Slashdot Mirror


Visa To Push Swipeless Credit Cards

BobPaul wrote in to mention an initiative by Visa to allow for swipeless credit card transactions. From the article: "...consumers need only wave credit and debit cards within a few inches of a reader to complete a purchase. And for purchases of less than $25, no signature is required...Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted". Update: 02/25 16:06 GMT by Z : References to RFID technology removed.

7 of 452 comments

  1. Sure would be nice... by hot_Karls_bad_cavern · · Score: 5, Funny

    to have the sales folks in a store be able to read the info, check your limit, and in *MY* case, simply leave me alone while i browse, since i'm always broke anyway and don't like to be hassled whilst i look at stuff i can't buy!

    Yes, it's a joke.

  2. Security? by Cyberax · · Score: 5, Insightful

    And now a thief doesn't have to guess PINs. It will be enough just to steal a card!

  3. Re:Show me the security by John Harrison · · Score: 5, Informative

    You don't know what you're talking about and neither does /., or at least Zonk. This isn't RFID, these aren't the TI chips. This isn't ISO 15693. If you can break 3DES please let me know. I would be VERY interested.

  4. Another Fine example of Slashdot "journalism" by sQuEeDeN · · Score: 5, Insightful

    Seriously. IT DOES NOT MENTION RFID ANYWHERE IN THE ARTICLE. Just so y'all realize. Why is slashdot so anti-RFID, anyways? Are you guys anti-barcode? It's just a longer range barcode. And the chipmaker can set the length. It's just a way to get small amounts of information in to a computer. Relax.

    And, I'm inclined to listen to visa a little bit when they say their card is secure. I mean, they are not exactly a company that can win by skimping on security. If the system is hacked, they pay, not you.

    --

    Recursive (adj.): see 'Recursive'

  5. Re:Show me the security by Thaelon · · Score: 5, Insightful

    While this may seem very scary at first it's complete FUD.

    In order to process claims from a reader like this you're going to need a merchant account.

    So let's say you try it, I'll outline the events for you in chronological order:
    1. You obtain a merchant account to be able to collect funds from your portable reader.
    2. You figure out a way to generate transaction IDs without contacting Visa.
    3. You go out and collect ~$24 from fifty people in a crowd, wohoo $1,200!
    4. Let's say you play it smart and only claim those transaction monies in random increments over a day or so.
    5. 50 people protest to visa that they didn't authorize your charges.
    6. Visa does about 30 seconds worth of research and realizes that all 50 of these claims lead directly to you via your merchant account.
    7. Visa shuts you down like a bitch and presses charges.
    8. You go to jail since you have no case whatsoever.
    9. Your ass now belongs to Bubba.

    --

    Question everything

  6. Give them a few hours, by Eternally optimistic · · Score: 5, Funny

    It will be presented better in the dupe later today.

    --
    What keeps me going is my inertia.

  7. Re:Show me the security by swillden · · Score: 5, Informative

    Hey, Visa, if you think your RFID system is so secure, publish all the nice technical details on how it works, so we can be confident of its security.

    They're all published and available.

    The basic chip and communications specifications are contained in ISO 14443. It will cost you a few dollars to buy a copy. You purchase your copy from your national standards organization; if you live in the USA, that's ANSI and they charge $18 for each of the four parts. The fee isn't to keep this stuff out of your hands, by the way, *all* ISO standards are copyrighted and cost money to obtain. That's how they fund the standardization and publication processes.

    Above that basic level, most of these cards will be Java Cards. You can get the specifications for Java Card from Sun. They're free.

    Moving up, most of these cards are also Global Platform cards. GP defines an extra set of features above Java Card, mostly to specify security-related characteristics. The specifications are found at the Global Platform web site.

    In Visa's case, their recommended smart card platform is the IBM JCOP. You can find the details of IBM's implementation of Java Card and Global Platform here.

    Note that not all issuing banks will use Java Card, or even a programmable card. Visa's recommended non-Java platform is the IBM MFC card operating system. I don't think the MFC team has a web site.

    Finally, the actual payment application, and the component that matters most from a security perspective, is EMV. You can find complete EMV specifications at the EMVCO web site. The specs are mostly written towards contact smart cards, not contactless, but good smart card protocol designers *always* assume an attacker can get between card and reader, whether it's directly connected via a contact plate, or whether it's over RF, so the contact-oriented security does just as good a job in contactless mode.

    Regarding signatures or no, it's not clear yet how that is going to be handled. EMV provides for several modes of operation, the best being "chip and PIN", which is what's being deployed in the UK right now (with contact cards, not RF). In that mode, you provide your PIN to the card reader through a PIN pad, and that unlocks your card to perform the transaction.

    EMV also allows chip and signature and chip-only (as well as providing for fall-back modes that don't use the chip and rely on the magnetic stripe or even on getting a carbon copy of the embossed card number). The decisions about which mode to require will be made by individual banks issuing cards.

    There is a lot to EMV... so you've got a few weeks worth of serious work cut out for you if you really want to understand it all, but the information is public and peer-reviewed. The countries that have deployed EMV have seen card skimming fraud drop to zero. That's right, so far, there has been no known case of an EMV card being faked or duplicated, and as far as I know, no one has deployed cards with DDA (dynamic data authentication) enabled. They're all SDA (static data authentication), which carry digitally signed but static data on the chip which is read out every time. The US banks are talking about doing DDA, which involves a cryptographic challenge-response protocol and is vastly harder to duplicate.

    At, say, $24 each, in a large crowd, you could amass quite a bit of money, and many people would never know it happened.

    LOL. Dude, think about what you're saying. Credit card transactions are completely auditable. When dozens of people complain that they didn't authorize those $24 transactions, the issuing banks are going to go back to the merchant who performed them, and his acquirer is going to notice the extraordinarily high level of complaints, *and* that they're all for sub-$25 transactions. The thief will be in prison very shortly.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
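The SDA versus DDA distinction swillden describes above (and the summary's claim that each transmission carries a code that cannot be reused) can be illustrated with a small simulation. This is an added example, not code from this thread or from EMVCo; it assumes HMAC-SHA256 as a stand-in for EMV's RSA signatures, constructed demo keys, and a toy static record, and shows why a faithful copy of static data passes SDA but fails a fresh DDA challenge.

```python
import hmac
import os

# Constructed demo keys (not real EMV key material). Real EMV uses RSA key pairs;
# HMAC-SHA256 stands in for the signature so this runs with the stdlib alone.
ISSUER_KEY = b"issuer-signing-key-demo"
ICC_KEY = b"icc-private-key-demo"   # held only by the genuine chip

def sign(key: bytes, message: bytes) -> bytes:
    """Signature stand-in: HMAC-SHA256 over the message."""
    return hmac.new(key, message, "sha256").digest()

class GenuineCard:
    """Static record signed by the issuer (SDA) plus a card-held key (DDA)."""
    def __init__(self, pan: bytes):
        self.static_data = b"PAN=" + pan + b";EXP=0000"   # constructed record
        self.sda_signature = sign(ISSUER_KEY, self.static_data)

    def dda_respond(self, unpredictable_number: bytes) -> bytes:
        # Dynamic signature binds the terminal's fresh nonce to the card data.
        return sign(ICC_KEY, self.static_data + unpredictable_number)

class CopiedCard:
    """A copy made from one recorded read: static data, issuer signature and
    the single DDA response that was observed. It never holds ICC_KEY."""
    def __init__(self, original: GenuineCard, seen_nonce: bytes):
        self.static_data = original.static_data
        self.sda_signature = original.sda_signature
        self.recorded_response = original.dda_respond(seen_nonce)

    def dda_respond(self, unpredictable_number: bytes) -> bytes:
        return self.recorded_response   # can only replay what it once saw

def terminal_sda_check(card) -> bool:
    """SDA: verify the issuer signature over static data; nothing is fresh."""
    return hmac.compare_digest(sign(ISSUER_KEY, card.static_data), card.sda_signature)

def terminal_dda_check(card) -> bool:
    """DDA: send a fresh unpredictable number and check the card signed it."""
    nonce = os.urandom(8)
    expected = sign(ICC_KEY, card.static_data + nonce)  # real terminals verify with the ICC public key
    return hmac.compare_digest(expected, card.dda_respond(nonce))

def run_demo() -> dict:
    genuine = GenuineCard(b"4111111111111111")   # constructed test PAN
    copy = CopiedCard(genuine, os.urandom(8))
    return {"sda_genuine": terminal_sda_check(genuine), "sda_copy": terminal_sda_check(copy),
            "dda_genuine": terminal_dda_check(genuine), "dda_copy": terminal_dda_check(copy)}
```

Under SDA both cards verify, because the terminal only checks a signature over data that never changes; under DDA the copy fails, since it cannot sign the terminal's new nonce without the card key.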