Slashdot Mirror


Visa To Push Swipeless Credit Cards

BobPaul wrote in to mention an initiative by Visa to allow for swipeless credit card transactions. From the article: "...consumers need only wave credit and debit cards within a few inches of a reader to complete a purchase. And for purchases of less than $25, no signature is required...Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted". Update: 02/25 16:06 GMT by Z : References to RFID technology removed.


  1. Show me the security by IO+ERROR · · Score: 2, Insightful
    Hey, Visa, if you think your RFID system is so secure, publish all the nice technical details on how it works, so we can be confident of its security. Otherwise I'm going to take my low-tech X-Acto knife and cut that RFID tag right out of the card. Considering that anybody can hack an RFID tag now, I'm not particularly inclined to trust this thing.

    Especially since it would be easy enough to wave an RFID reader at people's purses, back pockets, etc. At, say, $24 each, in a large crowd, you could amass quite a bit of money, and many people would never know it happened.

    --
    How am I supposed to fit a pithy, relevant quote into 120 characters?
    1. Re:Show me the security by Delirium+Tremens · · Score: 4, Insightful
      Maybe they should have moved to the latest standard: AES. Deploying 3DES solutions today is deploying legacy.

      "While 3DES appears to be secure for now, it takes at least 3 times as long to run as DES, and this means that it is inefficient and slow compared to other available block ciphers such as the new standard, AES, which has replaced DES."

      -- W. Diffie and M. E. Hellman, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard," in IEEE Computer, vol. 10, 1977, pp. 74-84.
    2. Re:Show me the security by Thaelon · · Score: 5, Insightful
      While this may seem very scary at first it's complete FUD.

      In order to process claims from a reader like this you're going to need a merchant account.

      So let's say you try it, I'll outline the events for you in chronological order:
      1. You obtain a merchant account to be able to collect funds from your portable reader.
      2. You figure out a way to generate transaction IDs without contacting Visa.
      3. You go out and collect ~$24 from fifty people in a crowd, wohoo $1,200!
      4. Let's say you play it smart and only claim those transaction monies and random increments over a day or so.
      5. 50 people protest to Visa that they didn't authorize your charges.
      6. Visa does about 30 seconds worth of research and realizes that all 50 of these claims lead directly to you via your merchant account.
      7. Visa shuts you down like a bitch and presses charges.
      8. You go to jail since you have no case whatsoever.
      9. Your ass now belongs to Bubba.

      --

      Question everything

    3. Re:Show me the security by John+Harrison · · Score: 2, Insightful

      Please show me the reader that can read one of these from 5 feet. I would love to see it. Again, this isn't an RFID tag with a 3 meter range. But you know what? Tinfoil works great. I have a desk full of contactless smart cards here and if you put a single layer of tinfoil around it nobody can read it. I've tried.

    4. Re:Show me the security by iamwahoo2 · · Score: 1, Insightful
      Put scanner near someone's pocket and charge $24 or record credit card number (depending on how you wish to rip the person off). No signature necessary nor decryption necessary. You do not have to "break" anything.

      Why is the technology even necessary given the risk? How much harder is swiping versus hovering the card over the scanner, aside from a fraction of a second of your time, what do you gain? The hardest part in either case is just getting the card out of your wallet.

      From a risk standpoint using these cards would be a poor decision on anybody's part. You gain basically nothing except for the coolness factor, and you put yourself at additional risk of fraud.

    5. Re:Show me the security by Qzukk · · Score: 3, Insightful

      People wave this "it only works from inches away" bullshit without having any idea how radio works.

      It's simply a matter of using the right antenna with the right gain. See the bluetooth sniper rifle for details (kilometer range! With bluetooth!). If the antenna is too big to hide on your person, set up shop in a dark alley somewhere and scan the masses as they mill by unaware.

      And yeah, tinfoil would work but make it all the more stupid. Not only would the old lady have to fumble the card out of her purse, you'd be sitting around watching her try to unwrap it and wrap it again afterwards. Just swipe the damn thing already!

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    6. Re:Show me the security by trigeek · · Score: 2, Insightful

      For the record, Visa is very paranoid about encryption security. They don't even trust RSA for key exchange, because you are never guaranteed a prime number. They've been using Smart Cards in their credit cards in France since before 2000, and I haven't heard a lot of complaints (if anyone has, I'd be interested to hear). Besides, this will allow a waiter to take a cordless reader to your table to scan your card. Which is the higher security threat, someone who can hack triple DES (and manage to get their hands on rogue hardware), or a waiter earning $3/hour plus tips simply writing down your credit card number when he has it in the back room? Final point: If you're paranoid about someone scanning your credit cards in a crowd, build a Faraday cage into your wallet. I'm sure there would be a huge market for that kind of thing in the "Aluminum Foil Hat" crowd. I'd probably buy one, actually :-)

      --
      Sometimes I doubt your commitment to SparkleMotion!
    7. Re:Show me the security by John+Harrison · · Score: 4, Insightful
      You can probably eavesdrop on the card to reader communication from some distance. This is known by those that created the spec and they have designed for it. Go read the EMV spec. Tell me if you can hack it. It has been out for years and in production in Europe for a while, though most deployments there are for contact cards.

      The real goal is fraud reduction. Visa isn't aiming for a perfect system, they want a better one that prevents skimming of your mag stripe. This means that they are no longer the low hanging fruit and the fraudsters will target traditional magstripe cards.
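The replay protection that the story summary and this sub-thread refer to (a per-transaction code that is useless to an eavesdropper), shown as an added example that is not part of the original thread and is not Visa's or EMV's actual algorithm. It is a simplified model: the `Card` and `Verifier` classes, the HMAC-SHA256 construction, the message layout and the amounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _message(counter: int, challenge: bytes, amount_cents: int) -> bytes:
    """Fixed-width encoding so one field cannot be shifted into another."""
    return counter.to_bytes(4, "big") + amount_cents.to_bytes(8, "big") + challenge


def _code(key: bytes, counter: int, challenge: bytes, amount_cents: int) -> str:
    """Per-transaction code: a truncated MAC over counter, amount and challenge."""
    mac = hmac.new(key, _message(counter, challenge, amount_cents), hashlib.sha256)
    return mac.hexdigest()[:16]


@dataclass
class Card:
    """Hypothetical card: holds a secret key and a counter that only goes up."""
    key: bytes
    counter: int = 0

    def respond(self, challenge: bytes, amount_cents: int) -> dict:
        self.counter += 1
        return {
            "counter": self.counter,
            "challenge": challenge,
            "amount_cents": amount_cents,
            "code": _code(self.key, self.counter, challenge, amount_cents),
        }


@dataclass
class Verifier:
    """Hypothetical reader plus issuer: issues challenges and checks responses."""
    key: bytes
    last_counter: int = 0
    pending: set = field(default_factory=set)

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(8)  # unpredictable, used exactly once
        self.pending.add(challenge)
        return challenge

    def authorize(self, tx: dict) -> str:
        expected = _code(self.key, tx["counter"], tx["challenge"], tx["amount_cents"])
        if not hmac.compare_digest(expected, tx["code"]):
            return "reject: bad code"
        if tx["challenge"] not in self.pending:
            return "reject: challenge already used or unknown"
        if tx["counter"] <= self.last_counter:
            return "reject: counter not fresh"
        self.pending.discard(tx["challenge"])
        self.last_counter = tx["counter"]
        return "approve"


def demo() -> dict:
    """Run a genuine purchase, then three misuse attempts with the captured data."""
    key = secrets.token_bytes(32)  # constructed key shared by card and verifier
    card, verifier = Card(key), Verifier(key)
    results = {}

    captured = card.respond(verifier.new_challenge(), 500)  # constructed $5.00 sale
    results["genuine"] = verifier.authorize(captured)

    # 1. Exact replay of the intercepted transmission.
    results["replay"] = verifier.authorize(dict(captured))

    # 2. Captured code presented against a fresh challenge.
    fresh = verifier.new_challenge()
    results["captured_code_new_challenge"] = verifier.authorize(
        {**captured, "challenge": fresh}
    )

    # 3. Captured code with the amount changed.
    results["tampered_amount"] = verifier.authorize({**captured, "amount_cents": 2400})

    # The real card can still transact: new counter, new challenge, new code.
    results["next_genuine"] = verifier.authorize(card.respond(fresh, 1200))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:30s} {outcome}")
```

The model covers only reuse of an intercepted transmission; a live, unauthorized read of the card, which several comments raise, is a separate question that this check does not address.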

    8. Re:Show me the security by sangreal66 · · Score: 4, Insightful

      And how exactly do you expect this to make you any money? Cash is magically going to fly out of their credit card and into your bank account? Or do you actually expect VISA to start cutting checks to your house for charges made on your stolen card reader?

    9. Re:Show me the security by Muad'Dave · · Score: 3, Insightful

      You don't seem to have read the spec - this is more about how air core transformers work than radio. These ISO 14443 cards use inductive coupling to power the card, not RF field strength. From this ISO 14443 overview:
      ISO 14443-2 was published on July 1, 2001. This standard describes the characteristics of power transfer (based on inductive coupling) and communication between the PICC and PCD. Power is transferred to the card using a frequency modulated [magnetic] field at 13.56 MHz +/- 7kHz.
      Having a crypto processor on board (especially the exponentiator) requires way more power than can typically be delivered by RF field strength (far field tags vs near field tags). EPC tags are RF field powered, and can be read from several meters away. Magnetically coupled tags can only be read from a few cm.

      73 de k4det

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    10. Re:Show me the security by swillden · · Score: 2, Insightful

      completely anonymous paypal account (who i am sure will have the cash to convince visa to give them access to this system)

      Bwahahahah!!!

      Jeez, dude, you made me spray coke all over my keyboard.

      That's the funniest thing I've seen all day.

      Anonymous Paypal account? Riiiiggghtt. Paypal issuing acquiring devices? Riiiggggtt.

      And, of course, it would be so much harder to do any of this with the current magstripe system, where you don't even need the card at all.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Security? by Cyberax · · Score: 5, Insightful

    And now a thief doesn't have to guess PINs. It will be enough just to steal a card!

    1. Re:Security? by swillden · · Score: 2, Insightful

      And now a thief doesn't have to guess PINs. It will be enough just to steal a card!

      Umm, under the current magstripe-based system, the thief doesn't need a PIN *or* a card. All he needs is the card number.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. Very Secure? by bigtallmofo · · Score: 4, Insightful

    From TFA:

    Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted, a key security feature, he said.

    What protects consumers from fraudulent merchants waving some kind of electronic cash-sucking wand by your back pocket which contains your wallet which contains your RFID Visa card? There's no mention of this in the article at all!

    It's a standard scam now for an unscrupulous merchant to charge millions of people a small amount of money fraudulently with the hopes that the vast majority won't even notice. Imagine what they will do when all they have to do is walk around a mall waving something at people's purses and back pockets!

    --
    I'm a big tall mofo.
    1. Re:Very Secure? by DustMagnet · · Score: 2, Insightful
      What protects consumers from fraudulent merchants waving some kind of electronic cash-sucking wand by your back pocket which contains your wallet which contains your RFID Visa card?

      The same exact thing that protects you from having a merchant misuse your credit card number. You have to check your bill and write a written complaint. You don't pay a penny and each complaint costs the merchant an extra charge. Too many could start a fraud investigation, but from what I hear the companies usually don't bother.

      --
      'SBEMAIL!' is better than a goat!!
  4. Re:People, this isn't RFID!!!!!!!! by RPI+Geek · · Score: 3, Insightful

    This is an old /. tactic, don't get so excited:
    1) Use misleading buzzword to capture /. editor's attention.
    2) Front page story.
    3) ???
    4) Profit!

    --

    - "Nobody came out that night, not one was ever seen. But Old Man Stauf is waiting there, crazy sick and mean!"
  5. Another Fine example of Slashdot "journalism" by sQuEeDeN · · Score: 5, Insightful

    Seriously. IT DOES NOT MENTION RFID ANYWHERE IN THE ARTICLE. Just so y'all realize. Why is slashdot so anti-RFID, anyways? Are you guys anti-barcode? It's just a longer range barcode. And the chipmaker can set the length. It's just a way to get small amounts of information in to a computer. Relax.

    And, I'm inclined to listen to visa a little bit when they say their card is secure. I mean, they are not exactly a company that can win by skimping on security. If the system is hacked, they pay, not you.

    --

    Recursive (adj.): see 'Recursive'
    1. Re:Another Fine example of Slashdot "journalism" by drnlm · · Score: 2, Insightful
      Privacy freaks are anti RFID (and any similar distance tagging method) for precisely two reasons:
      It's passive (minimal activity required by anyone to get something scanned) and it's long range. While the ability to link identity to purchases (assuming no cash transactions) exists with bar-code readers, it's a much more active system, and the user has much more control over when and where this information is collected.

      If with a few minutes' thought, you can't construct a worst case scenario for long-range (where long range is further than about 20cm) bar-codes, there's no hope for you as a privacy freak :).

    2. Re:Another Fine example of Slashdot "journalism" by drinkypoo · · Score: 3, Insightful
      A barcode cannot be read through your wallet at a distance. Personally I do not have a wallet with a mylar insert, though you may. RFID tags can be read at a significant distance with off the shelf (though perhaps not handheld) equipment. Bar Codes can be read at basically any distance if you have line of sight and the bar is more or less perpendicular to you. Can you see the difference now? Here's another one to mull over: There was an article here about putting RFID in the shoe soles, ostensibly to track sole inventory. Can you imagine a more ideal situation if you're trying to track pedestrians? Every floor mat, sidewalk segment, et cetera is a potential hiding place for an RFID antenna, and with a large antenna at close range like that, the potential for error is vastly reduced.

      I am not inclined to believe anyone when they say they have a secure system. If it's not an OTP scheme then it's crackable.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Another Fine example of Slashdot "journalism" by DaveJay · · Score: 4, Insightful

      Why is slashdot so anti-RFID, anyways?

      I believe it is an issue of knowledge. Specifically, with RFID and RFID-like technologies that do not require physical contact or personal interaction (like a PIN or swipe) it is conceivable that your information can be read at a distance* without your knowledge.

      Does that mean the VISA card in this article is going to allow someone to drain your bank account because you walked too close to a vendor's shop? Not necessarily. However, consider this:

      1. The "secure" WiFi protocols have all been beaten;
      2. The "close-range" of bluetooth has been increased to over 1/4 of a mile by use of a shotgun-style antenna;
      3. In general, people continue to use these technologies even if they are informed of the flaws, because they do not want to lose the convenience (or believe that "if it was really insecure, they wouldn't be able to sell it" or "It won't happen to me").

      So do I think that a card like this will eventually be cracked, and will eventually be used to spy or steal from people (successfully or not**)? Yes. Yes I do.

      *Here, "a distance" could be a few feet, or could be across a street through a shop window using a shotgun antenna (see bluetooth example).

      **Here, I refer to the idea that someone who did this in bulk would likely get caught, and if they got caught it would not be a successful theft; then again, people steal checks and forge transactions to pay their utility bills all the time, and are rarely prosecuted for this provided the dollar amounts are small.

  6. Making Fraud easy and fun! by kbonapart · · Score: 3, Insightful

    So, when Wal-Mart incorporates this technology, can I just have the bag containing the stolen card near the reader to purchase my illicit goods? And *IF* I am questioned about it, I can say that I didn't know it was in there, and I thought it was going to read my REAL card.

    Also, does this mean that around the holidays in the mall, I won't have to hand the card over along with my driver's license?

    "No, you don't need my ID, ma'am. Don't you know those cards can't be faked? It's completely secure. Yeah, I heard about it on the news, too. Never need to see my ID again. Completely safe. Don't forget to put that $1,235.65 on "credit". okay?"

    And while the article says there is a code that can't be re-used for other readers, won't a signal jumper (the ones used to grab car alarm frequencies) still be able to get the 16 digit card number, plus exp. date?

    Yeah, sending important financial data through the air sounds like a great idea. To the tech savvy, this is the same as screaming the numbers to the woman behind the register. Would you do that?

    --
    There are no gods but ourselves.
  7. So this saves what, exactly? by Anonymous Coward · · Score: 1, Insightful

    Tired of having to swipe and sign every time you use a credit card?

    I haven't signed for a purchase in a long time, except once in a restaurant. Everything is chip and pin now. You can just stick your card in the reader, enter your pin, and be done. Something you have and something you know, at least it is two items of security.

    Surely this contactless card will simply turn it to something you have being a requirement, making trivial theft very profitable.

    Are Americans so lazy that they can't hand over the card to the cashier to swipe/insert into the chip reader?

  8. Is this technology really necessary?! by William_Lee · · Score: 3, Insightful

    All this looks like to me is credit card companies trying to generate a new revenue stream by getting existing merchants to pony up for the new technology required to use this system.

    Is it really so hard to swipe your card through a reader as you checkout? Does Visa really think people are so lazy that swiping a card is too much work?

    This is an example of technology being used simply because it exists. This adds ZERO value for the consumer and opens up huge security holes. Who believes for one second that this technology is actually 100% secure?

    I guess we're supposed to be reassured by the quote from the Visa rep in the article reminding us that there is no consumer liability for fraud.

    I can only imagine what is going to happen if they roll out debit/checkcards linked to actual bank accounts with this technology!

  9. Dont even need to take the guys wallet anymore by GatesGhost · · Score: 1, Insightful

    once someone figures out how to bypass the code, all they need to do is walk by you to steal your card. and besides, how lazy do you have to be not to take out your card and swipe it? seriously: 1) take card out 2) swipe. wow, that was so hard, i need to create an elaborate method so that i don't even need to move my fat ass anymore.

  10. theft by SpongeBobLinuxPants · · Score: 2, Insightful

    So now instead of someone having to take my wallet to steal my credit card they can just walk by me with a contactless reader?

  11. Better watch those monthly statements! by AFCArchvile · · Score: 2, Insightful
    "Security is a question," Gillespie said. "How easy is it for someone to interact with a wireless communication and pick up a number?"

    Hopefully not as easy as stopping payment on questionable charges to the account. The advantage of online progressively-updated statements becomes infinitely greater here; you'll have to check your statements every WEEK if it gets bad. Genuine cowhide is out, 100 mil thick aluminum is in!

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
  12. What's the point? by Lemuel · · Score: 3, Insightful

    Why do I need a contactless transaction? What is so hard about running my card through the slot in the terminal?

  13. Re:People, this isn't RFID!!!!!!!! by iamwahoo2 · · Score: 2, Insightful

    The information is transferred via radio signal. Given only this information I also would have inferred that RFID chips are used. The devil may be in the details but saying that it is misleading, dishonest and unprofessional is a little overboard. The main concern of security is still the same.

  14. Re:No, this is different by FLEB · · Score: 2, Insightful

    Aaaaand... the merchant gets screwed.

    --
    Information wants to be free.
    Entertainment wants to be paid.
    You just want to be cheap.
  15. Vent my Credit Card/Check Card Pet Peeve by Confessed+Geek · · Score: 4, Insightful

    Please excuse me while I get this personal pet peeve off my chest.

    WHY, do companies and stores think that NOT showing ID when using a credit card/debit card is something that people would want?

    I don't sign my cards. I write in bold letters on the back MUST SEE ID. Still only about 1 in 20 times am I asked for an ID, even when making a $50+ purchase.

    And the debit cards. The advertising on them is insane. They have some celebrity come out and get asked for ID then say - "With our Check Card, you Never need ID" And how is this supposed to be a good thing? I'm supposed to be happy that it is even easier for someone who has stolen a card to go and clear out my checking account? Who the heck goes out with their credit cards, but skips their ID? Who the heck runs around without an ID in the first place? What, you're going to go into your wallet or purse, take out the debit card, and leave your licence/ID in there?

    With all the credit card fraud and identity theft going on, why would anyone make it even easier to ruin your credit rating and entangle you in hours upon hours of sometimes futile effort to get it set straight?

    Mind you I will scream like hell if somebody REQUIRES me to carry an ID all the time - but cash spends fine without any verification.

    Thanks.

    1. Re:Vent my Credit Card/Check Card Pet Peeve by graphicsguy · · Score: 2, Insightful

      Why not get a credit card with your photo on it?

    2. Re:Vent my Credit Card/Check Card Pet Peeve by AK+Marc · · Score: 2, Insightful

      Merchants are actually permitted to confiscate your card (which is the property of the issuing bank) if you refuse to sign it.

      No, they are not. You further listed Mastercard rules, and it permits (or requires) that they refuse sales in certain circumstances. It does not state that they are allowed to confiscate cards for not being signed. I don't have a full agreement with me (or the hours necessary to read it), but the cards themselves do not identify themselves as the property of the bank.

      And, if you were familiar with signature law (yes, there is a surprisingly large amount of law regarding signatures), "See ID" could be considered a signature. That would be a legal issue not fully explored by the courts, so it is pointless to guess what the outcome would officially be (other than my pointing out that it is a possibility).

  16. Re:People, this isn't RFID!!!!!!!! by Smack · · Score: 3, Insightful

    You're right, it may only be misleading and unprofessional.

  17. What if I carry multiple VISA cards? by lugar · · Score: 2, Insightful

    I could just see me pull out my wallet and have it just be in range of the reader. I intend it to charge to one card and...whoops, it charges to the card I'm almost over limit on.

  18. Re:It speeds things up greatly. by Lemuel · · Score: 2, Insightful

    But the slow part involves getting out the card, answering the debit/credit question, printing the receipt, and signing it. If the goal is speed up the process the debit/credit question could be removed and the signature. I'm assuming people still want receipts, although I could be wrong there.

  19. No, you are ignorant by A+nonymous+Coward · · Score: 2, Insightful

    I too sign my cards CHECK I.D. This is accepted practice. Some credit card companies have even recommended it. Stores are SUPPOSED to ask for ID in that case, the point being to see that the photo ID matches my face, and the names match.

    I'd like to see some store manager so ignorant as to try to confiscate my credit card because it tells him to ask for I.D.

  20. No money would be lost by consumers by A+nonymous+Coward · · Score: 2, Insightful

    The merchant does not add a $20 item and transfer money instantly. It has to go thru the issuing bank, and not instantly, and not without the possibility of chargebacks, and then that merchant will lose his VISA account and be out of business. If you dispute the matter, and they see a pattern of some merchant going bananas with $20 chargebacks, he will be in banana-skin city. The merchant will lose. This is credit cards.

  21. Signatures/ID are poor(ly implemented) security by sjbe · · Score: 3, Insightful

    WHY, do companies and stores think that NOT showing ID when using a credit card/debit card is something that people would want?

    Generally as a customer I don't. Not that I think showing ID is a bad idea but I generally find the signature and to a lesser extent ID security measures to be as pointless as most of the airline "security". They're half heartedly implemented, irritating, and as implemented don't really do much to stop crime. It's appearance of security without substance. I wouldn't mind people asking for ID except that almost no one does, so what's the point? And the signature matching is stupid since any thief with half a brain (admittedly some lack even half) will just look at the card and make at least a half-hearted effort to copy it. It's not like he has to look hard for it...

    Let me be clear. I have the misfortune of being a man with a name that is very rarely associated with the masculine gender. As irritating as that is to me, I should get asked for my ID all the time. But I don't which tells me that the store management and credit card companies don't really perceive it as a problem. And they have the data to know whether it is or isn't. It's not like they're guessing. Furthermore, when I do get asked for ID, it's almost always at places like an airport (where I've been asked for my ID 20 times) when buying a $4 magazine, never for the $1000 printer. As a customer, I'll admit that being asked for ID is irritating and I don't like being regarded as a potential criminal but if it were a widely implemented security measure, I could deal. But since the credit card companies and most retailers don't regard it as enough of a problem (actions speak louder than words) to ask for ID consistently, I'd rather they save me the irritation and not bother at all.

    It gets repeated here ad nauseam that authentication consists of some combination of what you have, what you are and what you know. The signature is worthless as a security measure because it is simply two instances of something you have in the same item. Someone who takes my credit card also has my signature. Asking for photo ID sort of gets at what you are, though it can be forged by an ambitious criminal. But it could slow down the smaller thefts were it actually used. A pin code is actually useful IMO because it is something you know but is not used (for cost reasons mostly) for credit cards here in the US. And unlike biometric ID, it can be changed if there is a mixup.

    While I'm venting, what really irritates me is when they have those swipe-it-yourself pads but still ask to see the signature! I've already mentioned that I think signature comparison is worthless as a security measure, but this practice just wastes both my time and the clerk's time. Furthermore they don't physically have the card at the right time if the credit card company tells them to hold the card. If they want to see my signature, the clerk should swipe the card him/herself and check. By having me do it, they don't save any time and they don't improve security. If they are going to ask for something they should ask for ID at that point, not a signature.

  22. Re:A built-in PIN pad? by swillden · · Score: 2, Insightful

    Is that PIN pad on the card itself?

    Nope, it'll work the same way PIN pads at Wal-mart (and wherever else) work right now.

    Can that be made durable enough to live in my wallet?

    Durability isn't the problem with putting a PIN pad on the card. The problems are power (where do you get it?) and cost -- mostly for the increased manufacturing complexity.

    It sounds like these cards are going to be pricey (several dollars each to manufacture).

    About $3 each. Current cards cost about $0.25 each. Cards with a PIN pad would be closer to $10 each.

    Is there a way to extend that unique RFID chip to online transactions? Maybe a reader hooked to your computer?

    Sure. Contactless readers are still fairly expensive, though, the cheapest one I know of costs about $70. However, most of these cards will probably also have a contact plate, so you can use them with a contact reader attached to your PC. Those readers can be bought for along with the sooper-seekrit protection code on the back

    Yeah, CVV and CVV2 are a joke.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  23. And if you just walk by? by Anonymous Coward · · Score: 1, Insightful

    Think about how many times you go to a store but don't buy anything and you walk out passing nearby the registers...

  24. Re:Settle Down and Enjoy the Benefits of Credit by Ulric · · Score: 2, Insightful

    I agree completely that this technology is useful and should be more secure than what we have today if it is used right. But it is surely a problem if someone can swipe your card without your knowledge while it is still sitting on your keychain. A small amount among a whole bunch of other small amounts in a month has a good chance to go unnoticed.