Slashdot Mirror
Chase Deploying "Touchless" Credit Cards
Rick Zeman writes "As reported by Money Magazine, J.P. Morgan Chase, the US' 2nd largest bank, is rolling out 'contactless' credit cards, presumably using RFID technology. 'The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers' which leads me to wonder if the next crime wave of the future will be criminals walking through crowds with readers to grab customer info. Chase says, however, that 'new cards are embedded with encryption software to prevent duplication and data theft' but since RFID has been cracked before, and the criminals are usually more clever than the vendors...."
store it in a shielded sleeve until you use it?
if you want people to think you know what you are talking about, just put ".com" at the end of everything you say.com
The article doesn't give too many details, but my guess is that this is nothing more than a SmartCard, similar to the American Express "Blue" card. SmartCards have had contactless technology for nearly a decade that utilize induction technology to communicate back and forth. The reader on the terminal is then able to talk to the microprocessor on the card, usually sending information that is then verified using encryption technology. (Think: public key encryption.) As a result, it's not possible to just run around and collect the info from cards, because they'll never give out secure information. They only give back cryptographically secure results. (At least, that's how it's supposed to work.)
Note that existing contactless technology is sufficient for this credit card, with a maximum range of up to 10cm. Such technology is supposedly already in use in Europe. (Europeans care to share your experiences?)
That's my guess anyway. I'm sure someone else can add a few details or make corrections.
Javascript + Nintendo DSi = DSiCade
I'm sure there will be RFID security issues, but the trend does remind me of a commercial I saw a few years back. I forget the company (real effective, then, huh?), but the gist was that this Gen-Xer walks into a supermarket, starts stuffing TV dinners in his trenchcoat, then walks out. The security guard stops him, but just hands him a receipt.
I kinda like the idea. Grovery shopping without having to deal with all that pesky human interaction. Qool.
Paleotechnologist and connoisseur of pretty shiny things.
Having to waste 5 seconds looking through my wallet for my Credit Card, and having to manually swipe it...
vs.
Having my Credit Card details stolen and sold.
I think the choice is easy.
Your fingers or eyes (what whatever part of your body they are going to use for authorization eventually) are in danger!!
The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers
In Europe we have the chip & pin way of using credit and debit cards at Point of Sale. No signature required, but there's not really a time saving involved. When it comes to RFID credit cards though... well, the US can keep them IMO - there's no way i'd be willing to carry one of these, no matter how confident or assuring the bank tried to be.
This sig has been deprecated.
Well why phish in the comfort of your stinky computer room with thousands of emails when you can fish from your laptop while drinking a latte'.
I certainly hope that someone will figure out how to crack this and then takke the high road and show the consumers all of thier credit card info so they can cut the damn things up.
Also, is there any feasibility to just sending the reply that rfid would be responsible for from your laptop and ignoring the tag altogether. I am sure I havce done worse things.
Oh, by the way, am I the first post?
Like arts? Like cheesy little Indie mags? Check out www.artwerkmag.com, and don't laugh at the bad coding please.
You need to be at a relatively close range to RFID to get a "solid" reading. Sadly a lot of people are under the assumption that you can basically just pull out a huge giganto RFID reading cannon and know what an entire house worths of data is. It isn't true, and RFID is frankly not really that robust of a technology yet. It would not surprise me in the least if a lot of these cards end up failing due to extremities that cause deformities in the RFID, rendering it completely useless. Me personally? I'm sticking to my card that I have to slide, not that it is necessarily any safer.
I've worked on wireless smart cards, that act similarly to rfid cards, but have very good encryption, even public/private key encryption. smart cards have their own computers on them, so you can have a challenge/response, or just about any kind of encryption you can think of.
those are just as hard to crack as PGP emails. Not at all easy.
If you are familiar with Easypass you know how this will revolutionize things. According to one bill, our car passed a Parkway toll near the Atlantic City Expressway and entered the Lincoln Tunnel ten minutes later.
What does this button do...
