Chase Deploying "Touchless" Credit Cards
Rick Zeman writes "As reported by Money Magazine, J.P. Morgan Chase, the US' 2nd largest bank, is rolling out 'contactless' credit cards, presumably using RFID technology. 'The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers' which leads me to wonder if the next crime wave of the future will be criminals walking through crowds with readers to grab customer info. Chase says, however, that 'new cards are embedded with encryption software to prevent duplication and data theft' but since RFID has been cracked before, and the criminals are usually more clever than the vendors...."
I'm sure there will be RFID security issues, but the trend does remind me of a commercial I saw a few years back. I forget the company (real effective, then, huh?), but the gist was that this Gen-Xer walks into a supermarket, starts stuffing TV dinners in his trenchcoat, then walks out. The security guard stops him, but just hands him a receipt.
I kinda like the idea. Grocery shopping without having to deal with all that pesky human interaction. Qool.
Paleotechnologist and connoisseur of pretty shiny things.
The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers
In Europe we have the chip & pin way of using credit and debit cards at Point of Sale. No signature required, but there's not really a time saving involved. When it comes to RFID credit cards though... well, the US can keep them IMO - there's no way I'd be willing to carry one of these, no matter how confident or assuring the bank tried to be.
This sig has been deprecated.
Well, why phish in the comfort of your stinky computer room with thousands of emails when you can fish from your laptop while drinking a latte?
I certainly hope that someone will figure out how to crack this and then take the high road and show the consumers all of their credit card info so they can cut the damn things up.
Also, is there any feasibility to just sending the reply that RFID would be responsible for from your laptop and ignoring the tag altogether? I am sure I have done worse things.
Oh, by the way, am I the first post?
Like arts? Like cheesy little Indie mags? Check out www.artwerkmag.com, and don't laugh at the bad coding please.
You need to be at a relatively close range to RFID to get a "solid" reading. Sadly a lot of people are under the assumption that you can basically just pull out a huge giganto RFID reading cannon and know what an entire house's worth of data is. It isn't true, and RFID is frankly not really that robust of a technology yet. It would not surprise me in the least if a lot of these cards end up failing due to extremities that cause deformities in the RFID, rendering it completely useless. Me personally? I'm sticking to my card that I have to slide, not that it is necessarily any safer.
Wouldn't this technology also be safer for the RealID cards rather than RFID? It's still contactless, though not readable from 40 feet like some RFID tags. I hope that's what the FBI and NSA had in mind, instead of RFID, 'cuz otherwise I'll sue them both for knowingly facilitating identity theft. I wouldn't mind the government being able to read cards without contact, as it imposes less wear on the readers AND the cards, thus saving US money. As for Europe, I was there last month, and the reader wouldn't take my US visa card because it was lacking the safety chip from EU banks, and I had to be served by the clerk instead... Which was a royal pain. It definitely wasn't contactless though.
---- I am certain of only one thing : I know nothing else.
I've worked on wireless smart cards that act similarly to RFID cards, but have very good encryption, even public/private key encryption. Smart cards have their own computers on them, so you can have a challenge/response, or just about any kind of encryption you can think of.
Those are just as hard to crack as PGP emails. Not at all easy.
If you are familiar with Easypass you know how this will revolutionize things. According to one bill, our car passed a Parkway toll near the Atlantic City Expressway and entered the Lincoln Tunnel ten minutes later.
What does this button do...
I don't care how encrypted or advanced or "secure" it is, I don't want my credit card doing anything unless I've taken it out of my wallet.
And I would sooner change my bank to get a normal credit card than I would buy a wallet with a faraday cage built in.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
I just don't see why everyone is so afraid of RFID credit cards. Simply have the private key portion of a key pair stored in the card itself, with the public key in an easily-accessible database. When you make a purchase, the merchant sends a random challenge to the card, which then encrypts it with the private key and sends it back. The merchant verifies against the public key, and, if it matches, the transaction is approved. With a smart card, the only way to use my card is to have the physical card, in which case we're back to be exactly as secure as the current system.
/. geeks would be all over this. I mean, it's not perfect, but it would be a hell of a lot more secure than the current system. Right now, if I take my credit card to a restaurant, the waiter need only make a spare imprint of the card (and write down the verification number on the back). Later, he can pull out a phone book to get my address, and then he has all of the information he needs to use my card fraudulently.
I would think that
I say "bring on the RFID credit cards". Simpler to use, and more secure than what's currently in my wallet.
Some retailers (gas station employees mostly) will double swipe your card to charge you twice or swipe it through a personal magnetic reader which grabs and stores all info on your card which they use later to repro your magnetic strip. With RFID, a fraudulent retailer would simply need you to walk through the door and have a concealed reader sitting within close proximity. You won't even know you've been charged until you get your bill at the end of the month. And to add to this, if they charged you 10 cents, would you go through the hassle of calling and waiting on customer support for 10 minutes just to report a 10 cent charge you don't have?
There'll be a whole new array of attack vectors and frauds built around this. The insurance companies will up the premium, the credit card companies will be able to differentiate and compete, retailers will install new readers and it'll give shape to a new industry.
-- Binary Finary
How does 2048 bit RSA on a SecurCore ARM processor sound? Sounds good to me.
Javascript + Nintendo DSi = DSiCade
The only way I could see this being secure is if the card itself had a display with the dollar amount and recipient, and a yes/no button. Perhaps they have this, does anybody know?
I personally have 3 credit cards and 1 banking card. I'm curious what will happen if/when multiple companies pick up on this technology? If I wave my wallet near some type of scanner, which card will be selected?
If all you have are silver bullets, everything looks like a werewolf.
Why would this not require a customer signature? Why not eliminate the need for the signature for any type of credit-card transaction?
In Japan they have already rolled out Felica for train tickets, coke machines and some convenience store purchases. The cards are pre-paid and you can recharge them at any JR (Japan Rail) train station. Here is the info on the technology.
http://www.sony.net/Products/felica/contents04_02.html
Do you work for/with Chase? If so, maybe you can help us out on a few things?
1. Is this an induction communications device, or an RF transceiver?
2. Does it actually use an encryption chip to secure transmissions?
3. If so, wouldn't it basically be the same thing as a contactless or RF smartcard?
Javascript + Nintendo DSi = DSiCade
If you can't see why contactless credit cards are a terrible idea, then congratulations, you don't have a criminal mind!
Does all that talk about encryption make you feel warm and fuzzy? Don't let it. Encryption gives ZERO protection in this case, doesn't even need to be cracked. The criminal doesn't need to understand the information he is stealing, he just needs to route it to a card reader that does.
The difference here is that a person who keeps control of their swipeable credit card has the assurance that only businesses they trust have access to the card.
The odds that a traceable employee (with a job!) steals the card while in the backroom is much smaller than an anonymous person in the crowd at the mall.
There was a company in Finland I believe offering an integrated biometric RFID authentication solution .. basically you had the fingerprint reader (or other biometric input) right on the card. The card verifies basically that "you are you" .. then, the card uses PKI or RSA certificates to authenticate you. It was mainly used to authenticate people for entrance or access to stuff. A credit card based on this would allow you to buy stuff without a vendor ever knowing your biometrics or being able to record your account numbers or PIN or whatever.
Shielded bags to block all the transmission of information that all our crap is broadcasting all the time now.
It would really suck to park your car and walk past a criminal and the criminal scans you, cracks your info from your car keys, credit card and passport and just walks over, drives your car off while ordering thousands of dollars of stuff off the internet and selling your passport info to a fence.
That assumes people are going to use a shielded sleeve. Precious few won't. And a thief could simply plant themselves somewhere busy like a food court and steal any id that goes past.
Of course any such system would require some other form of protection. The site says encryption, e.g. the card's credentials are encrypted with a key known only to the clearing house. It still means the key could be vulnerable to a plaintext attack since the data is likely to be short but contain well formed data such as dates, names, credit card numbers. It also means that the card could be vulnerable to some kind of playback attack unless the card itself is capable of giving a different response depending on some challenge.
It seems to me that it would be cheaper and safe if they adopted the chip & PIN system already used by France and recently UK & Ireland. There is nothing to "sniff" and it's hardly less convenient to use or implement.
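Added example, not part of the thread or of any card vendor's code: the playback point raised in the comment above, and the challenge/response idea from earlier comments, shown from the verifier's side. It assumes a shared HMAC key between card and clearing house (swapped in for the public/private key pair some posters describe); all names and values are hypothetical.

```python
import hashlib, hmac, secrets

# Constructed demo values (assumptions): key shared by card and clearing house.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_ID = b"card-0001"

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class StaticCard:
    """Emits the same protected blob no matter what the reader sends."""
    def respond(self, challenge):
        return mac(CARD_KEY, CARD_ID)

class ChallengeCard:
    """Binds its answer to the reader's fresh challenge."""
    def respond(self, challenge):
        return mac(CARD_KEY, CARD_ID + challenge)

class ClearingHouse:
    def __init__(self):
        self._open = set()  # challenges issued and not yet consumed

    def new_challenge(self):
        c = secrets.token_bytes(16)
        self._open.add(c)
        return c

    def verify_static(self, blob):
        return hmac.compare_digest(blob, mac(CARD_KEY, CARD_ID))

    def verify_response(self, challenge, response):
        if challenge not in self._open:
            return False               # unknown or already-used challenge
        self._open.discard(challenge)  # each challenge is single use
        return hmac.compare_digest(response, mac(CARD_KEY, CARD_ID + challenge))

def replay_outcomes():
    house = ClearingHouse()
    old_static = StaticCard().respond(b"")       # a previously observed answer
    c1 = house.new_challenge()
    old_dynamic = ChallengeCard().respond(c1)    # answer to challenge c1
    first_use = house.verify_response(c1, old_dynamic)
    c2 = house.new_challenge()
    return {
        "static_replay_accepted": house.verify_static(old_static),
        "first_use_accepted": first_use,
        "replay_same_challenge": house.verify_response(c1, old_dynamic),
        "replay_new_challenge": house.verify_response(c2, old_dynamic),
    }

if __name__ == "__main__":
    print(replay_outcomes())
```

The verifier accepts a repeated static blob but rejects a repeated challenge-bound answer. This check addresses playback only; it does not by itself address the live forwarding scenario another commenter describes.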