Chase Deploying "Touchless" Credit Cards

Rick Zeman writes "As reported by Money Magazine, J.P. Morgan Chase, the US' 2nd largest bank, is rolling out 'contactless' credit cards, presumably using RFID technology. 'The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers' which leads me to wonder if the next crime wave of the future will be criminals walking through crowds with readers to grab customer info. Chase says, however, that 'new cards are embedded with encryption software to prevent duplication and data theft' but since RFID has been cracked before, and the criminals are usually more clever than the vendors...."

Few Details

[AKAImBatman]

The article doesn't give too many details, but my guess is that this is nothing more than a SmartCard, similar to the American Express "Blue" card. SmartCards have had contactless technology for nearly a decade that utilize induction technology to communicate back and forth. The reader on the terminal is then able to talk to the microprocessor on the card, usually sending information that is then verified using encryption technology. (Think: public key encryption.) As a result, it's not possible to just run around and collect the info from cards, because they'll never give out secure information. They only give back cryptographically secure results. (At least, that's how it's supposed to work.)

Note that existing contactless technology is sufficient for this credit card, with a maximum range of up to 10cm. Such technology is supposedly already in use in Europe. (Europeans care to share your experiences?)

That's my guess anyway. I'm sure someone else can add a few details or make corrections.

Re:Few Details

[hawado]

I worked for a company, here in Japan where thre use of these type of contactless smart cards is wide spread, which used this technology for fare collection. The bigest problem I had and still have with the system here is that you load up your card with virtual money. So in essence you pay before you play.
We used these cards to sign in and out of work as well as to pay for lunch at the cafeteria.
A number of phone manufacturers here are also putting this technology into their phones so you can swipe your phone to pay for things at stores. The main supplier of the actual chip is sony, under the namefelica.
Now here, it is impossible to use your bank card to pay for anything. The service is just not avaliable as it is in North america or Europe.
As to the security of the smart cards, the only information on the card is your personal account number and how much money you have on the card. At the end of the day, on mobile fare collection systems anyways, the data is transfered at the depot to a server which updates the main account information. As to store systems, the data is retrieved immediately from the server and updated.
If your card is stolen or lost, it is like loosing cash at least until you call the card issuer and they freeze the account.
I am not sure about how this may affect the magnetic strip on most credit cards, but a magnetic field generates the electrical power required by the chip on card to 'transmit' the data to the reader.

Re:Choices...

[AKAImBatman]

How about option 3?

3. Being able to wave your credit card while simultaneously keeping your CC data more secure than ever.

Don't mind the story submitter, (s)he's just making wild claims. This is probably contactless smartcard technology, which is far more secure than RFID. How secure you ask? Well, the card is only supposed to return crytographically secure results. i.e. You submit information to the card, it returns signed results. No data that could be usefully stolen is transferred. At least, that's the theory, but at least it's had a few decades to mature. :-)

Contactless Tech, Old news?

[Hido]

In Japan we have been using contactless technology for our daily needs for a while now. Good examples of the technology are Felica Suica and Edy.

As much as the /. crowd has been all skeptical about this technology, over here I've not heard of anything happening that could make headlines for this and I personally have been using them for my daily commute needs and have never had any sort of problems with them.

Now its understandable that people are getting all finicky about something like this, but I say first try it out before you make a comments on about it. Its a lot better then walking around with a wad of cash and it sure as hell beats having to stand in line trying to by a ticket for anything from airlines to trains.

Nope

[Sycraft-fu]

Smart cards are actually little processors. With current credit cards, all the mag stripe has is your info repeating over and over. You swipe it, the reader gets the number and contacts your bank (indirectly, they actually talk to an auth network who talks to Visa/MC and so on) to see if you have the necessary funds. If so, it places a hold on those funds and the transaction goes through.

The problem is that the information isn't encrypted in any way so all someone needs to do is copy it.

Not the case with a smart card. What happens with those is a challenge is sent out be the machine and the smart card computes a response. It's public key crypto. So the bank gives or withholds authorization off of the correctness of the response to the challenge. So finding the correct answer to a given challenge is worthless, since they are always different. You can't copy the data off the card, they don't allow that.

Poke around on Google a bit if you are interested in the technology but that's what makes people interested in it. You have to physically steal the card to be able to do anything with it. Also, it can even have data written to it. IF you use a GSM phone, you phone will have a smartchip in it. That chip contains your identity, so when a phone recieves it, the phone takes on your phone numebr and service. However that's not all, you can write phonebook entries to the smartchip as well, so those will come with you.

The only real security concern at this point is the technology is new. In cryptography, things aren't proven strong in a single test, they are proven not weak by years of failing to be broken. Since smart cards are new, one hesitates to call them truly secure.

THIS IS NOT RFID

[RzUpAnmsCwrds]

Umm, Slashdot has made this mistake before and it will make it again, so let me say this:

THIS IS NOT RFID.

RFID is a term used to describe a number of standards.

Chase is deploying "contactless smartcards" (ISO 14443). Contactless smartcards, like regular smartcards, use public-key encrpytion technology. Being able to activate / read the card does zero good, because the secret is stored in the card and never revealed.

ISO 14443 is also far more secure than magstripe cards, which have no encryption whatsoever.

Re:Major clarifications

[faedle]

I mean c'mon people - we're talking about a huge bank here - do you really think Chase is that stupid to deploy a technology so insecure that people's "wallets" can be secretly "scanned" from across the room?

As a matter of fact, yes.

Especially considering that American banks are WAY behind the rest of the world in areas like using one-time pads or multi-factor authentication. Heck, Bank of America actually only requires use of your 4-digit PIN number from your ATM account.

In my experience, you are actually more likely to get intelligent solutions to identity theft from smaller institutions. If something "funny" goes on with my account, THEY CALL ME personally FROM THE BRANCH, with a friendly voice I recognize. They also by default have passwords set up on accounts (and discourage the use of common passwords like maiden names).