Chase Deploying "Touchless" Credit Cards
Rick Zeman writes "As reported by Money Magazine, J.P. Morgan Chase, the US' 2nd largest bank, is rolling out 'contactless' credit cards, presumably using RFID technology. 'The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers' which leads me to wonder if the next crime wave of the future will be criminals walking through crowds with readers to grab customer info. Chase says, however, that 'new cards are embedded with encryption software to prevent duplication and data theft' but since RFID has been cracked before, and the criminals are usually more clever than the vendors...."
store it in a shielded sleeve until you use it?
if you want people to think you know what you are talking about, just put ".com" at the end of everything you say.com
The article doesn't give too many details, but my guess is that this is nothing more than a SmartCard, similar to the American Express "Blue" card. SmartCards have had contactless technology for nearly a decade that utilize induction technology to communicate back and forth. The reader on the terminal is then able to talk to the microprocessor on the card, usually sending information that is then verified using encryption technology. (Think: public key encryption.) As a result, it's not possible to just run around and collect the info from cards, because they'll never give out secure information. They only give back cryptographically secure results. (At least, that's how it's supposed to work.)
Note that existing contactless technology is sufficient for this credit card, with a maximum range of up to 10cm. Such technology is supposedly already in use in Europe. (Europeans care to share your experiences?)
That's my guess anyway. I'm sure someone else can add a few details or make corrections.
Javascript + Nintendo DSi = DSiCade
Your fingers or eyes (or whatever part of your body they are going to use for authorization eventually) are in danger!!
The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers
In Europe we have the chip & pin way of using credit and debit cards at Point of Sale. No signature required, but there's not really a time saving involved. When it comes to RFID credit cards though... well, the US can keep them IMO - there's no way I'd be willing to carry one of these, no matter how confident or assuring the bank tried to be.
This sig has been deprecated.
You need to be at a relatively close range to RFID to get a "solid" reading. Sadly a lot of people are under the assumption that you can basically just pull out a huge giganto RFID reading cannon and know what an entire house worth of data is. It isn't true, and RFID is frankly not really that robust of a technology yet. It would not surprise me in the least if a lot of these cards end up failing due to extremities that cause deformities in the RFID, rendering it completely useless. Me personally? I'm sticking to my card that I have to slide, not that it is necessarily any safer.
How about option 3?
:-)
3. Being able to wave your credit card while simultaneously keeping your CC data more secure than ever.
Don't mind the story submitter, (s)he's just making wild claims. This is probably contactless smartcard technology, which is far more secure than RFID. How secure you ask? Well, the card is only supposed to return cryptographically secure results. i.e. You submit information to the card, it returns signed results. No data that could be usefully stolen is transferred. At least, that's the theory, but at least it's had a few decades to mature.
Javascript + Nintendo DSi = DSiCade
I've worked on wireless smart cards, that act similarly to RFID cards, but have very good encryption, even public/private key encryption. Smart cards have their own computers on them, so you can have a challenge/response, or just about any kind of encryption you can think of.
Those are just as hard to crack as PGP emails. Not at all easy.
I don't care how encrypted or advanced or "secure" it is, I don't want my credit card doing anything unless I've taken it out of my wallet.
And I would sooner change my bank to get a normal credit card than I would buy a wallet with a faraday cage built in.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
I design armchairs for a living you insensitive clod!
printf("Goodbye cruel world!\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b");
HK has been using a contactless cash card since 1997 called Octopus. It's a proprietary RFID system (built before the standard appeared) that seems to work quite well for public transport and retail.
Two wrongs don't make a right, but three lefts do.
I just don't see why everyone is so afraid of RFID credit cards. Simply have the private key portion of a key pair stored in the card itself, with the public key in an easily-accessible database. When you make a purchase, the merchant sends a random challenge to the card, which then encrypts it with the private key and sends it back. The merchant verifies against the public key, and, if it matches, the transaction is approved. With a smart card, the only way to use my card is to have the physical card, in which case we're back to being exactly as secure as the current system.
I would think that /. geeks would be all over this. I mean, it's not perfect, but it would be a hell of a lot more secure than the current system. Right now, if I take my credit card to a restaurant, the waiter need only make a spare imprint of the card (and write down the verification number on the back). Later, he can pull out a phone book to get my address, and then he has all of the information he needs to use my card fraudulently.
I say "bring on the RFID credit cards". Simpler to use, and more secure than what's currently in my wallet.
Having to waste 10 minutes walking to the store...
vs.
Getting sideswiped by a semi on the way to the door and getting killed.
Your comparison is a bad one. You need to add up all those 5 seconds you save and compare them to the time you'd spend fixing it if your information got stolen times the odds your information gets stolen.
Let's also keep in mind how easy it is to steal your credit card information as it is. The number is written RIGHT ON your card. Every cashier you ever give your credit card to has access to that number.
And when that cashier runs the card, what happens? It dials up to the central server and sends your personal information over the phone line. If you're confident with encryption to someplace perhaps thousands of miles away, why are you not comfortable with encryption to something 10 inches away?
The fact of the matter is, getting bent out of shape about contactless transmission is silly. Either the encryption method used is good, or it ain't. You don't need to worry about physical layer compromises if your transaction layer protection is good.
Also, there are other savings here than just your time: Contactless transactions are cheaper to process than signed paper credit card transactions. Merchants can save a lot of money not having to pay cashiers to sit there and watch you sign the receipt, and credit card companies can save money not having to archive those pieces of paper.
Economic efficiency is good for everyone.
paintball
In Japan we have been using contactless technology for our daily needs for a while now. Good examples of the technology are Felica Suica and Edy.
As much as the /. crowd has been all skeptical about this technology, over here I've not heard of anything happening that could make headlines for this and I personally have been using them for my daily commute needs and have never had any sort of problems with them.
Now it's understandable that people are getting all finicky about something like this, but I say first try it out before you make comments about it. It's a lot better than walking around with a wad of cash and it sure as hell beats having to stand in line trying to buy a ticket for anything from airlines to trains.
Havin' it large, livin' the life, Welcome to the land of the rising sun.
I personally have 3 credit cards and 1 banking card. I'm curious what will happen if/when multiple companies pick up on this technology? If I wave my wallet near some type of scanner, which card will be selected?
If all you have are silver bullets, everything looks like a werewolf.
If you can't see why contactless credit cards are a terrible idea, then congratulations, you don't have a criminal mind!
Does all that talk about encryption make you feel warm and fuzzy? Don't let it. Encryption gives ZERO protection in this case, doesn't even need to be cracked. The criminal doesn't need to understand the information he is stealing, he just needs to route it to a card reader that does.
The difference here is that a person who keeps control of their swipeable credit card has the assurance that only businesses they trust have access to the card.
The odds that a traceable employee (with a job!) steals the card while in the backroom is much smaller than an anonymous person in the crowd at the mall.
Smart cards are actually little processors. With current credit cards, all the mag stripe has is your info repeating over and over. You swipe it, the reader gets the number and contacts your bank (indirectly, they actually talk to an auth network who talks to Visa/MC and so on) to see if you have the necessary funds. If so, it places a hold on those funds and the transaction goes through.
The problem is that the information isn't encrypted in any way so all someone needs to do is copy it.
Not the case with a smart card. What happens with those is a challenge is sent out by the machine and the smart card computes a response. It's public key crypto. So the bank gives or withholds authorization off of the correctness of the response to the challenge. So finding the correct answer to a given challenge is worthless, since they are always different. You can't copy the data off the card, they don't allow that.
Poke around on Google a bit if you are interested in the technology but that's what makes people interested in it. You have to physically steal the card to be able to do anything with it. Also, it can even have data written to it. If you use a GSM phone, your phone will have a smartchip in it. That chip contains your identity, so when a phone receives it, the phone takes on your phone number and service. However that's not all, you can write phonebook entries to the smartchip as well, so those will come with you.
The only real security concern at this point is the technology is new. In cryptography, things aren't proven strong in a single test, they are proven not weak by years of failing to be broken. Since smart cards are new, one hesitates to call them truly secure.
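The challenge/response flow described in the comment above, and the merchant-sends-a-random-challenge scheme from the earlier "bring on the RFID credit cards" comment, as an added example that is not part of the original thread. The `Card`, `Terminal` and `demo` names are hypothetical, and the RSA key is a constructed toy key (textbook RSA over two Mersenne primes) so the block runs on the standard library alone; it is far too small for real use.

```python
import hashlib
import secrets

# Constructed toy RSA key built from two Mersenne primes so the example runs
# with the standard library only. Far too small and structured for real use.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the card


def _digest(challenge: bytes) -> int:
    """Hash the challenge and map it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


class Card:
    """Hypothetical card: holds the private exponent and only ever signs."""

    def __init__(self, private_exponent: int):
        self._d = private_exponent

    def respond(self, challenge: bytes) -> int:
        return pow(_digest(challenge), self._d, N)


class Terminal:
    """Hypothetical merchant terminal: knows only the public key (N, E)."""

    def __init__(self):
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # fresh for every transaction
        return self._pending

    def verify(self, response: int) -> bool:
        challenge, self._pending = self._pending, None  # each challenge is single use
        if challenge is None:
            return False
        return pow(response, E, N) == _digest(challenge)


def demo() -> dict:
    card, terminal = Card(D), Terminal()
    first = card.respond(terminal.new_challenge())
    genuine = terminal.verify(first)   # live card answers the live challenge
    terminal.new_challenge()           # next transaction gets a new nonce
    replayed = terminal.verify(first)  # overheard response offered again
    stale = terminal.verify(first)     # no challenge outstanding at all
    return {"genuine": genuine, "replayed": replayed, "stale": stale}
```

Only the response to the terminal's current challenge verifies; a response recorded from an earlier transaction is rejected because the nonce has changed.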
RFID is a very good idea for many things, such as grocery tagging. For credit cards it's awful. There are only two possible states of an RFID credit card:
1) Safely in a sleeve, where no one can read it
2) Out in the open, where everyone in a certain radius can read it
In other words, you can't spend it without exposing it. Joe Hacker can hang out next to the checkout line at your grocery store for 5 minutes and get a dozen credit card numbers.
I don't care how much you encrypt it: it'll be cracked, and sooner rather than later. The fact that they are compounding this with no regulation of requiring signatures is one of the worst security decisions I've ever heard of - far worse than anything Microsoft has ever put out, and that INCLUDES ActiveX. Because ActiveX breaches don't immediately and directly cause credit card numbers to get stolen en masse unless combined with social engineering.
Umm, Slashdot has made this mistake before and it will make it again, so let me say this:
THIS IS NOT RFID.
RFID is a term used to describe a number of standards.
Chase is deploying "contactless smartcards" (ISO 14443). Contactless smartcards, like regular smartcards, use public-key encryption technology. Being able to activate / read the card does zero good, because the secret is stored in the card and never revealed.
ISO 14443 is also far more secure than magstripe cards, which have no encryption whatsoever.
I mean c'mon people - we're talking about a huge bank here - do you really think Chase is that stupid to deploy a technology so insecure that people's "wallets" can be secretly "scanned" from across the room?
As a matter of fact, yes.
Especially considering that American banks are WAY behind the rest of the world in areas like using one-time pads or multi-factor authentication. Heck, Bank of America actually only requires use of your 4-digit PIN number from your ATM account.
In my experience, you are actually more likely to get intelligent solutions to identity theft from smaller institutions. If something "funny" goes on with my account, THEY CALL ME personally FROM THE BRANCH, with a friendly voice I recognize. They also by default have passwords set up on accounts (and discourage the use of common passwords like maiden names).