I don't care how encrypted or advanced or "secure" it is, I don't want my credit card doing anything unless I've taken it out of my wallet.
And I would sooner change my bank to get a normal credit card than I would buy a wallet with a faraday cage built in.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
I design armchairs for a living you insensitive clod!
printf("Goodbye cruel world!\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b");
HK has been using a contactless cash card since 1997 called Octopus It's proprietary RFID system (built before the standard appeared), that seems to work quite well for public transport and retail.
Two wrongs don't make a right, but three lefts do.
I just don't see why everyone is so afraid of RFID credit cards. Simply have the private key portion of a key pair stored in the card itself, with the public key in an easily-accessible database. When you make a purchase, the merchant sends a random challenge to the card, which then encrypts it with the private key and sends it back. The merchant verifies against the public key, and, if it matches, the transaction is approved. With a smart card, the only way to use my card is to have the physical card, in which case we're back to be exactly as secure as the current system.
/. geeks would be all over this. I mean, it's not perfect, but it would be a hell of a lot more secure than the current system. Right now, if I take my credit card to a restaurant, the waiter need only make a spare imprint of the card (and write down the verification number on the back). Later, he can pull out a phone book to get my address, and then he has all of the information he needs to use my card fraudulently.
I would think that
I say "bring on the RFID credit cards". Simpler to use, and more secure than what's currently in my wallet.
Some retailers (Gas station employees mostly) will double swipe your card to charge you twice or swipe it through a personal magnetic reader which grabs and stores all info on your card which they use later to repro your magnetic strip. With RFID, an fradulent retalier would simply need you to walk through the door and have a concealed reader sitting within close proximity. You won't even know you've been charged until you get your bill at the end of the month. And to add to this, if they charged you 10 cents, would you go through the hassle of calling waiting on customer support for 10 minutes just to report a 10 cent charge you don't have?
There'll be a whole new array of attack vectors and frauds built around this. The insurance companies will up the premium, the credit card companies will be able to differentiate and compete, retailers will install new readers and a it'll give shape to a new industry.
-- Binary Finary
How does 2048 bit RSA on a SecurCore ARM processor sound? Sounds good to me.
Javascript + Nintendo DSi = DSiCade
I was just thinking about this. I doubt banks will make it THAT easy for people to steal identity. Remember, it's money here we're dealing with and if it becomes too easy to steal the banks will lose money as well and customers' good will and trust, which you want in the finance industry.
In any case, I can imagine it working like this:
1. Terminal sends some string of random bytes, p.
2. Card processes it using some one way function f(p,q) and returns the value s where q is some secret info.
3. Terminal takes the results and sends p and s to the bank to verify. Bank runs f(p, q) and see if it matches s. If so, return true.
That's just a simple scheme I hatched up where you don't have to reveal your secret info to verify yourself. I'm sure there are much better ways.
EvilCON - Made Famous by
The only way I could see this being secure is if the card itself had a display with the dollar amount and recipient, and a yes/no button. Perhaps they have this, does anybody know?
In the near future, all that a pick pocket has to do is bump into you and he's got your entire wallet.
I dub this "Phishpocketing".
Computers are useless. They can only give you answers.
-- Pablo Picasso
In Japan we have been using contactless technology for our daily needs for a while now. Good examples of the technology are Felica Suica and Edy.
/. crowd has been all skeptical about this technology, over here I've not heard of anything happening that could make headlines for this and I personally have been using them for my daily commute needs and have never had any sort of problems with them.
As much as the
Now its understandable that people are getting all finicky about something like this, but I say first try it out before you make a comments on about it. Its a lot better then walking around with a wad of cash and it sure as hell beats having to stand in line trying to by a ticket for anything from airlines to trains.
Havin' it large, livin' the life, Welcome to the land of the rising sun.
I personally have 3 credit cards and 1 banking card. I'm curious what will happen if/when multiple companies pick up on this technology? If I wave my wallet near some type of scanner, which card will be selected?
