Slashdot Mirror
Visa To Push Swipeless Credit Cards
BobPaul wrote in to mention an initiative by Visa to allow for swipeless credit card transactions. From the article: "...consumers need only wave credit and debit cards within a few inches of a reader to complete a purchase. And for purchases of less than $25, no signature is required...Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted". Update: 02/25 16:06 GMT by Z : References to RFID technology removed.
It is secure. They're using SHA-1 hashes.
Especially since it would be easy enough to wave an RFID reader at people's purses, back pockets, etc. At, say, $24 each, in a large crowd, you could amass quite a bit of money, and many people would never know it happened.
How am I supposed to fit a pithy, relevant quote into 120 characters?
This is a contactless credit card, ISO 14443. RFID is ISO 15693. They are different. The article never mentions RFID. Slashdot has inserted something that was never there. This is misleading, dishonest, and unprofessional. There are MAJOR DIFFERENCES between the technologies. You would think that a techie site like /. would know better.
Lasers Controlled Games!
to have the sales folks in a store be able to read the info, check your limit, and in *MY* case, simply leave me alone while i browse, since i'm always broke anyway and don't like to be hassled whilst i look at stuff i can't buy!
Yes, it's a joke.
And now a thief doesn't have to guess PINs. It will be enough just to steal a card!
From TFA:
Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted, a key security feature, he said.
What protects consumers from fraudulent merchants waving some kind of electronic cash-sucking wand by your back pocket which contains your wallet which contains your RFID Visa card? There's no mention of this in the article at all!
It's a standard scam now for an unscrupulous merchant to charge millions of people a small amount of money fraudulently with the hopes that the vast majority won't even notice. Imagine what they will do when all they have to do is walk around a mall waving something at people purse's and backpockets!
I'm a big tall mofo.
I've always wanted an excuse to carry around a wallet made of tinfoil.... it'll match my hat, and my under.... I mean socks....
Mobil gas stations give you a little RFD dealie to authorize gas purchases at the pump and other purchases in the store. They've done this for years.
All Visa is moving the RFD dealie from a little wand on your keychain to the card.
Seriously. IT DOES NOT MENTION RFID ANYWHERE IN THE ARTICLE. Just so y'all realize. Why is slashdot so anti-RFID, anyways? Are you guys anti-barcode? It's just a longer range barcode. And the chipmaker can set the length. It's just a way to get small amounts of information in to a computer. Relax.
And, I'm inclined to listen to visa a little bit when they say their card is secure. I mean, they are not exactly a company that can win by skimping on security. If the system is hacked, they pay, not you.
Recursive (adj.): see 'Recursive'
So, when Wal-Mart incorporates this technology, can I just have the bag containing the stolen card near the reader to purchase my illicit goods? And *IF* I am questioned about it, I can say that I didn't know it was in there, and I thought it was going to read my REAL card.
Also, does this mean that around the holidays in the mall, I wont have to hand the card over along with my driver's liscence?
"No, you don't need my ID, maam. Don't you know those cards can't be faked? It's completely secure. Yeah, I heard about it on the news, too. Never need to see my ID again. Compleltly safe. Don't forget to put that $1,235.65 on "credit". okay?"
And while the article says there is a code that can't be re-used for other readers, wont a signal jumper (the ones used to grab car alarm frequencies) still be able to get the 16 digit card number, plus exp. date?
Yeah, sending important financial data through the air sounds like a great idea. To the tech savvy, this is the same as screaming the numbers to the woman behind the register. Would you do that?
There are no gods but ourselves.
All this looks like to me is credit card companies trying to generate a new revenue stream by getting existing merchants to pony up for the new technology required to use this system.
Is it really so hard to swipe your card through a reader as you checkout? Does Visa really think people are so lazy that swiping a card is too much work?
This is an example of technology being used simply because it exists. This adds ZERO value for the consumer and opens up huge security holes. Who believes for one second that this technology is actually 100% secure?
I guess we're supposed to be reassured by the quote from the Visa rep in the article reminding us that there is no consumer liability for fraud.
I can only imagine what is going to happen if they roll out debit/checkcards linked to actual bank accounts with this technology!
So now instead of someone having to take my wallet to steal my credit card they can just walk by me with a contactless reader?
hack a day
RFID and Visa, for when it's too much effort to slide your card, you can just wave it around!
Pretty Pictures!
