Slashdot Mirror

← Back to Stories (view on slashdot.org)

Visa To Push Swipeless Credit Cards

Posted by Zonk on from the tossing-your-money-into-the-aether dept.

BobPaul wrote in to mention an initiative by Visa to allow for swipeless credit card transactions. From the article: "...consumers need only wave credit and debit cards within a few inches of a reader to complete a purchase. And for purchases of less than $25, no signature is required...Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted". Update: 02/25 16:06 GMT by Z : References to RFID technology removed.

6 of 452 comments (clear)

  1. Re:Show me the security by John+Harrison · · Score: 5, Informative

    You don't know what you're talking about and neither does /., or at least Zonk. This isn't RFID, these aren't the TI chips. This isn't ISO 15693. If you can break 3DES please let me know. I would be VERY interested.

    --
    Lasers Controlled Games!
  2. Re:Show me the security by John+Harrison · · Score: 3, Informative

    BTW, the specs are out there if you care to look. Here's a hint for you: EMV

    --
    Lasers Controlled Games!
  3. Tracking down criminals by FuzzyDaddy · · Score: 3, Informative
    My wife once had a charge for ~$600 appear on her card. It turns out a worker who had been in our house (don't know which one) got the card and ordered a bunch of bulk food. It was shipped to an address. For $600, no one (police, credit card company) was willing to investigate it to the point of actually checking out that address and seeing if someone lived there who worked in my house. The shipping company had the address but wouldn't give it to me.

    Tracking down online transactions isn't necessarily so trivial or likely to happen.

    --
    It's not wasting time, I'm educating myself.
  4. Re:Show me the security by swillden · · Score: 5, Informative

    Hey, Visa, if you think your RFID system is so secure, publish all the nice technical details on how it works, so we can be confident of its security.

    They're all published and available.

    The basic chip and communications specifications are contained in ISO 14443. It will cost you a few dollars to buy a copy. You purchase your copy from your national standards organization; if you live in the USA, that's ANSI and they charge $18 for each of the four parts. The fee isn't to keep this stuff out of your hands, by the way, *all* ISO standards are copyrighted and cost money to obtain. That's how they fund the standardization and publication processes.

    Above that basic level, most of these cards will be Java Cards. You can get the specifications for Java Card from Sun. They're free.

    Moving up, most of these cards are also Global Platform cards. GP defines an extra set of features above Java Card, mostly to specify security-related characteristics. The specifications are found at the Global Platform web site.

    In Visa's case, their recommended smart card platform is the IBM JCOP. You can find the details of IBM's implementation of Java Card and Global Platform here.

    Note that not all issuing banks will use Java Card, or even a programmable card. Visa's recommended non-Java platform is the IBM MFC card operating system. I don't think the MFC team has a web site.

    Finally, the actual payment application, and the component that matters most from a security perspective, is EMV. You can find complete EMV specifications at the EMVCO web site. The specs are mostly written towards contact smart cards, not contactless, but good smart card protocol designers *always* assume an attacker can get between card and reader, whether it's directly connected via a contact plate, or whether it's over RF, so the contact-oriented security does just as good a job in contactless mode.

    Regarding signatures or no, it's not clear yet how that is going to be handled. EMV provides for several modes of operation, the best being "chip and PIN", which is what's being deployed in the UK right now (with contact cards, not RF). In that mode, you provide your PIN to the card reader through a PIN pad, and that unlocks your card to perform the transaction.

    EMV also allows chip and signature and chip-only (as well as providing for fall-back modes that don't use the chip and rely on the magnetic stripe or even on getting a carbon copy of the embossed card number). The decisions about which mode to require will be made by individual banks issuing cards.

    There is a lot to EMV... so you've got a few weeks worth of serious work cut out for you if you really want to understand it all, but the information is public and peer-reviewed. The countries that have deployed EMV have seen card skimming fraud drop to zero. That's right, so far, there has been no known case of an EMV card being faked or duplicated, and as far as I know, no one has deployed cards with DDA (dynamic data authentication) enabled. They're all SDA (static data authentication), which carry digitially-signed but static data on the chip which is read out every time. The US banks are talking about doing DDA, which involves a cryptographic challenge-response protocol and is vastly harder to duplicate.

    At, say, $24 each, in a large crowd, you could amass quite a bit of money, and many people would never know it happened.

    LOL. Dude, think about what you're saying. Credit card transactions are completely auditable. When dozens of people complain that they didn't authorize those $24 transactions, the issuing banks are going to go back to the merchant who performed them, and his acquirer is going to notice the extraordinarily high level of complaints, *and* that they're all for sub-$25 transactions. The theif will be in prison very shortl

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Re:Vent my Credit Card/Check Card Pet Peeve by duffbeer703 · · Score: 4, Informative
    I Don't sign my cards. I write in bold letters on the back MUST SEE ID. Still only about 1 in 20 times am I asked for an ID, even when makeing a $50+ purchase.

    You're an idiot. That signature panel is not there to identify you to the store clerk. Its there to prove that you have agreed to abide the provisions of the cardmember agreement. (ie pay your bill) Merchants are actually permitted to confiscate your card (which is the property of the issuing bank) if you refuse to sign it.

    The purpose of checking your signature is to cover the merchant. If you don't sign your card the merchant is liable if you refuse to pay

    PIN-based electronic transactions are actually considered digital signatures. The fact that you set or remembered your PIN signals your acceptance of the card agreement, and entering your PIN signs your transaction. Merchants prefer that you do a PIN transaction because it is cheaper and does not require them to store boxes of signed credit card drafts in the back for a year or more.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  6. Re:Show me the security by SupremeTaco · · Score: 3, Informative

    Once again, please quit spreading dis-information. Visa has not ever, and hopefully will not ever issue a merchant account with an "anonymous" pay-to system/account/email address! There's a lot of paperwork and verification involved. Sure someone could steal a scanner and rack up charges, but unless they're a verified, bonded, merchant, they won't see that money.

    Period.

    --
    You have a constitutionally protected right to be wrong, and I the right to ignore you.