If all you have are silver bullets, everything looks like a werewolf.
Why would this not require a customer signature? Why not eliminate the need for the signature for any type of credit-card transaction?
In Japan they have already rolled out Felica for train tickets, coke machines and some convenience store purchases. The cards are pre-paid and you can recharge them at any JR (Japan Rail) train station. Here is the info on the technology.
. html
http://www.sony.net/Products/felica/contents04_02
If you can't see why contactless credit cards are a terrible idea, then congratulations, you don't have a criminal mind!
Does all that talk about encryption make you feel warm and fuzzy? Don't let it. Encryption gives ZERO protection in this case, doesn't even need to be cracked. The criminal doesn't need to understand the information he is stealing, he just needs to route it to a card reader that does.
The difference here is that a person who keeps control of their swipeable credit card has the assurance that only businesses they trust has access to the card.
The odds that a traceable employee (with a job!) steals the card while in the backroom is much smaller than an anonymous person in the crowd at the mall.
Smart cards are actually little processors. With current credit cards, all the mag stripe has is your info repeating over and over. You swipe it, the reader gets the number and contacts your bank (indirectly, they actually talk to an auth network who talks to Visa/MC and so on) to see if you have the necessary funds. If so, it places a hold on those funds and the transaction goes through.
The problem is that the information isn't encrypted in any way so all someone needs to do is copy it.
Not the case with a smart card. What happens with those is a challenge is sent out be the machine and the smart card computes a response. It's public key crypto. So the bank gives or withholds authorization off of the correctness of the response to the challenge. So finding the correct answer to a given challenge is worthless, since they are always different. You can't copy the data off the card, they don't allow that.
Poke around on Google a bit if you are interested in the technology but that's what makes people interested in it. You have to physically steal the card to be able to do anything with it. Also, it can even have data written to it. IF you use a GSM phone, you phone will have a smartchip in it. That chip contains your identity, so when a phone recieves it, the phone takes on your phone numebr and service. However that's not all, you can write phonebook entries to the smartchip as well, so those will come with you.
The only real security concern at this point is the technology is new. In cryptography, things aren't proven strong in a single test, they are proven not weak by years of failing to be broken. Since smart cards are new, one hesitates to call them truly secure.
RFID is a very good idea for many things, such as grocery tagging. For credit cards it's awful. There are only two possible states of an RFID credit card:
1) Safely in a sleeve, where no one can read it
2) Out in the open, where everyone in a certain radius can read it
In other words, you can't spend it without exposing it. Joe Hacker can hang out next to the checkout line at your grocery store for 5 minutes and get a dozen credit card numbers.
I don't care how much you encrypt it: it'll be cracked, and sooner rather than later. The fact that they are compounding this with no regulation of requiring signitures is one of the worst security decisions I've ever heard of - far worse than anything Microsoft has ever put out, and that INCLUDES ActiveX. Because ActiveX breaches don't immediately and directly cause credit card numbers to get stolen en masse unless combined with social engineering.
Umm, Slashdot has made this mistake before and it will make it again, so let me say this:
THIS IS NOT RFID.
RFID is a term used to describe a number of standards.
Chase is deploying "contactless smartcards" (ISO 14443). Contactless smartcards, like regular smartcards, use public-key encrpytion technology. Being able to activate / read the card does zero good, because the secret is stored in the card and never revealed.
ISO 14443 is also far more secure than magstripe cards, which have no encryption whatsoever.
I dress like a slob, so I am not a mugging target, and I don't spend what I don't have, so I don't have any credit card debt.
When the clerk asks for personal info, even if it is just "Can I have your zip code, sir?", I say "No".
Sure, I could get a couple of percent on "the float", but just not hassling with big bills is worth it. Paying for a meal you excreted a month ago sucks.
Pay as you go. Be happy.
This issue is a bit more complicated than you think.
I mean c'mon people - we're talking about a huge bank here - do you really think Chase is that stupid to deploy a technology so insecure that people's "wallets" can be secretly "scanned" from across the room?
