Chase Deploying "Touchless" Credit Cards

← Back to Stories (view on slashdot.org)

Chase Deploying "Touchless" Credit Cards

Posted by ryuzaki0 on Thursday May 19, 2005 @01:12PM from the trust-us dept.

Rick Zeman writes "As reported by Money Magazine, J.P. Morgan Chase, the US' 2nd largest bank, is rolling out 'contactless' credit cards, presumably using RFID technology. 'The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers' which leads me to wonder if the next crime wave of the future will be criminals walking through crowds with readers to grab customer info. Chase says, however, that 'new cards are embedded with encryption software to prevent duplication and data theft' but since RFID has been cracked before, and the criminals are usually more clever than the vendors...."

15 of 373 comments (clear)

Min score:

Reason:

Sort:

why not by Festering+Leper · 2005-05-19 13:14 · Score: 5, Insightful

store it in a shielded sleeve until you use it?

--
if you want people to think you know what you are talking about, just put ".com" at the end of everything you say.com
1. Re:why not by Albinofrenchy · 2005-05-19 13:30 · Score: 2, Insightful
  
  So we are going to take out our "Touchless" credit card when we want to use it? Seems familiar... oh wait, thats what I do now...
  
  --
  "A man is but the product of his thoughts what he thinks, he becomes." -Mahatma Gandhi
2. Re:why not by Anonymous Coward · 2005-05-19 15:05 · Score: 2, Insightful
  
  Yes, but now you get to wrap you wallet with tin-foil.
3. Re:why not by pyrrhonist · 2005-05-19 17:50 · Score: 2, Insightful
  
  Come on, this was on Mythbusters; these guys kicked the CRAP out out of some credit cards,
  They hardly kicked the crap out of the cards. All Mythbusters did was subject the cards to electric shocks.
  
  I'm talking about friction rubbing off the magnetic material on the card. This makes the magnetic strip inoperative, because there is no magnetic strip left.
  
  Take some sandpaper and sand the magnetic strip a bit. Then tell me if your card still works.
  
  Why is this so difficult for people to understand?
  
  --
  Show me on the doll where his noodly appendage touched you.
Choices... by cd_serek · 2005-05-19 13:15 · Score: 2, Insightful

Having to waste 5 seconds looking through my wallet for my Credit Card, and having to manually swipe it...

vs.

Having my Credit Card details stolen and sold.

I think the choice is easy.
1. Re:Choices... by raehl · 2005-05-19 13:46 · Score: 3, Insightful
  
  Having to waste 10 minutes walking to the store...
  
  vs.
  
  Getting sideswiped by a semi on the way to the door and getting killed.
  
  Your comparison is a bad one. You need to add up all those 5 seconds you save and compare them to the time you'd spend fixing it if your information got stolen times the odds your information gets stolen.
  
  Let's also keep in mind how easy it is to steal your credit card information as it is. The number is written RIGHT ON your card. Every cashier you ever give your credit card to has access to that number.
  
  And when that cashier runs the card, what happens? It dials up to the central server and sends your personal information over the phone line. If you're confident with encrytpion to someplace perhaps thousands of miles away, why are you not comfortable with encryption to something 10 inches away?
  
  The fact of the matter is, getting bent out of shape about contactless transmission is silly. Either the encryption method used is good, or it ain't. You don't need to worry about physical layer compramisesif your transaction layer protection is good.
  
  Also, there are other savings here than just your time: Contactless transactions are chepaer to process than signed paper credit card transactions. Merchants can save a lot of money not having to pay cashiers to sit there and watch you sign the receipt, and credit card companies can save money not having to archive those pieces of paper.
  
  Economic efficiency is good for everyone.
  
  --
  paintball
2. Re:Choices... by StarManta.Mini · 2005-05-19 15:07 · Score: 1, Insightful
  
  Let's also keep in mind how easy it is to steal your credit card information as it is. The number is written RIGHT ON your card. Every cashier you ever give your credit card to has access to that number.
  
  Unless the cashier has a photographic memory, he/she would have to write the number down while the card is still in their possession - and if I ever see a cashier do that the cops shall be called.
  
  If you're confident with encrytpion to someplace perhaps thousands of miles away, why are you not comfortable with encryption to something 10 inches away?
  
  Because I'm confident that any company engaging in credit card theft will promptly get caught, prosecuted, and sued the pants off of. The same may not hold true for an individual, and the fact that there are two dozen people standing within RFID range when most transactions are done greatly disturbs me.
  
  Either the encryption method used is good, or it ain't.
  