Hopefully not as easy as stopping payment on questionable charges to the account. The advantage of online progressively-updated statements becomes infinitely greater here; you'll have to check your statements every WEEK if it gets bad. Genuine cowhide is out, 100 mil thick aluminum is in!
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Why do I need a contactless transaction? What is so hard about running my card through the slot in the terminal?
Scammer: "Could you step over here and read this number for me, I need to get new glasses or something." .... Yeah this is tiny print..."
Unsuspecting stooge: "sure, your total is
Scammer: "maybe you can read it from a little closer"
Unsuspecting stooge: "...$598. And it looks like your credit card was just approved too."
Scammer: "Oh, thanks you very much."
Unsuspecting stooge: "You're welcome"
Tracking down online transactions isn't necessarily so trivial or likely to happen.
It's not wasting time, I'm educating myself.
"And for purchases of less than $25, no signature is required."
;)
Does anybody in N. America check signatures? They hardly seem to look at my cards. I have a friend who wrote "See ID" on the signature strip of their card and it took four months before she had a request. Having emmigrated from the UK, I really notice this. Over there they seem to make more of an effort, hold on to the card for longer and really compare it against the signed receipt. On many occasions in the UK I've been asked to resign things. In fact, I was once chastised by a cashier in Sainsburys in Norwich and told to stop being so lazy and make more of an effort! You see my signature had deteriorated in to a squiggly line that barely even resembled the signature on the card.
Besides, doesn't anybody else find those signature strips hard to sign? They don't have much height, and the surface seems to "writes differently". It's nigh on impossible to put a good approximation of my signature on it! Furthermore, I think the only way to tell a signature isn't faked is because every one is different so it shouldn't be identical to the one on the card!
It will be presented better in the dupe later today.
What keeps me going is my inertia.
Then you take the stolen cards and make lots or $25 purchases, without having to forge a signature.
Who thought this up? The Guild of Thieves?
Please excuse me while I get this personal pet peeve off my chest.
WHY, do companies and stores think that NOT showing ID when using a credit card/debit card is something that people would want?
I Don't sign my cards. I write in bold letters on the back MUST SEE ID. Still only about 1 in 20 times am I asked for an ID, even when makeing a $50+ purchase.
And the debit cards. The advertising on them is insane. They have some celebrity come out and get asked for ID then say - "With our Check Card, you Never need ID" And how is this supposed to be a good thing? I'm supposed to be happy that it is even easier for someone who has stolen a card to go and clear out my checking account? Who the heck goes out with their credit cards, but skips their ID? Who the heck runs around without an ID in the first place? What, your going to go into your wallet or purse, take out the debit card, and leave your licence/ID in there?
With all the credit card fraud and identity theft gong on, why would anyone make it even easier to ruin your credit rating and entangle you in hours upon hours of sometimes futile effort to get it set straight?
Mind you I will screem like hell if somebody REQUIRES me to carry an ID all the time - but cash spends fine without any verification.
Thanks.
Salesman: $30 please.
Fry: $30? I can't afford that. Unless...[He pulls out his wallet.] Do you take RFID Visa?
Salesman: RFID Visa hasn't existed for 500 years.
Fry: RFID American Express?
Salesman: 600 years.
Fry: RFID Discover card?
Salesman: Uh, sorry we don't take RFID Discover.
"isn't that very similar to how TI's car RFID system was made?"
According to Visa:
"Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted"
So... not really, no. Just because two products use the same base technology doesn't mean that one is as fallible as the other. All cars made of metal and fiberglass don't rate the same in crash tests.
"Someone's gotta have some damn perspective around here!" -- Commander Susan Ivonova, Babylon 5
American Express is also starting to roll out an RFID solution, although seperate from their card and also available on a preload basis. Their national partner I am aware of seems to be CVS drugstores, which seems to have rolled out credit card terminals which can read these cards locally even through I know of no other place I could use their RFID tag.
I could just see me pull out my wallet and have it just be in range of the reader. I intend it to charge to one card and...whoops, it charges to the card I'm almost over limit on.
What happens when shopping malls decide they don't generate enough revenue by rent alone...
1)install reader in door frame
2)print EULA on doorstep stating there is a $5 charge to enter. "By stepping over this threshold you agree to the following terms...."
3)...
4)profit!!
or Blockbuster:
1)Take out advert at superbowl "THE END OF RENTAL FEES"
2)Place item at #296 in the website FAQ - "There will be a $15 charge for entering the store
3)...