As a matter of fact, yes.
Especially considering that American banks are WAY behind the rest of the world in areas like using one-time pads or multi-factor authentication. Heck, Bank of America actually only requires use of your 4-digit PIN number from your ATM account.
In my experience, you are actually more likely to get intelligent solutions to identity theft from smaller institutions. If something "funny" goes on with my account, THEY CALL ME personally FROM THE BRANCH, with a friendly voice I recognize. They also by default have passwords set up on accounts (and discourage the use of common passwords like maiden names).
At a risk of repeating what has already been said several times, here is a simplified version of this "encryption" thing going on:
Say your card reader wants to verify the card:
Reader: "Card, identify yourself."
Card: "Name: John Smith. Today's code: 2xfG&k29#5"
Reader (to bank): "John Smith gave me code 2xfG&k29#5". Correct?"
Bank: "Yes. Proceed with transaction."
Meanwhile Angry Bob intercepts the code with his scanner and sends a message to the bank from his terminal: "John Smith gave me code 2xfG&k29#5. Correct?"
Bank: "No. the code you gave is not valid." The code was only valid for that particular instance. (perhaps the bank provided a "seed" value that the card combined with a hash of the account number to verify itself, of course stripping out enough information that the account number can never be reconstructed from the verification code.
The point many posters have made is that the smart card never actually passes along any sensitive information. It passes along some encrypted code that tells the bank whether or not the card is legit. That code will be useless outside the context of that specific transaction. In other words, you can intercept and decrypt all the codes you want but they will not help you.
Unless the cashier has a photographic memory, he/she would have to write the number down while the card is still in their possession - and if I ever see a cashier do that the cops shall be called.
I can memorize 16 digit numbers, at least long enough to write them down a few minutes later, without much trouble. Talent picked up when working in a restaurant and it being convenient to memorize the numbers on the manager cards.
Because I'm confident that any company engaging in credit card theft will promptly get caught, prosecuted, and sued the pants off of. The same may not hold true for an individual, and the fact that there are two dozen people standing within RFID range when most transactions are done greatly disturbs me.
You missed the point. I'm not talking about the company on the OTHER END of the line - I'm talking about the ability of parties to intercept your transmission between you and the company. If you use credit cards, you must accept that the encryption that keeps your data safe from when it leaves you and when it gets to the company is sufficient. If you're willing to accept that the encryption is sufficient, why does swapping hundreds of miles of phone line or fiber for 10 inches of air suddenly make you not trust the encryption?
Either the encryption is good enough, or it isn't. Whether it's a contact or contactless transmission doesn't matter.
And it ain't good enough. I can promise you it will be cracked sooner rather than later.
Are there people running around breaking the encryption used on web transactions? The encryption used to move money from bank to bank? The encryption used when the VERY SAME data you don't want to transmit wirelessly is transmitted over the phone or internet to process EVERY SINGLE OTHER CREDIT CARD TRANSACTION YOU MAKE?
I can accept that you are paranoid and don't trust encryption. But if you don't trust encryption, you shouldn't use a credit card at all. But if you do use a credit card, which it appears that you do, there is no logical reason not to use contactless credit cards. If the information can be stolen in contactless transmission, it can be stolen even more efficiently by tapping the data line on the way out of the store.
You haven't gone to fast food places lately, have you? McDonald's, Wendy's, and Panera (the 3 joints i frequent most) do not require a signature on credit cards if the transaction is small (less than $25 or so). So, there is next to no money saved on that point.
For those merchants, and that was a huge concession on the part of the credit card industry in order to be accepted into those merchants, who didn't want to slow down their lines to make people sign stuff. It won't be that easy for industries where credit cards are already an expected form of payment, so if contactless transmission will get the credit card companies to allow merchants to not require paper, that's a good thing.
paintball
Banks tend to be pretty good with encryption. When negligence could easily cost you several billion, security is worth it.
Using a sandpaper wallet was your big mistake n/t