Slashdot Mirror


Chase Deploying "Touchless" Credit Cards

Rick Zeman writes "As reported by Money Magazine, J.P. Morgan Chase, the US' 2nd largest bank, is rolling out 'contactless' credit cards, presumably using RFID technology. 'The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers' which leads me to wonder if the next crime wave of the future will be criminals walking through crowds with readers to grab customer info. Chase says, however, that 'new cards are embedded with encryption software to prevent duplication and data theft' but since RFID has been cracked before, and the criminals are usually more clever than the vendors...."

19 of 373 comments

  1. Few Details by AKAImBatman · · Score: 5, Informative

    The article doesn't give too many details, but my guess is that this is nothing more than a SmartCard, similar to the American Express "Blue" card. SmartCards have had contactless technology for nearly a decade that utilize induction technology to communicate back and forth. The reader on the terminal is then able to talk to the microprocessor on the card, usually sending information that is then verified using encryption technology. (Think: public key encryption.) As a result, it's not possible to just run around and collect the info from cards, because they'll never give out secure information. They only give back cryptographically secure results. (At least, that's how it's supposed to work.)

    Note that existing contactless technology is sufficient for this credit card, with a maximum range of up to 10cm. Such technology is supposedly already in use in Europe. (Europeans care to share your experiences?)

    That's my guess anyway. I'm sure someone else can add a few details or make corrections.

    1. Re:Few Details by hawado · · Score: 5, Informative

      I worked for a company, here in Japan where the use of these types of contactless smart cards is widespread, which used this technology for fare collection. The biggest problem I had and still have with the system here is that you load up your card with virtual money. So in essence you pay before you play.
      We used these cards to sign in and out of work as well as to pay for lunch at the cafeteria.
      A number of phone manufacturers here are also putting this technology into their phones so you can swipe your phone to pay for things at stores. The main supplier of the actual chip is Sony, under the name FeliCa.
      Now here, it is impossible to use your bank card to pay for anything. The service is just not available as it is in North America or Europe.
      As to the security of the smart cards, the only information on the card is your personal account number and how much money you have on the card. At the end of the day, on mobile fare collection systems anyways, the data is transferred at the depot to a server which updates the main account information. As to store systems, the data is retrieved immediately from the server and updated.
      If your card is stolen or lost, it is like losing cash at least until you call the card issuer and they freeze the account.
      I am not sure about how this may affect the magnetic strip on most credit cards, but a magnetic field generates the electrical power required by the chip on card to 'transmit' the data to the reader.

      --
      Feed my eyes...
    2. Re:Few Details by SoloFlyer2 · · Score: 1, Informative

      This technology would in fact be far more secure than the current swipe card technology...

      The people that are screaming insecurity don't understand encryption...

      Public/private keys are a tried and true encryption method which means that no one will ever see the key stored within the card...

      Unlike current swipe cards which reveal all of their data as soon as they are read...

      This would mean that you could only access the account with physical access to the card.

      I can only see 2 possible ways of actually gaining unauthorized access by creating a fake card (as is often done with swipe cards today)

      1: Brute force cracking of the public/private key...

      This would first require you to intercept a communication between the bank and the card, and then a few decades to crack the public/private...

      This would be easily prevented as the life of the card is probably only a couple of years. After this time the card would be unreadable and you are supplied with a new card by the bank which has a new key...

      2: You have two people, one person has a fake card connected to a laptop and the second person runs around after you with an RFID reader.

      When the first person's fake card receives the challenge packet, it sends it to the second person, who is chasing you around with the RFID reader (which they are holding within 10cm or so of your pocket); the second person sends the challenge packet to your card, which responds with the correct response.

      This response is then forwarded by the second person back to the first person whose fake card replies to the bank with the correct reply... If you can't see the problems with pulling off that one then I'm not going to point them out.... : P

      --
      "I reject your reality, and substitute my own" - Adam Savage
    3. Re:Few Details by Max+Romantschuk · · Score: 2, Informative

      Note that existing contactless technology is sufficient for this credit card, with a maximum range of up to 10cm. Such technology is supposedly already in use in Europe. (Europeans care to share your experiences?)

      I don't know about credit cards, but my Travel card for commuting uses some kind of induction tech.

      It's in use in the Helsinki region, with at least half a million users (probably more). Given that the card is 70 euros a month I would guess cracking whatever encryption it uses is quite hard; I've never heard of a single case of anyone being able to load travel time or value illicitly. The cards also work very reliably, including below the freezing point.

      The working radius, as noted in another comment, is something like 10cm.

      --
      .: Max Romantschuk :: http://max.romantschuk.fi/
  2. Re:Can't be all bad by Anonymous Coward · · Score: 1, Informative

    IBM ad.

  3. Re:Choices... by AKAImBatman · · Score: 4, Informative

    How about option 3?

    3. Being able to wave your credit card while simultaneously keeping your CC data more secure than ever.

    Don't mind the story submitter, (s)he's just making wild claims. This is probably contactless smartcard technology, which is far more secure than RFID. How secure you ask? Well, the card is only supposed to return cryptographically secure results. i.e. You submit information to the card, it returns signed results. No data that could be usefully stolen is transferred. At least, that's the theory, but at least it's had a few decades to mature. :-)

  4. Re:Scamming by Anonymous Coward · · Score: 1, Informative

    Shell and Esso both do this, at least in Canada.

    The transaction information is challenge-response type, which is tied back to the credit card transaction itself. While it might be crackable, it isn't going to happen to the same extent the gas-jockey lifts credit card numbers, or the waitress 'borrows' it.

  5. Contactless Tech, Old news? by Hido · · Score: 5, Informative

    In Japan we have been using contactless technology for our daily needs for a while now. Good examples of the technology are Felica Suica and Edy.

    As much as the /. crowd has been all skeptical about this technology, over here I've not heard of anything happening that could make headlines for this and I personally have been using them for my daily commute needs and have never had any sort of problems with them.

    Now it's understandable that people are getting all finicky about something like this, but I say first try it out before you make comments about it. It's a lot better than walking around with a wad of cash and it sure as hell beats having to stand in line trying to buy a ticket for anything from airlines to trains.

    --
    Havin' it large, livin' the life, Welcome to the land of the rising sun.
  6. Nope by Sycraft-fu · · Score: 4, Informative

    Smart cards are actually little processors. With current credit cards, all the mag stripe has is your info repeating over and over. You swipe it, the reader gets the number and contacts your bank (indirectly, they actually talk to an auth network who talks to Visa/MC and so on) to see if you have the necessary funds. If so, it places a hold on those funds and the transaction goes through.

    The problem is that the information isn't encrypted in any way so all someone needs to do is copy it.

    Not the case with a smart card. What happens with those is a challenge is sent out by the machine and the smart card computes a response. It's public key crypto. So the bank gives or withholds authorization off of the correctness of the response to the challenge. So finding the correct answer to a given challenge is worthless, since they are always different. You can't copy the data off the card, they don't allow that.

    Poke around on Google a bit if you are interested in the technology but that's what makes people interested in it. You have to physically steal the card to be able to do anything with it. Also, it can even have data written to it. If you use a GSM phone, your phone will have a smartchip in it. That chip contains your identity, so when a phone receives it, the phone takes on your phone number and service. However that's not all, you can write phonebook entries to the smartchip as well, so those will come with you.

    The only real security concern at this point is the technology is new. In cryptography, things aren't proven strong in a single test, they are proven not weak by years of failing to be broken. Since smart cards are new, one hesitates to call them truly secure.

  7. THIS IS NOT RFID by RzUpAnmsCwrds · · Score: 5, Informative

    Umm, Slashdot has made this mistake before and it will make it again, so let me say this:

    THIS IS NOT RFID.

    RFID is a term used to describe a number of standards.

    Chase is deploying "contactless smartcards" (ISO 14443). Contactless smartcards, like regular smartcards, use public-key encryption technology. Being able to activate / read the card does zero good, because the secret is stored in the card and never revealed.

    ISO 14443 is also far more secure than magstripe cards, which have no encryption whatsoever.

  8. Re:Choices... by NanoGator · · Score: 2, Informative

    "Unless the cashier has a photographic memory, he/she would have to write the number down while the card is still in their possession - and if I ever see a cashier do that the cops shall be called."

    Wrong. A cashier has to print a copy of the receipt (with your card # on it. YOUR copy may not have that number but the vendor copy most certainly does.), have YOU sign it, then it stays in the cash register. If that transaction is challenged, they'll bring that receipt up to verify your signature.

    At least that's the way it was when I worked in retail. It's funny what you learn from your boss when you neglect to do something.

    --
    "Derp de derp."
  9. Re:transaction approval by AKAImBatman · · Score: 2, Informative

    The shady guy standing next to you in line (or the cashier who double-swipes) doesn't care about legal charges now. Why would he care in this future where he can steal your card wirelessly?

    Because they can't steal the card wirelessly. All they can do is attempt a transaction by placing a reader close to your behind. (Or wherever you keep your cards.)

    And that transaction is useless unless they can submit it to the credit card company. You need a merchant account to do that. And a merchant account is not easy to get. Even if you do get one, the CC company will have all the info they need to track it back to you. Thus you'd have to use someone else's merchant account. But since the money from that account goes directly to the merchant (which will then be charged back by the CC company after the theft anyway), you'd have to steal from the merchant. Which means that it would have been easier to just steal the money in the first place.

  10. Re:Except that it's not by __aalruu9610 · · Score: 2, Informative

    I loved those experiments, except there's something he left out...he didn't file a dispute with any of the charges with the credit card company. It's really not up to the businesses to verify signatures as much as it is the credit card company when something goes wrong...

  11. Re:Major clarifications by faedle · · Score: 4, Informative

    I mean c'mon people - we're talking about a huge bank here - do you really think Chase is that stupid to deploy a technology so insecure that people's "wallets" can be secretly "scanned" from across the room?

    As a matter of fact, yes.

    Especially considering that American banks are WAY behind the rest of the world in areas like using one-time pads or multi-factor authentication. Heck, Bank of America actually only requires use of your 4-digit PIN number from your ATM account.

    In my experience, you are actually more likely to get intelligent solutions to identity theft from smaller institutions. If something "funny" goes on with my account, THEY CALL ME personally FROM THE BRANCH, with a friendly voice I recognize. They also by default have passwords set up on accounts (and discourage the use of common passwords like maiden names).

  12. no need for panic. by hiadam · · Score: 2, Informative

    At a risk of repeating what has already been said several times, here is a simplified version of this "encryption" thing going on:

    Say your card reader wants to verify the card:

    Reader: "Card, identify yourself."
    Card: "Name: John Smith. Today's code: 2xfG&k29#5"
    Reader (to bank): "John Smith gave me code 2xfG&k29#5. Correct?"
    Bank: "Yes. Proceed with transaction."

    Meanwhile Angry Bob intercepts the code with his scanner and sends a message to the bank from his terminal: "John Smith gave me code 2xfG&k29#5. Correct?"
    Bank: "No. The code you gave is not valid." The code was only valid for that particular instance. (Perhaps the bank provided a "seed" value that the card combined with a hash of the account number to verify itself, of course stripping out enough information that the account number can never be reconstructed from the verification code.)

    The point many posters have made is that the smart card never actually passes along any sensitive information. It passes along some encrypted code that tells the bank whether or not the card is legit. That code will be useless outside the context of that specific transaction. In other words, you can intercept and decrypt all the codes you want but they will not help you.
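
    The Reader/Card/Bank exchange above, as an added example that is not code from the original post: a Python sketch in which the bank issues a fresh challenge, the card answers it, and a code sniffed by Angry Bob is rejected when resubmitted. The posts describe public-key signatures; this stand-in uses an HMAC with a per-card secret (an assumption made to keep the example dependency-free), and the names `Card`, `Bank`, `purchase` and `replay` are the example's own.

```python
"""Toy challenge-response card check (added example, not from the thread).
HMAC with a per-card secret stands in for the public-key signature the
posts describe; the replay property demonstrated is the same."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _transaction_msg(challenge: bytes, amount_cents: int) -> bytes:
    # Bind the response to both the fresh challenge and the amount
    return challenge + amount_cents.to_bytes(4, "big")


@dataclass
class Card:
    account: str
    key: bytes  # stays on the card; only responses ever go over the air

    def respond(self, challenge: bytes, amount_cents: int) -> bytes:
        return hmac.new(self.key, _transaction_msg(challenge, amount_cents),
                        hashlib.sha256).digest()


class Bank:
    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.pending: dict[str, tuple[bytes, int]] = {}  # one open challenge per account

    def enroll(self, account: str) -> Card:
        key = secrets.token_bytes(32)
        self.keys[account] = key
        return Card(account, key)

    def challenge(self, account: str, amount_cents: int) -> bytes:
        nonce = secrets.token_bytes(16)  # the "seed" value in the post's wording
        self.pending[account] = (nonce, amount_cents)
        return nonce

    def verify(self, account: str, response: bytes) -> bool:
        open_ch = self.pending.pop(account, None)
        if open_ch is None:
            return False  # nothing outstanding: a stale or replayed response
        nonce, amount_cents = open_ch
        expected = hmac.new(self.keys[account],
                            _transaction_msg(nonce, amount_cents),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def purchase(bank: Bank, card: Card, amount_cents: int) -> tuple[bool, bytes]:
    """Honest reader: relay the bank's challenge to the card, the card's answer to the bank."""
    nonce = bank.challenge(card.account, amount_cents)
    response = card.respond(nonce, amount_cents)
    return bank.verify(card.account, response), response


def replay(bank: Bank, account: str, sniffed: bytes, amount_cents: int) -> bool:
    """'Angry Bob' resubmits a sniffed response against a new challenge."""
    bank.challenge(account, amount_cents)
    return bank.verify(account, sniffed)
```

Every code Bob captures was computed for one nonce and one amount, so it verifies exactly once and never again; the card's secret is never transmitted, so eavesdropping yields nothing to forge a new one with.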

  13. -1 Wrong by raehl · · Score: 2, Informative

    Unless the cashier has a photographic memory, he/she would have to write the number down while the card is still in their possession - and if I ever see a cashier do that the cops shall be called.

    I can memorize 16 digit numbers, at least long enough to write them down a few minutes later, without much trouble. Talent picked up when working in a restaurant and it being convenient to memorize the numbers on the manager cards.

    Because I'm confident that any company engaging in credit card theft will promptly get caught, prosecuted, and sued the pants off of. The same may not hold true for an individual, and the fact that there are two dozen people standing within RFID range when most transactions are done greatly disturbs me.

    You missed the point. I'm not talking about the company on the OTHER END of the line - I'm talking about the ability of parties to intercept your transmission between you and the company. If you use credit cards, you must accept that the encryption that keeps your data safe from when it leaves you and when it gets to the company is sufficient. If you're willing to accept that the encryption is sufficient, why does swapping hundreds of miles of phone line or fiber for 10 inches of air suddenly make you not trust the encryption?

    Either the encryption is good enough, or it isn't. Whether it's a contact or contactless transmission doesn't matter.

    And it ain't good enough. I can promise you it will be cracked sooner rather than later.

    Are there people running around breaking the encryption used on web transactions? The encryption used to move money from bank to bank? The encryption used when the VERY SAME data you don't want to transmit wirelessly is transmitted over the phone or internet to process EVERY SINGLE OTHER CREDIT CARD TRANSACTION YOU MAKE?

    I can accept that you are paranoid and don't trust encryption. But if you don't trust encryption, you shouldn't use a credit card at all. But if you do use a credit card, which it appears that you do, there is no logical reason not to use contactless credit cards. If the information can be stolen in contactless transmission, it can be stolen even more efficiently by tapping the data line on the way out of the store.

    You haven't gone to fast food places lately, have you? McDonald's, Wendy's, and Panera (the 3 joints I frequent most) do not require a signature on credit cards if the transaction is small (less than $25 or so). So, there is next to no money saved on that point.

    For those merchants, and that was a huge concession on the part of the credit card industry in order to be accepted into those merchants, who didn't want to slow down their lines to make people sign stuff. It won't be that easy for industries where credit cards are already an expected form of payment, so if contactless transmission will get the credit card companies to allow merchants to not require paper, that's a good thing.

  14. Re:Europe by wcdw · · Score: 2, Informative

    Chip and Pin is destined to stay outside of the US, which is why US credit card companies are always trying to do something new that is entirely unnecessary.

    Actually, pin # verification for Visa / MC is *already* in the US. They're called Verified by Visa and Mastercard Secure, respectively, and any cardholder is free to attach a pin # to their card.

    They're a huge benefit to merchants, as verified transactions are subject to far fewer chargeback reasons.

    --
    If you're not living on the edge, you're just taking up space!
  15. Re:why not by Overzeetop · · Score: 2, Informative

    As usual, MB did not test the occurrence in many wallets: magnetic stripe vs leather. The mag strip will lose. It will take thousands of cycles. This is easily accomplished by putting your wallet in your back pocket and walking around. Micro-abrasion will occur, and tanning and some leather finishes retain small amounts of solvent which accelerates the process.

    I've had cards go bad in less than 9 months.

    I got a handful of Tyvek sheaths off of eBay and keep my cards in them now. It takes an extra second or two to get the card out (I'm not an old fart yet), and sometimes five or six seconds if I grab the wrong card. This is a fair trade-off for me to keep my cards usable for the ever-extending valid period (three years on my most recent one).

    --
    Is it just my observation, or are there way too many stupid people in the world?
  16. Re:What if you have multiple cards? by swillden · · Score: 2, Informative

    If I wave my wallet near some type of scanner, which card will be selected?

    I have two different contactless readers on my desk, and a few dozen cards of different types, so I think I can answer this.

    Which one will be selected? None. In my experiments, the reader is unable to communicate with any card if there are multiple cards in range. The technology doesn't have any anti-collision technology, and no way of addressing a specific card, so when multiple cards are powered by the field, they step all over each other.

    If you have two cards and one is deep into the field while the other is just at the edge, just barely into the region where it would normally work, the nearer card seems to block the transmissions from the further card and the reader can communicate with the nearer card.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.