave) around 140 kHz (a very, very low frequency). An antenna on the RFID chip absorbs this RF energy into a capacitive component and the energy from each pulse of the low frequency "Activates" the chip to emit its information on a higher frequency (varies, from 400 MHz to 3 GHz, but mostly in the 400 MHz or 920 MHz bands, depending on the chip design).

The power with which the chip emits its information is dependent on the size of the capacitor on it, so feeding a higher "power beam" to it will not increase the output power.

However, RF energy decreases as the distance from the radiator increases (inverse square law), but does not technically (theoretically) go away completely at any distance from the radiator. If your subversive reader had a higher-gain receiving antenna than the official reader, then you would be able to read the data farther away than one inch.

Note that RFID chips have come a long way since the beginning and now can perform whole two-way transactions during each pulse of activity. The devices could implement a challenge-response type of authentication. The chip sends a string, the reader encrypts it with the secret code, and sends it back to the chip which checks to see if the string is encrypted correctly. If it is, then it sends the data (also enrypted) to the reader, all in one pulse from the "power beam".

While nothing can be totally secure AND also accessible to everyone, the challenge-response system is practical and effective (some mail servers use it so you can log into your mail server over an unencrypted channel without revealing your password).

Really!

[_Sharp'r_]

How much more efficient is it really to put a card an inch next to a pad merchants will have to buy instead of swiping it through a card reader that already exists everywhere?

Look, the 5 seconds per month people will save with this aren't going to be worth the costs of embedding the RFID, so eventually this will go away based on simple economics.

Re:Really!

[Motherfucking+Shit]

How much more efficient is it really to put a card an inch next to a pad merchants will have to buy instead of swiping it through a card reader that already exists everywhere?

I really have to agree here. "They tout the convenience of no more swiping or giving your card to cashiers." What the heck? Swiping my credit card is supposedly "inconvenient?" I don't think so. I can't remember the last time I shopped anywhere that I had to physically hand my card to a cashier, every retail store seems to have the self-swipe card reader. Swiping my own card takes, what, 2 seconds? Entering the PIN (if I'm using a debit card) takes another 2 seconds.

What's the "inconvenience" that RFID is trying to solve here? Why can't some company concentrate on making it faster for Ms. Soccer Mom to write her $300 check at the grocery store, when she's one of 4 Ms. Soccer Moms in line in front of me?

I agree, this is a solution looking for a problem, and it's going to die a quick death.

How secure?

[jayminer]

I think that's a make up on the current insecure credit card framework, which is hopeless. Credit cards are so propagated through the world, and it would be very costly (and disastrous) to build a brand new security mechanism so anyone can understand why MasterCard does such kind of show-off, without doing actually anything.

This quote is worth any comment:

"PayPass is guaranteed as safe and secure as all MasterCards."

Oh, then that gave me a very strong and confident feeling. (Read this as: secure my ass)

Better idea - 2 accounts in one card?

[cygnusx]

This card is not about RFID, it's about making card use in scenarios like drive-throughs easier. Also, it's currently limited to <$25 transactions currently according to the FAQ.

Assuming one likes the idea of small plastic transactions at all, I wonder if it wouldn't be a better idea to _combine_ 2 accounts in one card: one account for the higher-value mag-stripe, and an RFID account with a low credit limit that needs to be constantly replenished.

how long...

[moviepig.com]

...how long till criminals ... with portable readers [get] your card information?

How long till plainclothes cops walk the malls carrying detectors that sense the self-incriminating probe of the would-be pickpacket?

Where is the security measure? (was: Re:How long?)

[beh]

It's nice to say "you have to be within one inch of the reader for the card to be read", but WHERE is this limit built in?

a) If it's the card itself (a "hacked" RFID that has a very weak response signal), we're on the "safe" side.

b) If it's in the reader (i.e. the reader sends out a weak signal, so that only cards within a few centimeters are capable to receiving to the signal), then we're in trouble.

Given - option B gives stores the "peace of mind", that they'll always read the "correct" card (i.e. the stores won't get in trouble for accidentally charging YOUR purchases to the guy next in line).

BUT - option B means, that crooks can use stronger readers that can scan your card from a few meters away (all that while the user thinks that even crooks need to make it to within an inch of their cards).

Before I'd go for such a card, I would most definetely like THAT question answered...

Smart and Subtle

[PetoskeyGuy]

I love the Shielded cap. All the benefits of an aluminum foil beanie, without the strange looks.

Even an inch is too much.

[Ungrounded+Lightning]

It's nice to say "you have to be within one inch of the reader for the card to be read", but WHERE is this limit built in?

Even an inch is too much. Pickpockets often have a "bumper" who distracts the target so he doesn't notice the touch on his wallet. Now the pickpocket can lift your card information by bumping into you in a checkout line.

Then a little careful observation as you enter your PIN and your account is toast.