Chase Deploying "Touchless" Credit Cards
Rick Zeman writes "As reported by Money Magazine, J.P. Morgan Chase, the US' 2nd largest bank, is rolling out 'contactless' credit cards, presumably using RFID technology. 'The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers' which leads me to wonder if the next crime wave of the future will be criminals walking through crowds with readers to grab customer info. Chase says, however, that 'new cards are embedded with encryption software to prevent duplication and data theft' but since RFID has been cracked before, and the criminals are usually more clever than the vendors...."
store it in a shielded sleeve until you use it?
if you want people to think you know what you are talking about, just put ".com" at the end of everything you say.com
The article doesn't give too many details, but my guess is that this is nothing more than a SmartCard, similar to the American Express "Blue" card. SmartCards have had contactless technology for nearly a decade that utilize induction technology to communicate back and forth. The reader on the terminal is then able to talk to the microprocessor on the card, usually sending information that is then verified using encryption technology. (Think: public key encryption.) As a result, it's not possible to just run around and collect the info from cards, because they'll never give out secure information. They only give back cryptographically secure results. (At least, that's how it's supposed to work.)
Note that existing contactless technology is sufficient for this credit card, with a maximum range of up to 10cm. Such technology is supposedly already in use in Europe. (Europeans care to share your experiences?)
That's my guess anyway. I'm sure someone else can add a few details or make corrections.
Javascript + Nintendo DSi = DSiCade
Sounds no harder to steal money than today's current credit cards.
I'm sure there will be RFID security issues, but the trend does remind me of a commercial I saw a few years back. I forget the company (real effective, then, huh?), but the gist was that this Gen-Xer walks into a supermarket, starts stuffing TV dinners in his trenchcoat, then walks out. The security guard stops him, but just hands him a receipt.
I kinda like the idea. Grocery shopping without having to deal with all that pesky human interaction. Qool.
Paleotechnologist and connoisseur of pretty shiny things.
Having to waste 5 seconds looking through my wallet for my Credit Card, and having to manually swipe it...
vs.
Having my Credit Card details stolen and sold.
I think the choice is easy.
Your fingers or eyes (or whatever part of your body they are going to use for authorization eventually) are in danger!!
How long before people get portable readers and walk down the street collecting card info.
...a brand new set of legal case templates will be opened up to the money-grubbing lawyers. And, there will be more lawyers!!! YAY!!!
--- We need more Ron Paul!
Wait...so what is the inconvenience of having to slide a little plastic card and sign a little piece of paper? Are consumers really THAT lazy...?
It's not going to be RFID. RFID tags are not the same as contactless smartcards. Contactless smartcards are inherently more secure.
The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers
In Europe we have the chip & pin way of using credit and debit cards at Point of Sale. No signature required, but there's not really a time saving involved. When it comes to RFID credit cards though... well, the US can keep them IMO - there's no way I'd be willing to carry one of these, no matter how confident or assuring the bank tried to be.
This sig has been deprecated.
Well why phish in the comfort of your stinky computer room with thousands of emails when you can fish from your laptop while drinking a latte'.
I certainly hope that someone will figure out how to crack this and then take the high road and show the consumers all of their credit card info so they can cut the damn things up.
Also, is there any feasibility to just sending the reply that RFID would be responsible for from your laptop and ignoring the tag altogether. I am sure I have done worse things.
Oh, by the way, am I the first post?
Like arts? Like cheesy little Indie mags? Check out www.artwerkmag.com, and don't laugh at the bad coding please.
Hmmm.. let me see, the new card doesn't require a signature and has 'encryption'. A signature is not conclusive but it is still a time tested way of verifying authenticity, and this system has been working successfully for centuries now.
I won't be surprised to see over the next few years, ID thieves roaming around gathering card data over the air using RFID readers, manufacturing new cards and using them. This could be a pretty lucrative industry. I'm betting we're also going to see a huge increase in the number of cancelled cards and payment disputes.
Interesting times ahead. I only hope other banks don't follow suit.
You need to be at a relatively close range to RFID to get a "solid" reading. Sadly a lot of people are under the assumption that you can basically just pull out a huge giganto RFID reading cannon and know what an entire house worths of data is. It isn't true, and RFID is frankly not really that robust of a technology yet. It would not surprise me in the least if a lot of these cards end up failing due to extremities that cause deformities in the RFID, rendering it completely useless. Me personally? I'm sticking to my card that I have to slide, not that it is necessarily any safer.
How long will it be before Albertson's, Tom Thumb, and Safeway require RFID tags in order to avoid paying a 15% markup?
Ok, not clicking on a link and reading an article before commenting on an intriguing summary is understandable, but not even finishing the
Read The Fucking Summary
the vendors are not stupid.
they know fully well the pitfalls of security, but the marketing departments dictate the selling pitch to the public, and, well, they can pretty much lie all they want it seems.
business and profit before customers.
We should have been
So much more by now
Too dead inside
To even know the guilt
Please, fellow modders. Do not waste your points on this parent post.
We shan't encourage behaviour such as this. It's pretty repugnant.
store it in a shielded sleeve until you use it?
Actually, the card uses some of the scan energy to signal that it has been accessed... With the new laws in Florida, you'll be able to just shoot into the crowd when you get an unauthorized access.
Gentlemen, start your armchairs!
but since RFID has been cracked before, and the criminals are usually more clever than the vendors...."
...and we have Ignition!
Seriously, until we know the specifics, much of what anyone says in this story will be silly posturing and armchair engineering. It's also pretty hilarious to see a slashdot reader questioning the qualifications of a bank's security- do you honestly think they'd put their reputation (critical to a bank) and money on the line, without having the whole thing rather thoroughly evaluated by security consult firms? I'm not saying they're perfectly qualified, but I am saying they're a tad more qualified than the general slashdot readership, myself included.
It would have been nice if Slashdot had, say, gotten the inside scoop on some more details- instead of being about 12 hours behind the AP wire (I read about it this morning. And to think one of the reasons on the Slashdot FAQ for "not notifying people they're about to get slashdotted" is "we don't want you to have to wait an hour"). I used to read Slashdot for stories that have more detail/insight than AP stories, or beat them to the punch.
Now it does neither.
As far as I can tell, it seems like credit card companies currently don't care too much about who is using the card. My signature is checked against my card maybe 10% of the time I'm making a transaction. It's probably much easier for them to run through their database with a "fraudulent buying pattern" detection algorithm than crack down on the way the card is physically used, be it by signature or embedded RFID.
The fact that credit cards are often used online further nullifies the point of efforts for making credit cards more physically secure.
But then again, I've never been the victim of fraud.
I can see the headline now, from when somebody cracks this technology:
"Wave of the future breaks" :)
The solution is simple, make the card reader tied to a certain account at the credit card company, to which cards may debit only. Then you'll always know where the money ends up, and the security problem becomes one of bank security. Unless criminals have some reason to want to debit from someone else's card into someone else's account.
I DESIGN REGISTERS! BLINK IS A SMART CARD READER TECH!!!!!
contactless but u have to still slide it in!! kinda like my last date..
Sounds like a new way to get ripped-off. Is the sack under the mattress such a bad idea?
Zhrodague.net - I do projects and stuff too.
A friend of mine came up with a clever workaround. Just make a little wallet or envelope of conductive material to hold the card. It will act like a Faraday cage and totally shield the card. When you want to use it you have to take it out though. Should work well for the new passports!
These contactless cards probably use weak encryption .. and so they'll be cracked .. and then consumers will lose confidence..
.. corporations are always cheap .. I have no doubt they opted for low grade "encryption". If they give me one of these cards I'm throwing it away unless they tell me exactly what the protocol is and the type / bit strength of the encryption.
I'm willing to bet that they use dumbed down encryption
Your fingers or eyes (or whatever part of your body they are going to use for authorization eventually) are in danger!!
This is why we should put our biometric research dollars into rectal printing. Sure, they could simply take it, but not many would.
I've worked on wireless smart cards, that act similarly to rfid cards, but have very good encryption, even public/private key encryption. smart cards have their own computers on them, so you can have a challenge/response, or just about any kind of encryption you can think of.
those are just as hard to crack as PGP emails. Not at all easy.
I'm guessing that these things won't have any *human* readable numbers on them, which is a huge source of credit card losses now. If, as one poster suggested already, these are smartcard based and use some sort of public/private key encryption, then they might just be on to something.
I'm no fan of credit card companies, but they aren't total idiots. They're losing billions of dollars due to fraud and I suspect they've put rather a lot of thought into ways of preventing it.
If a giant oil company wanted an abortion, would W's head explode?
If you are familiar with Easypass you know how this will revolutionize things. According to one bill, our car passed a Parkway toll near the Atlantic City Expressway and entered the Lincoln Tunnel ten minutes later.
What does this button do...
Outside of the US merchants are mandated by Visa and Mastercard to move to a high encryption RF standard. Despite what the credit cards would have you believe, the US has extremely low credit card fraud. Because fraud prevention works well no one is in a hurry to move in this direction.
In Europe organized crime is a big deal. In particular in the east. So much that the credit card companies have mandated EVERY merchant switch credit card terminals. If they don't switch terminals, they won't cover certain types of Credit Card fraud anymore.
Because you've heard about all the Mobil card information that's been stolen, right? Oh. You haven't? Right. Because there hasn't been any.
You have to touch the speedpass reader for it to work, that's the keypad one without a battery. The window one can be read at about 2' but all you're going to get is a number that Mobil matches up with an account. Nothing sensitive.
Not a Twitter sockpuppet... but I wish I was.
I don't care how encrypted or advanced or "secure" it is, I don't want my credit card doing anything unless I've taken it out of my wallet.
And I would sooner change my bank to get a normal credit card than I would buy a wallet with a faraday cage built in.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
It's not like these cards are storing SSN's or medical records yet.
If someone steals your card number, or whatever is on the chip, then call up customer service and demand they take care of it right away.
Not like almost all American banks aren't FDIC insured anyways. If it proves to be too big of a problem, I'm sure they'll pull the cards out of circulation.
Would it be that difficult to simply wire in a loop to a contact button, such that the induction circuit is open unless you press the button, and thus the induction field itself is not enough to read the card?
rm
Sci-Fi Storm
I design armchairs for a living you insensitive clod!
printf("Goodbye cruel world!\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b");
My friend thinks that the motivation for all of this is to eliminate the need to check signatures, and to eventually place liability for fraud on the user. The idea is that stores like 7/11 don't check signatures because their employees aren't well trained, and Credit Card companies treat failure to check a signature as grounds for placing liability on the store. He thinks that these new "secure cards" aren't so vulnerable to fraud, so credit card companies will bribe stores to buy new equipment by relieving them of the responsibility to check signatures. He believes that this will ultimately lead to a higher burden of responsibility on customers.
What about a variation where a bogus vendor sets up at a ballgame and charges a few hundred or a few thousand fans for a rather expensive beer and hotdog. If enough people complain they will get caught but if they only do it for a few games and move on and the company is set up under a bogus name, how do you catch them? There's likely to be hundreds of variations on what seem to be legit purchases from bogus vendors. They want vendors to use the service so how do you properly police vendors?
HK has been using a contactless cash card since 1997 called Octopus. It's a proprietary RFID system (built before the standard appeared), that seems to work quite well for public transport and retail.
Two wrongs don't make a right, but three lefts do.
I just don't see why everyone is so afraid of RFID credit cards. Simply have the private key portion of a key pair stored in the card itself, with the public key in an easily-accessible database. When you make a purchase, the merchant sends a random challenge to the card, which then encrypts it with the private key and sends it back. The merchant verifies against the public key, and, if it matches, the transaction is approved. With a smart card, the only way to use my card is to have the physical card, in which case we're back to be exactly as secure as the current system.
/. geeks would be all over this. I mean, it's not perfect, but it would be a hell of a lot more secure than the current system. Right now, if I take my credit card to a restaurant, the waiter need only make a spare imprint of the card (and write down the verification number on the back). Later, he can pull out a phone book to get my address, and then he has all of the information he needs to use my card fraudulently.
I would think that
I say "bring on the RFID credit cards". Simpler to use, and more secure than what's currently in my wallet.
Now I can blink my bling
(ducks)
Jiggity
Some retailers (Gas station employees mostly) will double swipe your card to charge you twice or swipe it through a personal magnetic reader which grabs and stores all info on your card which they use later to repro your magnetic strip. With RFID, a fraudulent retailer would simply need you to walk through the door and have a concealed reader sitting within close proximity. You won't even know you've been charged until you get your bill at the end of the month. And to add to this, if they charged you 10 cents, would you go through the hassle of calling and waiting on customer support for 10 minutes just to report a 10 cent charge you don't have?
There'll be a whole new array of attack vectors and frauds built around this. The insurance companies will up the premium, the credit card companies will be able to differentiate and compete, retailers will install new readers and it'll give shape to a new industry.
-- Binary Finary
After all, Bluetooth isn't meant to have a range of over 1 mile either. ;o)
I'd hazard that it's just a matter of time, so I think I'd prefer to play it safe on this one
Don't take the above poster too seriously. He doesn't.
I can't help thinking how easy it would be for someone with a mobile card-reader to walk through a crowd. I don't know if there's anything on the card to notify when to activate, but if not, it's a free for all.
I had a look 'round, and found American Express has a similar product, called "ExpressPay" (google it) - shaped like a key fob, rather than a card (much better, I would have thought). Their website makes no reference to anything else needing to be done. A scammer need simply swipe the machine past a user's pocket. I assume these cards are probably the same - swipe your scanner past someone's purse or pocket.
Also, does the reader indicate clearly what you're about to be charged? "That'll be $20", the clerk said, ringing up $200. I've had it done to me. I don't know if it was on purpose...
Chase says, however, that 'new cards are embedded with encryption software to prevent duplication and data theft'
For a second I thought they were going to make the same mistake the MPAA did...
Heh, never. Humans learn from their mistakes. Right?
Unless you're also eliminating the ID check, this isn't going to save any time. Plus, I don't see the benefit of not having to swipe outweighing the problems with something that compromises security this much.
Further, this will make it a nightmare for law enforcement. Most credit card rings go through a retail location (i.e., a waiter jacks everyone's info, and someone else does the fraud). However, if you could just steal credit card info from people who you just brush up against, there'd be very little for authorities to go on.
... with touchless priests...
I was just thinking about this. I doubt banks will make it THAT easy for people to steal identity. Remember, it's money here we're dealing with and if it becomes too easy to steal the banks will lose money as well and customers' good will and trust, which you want in the finance industry.
In any case, I can imagine it working like this:
1. Terminal sends some string of random bytes, p.
2. Card processes it using some one way function f(p,q) and returns the value s where q is some secret info.
3. Terminal takes the results and sends p and s to the bank to verify. Bank runs f(p, q) and see if it matches s. If so, return true.
That's just a simple scheme I hatched up where you don't have to reveal your secret info to verify yourself. I'm sure there are much better ways.
EvilCON - Made Famous by
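The three-step scheme sketched in the comment above (random challenge p, card computes f(p, q) with its secret q, bank recomputes and compares), as a runnable model. This is an added example, not code from the original thread or from any card issuer; it assumes HMAC-SHA256 as the one-way function f, a constructed card id, and a toy Bank/Card/Terminal split, and it is the keyed-secret variant rather than the public-key variant proposed elsewhere in the thread. It also shows why a transcript captured over the air is useless on its own: a card that can only replay a recorded s fails the next fresh challenge.

```python
import hashlib
import hmac
import secrets


def f(p: bytes, q: bytes) -> bytes:
    """The comment's one-way function f(p, q).
    Assumption (not from the page): HMAC-SHA256 keyed with the card secret q."""
    return hmac.new(q, p, hashlib.sha256).digest()


class Card:
    """A card holds q and never reveals it; it only answers challenges (step 2)."""

    def __init__(self, card_id: str, q: bytes):
        self.card_id = card_id
        self._q = q

    def respond(self, p: bytes) -> bytes:
        return f(p, self._q)


class Bank:
    """The bank keeps the only other copy of each card's q (step 3 verifier)."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}

    def issue_card(self, card_id: str) -> Card:
        q = secrets.token_bytes(32)  # secret shared with exactly one card
        self._secrets[card_id] = q
        return Card(card_id, q)

    def verify(self, card_id: str, p: bytes, s: bytes) -> bool:
        q = self._secrets.get(card_id)
        if q is None:
            return False
        # Constant-time compare so response checking leaks no timing information.
        return hmac.compare_digest(f(p, q), s)


class Terminal:
    """Step 1: a fresh random challenge per transaction, forwarded with s to the bank."""

    def __init__(self, bank: Bank) -> None:
        self.bank = bank

    def transact(self, card) -> tuple[bool, bytes, bytes]:
        p = secrets.token_bytes(16)  # never reused, so old responses never match
        s = card.respond(p)
        return self.bank.verify(card.card_id, p, s), p, s


class ReplayCard:
    """Models an eavesdropper who recorded one (p, s) pair off the air and
    tries to reuse s. It knows nothing of q, so it can only repeat s."""

    def __init__(self, card_id: str, recorded_s: bytes) -> None:
        self.card_id = card_id
        self._s = recorded_s

    def respond(self, p: bytes) -> bytes:
        return self._s


def genuine_card_accepted() -> bool:
    bank = Bank()
    card = bank.issue_card("card-0001")  # constructed sample id
    ok, _, _ = Terminal(bank).transact(card)
    return ok


def replayed_transcript_rejected() -> bool:
    """True when the genuine transaction passes but a replay of its s fails."""
    bank = Bank()
    card = bank.issue_card("card-0001")  # constructed sample id
    ok, _p, s = Terminal(bank).transact(card)   # attacker records p and s here
    replay_ok, _, _ = Terminal(bank).transact(ReplayCard(card.card_id, s))
    return ok and not replay_ok


if __name__ == "__main__":
    print("genuine card accepted:", genuine_card_accepted())
    print("replayed transcript rejected:", replayed_transcript_rejected())
```

Note that this only defeats recording and replay; the live relay described later in the thread, where a fresh challenge is forwarded to the real card in real time, would still get a valid s back, which is the gap distance or timing checks would have to close.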
Well, that in itself is a story. Where is this information? A company is planning to deploy millions of these things across the country, and they don't seem interested in giving out technical details or advertising any sort of independent evaluation. If they are using strong encryption, it should be very easy for these companies to answer security concerns from the get go. And yet I've scoured the companies' fact sheets and done a number of web searches in order to get some idea of what technology these companies are using, and I can't find much. I think a healthy dose of skepticism is called for, if only so that companies release more information in the future.
The only way I could see this being secure is if the card itself had a display with the dollar amount and recipient, and a yes/no button. Perhaps they have this, does anybody know?
Contactless Credit Card Charges = Contactless Credit Card Fraud
In the near future, all that a pick pocket has to do is bump into you and he's got your entire wallet.
I dub this "Phishpocketing".
Computers are useless. They can only give you answers.
-- Pablo Picasso
In Japan we have been using contactless technology for our daily needs for a while now. Good examples of the technology are Felica Suica and Edy.
As much as the /. crowd has been all skeptical about this technology, over here I've not heard of anything happening that could make headlines for this and I personally have been using them for my daily commute needs and have never had any sort of problems with them.
Now it's understandable that people are getting all finicky about something like this, but I say first try it out before you make comments about it. It's a lot better than walking around with a wad of cash and it sure as hell beats having to stand in line trying to buy a ticket for anything from airlines to trains.
Havin' it large, livin' the life, Welcome to the land of the rising sun.
This being the first new Slashdot post since the new google homepage, I'm sort of disappointed that google does not update quickly. But being open for less than a few hrs I think I can let google off this time.
I personally have 3 credit cards and 1 banking card. I'm curious what will happen if/when multiple companies pick up on this technology? If I wave my wallet near some type of scanner, which card will be selected?
If all you have are silver bullets, everything looks like a werewolf.
Why would this not require a customer signature? Why not eliminate the need for the signature for any type of credit-card transaction?
It'd be childish to blindly assume criminals were cleverer than vendors. They're not. Instead, they:
- have a more efficient "cost structure" and thus more manpower, and
- are bound to fewer limitations (practically none, to be exact - other than the laws of physics, that is, if you must count that).
Worked there for almost a decade. I don't trust my money with their non-touchless cards. There's no way I'd trust my money with their touchless cards. I have a Citibank account.
In Japan they have already rolled out Felica for train tickets, coke machines and some convenience store purchases. The cards are pre-paid and you can recharge them at any JR (Japan Rail) train station. Here is the info on the technology.
http://www.sony.net/Products/felica/contents04_02.html
its already easy for me to spend too much... its just getting too easy to spend money...
pretty hilarious to see a slashdot reader questioning the qualifications of a bank's security
Man, all these people questioning security specialists just ruin it for the rest of us. Just think, everyone's American passports would have been perfectly secure because nobody would know that the new RFID design would not use encryption at all. If everyone had simply assumed that the homeland security office actually understood what security means, and had never questioned them about it.
If I have been able to see further than others, it is because I bought a pair of binoculars.
The US State Dept recently reported that U.S. passports will soon be read remotely at borders around the world, thanks to embedded chips (RFID) that will broadcast on command an individual's name, address and digital photo to a computerized reader. Wrapping your passport in aluminium foil might be the only way to keep away would-be hackers.
If you can't see why contactless credit cards are a terrible idea, then congratulations, you don't have a criminal mind!
Does all that talk about encryption make you feel warm and fuzzy? Don't let it. Encryption gives ZERO protection in this case, doesn't even need to be cracked. The criminal doesn't need to understand the information he is stealing, he just needs to route it to a card reader that does.
The difference here is that a person who keeps control of their swipeable credit card has the assurance that only businesses they trust have access to the card.
The odds that a traceable employee (with a job!) steals the card while in the backroom is much smaller than an anonymous person in the crowd at the mall.
Sign me up!
"Against the assault of laughter nothing can stand." - Mark Twain
This is the only post in these threads that makes sense
Smart cards are actually little processors. With current credit cards, all the mag stripe has is your info repeating over and over. You swipe it, the reader gets the number and contacts your bank (indirectly, they actually talk to an auth network who talks to Visa/MC and so on) to see if you have the necessary funds. If so, it places a hold on those funds and the transaction goes through.
The problem is that the information isn't encrypted in any way so all someone needs to do is copy it.
Not the case with a smart card. What happens with those is a challenge is sent out by the machine and the smart card computes a response. It's public key crypto. So the bank gives or withholds authorization off of the correctness of the response to the challenge. So finding the correct answer to a given challenge is worthless, since they are always different. You can't copy the data off the card, they don't allow that.
Poke around on Google a bit if you are interested in the technology but that's what makes people interested in it. You have to physically steal the card to be able to do anything with it. Also, it can even have data written to it. If you use a GSM phone, your phone will have a smartchip in it. That chip contains your identity, so when a phone receives it, the phone takes on your phone number and service. However that's not all, you can write phonebook entries to the smartchip as well, so those will come with you.
The only real security concern at this point is the technology is new. In cryptography, things aren't proven strong in a single test, they are proven not weak by years of failing to be broken. Since smart cards are new, one hesitates to call them truly secure.
Oh yes--improve life to any discernible degree.
Wake me up when my WiMAX/Bluetooth cellphone/camera/PDA/GPS can use RFID with distributed hash tables to podcast via a Google proxy from my blog. Not that I have/use any of these.
RFID is a very good idea for many things, such as grocery tagging. For credit cards it's awful. There are only two possible states of an RFID credit card:
1) Safely in a sleeve, where no one can read it
2) Out in the open, where everyone in a certain radius can read it
In other words, you can't spend it without exposing it. Joe Hacker can hang out next to the checkout line at your grocery store for 5 minutes and get a dozen credit card numbers.
I don't care how much you encrypt it: it'll be cracked, and sooner rather than later. The fact that they are compounding this with no regulation of requiring signatures is one of the worst security decisions I've ever heard of - far worse than anything Microsoft has ever put out, and that INCLUDES ActiveX. Because ActiveX breaches don't immediately and directly cause credit card numbers to get stolen en masse unless combined with social engineering.
Exactly. That's why the new marketing slogan "Wave your money away" isn't the smartest thing I've ever heard. :)
The best way to predict the future is to create it. - Peter Drucker.
FINALLY! I can't remember how many times I've said to myself "this whole swiping thing fucking sucks - if only there was a way to swipe - but not actually touch the reader - I would be in heaven". And not only that but they made it insecure? Plz, where do I sign UP??
I'll bet you're semi-horizontal while you do that.
"We believe these innovative cards with blink will provide merchants and cardmembers with the increased speed and convenience they want at the point-of-sale," said Carter Franke, chief marketing officer of the company's credit card division, in a statement.
I didn't think that signing a charge receipt took that long, but maybe I'm wrong.
From the CNN article referenced:
But MasterCard said the feedback for its system was more positive. The company has been testing its cards in Orlando and Dallas and plans to roll the new cards this summer in other cities but declined to elaborate on the details.
"We're looking at places where the cards can replace cash," said Art Kranzley, MasterCard's chief ebusiness officer, citing McDonald's, Starbucks, Loews movie theaters and Chevron gas stations, among other destinations, as examples. Citibank, J.P. Morgan Chase and MBNA -- some of the nation's biggest card issuers -- took part in the trials.
How does the current use of the cards not perform the same function?
Call me old-fashioned, but the idea of my signature on the receipt being checked against the card (stop laughing, some merchants actually still do this) at least provides a little bit of protection against credit card theft/fraud.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
Umm, Slashdot has made this mistake before and it will make it again, so let me say this:
THIS IS NOT RFID.
RFID is a term used to describe a number of standards.
Chase is deploying "contactless smartcards" (ISO 14443). Contactless smartcards, like regular smartcards, use public-key encryption technology. Being able to activate / read the card does zero good, because the secret is stored in the card and never revealed.
ISO 14443 is also far more secure than magstripe cards, which have no encryption whatsoever.
OMG, my old Swatch Access site (now hosted by someone else) is the 5th hit on a Google search for "Swatch Access".
Because my wife never lets me touch it
I dress like a slob, so I am not a mugging target, and I don't spend what I don't have, so I don't have any credit card debt.
When the clerk asks for personal info, even if it is just "Can I have your zip code, sir?", I say "No".
Sure, I could get a couple of percent on "the float", but just not hassling with big bills is worth it. Paying for a meal you excreted a month ago sucks.
Pay as you go. Be happy.
This issue is a bit more complicated than you think.
I love the fact that people get all worried about Credit Card fraud... Anyone would think that it's your personal money involved. It's the banks, not yours.
If you actually read the details of your credit card, you'll probably find that you are only liable for x of the fraud anyhow... In my case, it's 10% of the total to a max of $50.
Go ahead, scam my details - put your ass on the line. Waste all the banks money you like. You spend $3000, the most it costs me is $50. And you can bet you'll have the bank hunting you for the balance for a number of years.
Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
In most other types of transactions, (e.g., gas station, grocery store) swiping the card is a tiny fraction of the transaction time. Since credit card companies usually eat losses when fraud occurs, it's not clear why they would be eager to get behind this, especially as it also opens up the possibility of abuse by customers ("I didn't know I was being charged for those porno videos, honest!")
My county (cities+suburban+rural, 727 sq.mi.) has a population of 480,000 and the police get a few hundred reported cases of "identity theft" (fraud via stolen/forged/etc credentials) each year. That's about 1:2000, which would be 150,000 per year in the US.
Shielded bags to block all the transmission of information that all our crap is broadcasting all the time now.
It would really suck to park your car and walk past a criminal and the criminal scans you, cracks your info from your car keys, credit card and passport and just walks over, drives your car off while ordering thousands of dollars of stuff off the internet and selling your passport info to a fence.
In Soviet Russia, armchairs encrypt you!
Maybe now pickpockets will, instead of taking things from your pocket, add things to your pocket.
A thief bumps into you, and puts a little transceiver in it. Then he goes on a shopping spree, and another transceiver in his pocket forwards the questions to the transceiver in your pocket which forwards it to your card. The card answers all questions and sends them back through the reverse route.
"and remember - when walking down the street, never accept coupons for a restaurant from anyone!"
Yes it is true that various standards used for RFID have been shown to be insecure but this doesn't mean this new card will be insecure as well. That makes about as much sense as noting that most computer programs are insecure, or even that a large collection share the common vulnerability of caching cryptographic data to swap, and deducing that therefore gpg isn't secure.
There are no algorithmic challenges to making such a system work. Challenge response protocols are well studied. The primary problem is providing enough power for the cryptographic chip while not coupling it too tightly to the reader/broadcaster. If the cryptographic computation is closely connected and powered by the broadcasting circuit then power usage and RF fluctuation can be potentially used (and some attacks demonstrated I believe) to steal secrets.
Still this problem is hardly insurmountable. One could do a lot of research into masking the computations or more simply separate the computation from the broadcast/reception (of course you would need your own antenna or battery as a power source).
So just like a computer program it could be done well or poorly all depending on who designs it.
If you liked this thought maybe you would find my blog nice too:
So let me get this straight. You are worried that some sophisticated criminal is going to construct a reader for whatever protocol is used in these cards. Chase down the cryptographic flaws in the algorithm, walk around with a broadcasting reader to copy information (which could be detected by police or the credit card company) and then manufacture some fake card as a duplicate of yours?
Don't you think it would be a lot simpler to just put a hidden camera on your person and photograph people's credit card numbers when they use a normal card. I mean c'mon, current credit cards offer virtually no security, anything else has to be an improvement.
If you liked this thought maybe you would find my blog nice too:
This seems like one of the topics which will always bring a bunch of paranoid nuts to the surface. Yeah, it's pretty likely that the algorithm will be cracked at some point or another. But we are pitting criminals against a department of engineers.
Yeah, chances are it will be broken. But not by very many people. Compare:
1) An extremely intelligent criminal group cracks the algorithm, gets a reader. They manage to configure their reader to have wireless networking abilities and get themselves set up with a bank so they appear legitimate. This way they can request and actually receive money from your bank through your card (Their reader can't just magically take money from the card. Transactions like this are two banks communicating through information found on a card). They then walk around the local mall and get within 10cm of the pocket carrying the card for long enough to get a reading. The criminals are smart and don't want to get caught - any money taken will be in small enough amounts to be unnoticed. Chances are pretty good you will only get hit by their reader once, because conditions have to be just right - you have to be in the same place as the criminals and it has to be crowded enough that their actions go unnoticed. You lose $10.
2) You misplace your credit card. Perhaps you dropped it when you were paying for gas at the pump. It was cold and you had bulky gloves on. The card is found by Billy Bob, who then racks up thousands of dollars of purchases. You will probably get your money back, though it will depend somewhat on bank policy. The situation will place a large amount of stress on your life.
3) You make an online purchase. Whether through the spyware on your computer, an insecure connection, or a dishonest retailer, your number and information is taken. The thief then racks up thousands of dollars of purchases. You will probably get your money back, though it will depend somewhat on bank policy. The situation will place a large amount of stress on your life.
I really think that situations (2) and (3) are much more likely. Situation (3) might not be likely for the slashdot crowd, but in case you hadn't noticed, we are a huge minority in the world. So, hey. Be paranoid if you want. Get out the aluminum foil. But I'm afraid I can't stick my head quite far enough up there to see things your way.
Computers need to explode more often.
If the card only returns hashed results, and has a limitation of say 1 result per 5 seconds, it'll take many swipes to figure out the private key. If the private key is properly saved.. ie, cannot be 'read' through certain pins on the IC, then we have something here. If this technology is combined with a keycode like the Interac of Canada, I think it's the best solution.
All these negatives on slashdot, and none of the posts has convinced me why this is less secure than a credit card, which has numbers printed on the front and nobody checks the signature.
My only real beef is that crypto hashing takes cpu power, and I'll get warm, and I'll have to slap on a tiny heatsink in the hotter countries.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
While you're right that the submitter's speculation about RFID is completely at-odds with the actual article, dumber things have happened.
And, as a Slashdotter who's been on the receiving-end of some half-assed "smartcard" technology from one of those supposed "security consult firms", I think you're way off when you assume they automatically know more than anyone here.
"I assumed blithely that there were no elves out there in the darkness"
Wow - where to start - the original bit is just wildly irresponsible in making the assumption that this is RFID.
- This is basically NFC, AKA "contactless" technology. It is VERY different from RFID!
- RFID is designed to be used with small, ultra-cheap tags and long-range (several feet) readers, so you can "scan" a whole shipping pallet of products in one pass. It's designed for logistics, not personal ID cards or e-commerce.
- NFC/contactless has a MUCH shorter range - like 2cm. It's the same technology used in the smartcards that already allow access to countless office buildings, transit systems, and university buildings in the US. You know - where you can leave the card in your wallet, but you basically have to press your wallet against the pad for it to read it.
- NFC/contactless cards (and phones) are already in very widespread use in Japan, with great success and no major security issues to date.
I mean c'mon people - we're talking about a huge bank here - do you really think Chase is that stupid to deploy a technology so insecure that people's "wallets" can be secretly "scanned" from across the room?
I don't just have blind trust in companies to be smart, of course... but fraud is a major concern for any financial institution, so to think they would put RFID in your credit card is just ridiculous.
I haven't written my own signature on a credit receipt in a good 2 years at this point. I write all kinds of dumb stuff like "Bob Vila", "Gordon Shumway", "Fred Flintstone" or even random scribbles. Nobody ever checks. The back of my card says "Ask for ID", and I'd say 1 in 20 people actually ask for it, and those people get a fat cash tip.
Deltron 3030 - Virus (music video)
Are they joking about the encryption thing? Do they honestly believe there's even the slightest chance that it wouldn't be cracked?
Just a countermeasure to potential RFID card theft, but be warned it might also have the potential to damage the card if it uses an exposed chip. Wrap the card in tinfoil when you're not using it. No signal gets out, no RFID theft. You'd probably need a damned strong reader to get by something like that.
Personally, I'm going to avoid the Real ID as long as possible, but if I have to get one I'm going to use the same solution on that.
Why does RFID sound like a solution looking for a problem, that will cause more problems than it solves?
Nothing's absolute... but whom would you trust more to come up with a secure solution?
1. A half-assed slashdotter making the tired old ooooh RFID-bad argument
2. A bank with billions of dollars at stake
The concept of an instantaneous, effortless payment transfer system is certainly intriguing and *sounds* useful. I've read many of the concerns already listed and agree with them. IMO, there is a larger issue here.
As it stands, the purpose of providing a physical card and signature is to provide something analogous to two-factor authentication. Ostensibly if I (1) have physical possession of the card, and (2) can match the signature, then I get to make a purchase.
How many of us sign the back of our cards? I certainly don't. All of my cards read "Please Verify ID". The sad news is that many merchants simply don't look or don't care. So the end result is that I have a single authentication mechanism: possession of the card. This is one of the major contributors to credit card fraud.
Here in the USA many merchants, including grocery, gasoline, etc., provide POS terminals where nothing but a swipe of the card is necessary. Some will occasionally ask to see the card and ID, but in my experience those are rare.
Is there a better way? I believe so. The idea of two-factor authentication is on target but needs to be implemented in a better manner. How about providing the physical card and a PIN? If we link to biometrics there will be many people (myself included) that will balk... and for good reason. However, by requiring a PIN - perhaps something longer than the standard 4 digits - we can virtually eliminate many of the concerns, reuse existing technological concepts, and increase the security of our purchases.
Going back to the POS example, if I swipe my card (regardless whether it is through or over a machine) then enter a PIN, I believe we will have succeeded in providing tangible improvements to the security of credit sales.
Thoughts?
Jim
I wonder if an RFID signal blocking wallet has been patented yet... anyone wanna lend me money to start my company? :)
We would have the first fairly secure credit card ever made!
Of course, that would make it more work to use it and would require adding a keypad to the card, and the twits would never be willing to hassle with it, but....
You might also make it a pcmcia card that goes into a laptop/PDA, and then you can create a gui and everything....
Or, better than any of these, you can put it into a cell phone.... and the merchant can SMS your phone and ask you to approve the purchase.
If you don't see why encryption can solve this problem, then you don't have a technical mind.
And the problem is that you do. If there is no separate pin, you don't have to break encryption, a bad guy can simply carry out completely normal purchases with a normal credit card terminal through a normal, legitimate terminal while the card is still in the person's wallet. This has lots of potential for both criminal abuse and just simple problems, like unintended multiple charges. And since many credit cards are linked to debit cards now, you don't even have the usual purchase protections.
The acts of physically swiping a card and of signing a piece of paper both are important security features. Tampering with the process makes it work less well.
At a risk of repeating what has already been said several times, here is a simplified version of this "encryption" thing going on:
Say your card reader wants to verify the card:
Reader: "Card, identify yourself."
Card: "Name: John Smith. Today's code: 2xfG&k29#5"
Reader (to bank): "John Smith gave me code 2xfG&k29#5". Correct?"
Bank: "Yes. Proceed with transaction."
Meanwhile Angry Bob intercepts the code with his scanner and sends a message to the bank from his terminal: "John Smith gave me code 2xfG&k29#5. Correct?"
Bank: "No. The code you gave is not valid." The code was only valid for that particular instance. (Perhaps the bank provided a "seed" value that the card combined with a hash of the account number to verify itself, of course stripping out enough information that the account number can never be reconstructed from the verification code.)
The point many posters have made is that the smart card never actually passes along any sensitive information. It passes along some encrypted code that tells the bank whether or not the card is legit. That code will be useless outside the context of that specific transaction. In other words, you can intercept and decrypt all the codes you want but they will not help you.
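The exchange sketched above, written out as an added example that is not part of the original post: the bank hands the reader a one-shot nonce, the card answers it with a keyed digest (HMAC) computed from a secret that never leaves the chip, and the bank checks the answer against its own copy of that secret. The identifier the card sends in the clear is only a lookup handle. Key size, card identifier and the use of a bank-supplied nonce are assumptions for the example; the point being shown is that a captured code is useless once spent, and that a fresh nonce cannot be answered without the key.

```python
import hashlib
import hmac
import os


class Card:
    """The chip: holds a per-card secret and only ever emits a keyed digest of a nonce."""

    def __init__(self, card_id, key):
        self.card_id = card_id      # lookup handle sent in the clear ("Name: John Smith")
        self._key = key             # never leaves the chip

    def respond(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).hexdigest()


class Bank:
    """The issuer: knows every card's key, hands out one-shot nonces, checks responses."""

    def __init__(self, keys):
        self._keys = dict(keys)
        self._outstanding = {}      # nonce -> card_id; issued once, consumed once

    def issue_nonce(self, card_id):
        nonce = os.urandom(16)      # assumed 128-bit nonce
        self._outstanding[nonce] = card_id
        return nonce

    def verify(self, card_id, nonce, response):
        # A nonce that was never issued, was already spent, or belongs to
        # another card is rejected before any cryptography happens.
        if self._outstanding.pop(nonce, None) != card_id:
            return False
        key = self._keys.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def demo():
    """Legit purchase, then Angry Bob replays the captured code, then Bob tries a fresh nonce."""
    card_id = "card-0001"                        # constructed identifier
    key = os.urandom(32)                         # constructed per-card secret
    bank = Bank({card_id: key})
    card = Card(card_id, key)

    # Reader: "Card, identify yourself."  ->  Card: card_id
    # Reader fetches a nonce from the bank, hands it to the card, relays the answer.
    nonce = bank.issue_nonce(card.card_id)
    code = card.respond(nonce)
    legit = bank.verify(card.card_id, nonce, code)        # True

    # Bob sniffed (card_id, nonce, code) from the air and submits it from his terminal.
    replay = bank.verify(card_id, nonce, code)            # False: nonce already spent

    # Bob obtains a fresh nonce for the same card but has no key to answer it with.
    nonce2 = bank.issue_nonce(card_id)
    forged = bank.verify(card_id, nonce2, code)           # False: digest does not match
    return legit, replay, forged


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The one-shot table is what makes the second submission fail: the digest in Bob's replay is cryptographically perfect, it is just attached to a nonce the bank has already crossed off. Note what this does not cover: a thief who can get the genuine card to answer a live nonce on his behalf (the relay scenario raised elsewhere in this thread) is not stopped by any of it.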
It does not matter whether it is plain old magnetic strip or not, you are not anonymous. The only safe option is laundered and microwaved cash. Preferably, it is from a non-ISO standard financial institution. Oh, wear a mask.
Unless the cashier has a photographic memory, he/she would have to write the number down while the card is still in their possession - and if I ever see a cashier do that the cops shall be called.
I can memorize 16 digit numbers, at least long enough to write them down a few minutes later, without much trouble. Talent picked up when working in a restaurant and it being convenient to memorize the numbers on the manager cards.
Because I'm confident that any company engaging in credit card theft will promptly get caught, prosecuted, and sued the pants off of. The same may not hold true for an individual, and the fact that there are two dozen people standing within RFID range when most transactions are done greatly disturbs me.
You missed the point. I'm not talking about the company on the OTHER END of the line - I'm talking about the ability of parties to intercept your transmission between you and the company. If you use credit cards, you must accept that the encryption that keeps your data safe from when it leaves you and when it gets to the company is sufficient. If you're willing to accept that the encryption is sufficient, why does swapping hundreds of miles of phone line or fiber for 10 inches of air suddenly make you not trust the encryption?
Either the encryption is good enough, or it isn't. Whether it's a contact or contactless transmission doesn't matter.
And it ain't good enough. I can promise you it will be cracked sooner rather than later.
Are there people running around breaking the encryption used on web transactions? The encryption used to move money from bank to bank? The encryption used when the VERY SAME data you don't want to transmit wirelessly is transmitted over the phone or internet to process EVERY SINGLE OTHER CREDIT CARD TRANSACTION YOU MAKE?
I can accept that you are paranoid and don't trust encryption. But if you don't trust encryption, you shouldn't use a credit card at all. But if you do use a credit card, which it appears that you do, there is no logical reason not to use contactless credit cards. If the information can be stolen in contactless transmission, it can be stolen even more efficiently by tapping the data line on the way out of the store.
You haven't gone to fast food places lately, have you? McDonald's, Wendy's, and Panera (the 3 joints I frequent most) do not require a signature on credit cards if the transaction is small (less than $25 or so). So, there is next to no money saved on that point.
For those merchants, and that was a huge concession on the part of the credit card industry in order to be accepted into those merchants, who didn't want to slow down their lines to make people sign stuff. It won't be that easy for industries where credit cards are already an expected form of payment, so if contactless transmission will get the credit card companies to allow merchants to not require paper, that's a good thing.
paintball
So now you know why you are so glad that you kept your grandfather's old metal cigar(|ette) case.
--
J
We aren't really talking about 'contactless credit cards' here.
Yes, we are talking about credit cards. The article is about a bank that is issuing touchless credit cards.
The rest of your 'argument' is rendered moot, since the problem is that thieves may be able to route the card's I/O to a credit card reader and thus make fraudulent charges to a card in someone's pocket. It's a man in the middle attack where the sender doesn't even know a transaction happened.
Speedpass was originally devised in the early nineties, and they used a 64 or 32 bit encryption key (I can't remember which). At the time that was very secure and state of the art, after all it took over ten years for the technology to progress for it to be able to be broken. In fact, there were additional security measures that the developers suggested Exxon (who then sold it to Mobil) use, which would have made Speedpass even more secure, though Exxon opted out to lower the cost of the device.
How do I know? The patent plaque is sitting in my library with my father's name on it.
Where I'm going with this is that there is no inherent weakness in RFID, it can be just as secure or insecure as any other electronic system, what dictates the security of an RFID system is the implementation, plain and simple. I'm sure Chase will be willing to invest a little bit more in the security of their devices because a con would not be stealing a tank of gas, but a person's bank account or line of credit.
The card is used to get an authorization on a credit card account so you can buy stuff at the register.
You don't need to replay a message for this to work; all you have to do is wave a credit card reader over someone's pocket, creating a new fourth purchase.
The reader could just be owned by a fraudulent company, or maybe it could be connected to a two way amplifier whose outputs are being waved over a cash register.
Just maybe, RFID is some kind of misspelling of being aFRaID.
Since they are making a touchless credit card, can they also make a payless credit card that I don't have to pay back? :)
Using a sandpaper wallet was your big mistake n/t
Will it use the same secure technology all those toll booth and gas station e-passes that are so often cloned use? Damn it, at least make the guy get out of his car to steal my money.
The new contactless cards aren't in use in the UK yet, but they are a type of EMV card. EMV is a smart card standard that is being brought in all over the world to combat fraud. All over the world except the US of course because industry leaders in the US seem to think it's everyone else's problem...
EMV is a secure system in that it uses cryptographic signing of all secure data. I'm sure some genius will find a way round it someday (and I believe there already is a way if you happen to own an electron microscope), but it ends the days when a restaurant employee can just skim your magstripe details and have a functional card copy.
It also allows more security for offline transactions as the PIN can be verified by the card. These cards really are smart, they have crypto processors on board rather than just memory, so the PIN hash stored on the card is never ever known to any reader device.
-- Game Developers: Stop porting badly-textured games from crappy console systems!
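The card-side PIN check described in the post above, as an added example (not code from the post, the EMV specification, or any vendor): the reader submits a candidate PIN and gets back only yes/no and the remaining try count; the stored reference never crosses the interface. Following the post's wording, the reference is kept as a salted hash; real chips may store it differently, and the retry limit of three is an assumption. The counter is decremented before the comparison, the usual precaution against a reader that cuts power the instant it sees a failing compare in order to keep its attempt free.

```python
import hashlib
import hmac
import os


class PinCard:
    """Card-held PIN verification with a retry counter and lockout.

    The reader only ever sees (ok, tries_left); the salted hash and the
    salt stay on the chip.  Hash-on-card follows the post's description and
    is an assumption about how a given card stores its reference PIN.
    """

    MAX_TRIES = 3                      # assumed retry limit

    def __init__(self, pin):
        self._salt = os.urandom(16)
        self._ref = self._digest(pin)
        self._tries_left = self.MAX_TRIES

    def _digest(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    @property
    def blocked(self):
        return self._tries_left == 0

    def verify_pin(self, candidate):
        """Returns (ok, tries_left).

        The counter is spent BEFORE the compare, so interrupting the card
        mid-check cannot preserve an attempt; a correct PIN resets it.
        """
        if self.blocked:
            return False, 0
        self._tries_left -= 1
        if hmac.compare_digest(self._digest(candidate), self._ref):
            self._tries_left = self.MAX_TRIES
            return True, self._tries_left
        return False, self._tries_left


def demo():
    """Wrong, right, three wrong in a row, then the correct PIN against a blocked card."""
    card = PinCard("2468")                                   # constructed PIN
    first_wrong = card.verify_pin("0000")                    # (False, 2)
    right = card.verify_pin("2468")                          # (True, 3): counter resets
    wrongs = [card.verify_pin("1111") for _ in range(3)]     # last one is (False, 0)
    after_block = card.verify_pin("2468")                    # (False, 0): blocked for good
    return first_wrong, right, wrongs[-1], after_block, card.blocked


if __name__ == "__main__":
    print(demo())   # ((False, 2), (True, 3), (False, 0), (False, 0), True)
```

The thing to notice is what a dishonest or compromised reader can learn from this interface: one bit per attempt, three attempts, and then nothing. That is the whole difference from a magstripe, where the reader gets everything the card knows on the first swipe.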
... with a 10-foot pole. I know enough about their shady business practices to never trust them with my money. I won't even get into a long story of how they screwed a bunch of us by telling us we had jobs and went back and forth like a ping-pong match. If my experience with them isn't enough, then this site should give plenty of insight from others. Chase has tried to shut them down, but the site is hosted in France. :) :)
presumably using RFID technology
No one should assume this is RFID just because it is contactless.
There are other better technologies available that provide quite good crypto services using proven methods. Things like contactless smartcards are quite secure.
The ratio of people to cake is too big
And before anyone asks, I'll answer in advance: If I don't have enough cash on me for something I see that I'd like to have, I don't really need it in the first place.
Criminals don't have to hold a gun to my head; they just have to walk past me to get my wallet. See, the world is getting to be a better place.
This looks to me to be very subject to a man in the middle attack. Our thief waves his "man in the middle" card over the reader. The reader's challenge is echoed to the victim's (who is standing in line behind the thief) card. The victim's card replies with the victim's financial info. The thief's equipment echoes that info to the reader.
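The relay attack described in this post and in the earlier "transceiver in your pocket" post, simulated as an added example that is not part of either post: the thief's proxy card forwards the reader's challenge to a second device beside the victim, the victim's genuine card answers it, and the answer is forwarded back. The challenge-response check passes because it really is the right card answering. The only handle the reader has is time, so the second half applies a round-trip budget. Latency figures, key size and the budget are all assumptions; a simulated clock is used so the result is deterministic.

```python
import hashlib
import hmac
import os


class Card:
    """Contactless card: answers a challenge with an HMAC over it; never reveals the key."""

    def __init__(self, key):
        self._key = key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Issuer:
    """Holds the same key and checks the card's answer."""

    def __init__(self, key):
        self._key = key

    def check(self, challenge, response):
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class SimClock:
    """Microsecond counter advanced by the simulation instead of wall-clock time."""

    def __init__(self):
        self.t_us = 0

    def advance(self, us):
        self.t_us += us

    def now(self):
        return self.t_us


CARD_DELAY_US = 300     # assumed on-chip processing time for one response


def direct_tap(card, clock):
    """Genuine card on the pad: only the card's own processing delay."""
    def respond(challenge):
        clock.advance(CARD_DELAY_US)
        return card.respond(challenge)
    return respond


def relay_tap(card, clock, hop_us):
    """Thief's proxy at the register: challenge goes reader -> proxy -> thief's
    second device -> victim's card, and the answer comes back the same way.
    hop_us is the assumed one-way cost of that detour."""
    def respond(challenge):
        clock.advance(hop_us)           # challenge travels out to the victim
        clock.advance(CARD_DELAY_US)    # the real card answers normally
        clock.advance(hop_us)           # answer travels back to the register
        return card.respond(challenge)
    return respond


def transact(issuer, tap, clock, rtt_budget_us=None):
    """One purchase. Returns (accepted, round_trip_us)."""
    challenge = os.urandom(16)
    t0 = clock.now()
    response = tap(challenge)
    rtt = clock.now() - t0
    if not issuer.check(challenge, response):
        return False, rtt               # wrong key: never happens in a relay
    if rtt_budget_us is not None and rtt > rtt_budget_us:
        return False, rtt               # crypto fine, but the answer took too long
    return True, rtt


def demo():
    key = os.urandom(32)                # constructed per-card secret
    card, issuer, clock = Card(key), Issuer(key), SimClock()
    hop = 20_000                        # assumed: ~20 ms per hop over a phone link
    ok_direct, _ = transact(issuer, direct_tap(card, clock), clock)
    ok_relay, _ = transact(issuer, relay_tap(card, clock, hop), clock)
    ok_relay_bounded, _ = transact(issuer, relay_tap(card, clock, hop), clock, rtt_budget_us=2_000)
    ok_direct_bounded, _ = transact(issuer, direct_tap(card, clock), clock, rtt_budget_us=2_000)
    return ok_direct, ok_relay, ok_relay_bounded, ok_direct_bounded


if __name__ == "__main__":
    print(demo())   # (True, True, False, True)
```

Two caveats on the second half. A millisecond-scale software deadline like the one here is easy for a well-built relay to meet, which is why serious distance bounding works at the radio frame level where the speed of light, not a network hop, sets the budget. And nothing on the wire distinguishes this from a normal purchase: the issuer really did get the victim's card to sign the transaction, which is the "sender doesn't even know a transaction happened" problem raised above.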
Ross Anderson and colleagues present a great deal of information on what chip and pin does and doesn't do at http://www.chipandspin.co.uk/
I've been carrying a SpeedPass on my keychain for about 18 months, now.
Never had a problem. The nice thing is that it only works at certain gas stations (Esso in Canada). I hope it has a smartcard-like challenge:response system, but I haven't really looked too far into it.
S
Pocket-fishing, which is just like pocket-pool only more sloppy.
Industry experts believe the reading from a meter away is possible. They also believe that if you are putting out enough power to read from that distance and the card comes within half a meter then the chip will be fried. Reading from a varying distance is actually pretty hard to do. Eavesdropping is easier, but won't do you any good since even if a secure channel isn't used the information is only good once.
Lasers Controlled Games!
This has the actual press release.
http://www.chaseblink.com/
Oh, well, if Chase attempts to force this on me, I'll have to go shopping for another card, or pay cash.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
Is this just me or does this sound like we'll be getting chips put in us soon?
"drive-by"
We go from "drive-by shootings"
To "drive-by over-the-limits"!