4)profit!!
But the slow part involves getting out the card, answering the debit/credit question, printing the receipt, and signing it. If the goal is speed up the process the debit/credit question could be removed and the signature. I'm assuming people still want receipts, although I could be wrong there.
No signature needed for under $25, works from a few inches away?
I forsee myself building a better antenna for my visa charging device and running through a crowded area charging everyone 24.99 as I pass by.
11*43+456^2
The global credit card company will offer PayPass, its RFID-enabled contactless payment system, to fans at the Seattle Seahawks and Baltimore Ravens stadiums this fall. http://www.rfidjournal.com/article/articleview/142 0/1/1/
I too sign my cards CHECK I.D. This is accepted practice. Some credit card companies have even recommended it. Stores are SUPPOSED to ask for ID in that case, the point being to see that the photo ID matches my face, and the names match.
I'd like to see some store manager so ignorant as to try to confiscate my credit card because it tells him to to ask for I.D.
Infuriate left and right
The merchant does not add a $20 item and transfer money instantly. It has to go thru the issuing bank, and not instantly, and not without the possibility of chargebacks, and then that merchant will lose his VISA account and be out of business. If you dispute the matter, and they see a pattern of some merchant going bananas with $20 chargebacks, he will be in banana-skin city. The merchant will lose. This is credit cards.
Infuriate left and right
ISO 14443 and ISO 15693 operate on the same principles, the essential difference is that the ISO14443 protocol allows a higher data bandwidth which results in shorter maximum range (ca. 10cm instead of ca 1m).
In general, ISO14443 chips are less low-cost, able to store more data and supporting cryptographic capabilities. But this has more to do with the market that they target than with technical issues.
Well, there's a long way and a short way.
Shortway:
Steal someones card. Put it in your wallet, buy things. They won't ask for ID cause that will slow down the process (and they hardly ever do now anyway). If it's less than $25 there's no paper trail, either. This will work until the person realized their card is missing and reports it stolen. Esentially the same as the present, but at least now they're supposed to verify your identity by comparing signatures or checking for ID... at least there's SOME verification to prevent a stolen card that should occure.
Longway:
1) Use a small device about the size of a palm pilot to send someone's credit card a serious of a few hundred to a few thousand challanges and not the responce that's given back.
2) Go back to your computer and crunch the challange vs responce to determine the algorithm used to provide each.
3) Plug that algorithm into a generic battery powered tranciever about the size a palm pilot let the reader scan that rather than a wall encased credit card.
Steps 1 and 2 will be possible eventually (using the same methods that cracked TIs method, I'm sure) and eventually someone will make the nessicary hardware for step 3, or at least post instructions on the internet on how to build one with a PIC and some other cheap hardware.
The teller will never know if you're scanning a wallet with a credit card inside, or a wallet with a small battery powered tranciever inside.
The problem is not that this system is less secure than magstrips (it's about a million times more secure right now) The problem is that the teller never has to see your card to verify your identy. They won't know if it's your card in the wallet or purse you swing past the reader, or someone elses, or even a device that randomly picks 1 of 30 peoples identities you got off the subway the week before. I wouldn't be concerned, but since the TI thing just a few weeks ago, I'm not sure how much I can trust RFID based challange response systems. The TI solution cracked was supposedly one of the best out there.
WHY, do companies and stores think that NOT showing ID when using a credit card/debit card is something that people would want?
Generally as a customer I don't. Not that I think showing ID is bad idea but I generally find the signature and to a lesser extend ID security measures to be as pointless as most of the airline "security". They're half heartedly implemented, irritating, and as implemented don't really do much to stop crime. It's appearance of security without substance. I wouldn't mind people asking for ID except that almost no one does, so what's the point? And the signature matching is a stupid since any thief with half a brain (admitedly some lack even half) will just look at the card and make at least a half-hearted effort to copy it. It's not like he has to look hard for it...
Let me be clear. I have the mistfortune of being a man with a name that is very rarely associated with the masculine gender. As irritating as that is to me, I should get asked for my ID all the time. But I don't which tells me that the the store management and credit card companies don't really percieve it as a problem. And they have the data to know whether it is or isn't. It's not like they're guessing. Furthermore, when I do get asked for ID, it's almost always at places like an airport (where I've been asked for my ID 20 times) when buying a $4 magazine, never for the $1000 printer. As a customer, I'll admit that being asked for ID is irritating and I don't like being regarded as a potential criminal but if it were a widely implemented security measure, I could deal. But since the credit card companies and most retailers don't regard it as enough of a problem (actions speak louder than words) to ask for ID consistently, I'd rather they save me the irritation and not bother at all.
