Slashdot Mirror


Chase Deploying "Touchless" Credit Cards

Rick Zeman writes "As reported by Money Magazine, J.P. Morgan Chase, the US' 2nd largest bank, is rolling out 'contactless' credit cards, presumably using RFID technology. 'The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers' which leads me to wonder if the next crime wave of the future will be criminals walking through crowds with readers to grab customer info. Chase says, however, that 'new cards are embedded with encryption software to prevent duplication and data theft' but since RFID has been cracked before, and the criminals are usually more clever than the vendors...."

8 of 373 comments

  1. why not by Festering+Leper · · Score: 5, Insightful

    store it in a shielded sleeve until you use it?

    --
    if you want people to think you know what you are talking about, just put ".com" at the end of everything you say.com
    1. Re:why not by gkuz · · Score: 5, Funny
      Do you keep your credit or debit cards in a protective sleeve now?

      Yes. It's called a "wallet".

  2. Few Details by AKAImBatman · · Score: 5, Informative

    The article doesn't give too many details, but my guess is that this is nothing more than a SmartCard, similar to the American Express "Blue" card. SmartCards have had contactless technology for nearly a decade that utilizes induction technology to communicate back and forth. The reader on the terminal is then able to talk to the microprocessor on the card, usually sending information that is then verified using encryption technology. (Think: public key encryption.) As a result, it's not possible to just run around and collect the info from cards, because they'll never give out secure information. They only give back cryptographically secure results. (At least, that's how it's supposed to work.)

    Note that existing contactless technology is sufficient for this credit card, with a maximum range of up to 10cm. Such technology is supposedly already in use in Europe. (Europeans care to share your experiences?)

    That's my guess anyway. I'm sure someone else can add a few details or make corrections.

    1. Re:Few Details by hawado · · Score: 5, Informative

      I worked for a company here in Japan, where the use of these types of contactless smart cards is widespread, which used this technology for fare collection. The biggest problem I had and still have with the system here is that you load up your card with virtual money. So in essence you pay before you play.
      We used these cards to sign in and out of work as well as to pay for lunch at the cafeteria.
      A number of phone manufacturers here are also putting this technology into their phones so you can swipe your phone to pay for things at stores. The main supplier of the actual chip is Sony, under the name Felica.
      Now here, it is impossible to use your bank card to pay for anything. The service is just not available as it is in North America or Europe.
      As to the security of the smart cards, the only information on the card is your personal account number and how much money you have on the card. At the end of the day, on mobile fare collection systems anyways, the data is transferred at the depot to a server which updates the main account information. As to store systems, the data is retrieved immediately from the server and updated.
      If your card is stolen or lost, it is like losing cash, at least until you call the card issuer and they freeze the account.
      I am not sure about how this may affect the magnetic strip on most credit cards, but a magnetic field generates the electrical power required by the chip on the card to 'transmit' the data to the reader.

      --
      Feed my eyes...
  3. To be fair by hoka · · Score: 5, Interesting

    You need to be at a relatively close range to RFID to get a "solid" reading. Sadly a lot of people are under the assumption that you can basically just pull out a huge giganto RFID reading cannon and know what an entire house's worth of data is. It isn't true, and RFID is frankly not really that robust of a technology yet. It would not surprise me in the least if a lot of these cards end up failing due to extremities that cause deformities in the RFID, rendering it completely useless. Me personally? I'm sticking to my card that I have to slide, not that it is necessarily any safer.

  4. it might not be rfid by Naikrovek · · Score: 5, Interesting

    I've worked on wireless smart cards that act similarly to RFID cards, but have very good encryption, even public/private key encryption. Smart cards have their own computers on them, so you can have a challenge/response, or just about any kind of encryption you can think of.

    Those are just as hard to crack as PGP emails. Not at all easy.

  5. Contactless Tech, Old news? by Hido · · Score: 5, Informative

    In Japan we have been using contactless technology for our daily needs for a while now. Good examples of the technology are Felica, Suica and Edy.

    As much as the /. crowd has been all skeptical about this technology, over here I've not heard of anything happening that could make headlines for this and I personally have been using them for my daily commute needs and have never had any sort of problems with them.

    Now it's understandable that people are getting all finicky about something like this, but I say first try it out before you make comments about it. It's a lot better than walking around with a wad of cash and it sure as hell beats having to stand in line trying to buy a ticket for anything from airlines to trains.

    --
    Havin' it large, livin' the life, Welcome to the land of the rising sun.
  6. THIS IS NOT RFID by RzUpAnmsCwrds · · Score: 5, Informative

    Umm, Slashdot has made this mistake before and it will make it again, so let me say this:

    THIS IS NOT RFID.

    RFID is a term used to describe a number of standards.

    Chase is deploying "contactless smartcards" (ISO 14443). Contactless smartcards, like regular smartcards, use public-key encryption technology. Being able to activate / read the card does zero good, because the secret is stored in the card and never revealed.

    ISO 14443 is also far more secure than magstripe cards, which have no encryption whatsoever.
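
Added example, not part of the original thread or of any commenter's post: a small model of the distinction the comments above draw between a tag that returns a fixed identifier and a card that answers a fresh challenge using a secret it never reveals. HMAC-SHA256 with a shared key stands in here for the public-key scheme the commenters mention; every class name, the identifier and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class StaticTag:
    """Constructed model: answers every read with the same identifier."""
    def __init__(self, ident: bytes):
        self.ident = ident

    def respond(self, challenge: bytes) -> bytes:
        return self.ident  # the challenge is ignored


class ChallengeResponseCard:
    """Constructed model: the key stays inside; only a MAC over the challenge leaves."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Replayer:
    """Returns one previously recorded response, whatever the challenge is."""
    def __init__(self, recorded: bytes):
        self.recorded = recorded

    def respond(self, challenge: bytes) -> bytes:
        return self.recorded


def verify_static(device, expected_ident: bytes) -> bool:
    return hmac.compare_digest(device.respond(secrets.token_bytes(16)), expected_ident)


def verify_challenge_response(device, key: bytes) -> bool:
    challenge = secrets.token_bytes(16)  # fresh nonce for every transaction
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(device.respond(challenge), expected)


def demo() -> dict:
    ident, key = b"constructed-account-0001", secrets.token_bytes(32)
    tag, card = StaticTag(ident), ChallengeResponseCard(key)
    recorded_tag = tag.respond(secrets.token_bytes(16))    # one observed exchange
    recorded_card = card.respond(secrets.token_bytes(16))  # one observed exchange
    return {
        "genuine_tag": verify_static(tag, ident),
        "replayed_tag": verify_static(Replayer(recorded_tag), ident),
        "genuine_card": verify_challenge_response(card, key),
        "replayed_card": verify_challenge_response(Replayer(recorded_card), key),
    }
```

In this model the recorded static identifier is accepted by the reader, while the recorded challenge response is rejected because the reader issues a new nonce each time.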