Slashdot Mirror


Visa To Push Swipeless Credit Cards

BobPaul wrote in to mention an initiative by Visa to allow for swipeless credit card transactions. From the article: "...consumers need only wave credit and debit cards within a few inches of a reader to complete a purchase. And for purchases of less than $25, no signature is required...Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted". Update: 02/25 16:06 GMT by Z : References to RFID technology removed.

16 of 452 comments

  1. Re:Show me the security by John+Harrison · · Score: 5, Informative

    You don't know what you're talking about and neither does /., or at least Zonk. This isn't RFID, these aren't the TI chips. This isn't ISO 15693. If you can break 3DES please let me know. I would be VERY interested.

  2. Re:Show me the security by John+Harrison · · Score: 3, Informative

    BTW, the specs are out there if you care to look. Here's a hint for you: EMV

  3. big deal -- Mobil already does this by Anonymous Coward · · Score: 2, Informative

    Mobil gas stations give you a little RFID dealie to authorize gas purchases at the pump and other purchases in the store. They've done this for years.

    All Visa is doing is moving the RFID dealie from a little wand on your keychain to the card.

  4. Re:Security? by BenjyD · · Score: 2, Informative

    Many countries (most of Europe, at least AFAIK) require PINs for credit/debit card purchases. You type it into a little keypad dealie with a cover so the person at the till can't see you typing.

  5. Tracking down criminals by FuzzyDaddy · · Score: 3, Informative

    My wife once had a charge for ~$600 appear on her card. It turns out a worker who had been in our house (don't know which one) got the card and ordered a bunch of bulk food. It was shipped to an address. For $600, no one (police, credit card company) was willing to investigate it to the point of actually checking out that address and seeing if someone lived there who worked in my house. The shipping company had the address but wouldn't give it to me.

    Tracking down online transactions isn't necessarily so trivial or likely to happen.

    --
    It's not wasting time, I'm educating myself.
  6. Re:Show me the security by duffbeer703 · · Score: 2, Informative

    The signature is not a security device, it indicates that you accept and agree to adhere to the terms of your credit agreement (ie you will pay your bill).

    If your credit card is unsigned and you refuse to pay, the merchant is on the hook for it.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  7. Not really... by niki9 · · Score: 2, Informative

    "isn't that very similar to how TI's car RFID system was made?"

    According to Visa:

    "Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted"

    So... not really, no. Just because two products use the same base technology doesn't mean that one is as fallible as the other. All cars made of metal and fiberglass don't rate the same in crash tests.

    --
    "Someone's gotta have some damn perspective around here!" -- Commander Susan Ivonova, Babylon 5
  8. Sjeez, its not rfid!! by Anonymous Coward · · Score: 1, Informative

    People can NOT charge from your account simply by scanning your card.

    Although the article doesn't give much information, the card sends a unique number along with its ID with each purchase. The credit card company knows which number to expect for each ID and only allows the transaction if the two match.

    If your card is stolen however, purchases can be made.

    ----------

    A request to /.

    Please use accurate headlines --> FFS !! --

  9. Re:Show me the security by swillden · · Score: 5, Informative

    Hey, Visa, if you think your RFID system is so secure, publish all the nice technical details on how it works, so we can be confident of its security.

    They're all published and available.

    The basic chip and communications specifications are contained in ISO 14443. It will cost you a few dollars to buy a copy. You purchase your copy from your national standards organization; if you live in the USA, that's ANSI and they charge $18 for each of the four parts. The fee isn't to keep this stuff out of your hands, by the way, *all* ISO standards are copyrighted and cost money to obtain. That's how they fund the standardization and publication processes.

    Above that basic level, most of these cards will be Java Cards. You can get the specifications for Java Card from Sun. They're free.

    Moving up, most of these cards are also Global Platform cards. GP defines an extra set of features above Java Card, mostly to specify security-related characteristics. The specifications are found at the Global Platform web site.

    In Visa's case, their recommended smart card platform is the IBM JCOP. You can find the details of IBM's implementation of Java Card and Global Platform here.

    Note that not all issuing banks will use Java Card, or even a programmable card. Visa's recommended non-Java platform is the IBM MFC card operating system. I don't think the MFC team has a web site.

    Finally, the actual payment application, and the component that matters most from a security perspective, is EMV. You can find complete EMV specifications at the EMVCO web site. The specs are mostly written towards contact smart cards, not contactless, but good smart card protocol designers *always* assume an attacker can get between card and reader, whether it's directly connected via a contact plate, or whether it's over RF, so the contact-oriented security does just as good a job in contactless mode.

    Regarding signatures or no, it's not clear yet how that is going to be handled. EMV provides for several modes of operation, the best being "chip and PIN", which is what's being deployed in the UK right now (with contact cards, not RF). In that mode, you provide your PIN to the card reader through a PIN pad, and that unlocks your card to perform the transaction.

    EMV also allows chip and signature and chip-only (as well as providing for fall-back modes that don't use the chip and rely on the magnetic stripe or even on getting a carbon copy of the embossed card number). The decisions about which mode to require will be made by individual banks issuing cards.

    There is a lot to EMV... so you've got a few weeks worth of serious work cut out for you if you really want to understand it all, but the information is public and peer-reviewed. The countries that have deployed EMV have seen card skimming fraud drop to zero. That's right, so far, there has been no known case of an EMV card being faked or duplicated, and as far as I know, no one has deployed cards with DDA (dynamic data authentication) enabled. They're all SDA (static data authentication), which carry digitally-signed but static data on the chip which is read out every time. The US banks are talking about doing DDA, which involves a cryptographic challenge-response protocol and is vastly harder to duplicate.

    At, say, $24 each, in a large crowd, you could amass quite a bit of money, and many people would never know it happened.

    LOL. Dude, think about what you're saying. Credit card transactions are completely auditable. When dozens of people complain that they didn't authorize those $24 transactions, the issuing banks are going to go back to the merchant who performed them, and his acquirer is going to notice the extraordinarily high level of complaints, *and* that they're all for sub-$25 transactions. The thief will be in prison very shortly.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
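
    The acquirer-side check described in the comment above, as an added example that is not part of the original post or of any Visa or network system: aggregate disputes per merchant, then flag a merchant whose dispute rate is far above normal and whose disputes cluster under the $25 no-signature limit from the article. The transaction ledger and the thresholds are constructed for illustration; real acquirers use their own monitoring rules.

```python
from collections import defaultdict
from dataclasses import dataclass

# The article says sub-$25 purchases need no signature; that is the band
# an abuser of a reader would stay inside.
NO_SIGNATURE_LIMIT = 25.00


@dataclass(frozen=True)
class Txn:
    merchant: str
    card: str
    amount: float
    disputed: bool   # cardholder later reported the charge as unauthorized


# Constructed sample ledger (not real data): an ordinary grocer with one
# stray dispute, and a merchant whose reader has been used for many small
# unauthorized charges against different cards.
SAMPLE_TXNS = (
    [Txn("grocer-01", f"card-{i:03d}", amt, False)
     for i, amt in enumerate([12.50, 48.20, 7.99, 103.00, 22.10, 65.40, 19.99, 88.00])]
    + [Txn("grocer-01", "card-100", 15.00, True)]
    + [Txn("kiosk-77", f"card-{200 + i:03d}", 24.00, True) for i in range(12)]
    + [Txn("kiosk-77", f"card-{300 + i:03d}", 24.00, False) for i in range(3)]
)


def merchant_stats(txns):
    """Per merchant: (transactions, disputes, disputes under the no-signature limit)."""
    counts = defaultdict(lambda: [0, 0, 0])
    for t in txns:
        c = counts[t.merchant]
        c[0] += 1
        if t.disputed:
            c[1] += 1
            if t.amount < NO_SIGNATURE_LIMIT:
                c[2] += 1
    return {m: tuple(c) for m, c in counts.items()}


def flag_merchants(txns, max_dispute_rate=0.10, min_disputes=5, min_small_share=0.90):
    """Flag merchants whose dispute rate is well above normal AND whose disputes
    cluster under the no-signature limit, the pattern the comment says an
    acquirer would notice.  Thresholds are illustrative assumptions, not rules."""
    flagged = {}
    for m, (n, d, small) in merchant_stats(txns).items():
        if d < min_disputes:
            continue   # too few disputes to say anything
        rate, small_share = d / n, small / d
        if rate > max_dispute_rate and small_share >= min_small_share:
            flagged[m] = {
                "dispute_rate": round(rate, 3),
                "small_dispute_share": round(small_share, 3),
                # many distinct complaining cardholders is what makes this an
                # auditable pattern rather than one customer's grudge
                "distinct_cards_disputing": len({t.card for t in txns
                                                 if t.merchant == m and t.disputed}),
            }
    return flagged


if __name__ == "__main__":
    for merchant, detail in flag_merchants(SAMPLE_TXNS).items():
        print(f"{merchant}: {detail}")
```

    Requiring a minimum number of disputes before computing a rate keeps a single chargeback from flagging a small merchant; the distinct-card count is the figure that turns "lots of complaints" into evidence that many different cardholders were charged without authorizing it.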
  10. Re:Vent my Credit Card/Check Card Pet Peeve by duffbeer703 · · Score: 4, Informative

    I don't sign my cards. I write in bold letters on the back MUST SEE ID. Still only about 1 in 20 times am I asked for an ID, even when making a $50+ purchase.

    You're an idiot. That signature panel is not there to identify you to the store clerk. It's there to prove that you have agreed to abide by the provisions of the cardmember agreement (i.e. pay your bill). Merchants are actually permitted to confiscate your card (which is the property of the issuing bank) if you refuse to sign it.

    The purpose of checking your signature is to cover the merchant. If you don't sign your card the merchant is liable if you refuse to pay.

    PIN-based electronic transactions are actually considered digital signatures. The fact that you set or remembered your PIN signals your acceptance of the card agreement, and entering your PIN signs your transaction. Merchants prefer that you do a PIN transaction because it is cheaper and does not require them to store boxes of signed credit card drafts in the back for a year or more.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  11. Real RFID by Megamote · · Score: 2, Informative

    The global credit card company will offer PayPass, its RFID-enabled contactless payment system, to fans at the Seattle Seahawks and Baltimore Ravens stadiums this fall. http://www.rfidjournal.com/article/articleview/1420/1/1/

  12. Re:Very Secure? by sbryant · · Score: 2, Informative

    What protects consumers from fraudulent merchants waving some kind of electronic cash-sucking wand by your back pocket which contains your wallet which contains your RFID Visa card? There's no mention of this in the article at all!

    That's easy to answer! It's almost certainly based on the technology they already use.

    VISA and others have been making smart cards for a while - they have a chip in which a smart card reader can talk to. You've probably seen cards with the contacts on the front already. The whole point of these cards is to cut down fraud, especially by card duplication. It's relatively easy to reproduce what is on the magnetic stripe, as the information is static.

    These chips are used as part of an "online" transaction: the terminal (card reader) connects to the service provider's system, which in turn connects to VISA. VISA issues a challenge, the card's chip issues a response, and VISA verifies the card. This way, you can instantly detect fake or blacklisted cards. (If you lose your card, always call them immediately!) The challenge is unique every time, and a PIN/signature may still be required, possibly depending on the amount.

    The retailer is guaranteed payment for such transactions, even if the charge is contested. Such online transactions cost the retailer more than offline ones, where the retailer takes the risk in case of fraud/chargeback. If you have to type in your PIN, it's online.

    This new system will most likely be an extension of the smart card system. Even if somebody finds a way to challenge the card and get a response, they could only ever use that response against the same challenge from VISA for a charge on the exact same card. It may also be that the amount being charged affects the challenge and/or response too (I think so, but don't remember). It might be theoretically possible, but there is too much left to chance for it to be realistic. If they add an extra security layer to cover the wireless part, you are left with a very safe system.

    If I wanted to get lots of money (illegally), I would turn my efforts to something which was easier and actually had a real chance of succeeding. Beware the old-fashioned pickpocket!

    -- Steve

  13. Re:No, you are ignorant by Anonymous Coward · · Score: 1, Informative

    On the back of my Visa Check Card:

    Authorized Signature
    Not Valid Unless Signed


    You're supposed to sign it, and then write "CHECK I.D." elsewhere on the back of the card.

  14. Merchant account not required by BobPaul · · Score: 2, Informative

    Well, there's a long way and a short way.

    Short way:
    Steal someone's card. Put it in your wallet, buy things. They won't ask for ID because that will slow down the process (and they hardly ever do now anyway). If it's less than $25 there's no paper trail, either. This will work until the person realizes their card is missing and reports it stolen. Essentially the same as the present, but at least now they're supposed to verify your identity by comparing signatures or checking for ID... at least there's SOME verification to prevent a stolen card that should occur.

    Long way:
    1) Use a small device about the size of a Palm Pilot to send someone's credit card a series of a few hundred to a few thousand challenges and note the response that's given back.
    2) Go back to your computer and crunch the challenge vs. response to determine the algorithm used to provide each.
    3) Plug that algorithm into a generic battery-powered transceiver about the size of a Palm Pilot and let the reader scan that rather than a wallet-encased credit card.

    Steps 1 and 2 will be possible eventually (using the same methods that cracked TI's method, I'm sure) and eventually someone will make the necessary hardware for step 3, or at least post instructions on the internet on how to build one with a PIC and some other cheap hardware.

    The teller will never know if you're scanning a wallet with a credit card inside, or a wallet with a small battery-powered transceiver inside.

    The problem is not that this system is less secure than magstripes (it's about a million times more secure right now). The problem is that the teller never has to see your card to verify your identity. They won't know if it's your card in the wallet or purse you swing past the reader, or someone else's, or even a device that randomly picks 1 of 30 people's identities you got off the subway the week before. I wouldn't be concerned, but since the TI thing just a few weeks ago, I'm not sure how much I can trust RFID-based challenge response systems. The TI solution cracked was supposedly one of the best out there.

  15. This is not EMV warmed over. by Anonymous Coward · · Score: 1, Informative

    The specs are not EMV but hew rather closely to existing US messaging... which runs in the clear on many merchant LANs. Some of the semiconductor merchants describe 14443 RFIDs with crypto, and those descriptions are a better guide to what is available. Look at what is done at POS and you will see they mainly have the RFID supply data that would be on the magnetic stripe and just feed it into the same terminals that would normally have a stripe reader.

  16. Re:Show me the security by SupremeTaco · · Score: 3, Informative

    Once again, please quit spreading dis-information. Visa has not ever, and hopefully will not ever issue a merchant account with an "anonymous" pay-to system/account/email address! There's a lot of paperwork and verification involved. Sure someone could steal a scanner and rack up charges, but unless they're a verified, bonded, merchant, they won't see that money.

    Period.

    --
    You have a constitutionally protected right to be wrong, and I the right to ignore you.