Visa To Push Swipeless Credit Cards
BobPaul wrote in to mention an initiative by Visa to allow for swipeless credit card transactions. From the article: "...consumers need only wave credit and debit cards within a few inches of a reader to complete a purchase. And for purchases of less than $25, no signature is required...Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted". Update: 02/25 16:06 GMT by Z : References to RFID technology removed.
This is a contactless credit card, ISO 14443. RFID is ISO 15693. They are different. The article never mentions RFID. Slashdot has inserted something that was never there. This is misleading, dishonest, and unprofessional. There are MAJOR DIFFERENCES between the technologies. You would think that a techie site like /. would know better.
Lasers Controlled Games!
"And for purchases of less than $25, no signature is required."
;)
Does anybody in N. America check signatures? They hardly seem to look at my cards. I have a friend who wrote "See ID" on the signature strip of their card and it took four months before she had a request. Having emigrated from the UK, I really notice this. Over there they seem to make more of an effort, hold on to the card for longer and really compare it against the signed receipt. On many occasions in the UK I've been asked to re-sign things. In fact, I was once chastised by a cashier in Sainsburys in Norwich and told to stop being so lazy and make more of an effort! You see my signature had deteriorated into a squiggly line that barely even resembled the signature on the card.
Besides, doesn't anybody else find those signature strips hard to sign? They don't have much height, and the surface seems to "write differently". It's nigh on impossible to put a good approximation of my signature on it! Furthermore, I think the only way to tell a signature isn't faked is because every one is different so it shouldn't be identical to the one on the card!
Given that it is dead easy to forge a credit card now this probably will be better.
My newspaper still reports cases where an unscrupulous employee at a gas bar or cafe swipes your card twice; once for the transaction and once in his own reader to steal your number. Apparently there are still places where you can buy thousands of credit card numbers. This has to be better.
The 'encoding' scheme reminds me of a chip sold by the people who make the PIC (Microchip). I think it is called KeeLoq or something like that. It sends a different code every time it is used. I haven't heard that it has been seriously compromised.
Anything can be stolen and I'm sure we can all think up a way to get all the gold from Fort Knox but at some point the hassle involved keeps it from happening. Remember; locks are for honest people. (but we still use them because it makes life inconvenient for the crooks.)
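The idea in the summary and in the comment above, a code that changes on every use so that an intercepted one is worthless, can be shown with a counter-based message authentication code. This is an added illustration, not part of the original thread and not Visa's or KeeLoq's actual algorithm; the key, the card identifier, the field sizes and the names `dynamic_code` and `Issuer` are constructed for the example.

```python
import hashlib
import hmac


def dynamic_code(key: bytes, counter: int, amount_cents: int) -> str:
    """Card side: MAC over the transaction counter and amount, truncated."""
    msg = counter.to_bytes(4, "big") + amount_cents.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Verifier side: holds per-card keys and the highest counter seen."""

    def __init__(self, card_keys: dict):
        self.card_keys = card_keys
        self.last_counter = {card: 0 for card in card_keys}

    def authorize(self, card: str, counter: int, amount_cents: int, code: str) -> str:
        key = self.card_keys.get(card)
        if key is None:
            return "unknown card"
        expected = dynamic_code(key, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return "bad code"    # forged, or fields altered after capture
        if counter <= self.last_counter[card]:
            return "replay"      # genuine code, but already used
        self.last_counter[card] = counter
        return "approved"


def demo() -> list:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    issuer = Issuer({"card-A": key})
    # Constructed transmission: the card's first use, counter 1, $19.99.
    card, ctr, amt, code = "card-A", 1, 1999, dynamic_code(key, 1, 1999)
    return [
        issuer.authorize(card, ctr, amt, code),      # original purchase
        issuer.authorize(card, ctr, amt, code),      # same bytes sent again
        issuer.authorize(card, ctr + 1, amt, code),  # old code, bumped counter
        issuer.authorize(card, 2, 500, dynamic_code(key, 2, 500)),  # next real use
    ]


if __name__ == "__main__":
    print(demo())
```

The counter check is what rejects the captured transmission; the MAC alone would accept the same bytes a second time.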
Then you take the stolen cards and make lots of $25 purchases, without having to forge a signature.
Who thought this up? The Guild of Thieves?
Somehow this article left me with more questions than answers, like:
How does Visa intend to make sure the card owner acknowledges the charge? PINs?
Is scanning a card so difficult that this is even very useful? I can see it being useful in certain limited cases, but overall... not so much. I've never gnashed my teeth over the difficulty I've had scanning a card and signing my name. I have nearly screamed at scanners and readers that are supposed to pick up signals and don't, however.
All in all, I'm left only with the information that Visa wants to implement a new "contactless" system. Wheeeeeee. Can we say fluff marketing piece?
A few years back I was working retail at a store where the manager told us to require ID for all credit card purchases. Some people would get so upset about it. I don't know if it was because they believed that we were accusing them of being dishonest, or if they were just lazy.
There's plenty to be said about not treating your customers like criminals (DRM, copy-protection), but it seems to me that, as a consumer, I have just as much to gain from protecting my credit card as a business does.
Interestingly enough, I've heard that part of some contracts that retail outlets and credit card companies make nowadays specifically state that the credit card companies do not want you to check IDs. Apparently they want credit cards to be as convenient as possible so that consumers will ring up as much debt as possible, so the banks can collect interest and fees. I guess if that's true, the ratio of fraud to legit purposes isn't so bad.
I've got see-ID on the back of my cards too. Sometimes they'll flip the card over and pretend to look at it, then give it back without asking for ID. Amazing. If they do ask for ID, I make it a point to thank them.
One time I threw a brick at a duck.
American Express is also starting to roll out an RFID solution, although separate from their card and also available on a preload basis. Their national partner I am aware of seems to be CVS drugstores, which seems to have rolled out credit card terminals which can read these cards locally even though I know of no other place I could use their RFID tag.
Maybe they should have moved to the latest standard: AES. Deploying 3DES solutions today is deploying legacy.
Or maybe not.
Many security architects aren't going to use AES for a while yet. It's too new. It has received a fairly large amount of scrutiny from the cryptographic community since its birth, so that gives us some confidence, but nowhere near the confidence we have in DES.
DES has stood up to 30 years worth of attacks and remains essentially unbroken. Sure, the key size is too small, so the cipher can be brute-forced relatively easily, but 3DES fixes that problem and does it by building on the fundamentally solid security of DES.
The bottom line is that there is really no need to move to AES, since 3DES is perfectly adequate, and the odds of AES being broken sometime in the near future are at least as high as DES being broken. 3DES is, currently, the best choice from a pure security standpoint.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Put scanner near someone's pocket and charge $24 or record credit card number (depending on how you wish to rip the person off). No signature necessary nor decryption necessary. You do not have to "break" anything.
No, but you do have to have a merchant account, and that requires telling the bank in great detail who you are and where to find you. And when all of the complaints roll in, they're going to send some nice folks out to bring you in for a long chat.
From a risk standpoint using these cards would be a poor decision on anybody's part. You gain basically nothing except for the coolness factor, and you put yourself at additional risk of fraud.
Huh??? The current magstripe-based system is so wide open to fraud that almost nothing could be worse. I don't even need to ever *see* your card to use it to steal from you. Any way I can collect card numbers works just fine. And I don't have to make myself easy for the authorities to find, either.
What happens when shopping malls decide they don't generate enough revenue by rent alone...
1)install reader in door frame
2)print EULA on doorstep stating there is a $5 charge to enter. "By stepping over this threshold you agree to the following terms...."
3)...
4)profit!!
or Blockbuster:
1)Take out advert at superbowl "THE END OF RENTAL FEES"
2)Place item at #296 in the website FAQ - "There will be a $15 charge for entering the store"
3)...
4)profit!!
No signature needed for under $25, works from a few inches away?
I foresee myself building a better antenna for my Visa charging device and running through a crowded area charging everyone 24.99 as I pass by.
11*43+456^2
Actually it is even worse than that. I worked at an online computer vendor, and sometimes we would get defrauded. Even with the contact info, the address, etc. the police/FBI/Customs etc agents simply did not have the time to look into these things. We are talking up to $50K that they would not look into.
If there was no signature and physical presence then the merchant is out of luck. The customer doesn't pay, the credit card company doesn't pay, it is the merchant who pays.
However, one time a fraud tried to do it again, so we sent the police with the delivery person. That was stupid.
I had one of those cards a while ago... I glued a picture of Chris Rock on the front of it, and not ONCE was I ever questioned (even though I'm a white guy)...
I work part time in retail and our store used to have a policy about asking for ID with every CC purchase, but Visa threatened to pull out of our store because of it...
The CC companies and orgs do not want under any circumstances for retailers to ask for ID, even if the card is not signed. They are also against any and all PIN initiatives, or any other thing that might prevent credit cards from being used.
Even if there is a fraudulent charge, the only people that lose money are consumers. Retailers and Credit Card companies have insurance against fraudulent charges, and the cost of those premiums is worked into the merchant rate, which is passed along to consumers.
This is why CC companies and retailers DON'T CARE ONE BIT if a CC is stolen. If the retailer gets charged back, they just claim on their insurance, and pass the premium costs along to the consumer. If the chargeback is denied and the CC has to write it off, they claim _their_ insurance and pass the cost along to merchants, who then pass it along to consumers. If the thief gets away with it, the consumer is stuck with the bill for the fraudulent charge.
So, in any case, it's the consumers that are screwed, as usual.
I've read the responses to this article and a large number of them express concerns over identity theft, cash sucking wands, no ID transactions, etc. Chill out people! The deal with credit cards is that the large credit companies try to promote their ease of use by reminding us that we can leave the house with only our credit card and paying for things won't be a problem. As a result they incur some liability for fraudulent transactions. I'll repeat that: THEY not you incur the liability. That means that if a fraudulent charge is made then you download a form that says "I didn't make those charges", fax it to them and they erase the charges. It's as simple as that. People are so darn brain washed by other companies and people who promote the fear economy... fear identity theft: buy our identity theft insurance, fear for your personal safety: buy a gun and bomb Iraq, fear that you are ugly: buy a bunch of crappy beauty products... I know that Visa and Mastercard are big bad companies that are gaining power and wealth every day, but they sell a pretty damn useful product. I love leaving the house with only my key chain with mini visa card attached and not worrying about anything else.
OK, I have several cards in my wallet (Mastercard, Discover, AmEx). Assuming they all follow Visa's lead and incorporate this contactless tech., what happens when I wave my wallet with all three cards in it? Which card responds? Is there a race condition?
I assume the terminal will only charge one card, but if I have to take the card out to make sure the preferred one registers, I might as well swipe it.
McFly777
- - -
"What do people mean when they say the computer went down on them?" -Marilyn Pittman