  And it ain't good enough. I can promise you it will be cracked sooner rather than later.
  
  Also, there are other savings here than just your time: Contactless transactions are chepaer to process than signed paper credit card transactions. Merchants can save a lot of money not having to pay cashiers to sit there and watch you sign the receipt, and credit card companies can save money not having to archive those pieces of paper.
  
  You haven't gone to fast food places lately, have you? McDonald's, Wendy's, and Panera (the 3 joints i frequent most) do not require a signature on credit cards if the transaction is small (less than $25 or so). So, there is next to no money saved on that point.
  
  Do you happen to work for Microsoft? You seem to agree with their security policy.
Hong Kong's Octopus by G4from128k · 2005-05-19 13:45 · Score: 4, Insightful

HK has been using a contactless cash card since 1997 called Octopus It's proprietary RFID system (built before the standard appeared), that seems to work quite well for public transport and retail.

--
Two wrongs don't make a right, but three lefts do.
Here's how it might work by Comatose51 · 2005-05-19 13:52 · Score: 2, Insightful

I was just thinking about this. I doubt banks will make it THAT easy for people to steal identity. Remember, it's money here we're dealing with and if it becomes too easy to steal the banks will lose money as well and customers' good will and trust, which you want in the finance industry.

In any case, I can imagine it working like this:
1. Terminal sends some string of random bytes, p.
2. Card processes it using some one way function f(p,q) and returns the value s where q is some secret info.
3. Terminal takes the results and sends p and s to the bank to verify. Bank runs f(p, q) and see if it matches s. If so, return true.

That's just a simple scheme I hatched up where you don't have to reveal your secret info to verify yourself. I'm sure there are much better ways.

--
EvilCON - Made Famous by /.
Except that it's not by StarManta.Mini · 2005-05-19 14:57 · Score: 3, Insightful

RFID is a very good idea for many things, such as grocery tagging. For credit cards it's awful. There are only two possible states of an RFID credit card:
1) Safely in a sleeve, where no one can read it
2) Out in the open, where everyone in a certain radius can read it

In other words, you can't spend it without exposing it. Joe Hacker can hang out next to the checkout line at your grocery store for 5 minutes and get a dozen credit card numbers.

I don't care how much you encrypt it: it'll be cracked, and sooner rather than later. The fact that they are compounding this with no regulation of requiring signitures is one of the worst security decisions I've ever heard of - far worse than anything Microsoft has ever put out, and that INCLUDES ActiveX. Because ActiveX breaches don't immediately and directly cause credit card numbers to get stolen en masse unless combined with social engineering.
1. Re:Except that it's not by GeckoX · 2005-05-20 03:41 · Score: 3, Insightful
  
  Yes, but it reduces the security from something you have, something you are, something you know down to simply something you have.
  
  How come all we are talking about here are the communication of the something you have part, and everyone is ignoring the loss of the other 2 critical parts of the secure equation?
  
  To me, this looks like these cards are totally disassociated from the card holder when used. That is most certainly NOT more secure than we have currently.
  
  Am I missing something or is everybody else?
  
  --
  No Comment.
Real geeks spend cash by NotQuiteReal · 2005-05-19 15:38 · Score: 2, Insightful

As long as it is legal tender, I pay cold, hard cash for lots of stuff.
I dress like a slob, so I am not a mugging target, and I don't spend what I don't have, so I don't have any credit card debt.

When the clerk asks for personal info, even if it is just "Can I have your zip code, sir?", I say "No".

Sure, I could get a couple of percent on "the float", but just not hassling with big bills is worth it. Paying for a meal you excreted a month ago sucks.

Pay as you go. Be happy.

--
This issue is a bit more complicated than you think.
Unbelievable... by Anonymous Coward · 2005-05-19 17:19 · Score: 1, Insightful

Are they joking about the encryption thing? Do they honestly believe there's even the slightest chance that it wouldn't be cracked?
Re:Problem is they use weak encryption by 91degrees · 2005-05-20 00:22 · Score: 2, Insightful

Banks tend to be pretty good with encryption. When negligence could easily cost you several billion, security is worth it.
Re:transaction approval by Anonymous Coward · 2005-05-20 02:42 · Score: 1, Insightful

You know those electronic key badges/fobs that you can hold up to a door to unlock it? Same type of technology. Notice how close they have to be for the reader to read the key. That's how close an attacker has to get his reader to your ass.

Unless they increase the power and put on a more sensitive antenna.

Remember, BlueTooth wasn't meant to transmit over a mile, either...