Visa To Push Swipeless Credit Cards
BobPaul wrote in to mention an initiative by Visa to allow for swipeless credit card transactions. From the article: "...consumers need only wave credit and debit cards within a few inches of a reader to complete a purchase. And for purchases of less than $25, no signature is required...Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted". Update: 02/25 16:06 GMT by Z : References to RFID technology removed.
It is secure. They're using SHA-1 hashes.
Especially since it would be easy enough to wave an RFID reader at people's purses, back pockets, etc. At, say, $24 each, in a large crowd, you could amass quite a bit of money, and many people would never know it happened.
How am I supposed to fit a pithy, relevant quote into 120 characters?
This is a contactless credit card, ISO 14443. RFID is ISO 15693. They are different. The article never mentions RFID. Slashdot has inserted something that was never there. This is misleading, dishonest, and unprofessional. There are MAJOR DIFFERENCES between the technologies. You would think that a techie site like /. would know better.
Lasers Controlled Games!
to have the sales folks in a store be able to read the info, check your limit, and in *MY* case, simply leave me alone while i browse, since i'm always broke anyway and don't like to be hassled whilst i look at stuff i can't buy!
Yes, it's a joke.
And now a thief doesn't have to guess PINs. It will be enough just to steal a card!
From TFA:
Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted, a key security feature, he said.
What protects consumers from fraudulent merchants waving some kind of electronic cash-sucking wand by your back pocket which contains your wallet which contains your RFID Visa card? There's no mention of this in the article at all!
It's a standard scam now for an unscrupulous merchant to charge millions of people a small amount of money fraudulently with the hopes that the vast majority won't even notice. Imagine what they will do when all they have to do is walk around a mall waving something at people's purses and back pockets!
I'm a big tall mofo.
What the hell kind of stupid idea is that? People aren't gonna go for that... Will they?
someone comes up with a phony reader? No longer will people have to steal cards to make fraudulent charges! Just make you walk by a reader and voila! you have a $25 charge on your card.....
BP http://www.card-central.com
I've always wanted an excuse to carry around a wallet made of tinfoil.... it'll match my hat, and my under.... I mean socks....
Mobil gas stations give you a little RFD dealie to authorize gas purchases at the pump and other purchases in the store. They've done this for years.
All Visa is moving the RFD dealie from a little wand on your keychain to the card.
The referenced article says that Visa and other credit card companies are looking at this technology to make it easier for card holders to use the cards for small purchases. If enough legit small purchases are made these credit card companies will make more money but will that reduce their overall exposure to fraud? Will these additional funds that run through my credit card make the card cheaper (lower or no annual fees and lower monthly interest rates)? It will be interesting to see how no fee and low interest rate Visa and MasterCard offerers adopt this.
Anyone who has never made a mistake has never tried anything new.
Seriously. IT DOES NOT MENTION RFID ANYWHERE IN THE ARTICLE. Just so y'all realize. Why is slashdot so anti-RFID, anyways? Are you guys anti-barcode? It's just a longer range barcode. And the chipmaker can set the length. It's just a way to get small amounts of information into a computer. Relax.
And, I'm inclined to listen to visa a little bit when they say their card is secure. I mean, they are not exactly a company that can win by skimping on security. If the system is hacked, they pay, not you.
Recursive (adj.): see 'Recursive'
The Magstripe on my card is constantly wearing out, so I think this is a good use of technology.
I would hope they sufficiently range-limit the devices, and send a security pamphlet along with the card recommending a foil-lined wallet. Even if the cryptography is sound (How do we know without peer review?) preventing access to the device is the first line of defense.
So, when Wal-Mart incorporates this technology, can I just have the bag containing the stolen card near the reader to purchase my illicit goods? And *IF* I am questioned about it, I can say that I didn't know it was in there, and I thought it was going to read my REAL card.
Also, does this mean that around the holidays in the mall, I won't have to hand the card over along with my driver's license?
"No, you don't need my ID, ma'am. Don't you know those cards can't be faked? It's completely secure. Yeah, I heard about it on the news, too. Never need to see my ID again. Completely safe. Don't forget to put that $1,235.65 on "credit", okay?"
And while the article says there is a code that can't be re-used for other readers, won't a signal jumper (the ones used to grab car alarm frequencies) still be able to get the 16 digit card number, plus exp. date?
Yeah, sending important financial data through the air sounds like a great idea. To the tech savvy, this is the same as screaming the numbers to the woman behind the register. Would you do that?
There are no gods but ourselves.
and something tells me that Zonk should stick to games and stay off the front page. This is classic FUD.
Lasers Controlled Games!
Tired of having to swipe and sign every time you use a credit card?
I haven't signed for a purchase in a long time, except once in a restaurant. Everything is chip and pin now. You can just stick your card in the reader, enter your pin, and be done. Something you have and something you know, at least it is two items of security.
Surely this contactless card will simply turn it to something you have being a requirement, making trivial theft very profitable.
Are Americans so lazy that they can't hand over the card to the cashier to swipe/insert into the chip reader?
All this looks like to me is credit card companies trying to generate a new revenue stream by getting existing merchants to pony up for the new technology required to use this system.
Is it really so hard to swipe your card through a reader as you checkout? Does Visa really think people are so lazy that swiping a card is too much work?
This is an example of technology being used simply because it exists. This adds ZERO value for the consumer and opens up huge security holes. Who believes for one second that this technology is actually 100% secure?
I guess we're supposed to be reassured by the quote from the Visa rep in the article reminding us that there is no consumer liability for fraud.
I can only imagine what is going to happen if they roll out debit/checkcards linked to actual bank accounts with this technology!
In Soviet Russia, credit cards wave you!
once someone figures out how to bypass the code, all they need to do is walk by you to steal your card. and besides, how lazy do you have to be not to take out your card and swipe it? seriously: 1) take card out 2) swipe. wow, that was so hard, i need to create an elaborate method so that i don't even need to move my fat ass anymore.
Witness the return of the tinfoil wallets!
Fortunately I already had them patented. [insert maniacal laughter here]
Just
So now instead of someone having to take my wallet to steal my credit card they can just walk by me with a contactless reader?
hack a day
RFID and Visa, for when it's too much effort to slide your card, you can just wave it around!
Pretty Pictures!
Hopefully not as easy as stopping payment on questionable charges to the account. The advantage of online progressively-updated statements becomes infinitely greater here; you'll have to check your statements every WEEK if it gets bad. Genuine cowhide is out, 100 mil thick aluminum is in!
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
what if someone waves a reader a few inches behind my butt?
Why do I need a contactless transaction? What is so hard about running my card through the slot in the terminal?
When I first moved to the UK from Norway five years ago, the first thing that annoyed the hell out of me was having to sign when I used my cards instead of just entering a PIN. Now signatures are rapidly being phased out here as well. I'd happily get rid of having to insert my card in the reader, as long as the PIN is still required.
Scammer: "Could you step over here and read this number for me, I need to get new glasses or something." .... Yeah this is tiny print..."
Unsuspecting stooge: "sure, your total is
Scammer: "maybe you can read it from a little closer"
Unsuspecting stooge: "...$598. And it looks like your credit card was just approved too."
Scammer: "Oh, thank you very much."
Unsuspecting stooge: "You're welcome"
3DES is cracked. ;)
Proud Rememberer of the BBS Days.
Tracking down online transactions isn't necessarily so trivial or likely to happen.
It's not wasting time, I'm educating myself.
"And for purchases of less than $25, no signature is required."
;)
Does anybody in N. America check signatures? They hardly seem to look at my cards. I have a friend who wrote "See ID" on the signature strip of their card and it took four months before she had a request. Having emigrated from the UK, I really notice this. Over there they seem to make more of an effort, hold on to the card for longer and really compare it against the signed receipt. On many occasions in the UK I've been asked to resign things. In fact, I was once chastised by a cashier in Sainsburys in Norwich and told to stop being so lazy and make more of an effort! You see my signature had deteriorated in to a squiggly line that barely even resembled the signature on the card.
Besides, doesn't anybody else find those signature strips hard to sign? They don't have much height, and the surface seems to "write differently". It's nigh on impossible to put a good approximation of my signature on it! Furthermore, I think the only way to tell a signature isn't faked is because every one is different so it shouldn't be identical to the one on the card!
Given that it is dead easy to forge a credit card now this probably will be better.
My newspaper still reports cases where an unscrupulous employee at a gas bar or cafe swipes your card twice; once for the transaction and once in his own reader to steal your number. Apparently there are still places where you can buy thousands of credit card numbers. This has to be better.
The 'encoding' scheme reminds me of a chip sold by the people who make the PIC (Microchip). I think it is called KeeLoq or something like that. It sends a different code every time it is used. I haven't heard that it has been seriously compromised.
Anything can be stolen and I'm sure we can all think up a way to get all the gold from Fort Knox but at some point the hassle involved keeps it from happening. Remember; locks are for honest people. (but we still use them because it makes life inconvenient for the crooks.)
It will be presented better in the dupe later today.
What keeps me going is my inertia.
Please excuse me while I get this personal pet peeve off my chest.
WHY, do companies and stores think that NOT showing ID when using a credit card/debit card is something that people would want?
I don't sign my cards. I write in bold letters on the back MUST SEE ID. Still only about 1 in 20 times am I asked for an ID, even when making a $50+ purchase.
And the debit cards. The advertising on them is insane. They have some celebrity come out and get asked for ID then say - "With our Check Card, you Never need ID" And how is this supposed to be a good thing? I'm supposed to be happy that it is even easier for someone who has stolen a card to go and clear out my checking account? Who the heck goes out with their credit cards, but skips their ID? Who the heck runs around without an ID in the first place? What, you're going to go into your wallet or purse, take out the debit card, and leave your licence/ID in there?
With all the credit card fraud and identity theft going on, why would anyone make it even easier to ruin your credit rating and entangle you in hours upon hours of sometimes futile effort to get it set straight?
Mind you I will scream like hell if somebody REQUIRES me to carry an ID all the time - but cash spends fine without any verification.
Thanks.
Well, if they're printing on my forehead then yes.
RFID isn't far off tagging everyone who walks into your shop. I'm also anti-creditcard, but I suppose if you die in debit then you've made money.
thank God the internet isn't a human right.
Why do I get the feeling that this new customer "convenience" is a push to encourage more sales, which translates into more fees collected by the credit card company? The merchant will just pass on this cost, too, I'm sure.
To-do List: Receive telemarketing call during a tornado warning. Check.
Why not just put a Bar Code on the card, and wave that at the little black box, cheaper too. My grocery store has a discount card that operates that way, and it works great.
We are Dead Stars looking back Up at the Sky
just get rid of the card and implant the RFID chip in to your forehead or hand, or any other part of the body...
i can hear the christians in an uproar about this...
Ever go to the post office?
they flat out refuse to accept such.
(individual offices aside, they are all supposed to be doing this like gangbusters)
For that matter, most merchant agreements (I've read enough) also instruct merchants not to accept such, but instruct that the customer must sign the card, or be refused...
every day http://en.wikipedia.org/wiki/Special:Random
Somehow this article left me with more questions than answers, like:
How does Visa intend to make sure the card owner acknowledges the charge? PINs?
Is scanning a card so difficult that this is even very useful? I can see it being useful in certain limited cases, but overall... not so much. I've never gnashed my teeth over the difficulty I've had scanning a card and signing my name. I have nearly screamed at scanners and readers that are supposed to pick up signals and don't, however.
All in all, I'm left only with the information that Visa wants to implement a new "contactless" system. Wheeeeeee. Can we say fluff marketing piece?
Salesman: $30 please.
Fry: $30? I can't afford that. Unless...[He pulls out his wallet.] Do you take RFID Visa?
Salesman: RFID Visa hasn't existed for 500 years.
Fry: RFID American Express?
Salesman: 600 years.
Fry: RFID Discover card?
Salesman: Uh, sorry we don't take RFID Discover.
"isn't that very similar to how TI's car RFID system was made?"
According to Visa:
"Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted"
So... not really, no. Just because two products use the same base technology doesn't mean that one is as fallible as the other. All cars made of metal and fiberglass don't rate the same in crash tests.
"Someone's gotta have some damn perspective around here!" -- Commander Susan Ivanova, Babylon 5
if they could imbed one of these in my penis, I could complete sexual transactions without ever making physical contact. What's not to love?
... and then they built the supercollider.
1977? AES wasn't around in 1977!
For those who are afraid of this technology's potential for abuse, I wouldn't worry too much. I'm sure that even before this thing gets released Thinkgeek will start selling a wallet which is also a Faraday Cage.
(Tinfoil would work too, yes, but that wouldn't be durable and would probably scratch the mag-stripes off your non-evil cards.)
Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
Doesn't sound like it would matter, but it does. In a lot of cases it speeds lines up which equals lots of savings. A few seconds here and there adds up when you've got a lot of people.
People can NOT charge from your account simply by scanning your card.
/.
Although the article doesn't give much information, the card sends a unique number along with its id with each purchase. The credit card company knows which number to expect for each id and only allows the transaction if the two match.
If your card is stolen however, purchases can be made.
----------
A request to
Please use accurate headlines --> FFS !! --
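An added illustration, not part of the thread and not Visa's actual scheme (the article does not describe it), of the mechanism the comment above outlines: the card sends a fresh code with its id, the issuer knows what to expect, and a replayed capture is refused. The HMAC-SHA256 construction, the per-card counter, and every name and value below are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def dynamic_code(key: bytes, card_id: str, counter: int, amount_cents: int) -> str:
    """Per-transaction code: a MAC over card id, counter and amount (assumed construction)."""
    cid = card_id.encode()
    # Length-prefixed id plus fixed-width integers, so fields cannot run into each other.
    msg = (len(cid).to_bytes(2, "big") + cid
           + counter.to_bytes(4, "big") + amount_cents.to_bytes(8, "big"))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Card:
    """Holds the secret and a transaction counter; neither leaves the card in the clear."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key
        self._counter = 0

    def tap(self, amount_cents: int) -> dict:
        self._counter += 1  # every tap uses a new counter value, hence a new code
        return {
            "card_id": self.card_id,
            "counter": self._counter,
            "amount_cents": amount_cents,
            "code": dynamic_code(self._key, self.card_id, self._counter, amount_cents),
        }


class Issuer:
    """Knows each card's key and the highest counter it has already accepted."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def enroll(self, card_id: str) -> Card:
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        self._last_counter[card_id] = 0
        return Card(card_id, key)

    def authorize(self, msg: dict) -> str:
        key = self._keys.get(msg.get("card_id"))
        if key is None:
            return "unknown-card"
        expected = dynamic_code(key, msg["card_id"], msg["counter"], msg["amount_cents"])
        if not hmac.compare_digest(expected, msg["code"]):
            return "bad-code"   # counter or amount altered, or code guessed
        if msg["counter"] <= self._last_counter[msg["card_id"]]:
            return "replay"     # genuine code, but this counter was already spent
        self._last_counter[msg["card_id"]] = msg["counter"]
        return "approved"


def demo() -> dict:
    issuer = Issuer()
    card = issuer.enroll("constructed-card-0001")  # constructed sample id
    first = card.tap(1999)
    captured = dict(first)                         # what an eavesdropper would record
    results = {"first": issuer.authorize(first)}
    results["replayed"] = issuer.authorize(captured)
    results["bumped_counter"] = issuer.authorize(dict(captured, counter=captured["counter"] + 1))
    results["changed_amount"] = issuer.authorize(dict(captured, amount_cents=2499))
    # The code authenticates the card, not the person holding it: a tap from the
    # physical card is approved no matter whose hand it is in.
    results["physical_card_again"] = issuer.authorize(card.tap(2499))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The issuer checks the code before the counter, so an altered message is reported as a bad code and only an unmodified capture is reported as a replay.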
1: Build battery-powered emulator for register, set to auto-charge on $24.99 :D
2: Walk through a packed subway station with emulator in backpack
3: PROFIT!
News for Geeks in Austin, TX
American Express is also starting to roll out an RFID solution, although separate from their card and also available on a preload basis. Their national partner I am aware of seems to be CVS drugstores, which seems to have rolled out credit card terminals which can read these cards locally even though I know of no other place I could use their RFID tag.
But you should appreciate the fact that they shrink it from the size of a car to the size of a card.
I could just see me pull out my wallet and have it just be in range of the reader. I intend it to charge to one card and...whoops, it charges to the card I'm almost over limit on.
What happens when shopping malls decide they don't generate enough revenue by rent alone...
1)install reader in door frame
2)print EULA on doorstep stating there is a $5 charge to enter. "By stepping over this threshold you agree to the following terms...."
3)...
4)profit!!
or Blockbuster:
1)Take out advert at superbowl "THE END OF RENTAL FEES"
2)Place item at #296 in the website FAQ - "There will be a $15 charge for entering the store"
3)...
4)profit!!
Here's the scenario:
When a new card is issued, its unique RF signature will have to be retrieved so that it can be linked to an account. The crooks will get this signature the same way the card issuer did. What will keep a crook from capturing this RF signature on the way from your table to the restaurant's POS just as they do a magnetic strip and then later cloning it using a special keychain fob? The crook would then position the fob at the reader as he waves a nonfunctioning card across the sensor. Bam! The victim just paid for what the crook will be taking home.
I suspect that this is really a way for Visa/Mastercard/Amex to make money from merchants buying the new readers.
Here's another thing...
With this new super secure RF technology, the cashier won't be looking at my card in order to compare the signature on it with the forged one provided by the crook? The cashier also won't be able to pick out obviously fake cards since she/he won't be looking at it up close.
This is just another attempt to fix something by replacing it with another broken system. How is the current "swipe card and sign on the line" method so inconvenient that it needs to be replaced? I just don't get it.
.
Landfill Mining Co.
Managing the (Un)natural Resources of Tomorrow
No signature needed for under $25, works from a few inches away?
I foresee myself building a better antenna for my visa charging device and running through a crowded area charging everyone 24.99 as I pass by.
11*43+456^2
RFID is increasingly being used for things that have NO real advantage but do have a significant security risk, how lazy do you have to be to even risk compromising security just so you don't have to get your wallet out or just so you don't have to replace your worn out card every year or two?! Maybe this is secure, but is it really worth the effort of upgrading the credit card infrastructure? is there any other advantage to it or is it really just showing off? RFID is nice but good old swipe or smart-card technology has been tried and tested for decades, it works, and never once in my life have i thought "damnit getting cards out and swiping them is such a hassle i wish there was some other way of doing this!" - except the printing system at my uni, someone had the bright idea of buying card readers that don't work 90% of the time and have arrows pointing both ways but don't have any indication of which way or which side to swipe, but that's called cheap hardware.
visa better hope this works or there's going to be one hell of a class action suit.
This comment does not represent the views or opinions of the user.
Being a certified privacy nut, this bothers me.
I mean, what about the uses that have nothing to do with money? What about every time you walk in a store they check who you are and how much you buy, or don't buy? And if it isn't technically RFID, it is the same thing in many regards.
Why don't we just put chips in the back of people's heads. (I said I was a privacy nut.)
Our hope is that the contactless payment feature will drive added convenience and speed to consumers...
The thing is, most of the time it's not the swiping of the card that takes the time when you're in the checkout line. The cashier has to scan every item you're purchasing into the computer (assuming they're not still working out the old SKU method or on an even older "just enter the cost on the price tag" kind of register), giving you lots of time to rummage through your purse or wallet to look for your credit card. The actual swiping of the card takes about a second. Then, because the information is transmitted over an old-fashioned phone line for approval by the bank, you have to wait for that to be processed at both ends. And then you have to sign for the purchase (because, come on, a good portion of your Visa purchases are probably over $25), at which time you're supposed to pass over your card to the cashier anyway so that they can compare signatures. So how much time will not having to stripe your credit card really save you?
So, if the lack of striping doesn't save you much (if any) time and it makes your credit card that much less secure (as so many other /.ers have pointed out), what is the advantage to the average credit card user of having this feature? Maybe, maybe if they took away the "no signature for under $25" feature, which would remove a massive theft risk, and made the credit cards pin-accessible only so that you never had to get your card out of your purse/wallet (and really, how often do people check your signature in the first place?), maybe then it might be worth the cost it would take to implement it, but only by a very small margin. And although it may be a "free" service on your card, don't forget that interest rates and yearly charges are affected by every new technology that Visa has to pay to put into place. They're also affected by how much credit card fraud the companies have to write off. You might not see the costs up front, but they are there, just waiting to take a sizeable chunk out of your hard-earned paycheck.
...until we have ISO 14443 readers on our PCs to validate online purchases? Having a crypto-enabled card would help cut down on online fraud by guaranteeing "card present", no?
I want to see credit cards with 4 little buttony things on them - maybe labeled 1-4 or different colors. (Not necessarily real pushbuttons - that'd be too expensive and fragile. Conductive pads would be enough). Every time the card is used you have to enter your PIN on the card - 1-2-1-3 or red-red-green-blue or whatever. That info would be used by the crypto processor to create a signed validation from the card. The old "something you have + something you know" routine, right?
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
For the past year or so all new credit/debit cards in the UK have been using a new chip and PIN system to reduce card fraud. Instead of signing a receipt you simply put your card in a reader and enter your PIN which is then verified by the microchip embedded into the card.
Seems fine until you get the silly people in stores not hiding the keypad as people look over their shoulder, or even worse, mouthing or even saying their PIN out loud!!
Some time next year, I believe, the credit card companies will make stores liable for credit card fraud where the signature has been used to verify identity.
You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine
1.) Get out your wallet.
2.) Get out the card.
3.) remove the card from the tin foil pouch you made.
4.) wave it around.
Lose the receipt, put the RFID tag on a keychain or something, and no signature needed (low cost limit).
Fast food will love it.
The global credit card company will offer PayPass, its RFID-enabled contactless payment system, to fans at the Seattle Seahawks and Baltimore Ravens stadiums this fall. http://www.rfidjournal.com/article/articleview/1420/1/1/
This is a credit card. The funds have to be transferred somewhere. The pickpocket has to be registered as a merchant with some bank, and when they get chargebacks, they will simply throw him out and not send him the money. It's not as if he walks by you and suddenly has $20 in his account to buy a nice dinner. He has to wait to the end of the (day,week,month) to get his funds, they have contact info more than just a phone number, and too many people will complain for him to collect any of it.
Even if it were a debit card, I doubt he'd get any of it. You might have to wait a bit to get it back, but the pickpocket wouldn't get any of it.
Infuriate left and right
What you want is irrelevant to them. Visa/MC want to make the most money possible, and they get a cut of every transaction made with your card. Requiring ID is just a barrier to use of the card, so Visa/MC doesn't want that. Since cardholders are indemnified against theft of more than $50 (and usually that is waived if the card is reported stolen promptly), it shouldn't matter to them. And Visa/MC have determined that the losses through theft to them are far outweighed by the extra money they get from transaction fees and finance charges.
Personally, we don't live in a police state YET, and I don't want to show ID every time I make a purchase. When I come to a store that requires this, I report them to MasterCard, who usually gets the merchant back into compliance with their agreement. Sorry if you don't like that.
I too sign my cards CHECK I.D. This is accepted practice. Some credit card companies have even recommended it. Stores are SUPPOSED to ask for ID in that case, the point being to see that the photo ID matches my face, and the names match.
I'd like to see some store manager so ignorant as to try to confiscate my credit card because it tells him to ask for I.D.
Infuriate left and right
The merchant does not add a $20 item and transfer money instantly. It has to go thru the issuing bank, and not instantly, and not without the possibility of chargebacks, and then that merchant will lose his VISA account and be out of business. If you dispute the matter, and they see a pattern of some merchant going bananas with $20 chargebacks, he will be in banana-skin city. The merchant will lose. This is credit cards.
Infuriate left and right
In that mode, you provide your PIN to the card reader through a PIN pad, and that unlocks your card to perform the transaction.
Is that PIN pad on the card itself? If I enter my PIN into somebody else's device that's a great opportunity for them to steal it. Can that be made durable enough to live in my wallet?
It sounds like these cards are going to be pricey (several dollars each to manufacture). Fine with me, if they can improve the currently horrific security associated with credit cards.
Is there a way to extend that unique RFID chip to online transactions? Maybe a reader hooked to your computer? Right now there's no good way to authorize a transaction over the Internet without sending them your credit card number (along with the sooper-seekrit protection code on the back).
This must be how companies will be able to figure out exactly who we are and our available credit line the moment we walk through the door.
Can you imagine?
Walking through a store and no employee wants to wait on you.
Then when you go to make a purchase, the cashier immediately asks you for cash when you go to offer your credit card.
Is it 5:30 yet?
ISO 14443 and ISO 15693 operate on the same principles, the essential difference is that the ISO14443 protocol allows a higher data bandwidth which results in shorter maximum range (ca. 10cm instead of ca 1m).
In general, ISO14443 chips are less low-cost, able to store more data and support cryptographic capabilities. But this has more to do with the market that they target than with technical issues.
Remember, if you have a VISA credit card and someone makes unauthorized transactions you have 30 days to dispute the charges. If you dispute the charges, the loss is VISA's and the merchant's loss, not yours. (With Debit cards, however, you only have about 10 days to challenge the charge and are therefore a much higher risk to consumers.) Also, the problem with swiping cards is the wear and tear on the card. For example, I've had my VISA for about 10 months, but the signature field is already pretty much illegible. This makes it impossible for a merchant to verify your sig without asking for a second ID...something that rarely happens in most places. This sounds pretty secure...especially since VISA is taking the big financial risk. Obviously, they're going to try to recoup most of this cost by getting merchants to fork out $$$ for new hardware.
I'm sorry but most of the time I only carry a credit card in my wallet and cash is a commodity. If they make contactless transactions the next item they could release is a personal card reader or card reader in cell phones and allow me to give $10 to my friends without finding a cash machine.
I understand things like having your picture on your credit card which I think is the best simple innovation yet and I can understand the mini-credit card on your keychain. But how many seconds are saved by taking a credit card out or wallet out of your pocket and waving it back and forth? We all know from experience credit cards start to wear down over time...I don't want to be the one in the store looking like I'm having a seizure when I try to purchase the product of my choice, especially a more embarrassing personal product. Yes the slide method will probably never go away but I, like a lot of people on here, see this as another security problem and not a solution to our high speed lives. You want to help us? Let's skip to biometrics please where it could be faster and more secure and not something that leaks information out of my own pocket.
Trix are for kids!
"It is secure." What if you just don't want to leave a trail of bread crumbs everywhere you go. This means everywhere you go someone will know you were there whether you want them to or not.
Well, there's a long way and a short way.
Shortway:
Steal someone's card. Put it in your wallet, buy things. They won't ask for ID cause that will slow down the process (and they hardly ever do now anyway). If it's less than $25 there's no paper trail, either. This will work until the person realizes their card is missing and reports it stolen. Essentially the same as the present, but at least now they're supposed to verify your identity by comparing signatures or checking for ID... at least there's SOME verification to prevent a stolen card that should occur.
Longway:
1) Use a small device about the size of a palm pilot to send someone's credit card a series of a few hundred to a few thousand challenges and note the response that's given back.
2) Go back to your computer and crunch the challenge vs response to determine the algorithm used to provide each.
3) Plug that algorithm into a generic battery powered transceiver about the size of a palm pilot let the reader scan that rather than a wall encased credit card.
Steps 1 and 2 will be possible eventually (using the same methods that cracked TIs method, I'm sure) and eventually someone will make the necessary hardware for step 3, or at least post instructions on the internet on how to build one with a PIC and some other cheap hardware.
The teller will never know if you're scanning a wallet with a credit card inside, or a wallet with a small battery powered transceiver inside.
The problem is not that this system is less secure than magstrips (it's about a million times more secure right now) The problem is that the teller never has to see your card to verify your identity. They won't know if it's your card in the wallet or purse you swing past the reader, or someone else's, or even a device that randomly picks 1 of 30 peoples identities you got off the subway the week before. I wouldn't be concerned, but since the TI thing just a few weeks ago, I'm not sure how much I can trust RFID based challenge response systems. The TI solution cracked was supposedly one of the best out there.
WHY, do companies and stores think that NOT showing ID when using a credit card/debit card is something that people would want?
Generally as a customer I don't. Not that I think showing ID is bad idea but I generally find the signature and to a lesser extent ID security measures to be as pointless as most of the airline "security". They're half heartedly implemented, irritating, and as implemented don't really do much to stop crime. It's appearance of security without substance. I wouldn't mind people asking for ID except that almost no one does, so what's the point? And the signature matching is stupid since any thief with half a brain (admittedly some lack even half) will just look at the card and make at least a half-hearted effort to copy it. It's not like he has to look hard for it...
Let me be clear. I have the misfortune of being a man with a name that is very rarely associated with the masculine gender. As irritating as that is to me, I should get asked for my ID all the time. But I don't, which tells me that the store management and credit card companies don't really perceive it as a problem. And they have the data to know whether it is or isn't. It's not like they're guessing. Furthermore, when I do get asked for ID, it's almost always at places like an airport (where I've been asked for my ID 20 times) when buying a $4 magazine, never for the $1000 printer. As a customer, I'll admit that being asked for ID is irritating and I don't like being regarded as a potential criminal but if it were a widely implemented security measure, I could deal. But since the credit card companies and most retailers don't regard it as enough of a problem (actions speak louder than words) to ask for ID consistently, I'd rather they save me the irritation and not bother at all.
It gets repeated here ad nauseam that authentication consists of some combination of what you have, what you are and what you know. The signature is worthless as a security measure because it is simply two instances of something you have in the same item. Someone who takes my credit card also has my signature. Asking for photo ID sort of gets at what you are, though it can be forged by an ambitious criminal. But it could slow down the smaller thefts were it actually used. A pin code is actually useful IMO because it is something you know but is not used (for cost reasons mostly) for credit cards here in the US. And unlike biometric ID, it can be changed if there is a mixup.
While I'm venting, what really irritates me is when they have those swipe-it-yourself pads but still ask to see the signature! I've already mentioned that I think signature comparison is worthless as a security measure, but this practice just wastes both my time and the clerk's time. Furthermore they don't physically have the card at the right time if the credit card company tells them to hold the card. If they want to see my signature, the clerk should swipe the card him/herself and check. By having me do it, they don't save any time and they don't improve security. If they are going to ask for something they should ask for ID at that point, not a signature.
Should we use tin foil or aluminum foil to wrap our cards up?
if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
... at least in North America.
I mean, Visa and MC might be able to convince merchants to switch to contactless readers, OR smart card readers, but the chances of convincing them to do BOTH is effectively zero.
It'll be hard enough getting contactless technology out there. Chicken and egg: some large merchants will want them, like Walmart and the department stores, but the investment for each merchant will be on the order of millions of dollars -- and will be useless unless the cards are widely available.
But in order to make the cards widely available, the issuers will have to spend millions of dollars -- and there's zero return TO THE ISSUER on that investment.
And ma and pop won't upgrade their corner store just to pay Visa fees for selling packs of gum.
It's supposed to be completely automatic, but actually you have to press this button.
That's why we send your preapproved credit applications and your blank checks through the U.S. Mail.
OK, these "Soviet Russia" jokes were funny the first million or so times I read them. Now, it's just stupid. Please stop displaying your deficient IQ.
So I own a stop and shop type store, I put a hidden reader under the counter and rack up bogus sales for piddly consumables on any accommodating VISA that wanders by. A lot of people place their wallets and purses down as they fish out their money or credit cards. As long as the sale is under $25 I require no signature, the person being charged vaguely remembers being there and does not challenge the charges. Wow! I need a small business loan so I can jump on this opportunity!
They should offer a client card reader for internet transactions. That way the encryption could afford you some protection from internet identity theft as well.
but even on credit cards they don't require a signature. barista swipes your card, gives it back to you, here's your receipt, have a nice day. i'm sure there's a cap, but coffee and a scone (est. $9) isn't enough to flag it.
maybe there are other merchants doing this, but this is the first large-scale policy i've encountered.
i could use anybody's card i wanted to buy coffee...
If somebody could just embed the chip in our brains, that would be perfect! If you weren't going to buy anything for a while, you could just put your tin foil hat back on and presto, no more RF from the brain! Maybe it would be better to just tattoo a barcode on our foreheads that they could scan for a quick, no signature required purchase authorization. Those Visa people are always working so hard to improve our lives, I trust them implicitly!
Anyone else see the potential for Faraday cage handbags and wallets? It's the next geek/privacy advocate must-have item!
I have mobil speedpass (which was shown to be somewhat insecure cause they used low grade encryption btw) .. anyway .. it's super convenient. It doesn't seem like much .. but it really feels a lot more convenient to save the extra 15 seconds it takes to sign for stuff and swipe etc. I think the technology exists to use high grade encryption etc. now .. so I really look forward to these contactless credit cards.
Think about how many times you go to a store but don't buy anything and you walk out passing nearby the registers...
The unique number may or may not be usable once only; depends on how delayed authorize gets handled. There is nothing to keep your name, number, exp. date all from being read over the air while the device is read; IEEE Times reported a 30 foot detect radius. Also, Visa/MC "unique id" is an option, not a mandate. Some of this stuff CAN be done relatively securely, but it can also be very open to fault.
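The dependence on delayed authorization raised in the comment above, as an added example that is not part of the original thread and is not Visa's actual scheme: it assumes a per-tap code computed as a truncated HMAC over the card number and a tap counter, checked by an issuer that remembers the highest counter seen. The key, card number and all class and function names are constructed for illustration.

```python
import hashlib
import hmac


def dynamic_code(key: bytes, pan: str, counter: int) -> str:
    """Per-tap code: truncated HMAC over card number and tap counter (assumed scheme)."""
    msg = pan.encode() + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Card:
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self._counter = pan, key, 0

    def tap(self) -> dict:
        self._counter += 1  # never reused, so every tap yields a different code
        return {"pan": self.pan, "counter": self._counter,
                "code": dynamic_code(self._key, self.pan, self._counter)}


class Issuer:
    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key

    def authorize(self, tx: dict) -> str:
        key = self._keys.get(tx["pan"])
        if key is None:
            return "unknown-card"
        expected = dynamic_code(key, tx["pan"], tx["counter"])
        if not hmac.compare_digest(expected, tx["code"]):
            return "bad-code"
        # A valid code is only single-use because the issuer tracks the counter.
        # (Strictly increasing counters also reject out-of-order settlement.)
        if tx["counter"] <= self._last_counter.get(tx["pan"], 0):
            return "replay"
        self._last_counter[tx["pan"]] = tx["counter"]
        return "approved"


class Terminal:
    def __init__(self, issuer: Issuer, online: bool):
        self.issuer, self.online, self.batch = issuer, online, []

    def accept(self, tx: dict) -> str:
        if self.online:
            return self.issuer.authorize(tx)   # checked before goods change hands
        self.batch.append(tx)                  # delayed authorization: no check yet
        return "accepted-offline"

    def settle(self) -> list:
        results = [self.issuer.authorize(tx) for tx in self.batch]
        self.batch = []
        return results


def demo() -> dict:
    pan, key = "CONSTRUCTED-PAN-0001", b"constructed-demo-key"
    issuer = Issuer()
    issuer.enroll(pan, key)
    card = Card(pan, key)

    online = Terminal(issuer, online=True)
    tx = card.tap()
    online_first = online.accept(tx)
    online_again = online.accept(dict(tx))     # same code presented twice

    offline = Terminal(issuer, online=False)
    tx2 = card.tap()
    offline_first = offline.accept(tx2)
    offline_again = offline.accept(dict(tx2))  # duplicate is not noticed at the till
    return {"online_first": online_first, "online_again": online_again,
            "offline_first": offline_first, "offline_again": offline_again,
            "settlement": offline.settle()}


if __name__ == "__main__":
    print(demo())
```

With online authorization the repeated code is refused at the point of sale; with batching it is only caught at settlement, unless the terminal keeps its own record of codes it has already accepted.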
Removing the consumer's role in the decision making will do wonders for businesses, allowing them to smooth out demand and make themselves more efficient, increasing profits. Don't worry, the folks down at ChoicePoint can serve up your purchasing patterns and there's plenty of smart folks around who can decide much better than you or me what we REALLY need. So the consumer wins, business wins, everybody wins! And you'll never miss another minute of American Idol because you had to run to McDonald's for some large fries.
There! I needed to get that off my chest.
A good place for this would be at public transportation places. Examples: Subways, buses, etc.
Credit card transactions can be pre-authorized, meaning that they don't actually charge you yet but reserve an amount of money on the credit to be charged later.
So.... in taking the subway, you can pass your wallet over the gate as you walk in and it will pre-authorize the card, then as you walk out and pass your wallet over the gate, it charges you the appropriate amount based on the distance you travel. All without the middle device of a train ticket or a special train pass to do the same thing. Quick, fast, efficient. Not only do you save time not having to fiddle with a ticket or card (and bypass the line in ticket purchasing), you don't even have to bloat your wallet with all the different ones. The same can be said of buses, shuttles, and most public transportation use.
Though I can imagine that there might be other uses, but this one would come in handy as a city with competing/disparate transportation companies then will automatically be unified in payment system, no more multiple stored value tickets or cards for different systems.
The specs are not EMV but hew rather closely to existing US messaging...which runs in the clear on many merchant LANs. Some of the semiconductor merchants describe 14443 RFIDs with crypto, and are a better guide to what is available. Look at what is done at POS and you will see they mainly have the RFID supply data that would be on magnetic stripe and just feed it into the same terminals that would normally have a stripe reader.
I tried that.
Then I went to buy gas.
I put the card in the machine, and waited.
"Beep," it said.
I showed it my ID.
"Beep."
"No, this is my ID. See?"
Still, it refused to look. "Beep."
The crowd got larger and larger, but it still refused to look at my id. "Beep."
Now I'm stuck on my bicycle.
hawk
Illegal is not the right word, but until recently it was against VISA rules -- merchants who accepted credit cards could not ask for an ID. It was probably good for cc marketing.
I've read the responses to this article and a large number of them express concerns over identity theft, cash sucking wands, no ID transactions, etc. Chill out people! The deal with credit cards is that the large credit companies try to promote their ease of use by reminding us that we can leave the house with only our credit card and paying for things won't be a problem. As a result they incur some liability for fraudulent transactions. I'll repeat that: THEY not you incur the liability. That means that if a fraudulent charge is made then you download a form that says "I didn't make those charges", fax it to them and they erase the charges. It's as simple as that. People are so darn brainwashed by other companies and people who promote the fear economy... fear identity theft: buy our identity theft insurance, fear for your personal safety: buy a gun and bomb Iraq, fear that you are ugly: buy a bunch of crappy beauty products... I know that Visa and Mastercard are big bad companies that are gaining power and wealth every day, but they sell a pretty damn useful product. I love leaving the house with only my key chain with mini visa card attached and not worrying about anything else.
For a really long time, I didn't have a wallet. I just carried everything, including my debit card, around in my pockets. After a while, the little signature strip wore off. Nobody noticed.
(I caught a wallet at a skate demo a while back. Life has improved.)
This will be great, all you have to do is get within a few feet of someone's wallet and you can instantly "swipe" $25.00. Let's see, a wireless card reader and trip through a crowded park ought to be worth a few hundred dollars...
My VISA credit card number got stolen last fall and they are still trying to hold me responsible for it! I had to take them to court and still didn't see a penny. After researching that issue I found out that I am not the only victim and that thousands of other people had their numbers stolen and have fallen victim to VISA and their well paid lawyers. Fuck VISA! No credit cards anymore, ever! Good old cash rules!
Hey, that's what my ex-girlfriend used to call me...
"Was it a millionaire who said 'Imagine No Possessions?'" -- Elvis Costello
It's worse. Way worse. This guy on zug.com experimented with some..."creative" signatures:
Next I tried the old standby, "X." I was kind of nervous about this one, and had a long story prepared about how I had recently been involved in a motorcycle accident, and during my sixteen months in traction had only been able to sign with an X, a signature which grew on me. At the last minute, I chickened out and added an additional squiggly. I don't know why I was concerned; I was just buying a beer at Jillian's.
Signing X, incidentally, is not a bad idea -- it's quick and easy, and if someone wants you to "sign on the X," it's already signed.
The Credit Card Prank
The Credit Card Prank II
Here in Alberta (Canada), everyone always checks the signature on my card. I am constantly impressed.
I've heard, and witnessed, that the bag trick works to get a fussy card to read. I've also seen it done with a folded piece of paper around the card.
What I don't understand is why it works. Does anybody out there know?
McFly777
- - -
"What do people mean when they say the computer went down on them?" -Marilyn Pittman
One of the biggest values of such a solution has to do with Micro-Payment. How many times have you turned away from a drive-through because the lineup is too long? This class of business needs to be able to process an order (including settlement) quickly. The more orders they can put through in an hour, the more revenue the business generates.
Typically, this sort of transaction will also be done offline. This will allow the business to batch process their transactions at the end of the day, saving on transaction fees.
Don't get me wrong, Visa isn't being altruistic in this. The more they can encourage people to move away from debit or cash, the more credit transactions they process and the bigger the interest earning bills.
You sly dog: you got me monologuing! - Syndrome
OK, I have several cards in my wallet (Mastercard, Discover, AmEx). Assuming they all follow Visa's lead and incorporate this contactless tech., what happens when I wave my wallet with all three cards in it? Which card responds? Is there a race condition?
I assume the terminal will only charge one card, but if I have to take the card out to make sure the preferred one registers, I might as well swipe it.
McFly777
- - -
"What do people mean when they say the computer went down on them?" -Marilyn Pittman
I have had bank officers tell me to write SEE I.D. on the cards. I have never had threats to confiscate them. I say the rules can't be that all fired important if bank officers, speaking officially for their bank, tell me to use SEE I.D.
Infuriate left and right
Sweet! Now all I have to do is get a reader for these things, set it to auto-charge $20 when I get near a card, and go walking around a big city!
Forget worrying about bumping into someone on the street and having them take your wallet, they could just be getting close enough to scan and charge your card!
I would definitely count myself among the lazy, but this goes way above me. I mean, swiping is just such a pain that we need to be able to pay without touching things?
On a realistic note, I'm worried about the proximity thing. Radio doesn't have nice black and white cut-offs of how close something is. I like to have a tangible, physical connection when I'm paying just for the sake of knowing when I'm paying. When I'm spending money, I like it to be a tangible experience. Of course, Visa probably likes you to think of it as abstract as possible so that you spend more.
I really like the chip and pin combination that is being introduced in Europe. You put your card in the reader and enter a pin into the keypad. Now that's security. Right now, if someone steals my card, they have to fake my signature. Easy with the little checking that goes on, but still. With this, they won't have to fake anything should they get my card (and are purchasing under $25). Why not a nice pin code to keep us secure?
If you REALLY meant business the shirt would say 24.99!!
or did you mean 19.95 +tax?
Note: This sig contains nine S's, nine I's and five O's which... means absolutely nothing.
I thought this was old news - Master Card has been pushing Paypass for around two years now.
I still don't see why it's such a big deal.
Exactly.
Visa is losing out (at least here in Canada) to companies like Dexit and EasyPass. Key-fob based systems that have declining balances. The $25 market is being owned by other systems that are easier and faster than credit and debit and cash. Those methods are too slow.
Their motivation in creating this is not security, or anything nearly so noble. It's profit. So they're jumping on the wagon.
How soon until a store makes it so that if you try and walk out without paying, it automatically debits your card? Then, when the dumbass clerk forgets to disable the RFID security tag, and you walk out, you get billed twice for the same item!
...Had this been an actual emergency, we would have fled in terror, and you would not have been informed.
The credit card companies have to PAY for their insurance, you know. It's not just some magical fountain of money. If credit card chargebacks go up too much, their insurance premiums will go up, too. The insurance companies need to make money. So credit card companies have every reason to keep fraud low, so their insurance premiums would be lower. (This is all assuming you're right about them using insurance companies for this in the first place. I kinda doubt that, because insurance is worthwhile to prevent something big from bankrupting you. For lots of small charges, it'd be more cost-effective for the CC companies to pay out-of-pocket, instead of letting insurance companies get a cut, no?)
Obviously, it would be stupid to run through a crowd with your own merchant account, just so you can go to jail. Duh.
But what about trashing a merchant you don't like? Find a way to get a reader linked to their account, and then charge everyone in a crowd $25. The legit merchant would have MAJOR trouble even if they were able to keep their account at all, unless they were somehow able to prove one of their readers was used "elsewhere."
In a country where most people have multiple cards, how will any arms length system know which card to use? For instance, I use a different credit card for my petrol purchases than grocery purchases, so I can't just wave my wallet like I can when I am getting into my office. Sounds to me like a half baked idea, that probably needs a little more thought.
Ok so now people won't ask you to "swipe your card" anymore, instead they will want you to "flash your card". I can see all kinds of potential for fun here. "Whip it out and flash me, please". "if you flash us, we'll take 10% off!". Yikes! 10% off!! I like it the size it is just fine, thanks.
All other things being equal, a contactless system is less secure, and not because of snooping. I find it disturbing that the only security question the article raised had to do with snooping.
Currently I enjoy the "contact-required" cards' security feature that lets you know anytime your card is being read. You know because you had to take it out of your pocket and swipe it. Contact-free takes away this feature, no matter how much crypto you throw at it.
If VISA is really trying to improve security, I'd rather see credit cards work more like how my smartcard already works. You still have to swipe it, but it uses crypto to prevent the key from being stolen.
I refuse to believe that crypto technology to prevent the card key from being stolen can only be used in a "contact-free" system.
This is already available in Japan in 3 different forms.
The first was Edy by Sony(japanese). It was a card, you added money to the card. You can use it all around Tokyo. The second was JR's Suica card(japanese) (JR is the largest train company in Japan). First they used it as your train pass to make it even faster to go through the turnstiles, then they started expanding it so you can make purchases.
Finally NTT teamed up with Edy (I think they teamed up) and now all NTT cell phones have the same chip(english, flash, click the "i-Mode FeliCa Debut!" link) in them so you can pass your cellphone near the sensor instead of a card and you'll get billed through the phone.
The cards basically need to be within like 1 mm of the sensor surface but they only need to be there for a split second.
You find a way to get the relevant information from the card, and sell that information to organized crime. Now they charge less than $24 from a few thousand people every month but it is distributed and so it doesn't track back to one account.
This used to be a huge problem in Hong Kong for a long time.
LedgerSMB: Open source Accounting/ERP
So the new crime will be to swipe people's asses at $20 a pop.
But the difference is that if it was a CREDIT CARD, then the function would be beyond the Oyster card (UK), or the Octopus Card (HK), or the iCard (Japan), etc. As if you move from one system to another, it will (in theory) be accepted. Skipping that middleman.
Because it looks like the Oyster card is valid in London only. And also, you still have to go to a machine to put money in the Oyster card, while if you can just use the credit card, you skip that step also.
Remember the guy who had an article on SlashDot a while back about how to create your own magnetic card reader?
:-)
Well, I was just sitting here reading the articles and replies and thought to myself:
"Myself," I said.
"Yes?" I replied.
"What if we took one of the new readers, set it up so it would charge anyone $20.00 who got near me with one of those new cards." I said.
"You might be on to something," I said to myself, "Like ten to twenty if you aren't careful!"
Someone put a black hole in my pocket and now I'm broke.
Credit Card Prank from Zug.
To share my own experience, no, I rarely have anyone look at the signature on the receipt much less try to compare it with what's on the back of the card. Cashiers are either lazy or trusting; it's the South, so probably a little of both.
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
I work at a Blockbuster in the Nashville area and we are not a corp store - we are owned by a franchisee holding company based out of Memphis; Southern Stores, INC.
The "No Late Fees Program" which has been heavily advertised across the US is not true for about 5% of the BBs in the US. The majority of the stores in the Tennessee area do not participate in this program.
If you want to see confused and pissed off customers, try hanging out at my store on a Fri/Sat night. People will return rental items days and weeks late expecting to NOT pay a late fee. Then when we tell them there is a late fee they get very upset because they saw an ad on TV that said there were no more late fees. I don't say that I blame them either but I am sure all of the commercials say something like "at participating locations only".
This is a PRIME example of large corps causing confusion on the market place and pissing off their customers.
Libertas in infinitum
Tell that to Choicepoint.
To help in the phasing-out process of swipable cards, why not create cards that have the contactless chips inside them as well as magnetic stripes?