Slashdot Mirror


Visa To Push Swipeless Credit Cards

BobPaul wrote in to mention an initiative by Visa to allow for swipeless credit card transactions. From the article: "...consumers need only wave credit and debit cards within a few inches of a reader to complete a purchase. And for purchases of less than $25, no signature is required...Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted". Update: 02/25 16:06 GMT by Z : References to RFID technology removed.

21 of 452 comments

  1. People, this isn't RFID!!!!!!!! by John+Harrison · · Score: 4, Interesting

    This is a contactless credit card, ISO 14443. RFID is ISO 15693. They are different. The article never mentions RFID. Slashdot has inserted something that was never there. This is misleading, dishonest, and unprofessional. There are MAJOR DIFFERENCES between the technologies. You would think that a techie site like /. would know better.

  2. Sure would be nice... by hot_Karls_bad_cavern · · Score: 5, Funny

    to have the sales folks in a store be able to read the info, check your limit, and in *MY* case, simply leave me alone while i browse, since i'm always broke anyway and don't like to be hassled whilst i look at stuff i can't buy!

    Yes, it's a joke.

  3. Security? by Cyberax · · Score: 5, Insightful

    And now a thief doesn't have to guess PINs. It will be enough just to steal a card!

  4. Very Secure? by bigtallmofo · · Score: 4, Insightful

    From TFA:

    Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted, a key security feature, he said.

    What protects consumers from fraudulent merchants waving some kind of electronic cash-sucking wand by your back pocket which contains your wallet which contains your RFID Visa card? There's no mention of this in the article at all!

    It's a standard scam now for an unscrupulous merchant to charge millions of people a small amount of money fraudulently with the hopes that the vast majority won't even notice. Imagine what they will do when all they have to do is walk around a mall waving something at people's purses and back pockets!

    --
    I'm a big tall mofo.
    1. Re:Very Secure? by FLEB · · Score: 4, Funny

      Now that's convenient!

      The normal task of using a credit card:
      1.) Get out your wallet.
      2.) Get out the card.
      3.) Place the card in the reader
      4.) Swipe downward

      That Step 4 was just killing me!

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
  5. Re:Show me the security by John+Harrison · · Score: 5, Informative

    You don't know what you're talking about and neither does /., or at least Zonk. This isn't RFID, these aren't the TI chips. This isn't ISO 15693. If you can break 3DES please let me know. I would be VERY interested.

  6. Tinfoil by Mork29 · · Score: 4, Funny

    I've always wanted an excuse to carry around a wallet made of tinfoil.... it'll match my hat, and my under.... I mean socks....

  7. Another Fine example of Slashdot "journalism" by sQuEeDeN · · Score: 5, Insightful

    Seriously. IT DOES NOT MENTION RFID ANYWHERE IN THE ARTICLE. Just so y'all realize. Why is slashdot so anti-RFID, anyways? Are you guys anti-barcode? It's just a longer range barcode. And the chipmaker can set the length. It's just a way to get small amounts of information into a computer. Relax.

    And, I'm inclined to listen to Visa a little bit when they say their card is secure. I mean, they are not exactly a company that can win by skimping on security. If the system is hacked, they pay, not you.

    --

    Recursive (adj.): see 'Recursive'
    1. Re:Another Fine example of Slashdot "journalism" by DaveJay · · Score: 4, Insightful

      "Why is slashdot so anti-RFID, anyways?"

      I believe it is an issue of knowledge. Specifically, with RFID and RFID-like technologies that do not require physical contact or personal interaction (like a PIN or swipe) it is conceivable that your information can be read at a distance* without your knowledge.

      Does that mean the VISA card in this article is going to allow someone to drain your bank account because you walked too close to a vendor's shop? Not necessarily. However, consider this:

      1. The "secure" WiFi protocols have all been beaten;
      2. The "close-range" of bluetooth has been increased to over 1/4 of a mile by use of a shotgun-style antenna;
      3. In general, people continue to use these technologies even if they are informed of the flaws, because they do not want to lose the convenience (or believe that "if it was really insecure, they wouldn't be able to sell it" or "It won't happen to me").

      So do I think that a card like this will eventually be cracked, and will eventually be used to spy or steal from people (successfully or not**)? Yes. Yes I do.

      *Here, "a distance" could be a few feet, or could be across a street through a shop window using a shotgun antenna (see bluetooth example).

      **Here, I refer to the idea that someone who did this in bulk would likely get caught, and if they got caught it would not be a successful theft; then again, people steal checks and forge transactions to pay their utility bills all the time, and are rarely prosecuted for this provided the dollar amounts are small.

  8. Re:Show me the security by Delirium+Tremens · · Score: 4, Insightful
    Maybe they should have moved to the latest standard: AES. Deploying 3DES solutions today is deploying legacy.

    "While 3DES appears to be secure for now, it takes at least 3 times as long to run as DES, and this means that it is inefficient and slow compared to other available block ciphers such as the new standard, AES, which has replaced DES."

    -- W. Diffie and M. E. Hellman, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard," in IEEE Computer, vol. 10, 1977, pp. 74-84.
  9. Re:Show me the security by Thaelon · · Score: 5, Insightful
    While this may seem very scary at first it's complete FUD.

    In order to process claims from a reader like this you're going to need a merchant account.

    So let's say you try it, I'll outline the events for you in chronological order:
    1. You obtain a merchant account to be able to collect funds from your portable reader.
    2. You figure out a way to generate transaction IDs without contacting Visa.
    3. You go out and collect ~$24 from fifty people in a crowd, wohoo $1,200!
    4. Let's say you play it smart and only claim those transaction monies and random increments over a day or so.
    5. 50 people protest to Visa that they didn't authorize your charges.
    6. Visa does about 30 seconds worth of research and realizes that all 50 of these claims lead directly to you via your merchant account.
    7. Visa shuts you down like a bitch and presses charges.
    8. You go to jail since you have no case whatsoever.
    9. Your ass now belongs to Bubba.

    --

    Question everything

  10. Give them a few hours, by Eternally+optimistic · · Score: 5, Funny

    It will be presented better in the dupe later today.

    --
    What keeps me going is my inertia.
  11. Vent my Credit Card/Check Card Pet Peeve by Confessed+Geek · · Score: 4, Insightful

    Please excuse me while I get this personal pet peeve off my chest.

    WHY, do companies and stores think that NOT showing ID when using a credit card/debit card is something that people would want?

    I don't sign my cards. I write in bold letters on the back MUST SEE ID. Still only about 1 in 20 times am I asked for an ID, even when making a $50+ purchase.

    And the debit cards. The advertising on them is insane. They have some celebrity come out and get asked for ID then say - "With our Check Card, you Never need ID" And how is this supposed to be a good thing? I'm supposed to be happy that it is even easier for someone who has stolen a card to go and clear out my checking account? Who the heck goes out with their credit cards, but skips their ID? Who the heck runs around without an ID in the first place? What, you're going to go into your wallet or purse, take out the debit card, and leave your licence/ID in there?

    With all the credit card fraud and identity theft going on, why would anyone make it even easier to ruin your credit rating and entangle you in hours upon hours of sometimes futile effort to get it set straight?

    Mind you I will scream like hell if somebody REQUIRES me to carry an ID all the time - but cash spends fine without any verification.

    Thanks.

    1. Re:Vent my Credit Card/Check Card Pet Peeve by cowscows · · Score: 4, Interesting

      A few years back I was working retail at a store where the manager told us to require ID for all credit card purchases. Some people would get so upset about it. I don't know if it was because they believed that we were accusing them of being dishonest, or if they were just lazy.

      There's plenty to be said about not treating your customers like criminals (DRM, copy-protection), but it seems to me that, as a consumer, I have just as much to gain from protecting my credit card as a business does.

      Interestingly enough, I've heard that part of some contracts that retail outlets and credit card companies make nowadays specifically state that the credit card companies do not want you to check ID's. Apparently they want credit cards to be as convenient as possible so that consumers will ring up as much debt as possible, so the banks can collect interest and fees. I guess if that's true, the ratio of fraud to legit purposes isn't so bad.

      I've got see-ID on the back of my cards too. Sometimes they'll flip the card over and pretend to look at it, then give it back without asking for ID. Amazing. If they do ask for ID, I make it a point to thank them.

      --

      One time I threw a brick at a duck.

    2. Re:Vent my Credit Card/Check Card Pet Peeve by duffbeer703 · · Score: 4, Informative
      "I don't sign my cards. I write in bold letters on the back MUST SEE ID. Still only about 1 in 20 times am I asked for an ID, even when making a $50+ purchase."

      You're an idiot. That signature panel is not there to identify you to the store clerk. It's there to prove that you have agreed to abide by the provisions of the cardmember agreement. (i.e. pay your bill) Merchants are actually permitted to confiscate your card (which is the property of the issuing bank) if you refuse to sign it.

      The purpose of checking your signature is to cover the merchant. If you don't sign your card the merchant is liable if you refuse to pay.

      PIN-based electronic transactions are actually considered digital signatures. The fact that you set or remembered your PIN signals your acceptance of the card agreement, and entering your PIN signs your transaction. Merchants prefer that you do a PIN transaction because it is cheaper and does not require them to store boxes of signed credit card drafts in the back for a year or more.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    3. Re:Vent my Credit Card/Check Card Pet Peeve by EmagGeek · · Score: 4, Interesting

      I had one of those cards a while ago... I glued a picture of Chris Rock on the front of it, and not ONCE was I ever questioned (even though I'm a white guy)...

      I work part time in retail and our store used to have a policy about asking for ID with every CC purchase, but Visa threatened to pull out of our store because of it...

      The CC companies and orgs do not want under any circumstances for retailers to ask for ID, even if the card is not signed. They are also against any and all PIN initiatives, or any other thing that might prevent credit cards from being used.

      Even if there is a fraudulent charge, the only people that lose money are consumers. Retailers and Credit Card companies have insurance against fraudulent charges, and the cost of those premiums is worked into the merchant rate, which is passed along to consumers.

      This is why CC companies and retailers DON'T CARE ONE BIT if a CC is stolen. If the retailer gets charged back, they just claim on their insurance, and pass the premium costs along to the consumer. If the chargeback is denied and the CC has to write it off, they claim _their_ insurance and pass the cost along to merchants, who then pass it along to consumers. If the thief gets away with it, the consumer is stuck with the bill for the fraudulent charge.

      So, in any case, it's the consumers that are screwed, as usual.

  12. Re:Show me the security by swillden · · Score: 5, Informative

    "Hey, Visa, if you think your RFID system is so secure, publish all the nice technical details on how it works, so we can be confident of its security."

    They're all published and available.

    The basic chip and communications specifications are contained in ISO 14443. It will cost you a few dollars to buy a copy. You purchase your copy from your national standards organization; if you live in the USA, that's ANSI and they charge $18 for each of the four parts. The fee isn't to keep this stuff out of your hands, by the way, *all* ISO standards are copyrighted and cost money to obtain. That's how they fund the standardization and publication processes.

    Above that basic level, most of these cards will be Java Cards. You can get the specifications for Java Card from Sun. They're free.

    Moving up, most of these cards are also Global Platform cards. GP defines an extra set of features above Java Card, mostly to specify security-related characteristics. The specifications are found at the Global Platform web site.

    In Visa's case, their recommended smart card platform is the IBM JCOP. You can find the details of IBM's implementation of Java Card and Global Platform here.

    Note that not all issuing banks will use Java Card, or even a programmable card. Visa's recommended non-Java platform is the IBM MFC card operating system. I don't think the MFC team has a web site.

    Finally, the actual payment application, and the component that matters most from a security perspective, is EMV. You can find complete EMV specifications at the EMVCO web site. The specs are mostly written towards contact smart cards, not contactless, but good smart card protocol designers *always* assume an attacker can get between card and reader, whether it's directly connected via a contact plate, or whether it's over RF, so the contact-oriented security does just as good a job in contactless mode.

    Regarding signatures or no, it's not clear yet how that is going to be handled. EMV provides for several modes of operation, the best being "chip and PIN", which is what's being deployed in the UK right now (with contact cards, not RF). In that mode, you provide your PIN to the card reader through a PIN pad, and that unlocks your card to perform the transaction.

    EMV also allows chip and signature and chip-only (as well as providing for fall-back modes that don't use the chip and rely on the magnetic stripe or even on getting a carbon copy of the embossed card number). The decisions about which mode to require will be made by individual banks issuing cards.

    There is a lot to EMV... so you've got a few weeks worth of serious work cut out for you if you really want to understand it all, but the information is public and peer-reviewed. The countries that have deployed EMV have seen card skimming fraud drop to zero. That's right, so far, there has been no known case of an EMV card being faked or duplicated, and as far as I know, no one has deployed cards with DDA (dynamic data authentication) enabled. They're all SDA (static data authentication), which carry digitally signed but static data on the chip which is read out every time. The US banks are talking about doing DDA, which involves a cryptographic challenge-response protocol and is vastly harder to duplicate.

    "At, say, $24 each, in a large crowd, you could amass quite a bit of money, and many people would never know it happened."

    LOL. Dude, think about what you're saying. Credit card transactions are completely auditable. When dozens of people complain that they didn't authorize those $24 transactions, the issuing banks are going to go back to the merchant who performed them, and his acquirer is going to notice the extraordinarily high level of complaints, *and* that they're all for sub-$25 transactions. The thief will be in prison very shortl

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
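
Added illustration, not part of the thread and not taken from the EMV specifications: the difference described in the comment above between static data that is read out identically every time and a challenge-response exchange, seen from the verifying side. `Card`, `Verifier`, the key and the card data are hypothetical and constructed, and HMAC-SHA256 with a shared key stands in for the card's real cryptography.

```python
import hashlib
import hmac
import secrets

# Constructed demo values. HMAC-SHA256 with a shared key is a stand-in for the
# RSA signatures and 3DES cryptograms real cards use.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
STATIC_DATA = b"PAN=CONSTRUCTED-0001;EXP=0712"


def mac(*parts):
    """MAC over length-prefixed fields so field boundaries are unambiguous."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(KEY, msg, hashlib.sha256).digest()


class Card:
    """Hypothetical card: static record plus a counter-based dynamic mode."""

    def __init__(self):
        self.counter = 0

    def static_record(self):
        # Static mode: the same authenticated bytes come back on every read.
        return STATIC_DATA, mac(STATIC_DATA)

    def dynamic_response(self, challenge, amount_cents):
        # Dynamic mode: binds the verifier's challenge, the amount and a counter.
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        return ctr, mac(STATIC_DATA, challenge, amount_cents.to_bytes(6, "big"), ctr)


class Verifier:
    """Hypothetical verifier: issues fresh challenges, rejects reused counters."""

    def __init__(self):
        self.last_counter = 0

    def new_challenge(self):
        return secrets.token_bytes(8)

    def verify_static(self, data, tag):
        return hmac.compare_digest(tag, mac(data))

    def verify_dynamic(self, challenge, amount_cents, ctr, tag):
        expected = mac(STATIC_DATA, challenge, amount_cents.to_bytes(6, "big"), ctr)
        if not hmac.compare_digest(tag, expected):
            return False  # wrong challenge, altered amount, or forged tag
        if int.from_bytes(ctr, "big") <= self.last_counter:
            return False  # counter already seen: a replayed response
        self.last_counter = int.from_bytes(ctr, "big")
        return True
```

A static record verifies every time it is presented, so a verifier cannot tell a fresh read from a stored copy; a dynamic response verifies once, and only for the challenge and amount it was computed over.
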
  13. Re:Show me the security by John+Harrison · · Score: 4, Insightful
    You can probably eavesdrop on the card to reader communication from some distance. This is known by those that created the spec and they have designed for it. Go read the EMV spec. Tell me if you can hack it. It has been out for years and in production in Europe for a while, though most deployments there are for contact cards.

    The real goal is fraud reduction. Visa isn't aiming for a perfect system, they want a better one that prevents skimming of your mag stripe. This means that they are no longer the low hanging fruit and the fraudsters will target traditional magstripe cards.

  14. Re:Show me the security by sangreal66 · · Score: 4, Insightful

    And how exactly do you expect this to make you any money? Cash is magically going to fly out of their credit card and into your bank account? Or do you actually expect VISA to start cutting checks to your house for charges made on your stolen card reader?

  15. Fraudulent readers are not the only issue by pseudosocrates · · Score: 4, Interesting

    What happens when shopping malls decide they don't generate enough revenue by rent alone...

    1)install reader in door frame
    2)print EULA on doorstep stating there is a $5 charge to enter. "By stepping over this threshold you agree to the following terms...."
    3)...
    4)profit!!

    or Blockbuster:

    1)Take out advert at superbowl "THE END OF RENTAL FEES"
    2)Place item at #296 in the website FAQ - "There will be a $15 charge for entering the store
    3)...
    4)profit!!

  16. That's so insane by photon317 · · Score: 4, Interesting


    No signature needed for under $25, works from a few inches away?

    I foresee myself building a better antenna for my visa charging device and running through a crowded area charging everyone 24.99 as I pass by.

    --
    11*43+456^2