It gets repeated here ad-nauseum that authentication consists of some combination of what you have, what you are and what you know. The signature is worthless as a security measure because it is simply two instances of something you have in the same item. Someone who takes my credit card also has my signature. Asking for photo ID sort of gets at what you are, though it can be forged by an ambitious criminal. But it could slow down the smaller thefts were it actually used. A pin code is actually useful IMO because it is something you know but is not used (for cost reasons mostly) for credit cards here in the US. And unlike biometric ID, it can be changed if there is a mixup.
While I'm venting, what really irritates me is when they have those swipe-it-yourself pads but still ask to see the signature! I've already mentioned that I think signature comparison is worthless as a security measure, but this practice just wastes both my time and the clerk's time. Furthermore they don't physically have the card at the right time if the credit card company tells them to hold the card. If they want to see my signature, the clerk should swipe the card him/herself and check. By having me do it, they don't save any time and they don't improve security. If they are going to ask for something they should ask for ID at that point, not a signature.
Is that PIN pad on the card itself?
Nope, it'll work the same way PIN pads at Wal-mart (and wherever else) work right now.
Can that be made durable enough to live in my wallet?
Durability isn't the problem with putting a PIN pad on the card. The problems are power (where do you get it?) and cost -- mostly for the increased manufacturing complexity.
It sounds like these cards are going to be pricey (several dollars each to manufacture).
About $3 each. Current cards cost about $0.25 each. Cards with a PIN pad would be closer to $10 each.
Is there a way to extend that unique RFID chip to online transactions? Maybe a reader hooked to your computer?
Sure. Contactless readers are still fairly expensive, though, the cheapest one I know of costs about $70. However, most of these cards will probably also have a contact plate, so you can use them with a contact reader attached to your PC. Those readers can be bought for along with the sooper-seekrit protection code on the back
Yeah, CVV and CVV2 are a joke.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Removing the consumer's role in the decision making will do wonders for businesses, allowing them to smooth out demand and make themselves more efficient, increasing profits. Don't worry, the folks down at ChoicePoint can serve up your purchasing patterns and theres plenty of smart folks around who can decide much better than you or me what we REALLY need. So the consumer wins, business wins, everybody wins! And you'll never miss another minute of American Idol because you had to run to McDonald's for some large fries.
There! I needed to get that off my chest.
I tried that.
Then I went to buy gas.
I put the card in the machine, and waited.
"Beep," it said.
I showed it my ID.
"Beep."
"No, this is my ID. See?"
Still, it refused to look. "Beep."
The crowd got larger and larger, but it still refused to look at my id. "Beep."
Now I'm stuck on my bicycle.
hawk
I've read the responses to this article and a large number of them express concerns over identity theft, cash sucking wands, no ID transactions, etc. Chill out people! The deal with credit cards is that the large credit companies try to promote their ease of use by reminding us that we can leave the house with only our credit card and paying for things won't be a problem. As a result they incure some liability for fraudulent transactions. I'll repeat that: THEY not you incure the liability. That means that if a fradulent charge is made then you download a form that says "I didn't make those charges", fax it to them and they erase the charges. Its as simple as that. People are so darn brain washed by other companies and people who promote the fear economy... fear identity theft: by our identity theft insurance, fear ffor your personal safety: buy a gun and bomb Iraq, fear that you are ugly: buy a bunch of crappy beauty prodcts... I know that Visa and Mastercard are big bad companies that are gaining power and wealth every day, but they sell a pretty damn usefull product. I love leaving the house with only my key chain with mini visa card atached and not worrying about anything else.
OK, I have several cards in my wallet (Mastercard, Discover, AmEx). Assuming they all follow Visa's lead and incorporate this contactless tech., what happens when I wave my wallet with all three cards in it? Which card responds? is there a race condition?
I assume the terminal will only charge one card, but if I have to take the card out to make sure the preferred one registers, I might as well swipe it.
McFly777
- - -
"What do people mean when they say the computer went down on them?" -Marilyn Pittman