Slashdot Mirror


MasterCard To Distribute RFID Credit Cards

wellington writes "Reuters is reporting that MasterCard expects to have 4 million "pay pass" cards in circulation by year's end. These new cards will be equipped with a radio-frequency chip that allows customers to pay for purchases by simply waving their cards at readers posted near cash registers or gas pumps." The cards, previously covered on Slashdot, were announced earlier this year.

382 comments

  1. More fraud? by Hidyman · · Score: 5, Interesting

    How long until crooks have portable swipers to get your card info?
    Hope you don't have your ID, they might get that info, too.

    --
    You can't take the sky from me ...
    1. Re:More fraud? by The Clockwork Troll · · Score: 5, Interesting
      On the flipside, the card never has to leave your physical possession.

      MC's gamble is that contactless payment will thus thwart more fraud than it facilitates, while simultaneously encouraging consumers to buy more goods and services, because the PayPass transaction is perceived to be "easier" than exchanging cash or presenting plastic.

      --

      There are no karma whores, only moderation johns
    2. Re:More fraud? by should_be_linear · · Score: 1

      1. Create portable swiper 2. Visit major football event 3. Profit!

      --
      839*929
    3. Re:More fraud? by jrockway · · Score: 5, Insightful

      This doesn't make any sense. The time consuming part of a credit card
      transaction is where the cashier checks your signature against the one
      on the back of the card. If you just touch the card, there's no way
      for anyone in authority to verify that you are you. This makes me
      slightly uneasy. Handing the cashier the card and signing wasn't
      really that hard.

      The only place where RFID cards are convenient is for rapid transit
      fare control. You want to get through quickly, and swiping a card is
      actually cumbersome. I first experienced this when I was in
      Japan, and the normal card readers there were pretty good so it wasn't
      much of a difference. (More of a novelty really, but I bought in and
      used JR instead of the subway for my monthly pass... google SUICA if
      you're interested.)

      Here in Chicago, though, it's great. The normal farecard readers take
      *forever* to read the card (you'll know this if you're from Chicago),
      but the new RFID-based "Chicago Card" is really really fast and speeds
      boarding onto busses which means you get a seat quicker and get to
      where you're going quicker.

      But for credit cards, this is a security risk.

      --
      My other car is first.
    4. Re:More fraud? by petej2310 · · Score: 5, Informative

      Spreading FUD...u should all work for BILL!!!
      These cards are based on SMARTCARDS and the EMV standards (3DES, PKI, challenge-auth techniques) against which millions of credit and debit cards have been issued. The only difference is that they use an RF interface to provide comms and power the chip.
      See http://en.wikipedia.org/wiki/ISO_14443/
      They ARE NOT RFID tags, they do not emit your card number, banks (as others have correctly posted) are smart enough to NOT provide OTHER avenues of fraud.

    5. Re:More fraud? by Neil Blender · · Score: 5, Interesting

      I was in Hong Kong a while back. They have something called an Octopus card, which is an RFID card that you can charge with dollars money. It's mostly used for mass transit, but you can use it in many stores, phones, parking, etc. It was pretty slick - you'd scan it and the reader would tell you how much you had left on it.

      The cool thing about it is you just add money to it as needed, it's not tied to any personal bank account or linked to you in any way. If you lose it, you are out of luck but even if someone could hijack your signal, the most you'd ever lose is what was on the card.

      Thinking of it just now, Hong Kong is pretty damn high-tech. You'd think if it was so easy to capture RFID, there'd be signs saying "Be sure to protect your card" or something. There were plenty of signs everywhere warning you of various laws and dangers. Everyone, and I mean everyone, has one of these Octopus cards in Hong Kong (well, I read 95% of them do because no one has cars.)

    6. Re:More fraud? by iamdrscience · · Score: 5, Insightful
      "The time consuming part of a credit card transaction is where the cashier checks your signature against the one on the back of the card."
      Have you ever used your credit card? It's pretty rare that cashiers will check your signatures, particularly if you're paying for something under $100. Try working as a clerk somewhere and notice the looks you get if you take the time to compare a signature, not to mention the arguments that will erupt with the few customers whose signature doesn't match, but are the legitimate owner.

      People don't expect to have their signature checked, especially for small purchases. I've worked as a clerk, even people who write "SEE ID FOR SIGNATURE" on their card's signature line will be confused when you ask to see their ID, most forget they have it written on their card or are not used to actually being asked for it.
    7. Re:More fraud? by Jim Haskell · · Score: 4, Interesting

      This is completely contrary to my experience. Every time I've ever paid with a credit card, the person accepting my credit card has never looked at the back of my card. In fact, (and, yes, I just looked,) my credit card isn't even signed. Signatures are not a security measure -- they're a formality. There's a light-hearted look at the issue here.

    8. Re:More fraud? by Lord Kano · · Score: 1

      As I understand it, these aren't really RFID cards but just imagine the mayhem if all you had to do was stand outside of your local mall smoking and rip off every RFID card that passed by.

      Or a corrupt janitor could install a sniffer inside of a garbage can in a high traffic area.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    9. Re:More fraud? by thelonestranger · · Score: 2, Interesting

      War driving for credit cards? Get a scanner sit on a motorway bridge and fleece 30 people a minute.

      --
      To err is human. To forgive is not company policy.
    10. Re:More fraud? by jrockway · · Score: 4, Interesting

      I believe that JR's (Japan Railways) Suica card is now being accepted as cash in a number of places. I know that if I still lived in Tokyo I would definitely use this to pay for things like coffee, etc, just because it's so damn convenient.

      I would appreciate that when I buy a laptop or something that they would pretend to watch me sign the receipt, though :)

      --
      My other car is first.
    11. Re:More fraud? by Anonymous Coward · · Score: 1, Interesting

      For all those people who think this is a good idea, try this web site.

      http://rfidanalysis.org/

      Scary.

    12. Re:More fraud? by MyGirlFriendsBroken · · Score: 1

      "The time consuming part of a credit card transaction is where the cashier checks your signature against the one on the back of the card"

      In the UK, and I believe a lot of the rest of Europe now, PIN numbers are used as opposed to signatures. So with this method you still have to enter your PIN into the keypad to complete a transaction, but don't have to get the card out. The main benefit here I guess is that you can't leave your card/wallet on the counter etc. Of course cloning of the card is I guess just as easy, or easier as the cashier doesn't look at the card so visually it doesn't have to be a good fake, and reading the RFID details may be easier.

      --
      If you read a speed reading book, does it take you less time to read the second half?
    13. Re:More fraud? by gravij · · Score: 5, Interesting
      "The time consuming part of a credit card transaction is where the cashier checks your signature against the one on the back of the card."
      I disagree. When I worked on a checkout in a supermarket I found the most time consuming part of the transaction was:
      • waiting for the customer to search through their wallet for the right card,
      • swiping it a few times,
      • forgetting to press ok to confirm transaction,
      • waiting for the system to connect and authenticate,
      • waiting for the slip to print out.
      Handing the slip to the customer, them squiggling on it and me having a quick look to see if the two squiggles matched was not the hold up in the process.
    14. Re:More fraud? by E8086 · · Score: 4, Insightful

      "On the flipside, the card never has to leave your physical possession."

      It rarely has to anymore. Most stores have installed credit/debit card readers for their customers, thanks to that scare a while back that cashiers were stealing credit card numbers. The only time my card leaves my possession is with the older style BoA/Fleet ATMs that still want to hold on to your card until the transaction is complete. I hope they will still require a PIN/passcode along with the card or maybe a thumb held on a scanner while the PIN is entered with the other hand.

      Or they could try making the cards smaller. Who says a credit/debit card has to be 3.5"x2"? Yes, it fits perfectly in a wallet, but so does a 3.5" floppy in a shirt breast pocket. I remember seeing commercials of credit cards designed to fit on a keychain, it even had a protective case. A credit card can easily be reduced to 1" high, if you examine one you'll see that the top half contains the magnetic strip and the signature box and the bottom has the number, exp date and name. And they're on opposite sides of the card.

      Remember, RFID that claims to be read at only up to 6" can really be read at up to 70'
      The tinfoil wallet is too passive an approach and can only protect the card while it's in the wallet, not in use. It's time to modify a PDA RFID scanner to be an RFID jammer.

      RFID passports, RealID cards and credit cards. What's next RFID birth certificates and social security cards? That will add a new level to wardriving and even war/RFID walking in malls.

      --
      F7 doesn't work, ignore spelling and grammar
    15. Re:More fraud? by lendude · · Score: 1

      As a tourist, another great thing about the Octopus card is that at touristy type areas/venues they have readers which will add a small credit value to your card - so basically if you walk a little to find these chargers you could, after an initial charge paid for by yourself, get around very cheaply.

      --
      "Get off the cross - we need the wood" - Tori Amos
    16. Re:More fraud? by Jason1729 · · Score: 1

      Why don't we go with instantly....

      I picked one up a couple of weeks ago when the store was donating their gross income for the day to a Katrina fund. It's advertised in Make vol 3.

    17. Re:More fraud? by shadowmas · · Score: 2, Insightful

      True, they seem to be secure, but smartcards have been hacked to a certain amount. The problem is that these kinds of cards make hacking attempts very attractive because the hacker can attempt to hack a card without the owner of the card getting any indication that such a hack is taking place. With a traditional card someone would have to steal the physical card, which you would notice within a day or two at max, but with these sort of cards you wouldn't know that something went wrong till the monthly bill comes. (I'm only considering the card-present transactions here, since online transactions only need the card's number and it wouldn't make a difference as to whether it's a smart card or a normal card.)

    18. Re:More fraud? by Gordonjcp · · Score: 3, Interesting
      It's a lot harder to clone "Chip and PIN" cards, because they are very difficult to program. There is surprisingly little security-by-obscurity involved, and lots of things like 3DES and rotating keys uploaded from the till on a regular basis, and stuff like that.


      The big problem is with vending machines and the like that use Chip and PIN. We have a cashless vending system that can be topped up with either cash or a credit or debit card. Great. The problem is that instead of a small (calculator-sized) PIN pad that's difficult to shoulder-surf, you enter your pin on a 6" square keypad on the big, bright touchscreen on the front of the unit. This kind of defeats the purpose.

    19. Re:More fraud? by xSauronx · · Score: 1

      I never got the idea of this because sliding my card through a reader really isn't the big stretch of time for me when I go shopping...the actual shopping is. Glad someone cares enough to save me 6 seconds though.

      --
      By and large, language is a tool for concealing the truth. -- George Carlin
    20. Re:More fraud? by Znork · · Score: 2, Interesting

      "The only place where RFID cards are convenient is for rapid transit fare control."

      Nah, they're also very convenient for assassins or terrorists who want to create ID-triggered explosive devices. Just imagine how practical when you can leave a device, and a few weeks later when the victim walks by, there goes the boom.

      Any remote ID that doesn't require the owner's active cooperation is a security risk.

      I expect tinfoil wallets to become commonplace.

    21. Re:More fraud? by Anonymous Coward · · Score: 1, Informative

      In the paper 'picking virtual pockets using relay attacks on contactless smartcard systems' by Avishai Wool and Ziv Kfir, it has been shown that a simple relay attack on RFIDs is feasible, and the range of those cards can be maliciously extended.

      Here's a link to the paper:
      http://eprint.iacr.org/2005/052.pdf

      and from http://www.uncoveror.com/rfid2.htm

      ...
      The manufacturers of these devices insist that they have a limited range, but hackers have always been able to build antennas to extend the range of any wireless device. Sometimes a simple Pringles can, a coax connector and a soldering iron are all they need to rig one up. A similar home-brewed contraption was how they got Paris Hilton's address book. Also, if a hacker, mugger or terrorist's RFID reader is too far away from a chipped passport, it can always piggyback data from a legitimate reader, and no one will ever know. ...
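
The distinction drawn in comment 4 (a card that answers a fresh challenge versus a tag that emits its number) and the relay result cited in comment 21, modelled side by side from the reader's point of view. This is an added example, not part of the thread or any poster's code; HMAC-SHA256 stands in for the card's cryptography (it is not EMV), and the class names, channel functions and latency figures are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed latency figures (microseconds), for illustration only.
DIRECT_RTT_US = 300       # card held at the reader
RELAY_EXTRA_US = 20_000   # extra delay when the exchange is forwarded over a second link
RTT_LIMIT_US = 1_000      # round-trip bound the hardened reader enforces


class StaticTag:
    """Answers every query with the same identifier, whatever the challenge."""

    def __init__(self, number: bytes):
        self.number = number

    def respond(self, challenge: bytes) -> bytes:
        return self.number


class ChallengeCard:
    """Never reveals its key; proves possession by MACing the reader's challenge."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


# A channel is what the reader actually talks to: challenge -> (response, rtt_us).
def direct(card):
    return lambda challenge: (card.respond(challenge), DIRECT_RTT_US)


def replay(recorded: bytes):
    # Plays back a previously observed response, ignoring the new challenge.
    return lambda challenge: (recorded, DIRECT_RTT_US)


def relay(card):
    # Forwards the live challenge to the genuine card; only the timing changes.
    return lambda challenge: (card.respond(challenge), DIRECT_RTT_US + RELAY_EXTRA_US)


def static_reader_accepts(channel, enrolled_number: bytes) -> bool:
    response, _ = channel(b"")
    return hmac.compare_digest(response, enrolled_number)


def cr_reader_accepts(channel, key: bytes, rtt_limit_us=None) -> bool:
    challenge = os.urandom(16)  # fresh per transaction, so old answers are useless
    response, rtt_us = channel(challenge)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(response, expected):
        return False
    # Optional round-trip bound: the only check here that notices a relay.
    return rtt_limit_us is None or rtt_us <= rtt_limit_us


def run_demo() -> dict:
    number = b"0000-CONSTRUCTED-NUMBER"  # constructed sample value
    key = os.urandom(16)
    tag, card = StaticTag(number), ChallengeCard(key)

    # One earlier exchange of each kind, as an eavesdropper would have seen it.
    recorded_static, _ = direct(tag)(b"")
    recorded_cr = card.respond(os.urandom(16))

    return {
        "static_tag_replay": static_reader_accepts(replay(recorded_static), number),
        "challenge_card_genuine": cr_reader_accepts(direct(card), key),
        "challenge_card_replay": cr_reader_accepts(replay(recorded_cr), key),
        "relay_no_timing_check": cr_reader_accepts(relay(card), key),
        "relay_with_timing_check": cr_reader_accepts(relay(card), key, RTT_LIMIT_US),
        "genuine_with_timing_check": cr_reader_accepts(direct(card), key, RTT_LIMIT_US),
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:28s} accepted={accepted}")
```

Challenge-response defeats playback of a recorded answer, but a reader that checks only the cryptography cannot tell a card at the counter from one answering through a forwarded link; the round-trip bound is what separates the two in this model.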

    22. Re:More fraud? by DrXym · · Score: 4, Informative
      I believe some countries allow you to use your rapid transit card to make small purchases. In addition of swiping your card to be allowed through a gate you can buy a bar of chocolate or a newspaper or other small transactions. Apparently London is piloting doing such a thing with their Oyster card.


      It makes sense, if you have a card which is acting like pocket change, to allow this. You deplete the credit and then you top it up. You can only spend as much as you have on the card so it has a natural cutoff. Since you buy the card with cash from a machine, the card is effectively acting like semi-anonymous currency.


      It doesn't make much sense to do the same with a credit card, unless the credit card imposes a hard limit on what you can spend in such a manner. And I don't mean per item - I mean total that you deplete and must be topped up either by you or a preset top up. Otherwise what's to stop someone reading your RFID and making their own purchases by spoofing yours?


      It doesn't really make sense to even embed the RFID into the credit card anyway. Are Mastercard going to be happy with reissuing cards to hundreds of people for the sake of thieves leeching $10 a day off them? How does a customer or Mastercard even spot suspicious transactions for tiny items anyway until the statement arrives?


      It seems smarter for the RFID to be on a separate card - to be more like a gift card that can be topped up at the discretion of main card holder. These could be sold anywhere and it would be easy for someone to buy a couple of them and set them up with their main account. Then if someone steals one, you simply don't top it up anymore. This would of course require Mastercard or whoever to stop gouging owners of these cards by charging a monthly "administration fee", but if they wanted to see the scheme work, they'd waive it.

    23. Re:More fraud? by Anonymous Coward · · Score: 1, Informative

      With the olde-fashioned disposable magnetic stripe cards we use in london you can walk through the readers without breaking stride (unless you are a tourist, grr.). There are oyster cards (rfid) too but they're just for big brother's benefit.

    24. Re:More fraud? by ajs318 · · Score: 1

      Ah yes ..... the London Underground. Guaranteed to make even a hardcore Brummie feel like a country boy .....

      --
      Je fume. Tu fumes. Nous fûmes!
    25. Re:More fraud? by The Clockwork Troll · · Score: 1
      "This doesn't make any sense. The time consuming part of a credit card transaction is where the cashier checks your signature against the one on the back of the card."
      This probably should be the most time-consuming part but anecdotally folks (including myself) spend more time getting the card, handing it to the cashier/waiter/clerk/etc., waiting for them to (walk back to and) run the card through the register, waiting for receipts to print, waiting for them to walk back to you, getting your signature, (theoretically) checking your signature, separating the merchant copy from the customer copy, etc. It's not closing a mortgage but gratification can always be a little more instant - that's what MC's going for here.

      "If you just touch the card, there's no way for anyone in authority to verify that you are you"
      Yes, without any sort of biometric or other guard, it reduces to possession is authentication. Again it's a gamble that this will facilitate more purchases than fraud.

      "The only place where RFID cards are convenient is for rapid transit fare control."
      That's the only place they'd be convenient? Really? Or is it just the only application with which you could be comfortable using them? Fraud and debt issues conveniently aside, PayPass approaches waving your hand to make a purchase, like some sort of magician. What could be more convenient to consumers (or yes, to thieves too)?
      --

      There are no karma whores, only moderation johns
    26. Re:More fraud? by Anonymous Coward · · Score: 2, Funny

      While working as a clerk I would constantly come across unsigned cards. I'd tell the customer I would like to see id to make sure the card was at least owned by someone with the same name as they had. They would invariably reply
      C: "It's OK, I'll sign it now"
      Me: "But then it's bound to match"
      C:?

    27. Re:More fraud? by Stween · · Score: 2, Informative

      Your comment deserves to be marked as funny, rather than informative; I laughed out loud.

      Having done a lot of bar work, it's surprising how much the customer does hold up the whole process of paying. The whole hunting for cash thing is irritating, but so is the downright stupid "I don't know what I want yet". Uh-huh...

      What irritated me the most though were the customers who carefully placed their money on the bar in front of you, while you stand there with your hand out to receive said money. All too often I was tempted to place their change on the bar just as they did to me, to make my point crystal clear, but unfortunately never did.

    28. Re:More fraud? by Tony Hoyle · · Score: 4, Interesting

      A pickpocket who gets your card can also get your PIN and clean you out... no cloning needed (that's actually quite hard although not impossible). The whole point of C&P was to shift responsibility - if someone uses your pin to make a transaction *you* are liable even if the card was stolen.. there's a basic assumption that only you know your pin.

      I *really* hate the way they limited it to 4 digit pins. I'd rather have a 10 digit one - much less chance of a casual thief being able to memorise it on the first shot. Leave it at 4 for the AOL users, but I'd rather have some security thanks.

      Signatures were way better in many ways... everywhere round here was really strict about checking them.

      The worst of course are the supermarket 'self service' checkouts - they don't ask for a signature *or* a pin - no security at all... you swipe the card and walk away.

    29. Re:More fraud? by Anonymous Coward · · Score: 0

      "Have you ever used your credit card? It's pretty rare that cashiers will check your signatures,"

      It depends on the country. In the UK they seem pretty determined to check it for credit and debit cards unless you are a regular customer.

    30. Re:More fraud? by fuzheado · · Score: 2, Interesting
      Yes, everyone in HK has them, and most places in Asia - where public transit is the norm - are adopting similar RFID cash systems. Bangkok, Thailand; Shenzhen, China; Singapore.

      They are finding quite novel uses for it. In Hong Kong, many apartment buildings use the Octopus card unique RFID as a "cookie" for residents to get access. In places around town, folks can also pick up "digital coupons" that become embedded in the card and used for discounts at the point of purchase.

    31. Re:More fraud? by justasecond · · Score: 1

      Yah, it's pretty rare to check for a sig. This page has a nice writeup from a guy who decided to see how far he could go in goofing around with the signature.

    32. Re:More fraud? by NidStyles · · Score: 0

      I have no idea where in the US you live, but I'm always asked to show them my card. Even when I use my debit card they ask to see it, and some ID.

      --
      Yes, I said it.
    33. Re:More fraud? by maxwell demon · · Score: 2, Funny
      "RFID passports, RealID cards and credit cards. What's next RFID birth certificates and social security cards?"

      To prevent physical stealing of personal RFID cards, you'll get an RFID chip implanted in your forehead. Which means that you can pay by banging your head against the cash desk.
      --
      The Tao of math: The numbers you can count are not the real numbers.
    34. Re:More fraud? by willCode4Beer.com · · Score: 1

      "It's a lot harder to clone..."

      haha, forgive me for laughing but, it used to be hard to copy normal credit cards, now you buy kits to make them online pretty cheap.
      It used to be "hard" to copy CDs.
      It used to be "hard" to copy DVDs.


      My solution for the big touchpads. First, just glance around that no one near you has their cell phone (camera) out. Block their view as best as possible with your body. Enter 8 digit pin. Most people are used to a 4 digit pin so the unexpected blows them off. Note: sometimes cashiers are freaked by the bigger pin number.
      Finally, do business with a bank that lets you change your pin at the ATM. Then change it every once in a while and make it big.

      --
      ----- If communism is a system where the government owns business, what do you call a system where business owns govern
    35. Re:More fraud? by Nuskrad · · Score: 1
      Yeah, I've been stopped because I signed my name differently to my card (my card uses my first initial and surname, I signed with my full first name and surname). I had to show ID and the manager had to come and approve the transaction. It was only £25.

      However, signing is being replaced by Chip&Pin now, so all it takes is for someone to look over your shoulder and grab your pin (but on the plus side, if someone just finds the card, or swipes it in the post, they won't have much luck - unless they say they forgot the pin and ask if they can sign for it instead, most places say yes)

    36. Re:More fraud? by MinotaurUK · · Score: 1

      Not RFID, but I remember something about 5 years ago at a few UK Universities that was very similar - think it was called Mondex. Essentially there were terminals around campuses where you could charge these cards up either with cash or with a debit card. They were accepted in all campus outlets, a few local bus companies, etc.

      Certainly in Exeter (where I was at the time) they canned the project due to "lack of use". Which was surprising since everyone used the things all the time.

    37. Re:More fraud? by Skye16 · · Score: 3, Interesting

      When I worked for Pac-Sun (don't ask), we had to match signatures. It wasn't a cursory glance. One signature was completely off. I told them I couldn't accept that card. She said "It's okay, it's my Daddy's!" and I'm like "uhh...you can't sign your Dad's name for a purchase you're making." She got all pissy, the manager came over and she told her the exact same thing. So then the girl called Corporate. They told her the same thing. She left, all pissed off.

      Personally, I do the see ID route. I get angry when most stores don't check. A gas station we have in western PA, Sheetz, doesn't actually require a signature for amounts under 20$. So they don't bother checking. I don't know whether I'm okay with that or not, but I guess that, since it's under 20$, it's no big deal, to either party.

      But that's enough rambling anecdotes for the day. :]

    38. Re:More fraud? by bhiestand · · Score: 1

      After reading your post, I laughed for a minute. Then I remembered that this was true.

      I know nothing about your current employment status, but I wish I had a job to offer you right now.

      --
      SWM seeks new sig for a brief fling
    39. Re:More fraud? by AdderD · · Score: 1

      I think a great idea would actually be to allow customers to buy a device or have a location where they could go to check up on the smartcard accesses. If you see a bunch of accesses to the card and you know you didn't use it at that time then it's a big indication that something is wrong. It might be a bit cumbersome to have to manually check though... If it were possible then having the smartcard vibrate when it is accessed would be ideal. Unfortunately I'm sure RF signals can induce nowhere near enough amperage to do something like that. Having a watch battery for the vibrator would work though. Then if your keychain vibrates when you walk by a suspicious guy w/ a laptop then you know what's up. ;-)

    40. Re:More fraud? by hcob$ · · Score: 1

      Maybe they will ship wrapped in a small, foldable faraday cage like they are doing with the US passports. That way you just have to say:

      "'Scuse me while I whip this out!"

      --
      Cliff Claven
      K.E.G. Party Chairman
      Founding Leader of: Koncerned for Egalitarin Governance
    41. Re:More fraud? by Anonymous Coward · · Score: 0

      This is exactly MC's motivation for moving to RFID. The number one place where a credit card is compromised is a restaurant. Why? Because your credit card leaves your sight. By letting the consumer keep the card on hand they already reduce fraud exposure.

      One needs to understand that fraud is a multi-billion dollar loss per year for credit card associations. Even a reduction of 1% is enough to make something worthwhile.

      RFID is also a cheaper approach for MC to reduce fraud than the Euro MasterCard VISA (EMV) chip and pin approach. EMV is significantly more secure; however, due to the infrastructure and implementation costs, it is likely never to fly successfully in the US (and likely in Canada despite numerous efforts).

    42. Re:More fraud? by Fordiman · · Score: 1

      portable?

      Hell, an RFID reader connected to a small parabolic dish to increase its range. You could be swiping people's credit card from 100 yards.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    43. Re:More fraud? by tocs · · Score: 1
      "the most you'd ever lose is what was on the card"

      I thought the point is that this is a credit card and with a credit card you could lose a lot more. It might even reflect on your credit rating.

    44. Re:More fraud? by Anonymous Coward · · Score: 0

      The other side of that is the cashiers who tell me 'We can't accept an unsigned card - but that's ok, just sign it now."

      Umm....???

    45. Re:More fraud? by khazad · · Score: 1
      "The time consuming part of a credit card transaction is where the cashier checks your signature against the one on the back of the card."

      I honestly can't remember the last time a cashier checked the signature on the back of my credit card, which is another issue entirely. My card wasn't even signed for about a year, and I only had one person ask me for further identification. That's very disturbing to me.

    46. Re:More fraud? by muellerr1 · · Score: 1

      Your cc# will still be printed on the card. There is nothing forcing small merchants to upgrade to RFID scanners, and some of them (at least in the US) still have the old carbon copy swipers that don't need any technology at all.

      My point is, any store clerk who feels like they're not being paid enough can pretty easily steal your credit card information because you gave it to them anyway. Any disgruntled database admin or developer can take a peek at the field labeled 'CC_Number' which are all too often not even encrypted. The only way to keep your account safe is to never use it.

      If someone really wants to steal your credit card number, they'll find any one of a number of ways to do it. Hell, mine was stolen by an automated script that *guessed* at the number. At least that's what my CC company told me.

      As long as the CC companies make it extremely easy to dispute and refund unauthorized charges, I don't care how the system works, just that it does.

    47. Re:More fraud? by hackstraw · · Score: 1

      "forgetting to press ok to confirm transaction"

      Fortunately, this is a dying "feature" of CC transactions.

      The cashier tells you the amount, asks you how you want to pay, you reach into your wallet and pull out your card, you swipe the card yourself, and then a "Do you really want to buy this?" dialog question comes up. I've asked many a cashier if anybody has said "No", and none have.

      That is the perfect example of a PHB wisdom at its finest.

    48. Re:More fraud? by debraj · · Score: 1

      Why can't we have credit card companies map a customer's account information to a biometric ID? For example, I go to a store and place my thumb on a reader and enter a PIN. No more carrying any credit cards or anything!!

      I suppose contact-less payment systems have more utility - as illustrated by /. readers who posted about rapid transport fare payment systems, etc. Besides, I am not aware of the cost implications of biometric readers versus RFID readers.

    49. Re:More fraud? by TripleE78 · · Score: 1

      The DC Metro system has something called the SmartCard that's very similar. They didn't catch on right away, but about a year ago, the stations with parking lots were switched from a cash system to a card only system. Anyone who parks at a metro station needs a SmartCard to leave when the parking lot is open.

      The downsides are that unmanned systems mean you have to pay later (manned lots used to be free after 10 pm, now it's after midnight), and that short timers are confused by the cards if they need to get one. The upshot, though, is that less people are using those paper tickets, and the lines move faster. Also, I haven't had to use it much, but SmartCards do work great on the DC bus system.

      I'm not a huge fan of RFID, but in this case, it works well. I'm also a fan of the fact that it's pay as you go, and no personal info is on the card itself. You have an option to register, but that's stored off the card, and used to claim money if the card is lost.

      ~EEE~
    50. Re:More fraud? by Evil W1zard · · Score: 1

      I still don't even know why we do the signature thing in the US anymore as no one ever checks it really. (I know some ppl look at the back of the card but how often do you really see someone verify that the signature matches?) Instead of moving directly to RFID why don't we do what the UK does and instead of a signature we require the buyer to enter a PIN in whenever they want to use their card. Seems to be a very simple concept that would make it much more difficult for the common crooks to use stolen CC's?

      --
      News Reporters Make Tasty Polar Bear Treats!
    51. Re:More fraud? by Anonymous Coward · · Score: 0

      Maybe the stores by you are different, but I can't recall the last time I had my signature checked.

      Most of the time they never even touch the card because they have you swipe it on the box at the checkout.

      The most annoying thing is the rare time they do check, see it's not signed and have you sign it there, which completely defeats the purpose of checking and ID.

    52. Re:More fraud? by Anonymous Coward · · Score: 0

      I've never really understood how checking the signature is particularly helpful. In my case, my signature seems to change a lot depending on the surface - the plastic signature-capture terminals have a different amount of friction against the pen than a piece of paper, and a vertical or tilted surface is different than a flat surface. Plus, my handwriting is just plain messy.

      When I went to take the GREs, they ended up checking my signature against just about every card in my wallet. "The 'm' matches that one, but not this one. But the 'w' on this one is right - but not on that." It's a good thing that the test itself is all computerized.

      As an aside, isn't it possible to use someone else's card if you are authorized to do so, but you'd have to sign it as "abc, as an agent for xyz"? That is, you have to state that you are authorized by the cardholder to make a purchase on their behalf? But, it's been awhile since I've read the UCC.

    53. Re:More fraud? by AnnualSparrow · · Score: 3, Insightful

      It would help if the UI wasn't completely different on every single POS machine I've ever used. Even a particular store will sometimes change its POS system often enough that I have to carefully follow the UI prompts, instead of relying on muscle-memory. Then you have the stores where they've modified the UI themselves, using sharpies or masking-tape.

      Think of it from the customer's point of view: he would have to remember the UI for every POS system he uses. Meanwhile, you use the same one, all day, and only have to remember it. So it's no wonder that you expect it to be easy - and it's no wonder that it isn't so easy.

    54. Re:More fraud? by Anonymous Coward · · Score: 0

      I work at Home Depot to help pay for college and I am a backup cashier. I always ask for an id, unless the person's picture is on the CC (some have that now). I have declined sales before and other times I had to call the CC company. I could care less how pissed someone is for asking their id, since it is for their security and for saving the company's butt, since we would eat the cost if the transaction was fraud. Granted-- the signing pad is not easy to write well on, which causes most of the problems. I've caught teenagers trying to use their parent's card and their only id was a drug prescription; I have declined a sale to a husband for using their wife's card; if your name is not on it-- then you can not sign it. If I want to be evil, I can just "accidentally" hit the sign-slip button if they do not want to show id-- then it wastes more time, because they have to sign a second thing, I have to see id for that, and I have to imprint the card. Ninety percent of people are happy that I check, nine percent do not care, and one percent bitch and moan because they just want to leave (mostly contractors do this). The thing is, if someone is resistant to convincing me that they are the card owner, it just makes me more suspicious. Reason for that is-- if you hang around the returns desk at HD, people throw such hissy-fits and clever lies to trick the store into giving them money or store credit, so you cannot fully trust any customer. Oh the stories I could tell-- such as someone returning a ten foot pipe and getting their money back despite the fact the pipe was only 3 inches long; the guy returned his scrap from 10 feet and we gave him a full refund. Only two customers complained about me asking for id or declining a sale to management, and in each case I got a pat on the back.

    55. Re:More fraud? by TGK · · Score: 1

      Which begs the question - why isn't there a standard for this?

      I can't imagine that the different manufacturers actually have some kind of brand look and feel to the interface that they have to maintain. Why not just standardize it?

      As for prompting and the "are you sure" message -- I know it doesn't make sense for credit purchases, but I've been using my debit card at grocery stores a lot recently. The grocery has more or less replaced the ATM as my preferred method of getting cash. When I change the amount of the purchase (say, from 24.34 to 40.00) I like that I'm prompted. An extra zero could be bad.

      --
      Killfile(TGK)
      No trees were killed in the creation of this post. However, many electrons were inconvenienced.
    56. Re:More fraud? by rnelsonee · · Score: 1

      I've noticed more and more places around me (Maryland) not needing signatures/IDs for amounts under $25. I use my credit card all the time because I like to have a written record of purchases, so I think this is pretty cool. Any reputable credit card issuer will defend you if you refute a charge (if it's not habitual, they just give you your money back no questions asked), so the risk of actually losing money on a stolen credit card is still low.

    57. Re:More fraud? by Artfldgr · · Score: 1

      ahhh.... mon ami... it DOES make sense... when you enter the store they know who are carrying gold cards, platinum cards, etc... it's then easy to get sales people to focus on THOSE people first and foremost. technology today is no longer installed for any purpose that it's stated it's being installed for. from cameras in the subways (who are supposed to spot terrorists), to things like this. the financial info may not be available openly, but there is no word on what's available off the card. at the very least an ID.. which can tie back to previous purchases in the store. another reason to focus on you. later, stores will be able to analyse what you are wearing, where it's from, when you purchased it, and whether they should hit you up to replace it. note that integrating with cell phones and ads will mean instant ads as you walk past counters or stores. biometric and radio coupled with visual recognition will build profiles of you based on what clothing you wear. at work AND off the job. i don't doubt that some company will provide psych profiles of people based on their choices...(ah, yes, third copy of catcher in the rye... just kidding). don't forget littering... you lose some paper or shit and it will go through a different conveyor that will ping each garbage owner's purchases as litter... ping $50 per cigarette butt. hey... the next thing you will see are some fly by night companies that will make foil lined wallets and carrying cases... put your card in here so it can't be scanned... now you have to wait in line till the person pulls out their wallet, pulls out the foil lined case, fishes the credit card out, swipes it and then does all that work to put it away... so no.. it's not about faster checkout times... it's about eventually using an air lock type door system, so that you shop... you walk... pause.... and then walk... everything on you already checked and billed (they of course don't think that people are smart enough to block their tags - or screw them up with a tag mimic that answers yes to all radio queries, making communication with any tag impossible!)

    58. Re:More fraud? by gr84b8 · · Score: 1
      MC's gamble is that contactless payment will thus thwart more fraud than it facilitates
      MC's main priority, however, is not to thwart fraud, so it may not be a huge gamble. They actually make money by resolving disputes in fraud cases (it's the banks that usually eat it).

      I suppose if fraud became rampant then banks might stop issuing MasterCard and switch to Visa, but if the new system makes people start to use their cards for all small/medium transactions that would probably far outweigh any fraud concerns (as far as MasterCard is concerned, that is).
    59. Re:More fraud? by Thuktun · · Score: 1

      A gas station we have in western PA, Sheetz, doesn't actually require a signature for amounts under 20$.

      Many fast food restaurants in the Minneapolis/St. Paul, MN, metro area do the same kind of thing, particularly during busy times, when not bothering with fetching a signature and checking it can really speed up the line.

    60. Re:More fraud? by Anonymous Coward · · Score: 0

      That still won't stop someone from picking up the card's transmission during a legitimate transaction. It also won't stop someone from placing a fake reader somewhere the card owner thinks is legitimate.

      High-tech solutions obfuscate security concerns more often than they fix them. Preying on one's sense of safety is probably the easiest way to get at anything, so making sure users understand the dangers is most important.

      The best tech-fraud I know of is very low-tech. For example, Japanese pay-phone pre-paid cards used to be very easy to clone. Since the card was read upon insert, and re-written upon hanging up, you simply used rubber cement to stick some 8mm video tape over the magnetic portion of a valid card, stick it in the phone and hang up. Voila, carbon copied onto the video tape. Stick that video tape onto a properly cut sheet of plastic, or even a poker card, and you had a cloned phone card.

      Back in the day, magnetic card readers weren't easily available to the public, and Japanese banks didn't bother to encrypt the data. In order to ease traffic on the servers (remember, this was way back) the PIN number was included on the magnetic strip un-encrypted too. Stolen cards could be used just by pouring a bit of powdered steel over the magnetic stripe, and reading the 0/1 bits by eye once the location of the PIN data was identified. No need for an expensive reader.

      A few years ago, the homeless in Tokyo found a good way to steal change from vending machines. Stick some gum up inside the change chute of vending machines. Most people don't check their change since the machines have a reputation of being quite accurate, and won't notice a few yen missing.

      These are all low-tech attacks on high-tech solutions. It's the same with hacking, really. Often, if you know the target, it's easier and more effective to just make a few impersonated phone calls or dumpster dive, than it is to crack a WEP signal.

      If anything, the "convenience" of the RFID credit card will be the biggest threat against it. I can already envision a scenario. The Japanese SUICA cards are basically the same thing as the RFID credit cards, and since they can be read even when inside a wallet, people just tap their wallet up against the reader. Since this is common knowledge, it won't look funny if someone just holds their wallet up to a credit card reader once these become common. But unlike traditional cards, no one will notice if the card INSIDE THE WALLET is only a white, non-printed plastic card with a forged chip inside. Forget the signature, it doesn't even need to LOOK like a credit card anymore. How they will forge the chip is beyond me, but if history's any hint, someone will find a way to do it. And I bet it'll be low-tech.

    61. Re:More fraud? by Anonymous Coward · · Score: 0

      Part of the reason for this is your liability for unauthorized transactions usually is at the $50 mark. As a business owner, it's not worth the time to pursue a $20 charge that's invalid -- for me the owner or the credit card company. It's chalked up as a loss and you move on.

    62. Re:More fraud? by drakaan · · Score: 1
      I wish there was a "+5 Scary" mod.

      So, not only could someone steal your money with you not noticing (imagine how wardriving evolves to cashwalking), they could steal your identity without even having to go through your trash or sending you to a phishing site.

      I'm sorry, but there are some extremely big problems with this technology being tied to people. All you have to do is put your own reader in a snowcone stand, next to an ATM machine, at a bus stop, in a toilet, etc, and start cloning cards.

      --
      "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
    63. Re:More fraud? by Gverig · · Score: 1

      Please help me out here...

      Why do I need account ID to commit fraud? Portable RFID scanners will be SOLD (completely legit) in a while (and maybe they are being sold now). High-tech fraud with faking RFID keys and stuff is still possible and IF they get hacked you will be vulnerable no matter how careful you are (unless you keep your cards with your RFID home).

      But I am personally more worried about much less technical fraud. Just by somebody buying a scanner and creating a company with a fake identification and walking in stores and charging people's cards. They do this for a week, cash out, close company. The very fact that access to my money is exposed through wireless for anyone to take a whack at it if they want to try makes me nauseous.

      BTW, your wikipedia link does not work.

    64. Re:More fraud? by OhHellWithIt · · Score: 1
      You're right about that. Several years ago, I started writing "Please ask for photo ID" above my signature on my charge cards. A long time went by before someone asked to see an ID. I'm sure it was funny to watch my expression. I had forgotten about it, and I used to be ticked off by requests for ID. Luckily, before I said anything, I remembered, and I was able to thank the clerk for taking the time to check the signature, so I didn't make [more of] an ass of myself.

      As it is, I am only asked for ID once or twice a year. Still, I would refuse a contactless card unless it only worked with a PIN. PINs and signatures are poor authenticators, but they're all I've got to protect my interest between the time a card goes missing and my reporting it to the bank.

      --
      "Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
    65. Re:More fraud? by Anonymous Coward · · Score: 0
      The worst of course are the supermarket 'self service' checkouts - they don't ask for a signature *or* a pin - no security at all... you swipe the card and walk away.


      i have to disagree. the supermarkets, around here, have an employee watching everyone going through the "'self service' checkouts"; if you use a credit card to pay for the purchase, a receipt prints out at this employee's station, and they will not let you pass without signing the receipt. occasionally, they even check ID.


      OTOH, i can charge $60++ [U$] at just about any gas station, and never even have to interact with another human being, in the process.


      i can pick up the phone, and charge thousands of dollars to a credit account by reading the information printed on the front of the damn card.


      i can surf the web, and type in information from the front of a credit card which i found, on the side of the road. if it hasn't been reported stolen, or lost, or otherwise canceled, all that it takes is the information printed on the card.
      [of course, ordering large ticket items that require shipping also requires a secure drop/bounce point for the merchandise, but we're talking theft/fraud, not racketeering, here]


      basically, simple possession of the card will still get a thief through most point-of-purchase transactions, and simply knowing the account information (which is printed on the card) will still allow a thief to access the account (while it's still active).


      as far as PIN 'security' goes, i have never had to use a PIN with any of my credit cards (why pay for a 'cash advance' when i have the money in my checking account). i use PINs for voice mail, and my ATM transactions. have you, or has anyone you know, ever had to enter their PIN when making a CC transaction that did not involve a ca$h advance?


      security - bah. TANSTAAFL

    66. Re:More fraud? by drsquare · · Score: 1

      They don't check signatures anyway, and you don't have to sign for things anymore, especially in the self-service places. The slowest part is typing the personal PIN number in and waiting three weeks for the computer to verify it.

    67. Re:More fraud? by autophile · · Score: 1
      There is surprisingly little security-by-obscurity involved, and lots of things like 3DES and rotating keys uploaded from the till on a regular basis, and stuff like that.

      Darn, we have registers over here, so I guess this won't work.

      Sorry, I'm feeling very strange today.

      --Rob

      --
      Towards the Singularity.
    68. Re:More fraud? by shadowmas · · Score: 1

      i thought about this as well. this would certainly make it a bit more secure, but most people (specially women) have their cards in their big handbags, which can dampen the ringing tone and the vibration alert of the average phone in a mildly busy environment, so i don't think a card would have sufficient chance of being heard/felt in such a case. the checkpoints to check up on the card accesses would be good (ATMS could do this) but as u said that's quite inconvenient, and how many people would be willing to do it every week.

      any credit card is a security risk, but the reason that credit card companies still use them is because the number of fraud to legitimate use rate is low enough to have a good profit. but this new card has more vulnerabilities than a normal card while not adding sufficient amount of benefits.

      i think this is just a hype by mastercard to gain a technological lead over Visa which seem to be in lead these days (visa first created the 'verified by visa' system which then mastercard adopted as well. IIRC visa was also the one who created CISP standard as well).

    69. Re:More fraud? by elphkotm · · Score: 1

      I've used my debit card probably 10,000 times and never once been asked why it's not signed. I've never signed any of the credit cards I've owned. Come steal from me :P

      --

      <Amanda`> I just went out to the parking lot in my bathrobe to exchange warez CDs.
    70. Re:More fraud? by Doctor+Memory · · Score: 1

      we have registers over here

      Yeah, and my chair is directly over one. That warm air sure feels good on a chilly autumn day!

      --
      Just junk food for thought...
    71. Re:More fraud? by csimpkin · · Score: 1

      One of the stores around here has the cancel button in the lower right corner of the PIN pad. Everywhere else, the OK or Accept button is in the lower right corner. So, every time that I buy something I have to enter my PIN twice, since the first time I always hit cancel.

    72. Re:More fraud? by Anonymous Coward · · Score: 0

      RFID only helps the first 2 of 5 items- the rest are still a problem. You will certainly have to still approve the transaction, especially if the card can be read without your putting it into a reader.

    73. Re:More fraud? by smbarbour · · Score: 1

      FWIW, I work for a credit card processor
       
      The signature on the back of the card only authorizes the card for use (for Visa and MasterCard). As long as the card is signed, it is valid no matter who presents it. The signatures do not have to match (The name signed on the slip doesn't have to match either). As long as the card is signed, the merchant CAN NOT request to see your ID unless the terminal instructs them to.
       
      As a cardholder, you have the right to dispute any transactions that were made on your account.

    74. Re:More fraud? by pomo+monster · · Score: 1

      Incidentally, and offtopic, this is exactly why the Mac Human Interface Guidelines put the OK/Accept (default) button in the lower-right corner. If you're right-handed, it's the easiest and most natural place to hit a button.

      I hear GNOME does the same thing.

    75. Re:More fraud? by saskboy · · Score: 1

      Don't worry, it will be easy to spot those thieves though. They'll be the people trying to hump your pocket with something that beeps in their pants when they get close to your wallet.

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
    76. Re:More fraud? by Nerdfest · · Score: 1

      Some banks (at least 1 here in Canada) allow longer PINs. I have a couple that are significantly longer.

    77. Re:More fraud? by myov · · Score: 1

      I once bought a $2000 item using a corporate purchasing card belonging to my boss. The transaction shouldn't have gone through - no id check, the signatures didn't match and her name (not mine) was on the card. I could have very easily stolen the card and it would have worked.

      Another company I worked for would always check id above a certain amount. No id = no sale, but stolen cards were somewhat common.

      The last company I worked for encouraged credit card payment over cash/cheque but never told us to check ID/signature/etc. We had home addresses in many cases though.

      --
      I use Macs to up my productivity, so up yours Microsoft!
    78. Re:More fraud? by TheLetterPsy · · Score: 1

      I also do the "Ask For Identification" thing on my signature strip. Wendy's doesn't require signatures for any purchases at all.

      I get about 10% of cashiers asking me for ID, but that number is slowly growing. I have actually had some less bright cashiers turn the card over, look at the "Ask For Identification" signature, and hand the thing right back to me, without a word. Maybe they can't read?

      And yes, enough rambling anecdotes for me, too. But I was lonely so I felt like posting.

    79. Re:More fraud? by Anonymous Coward · · Score: 0

      Disclaimer: I Was A Hong Kong Resident For Ten Years. So very very biased.

      The Octopus cards (which were being phased in when I left) rocked. You could use it on practically any bus line and any MTR (Subway) station, and they were starting to let you pay for things in 7/11 with it when I left.

      I think the Octopus system is really one of those technology solutions that works, because it doesn't try to be so convenient that it becomes a dangerous security risk. (I'm sure this paradigm sounds familiar to many people here.) I think the RFID aspect of it has more to do with the durability and expense of card readers making them practical than issues of distance-reading.

      But being able to swipe your whole wallet across the reader when in a hurry was cool--no fiddling around to find the card.

      On the car bit--after living in Hong Kong, I have no respect for the Car Culture of my native land. Sure, the highways and masses of cars are impressive (and by comparison somewhat agoraphobia-inducing)... but public transit lags behind in this "lone superpower".

      In Hong Kong, one of the main costs of a car was the physical space for parking it--I think most visiting Americans would find it amazingly dense if they have not been inoculated by a visit to Tokyo or something. Some roads (especially along the mountains and the Tai Tam area) were so narrow I'm surprised that the rocks and buildings didn't need to have liability insurance for crashes. (Local taxi drivers, as they are when faced with adversity in any country, promptly broke out their latent superhuman driving powers to compensate.)

    80. Re:More fraud? by Suidae · · Score: 1

      The self checkout stands here in Omaha (Walmart and Hy-Vee chains, I don't think Target has them yet) are mostly unattended. Someone watches them, but if you are paying with cash, walmart card, credit or debit they only come over and bug you if you have a bag that might contain unscanned items, or you have a problem with the stupid bag scale.

      If you pay with a check it sends you over to the manager to pay.

      I don't understand why RFID is useful for these systems. Magstripes are pretty robust and can contain the same kind of info. If they are going to improve the cards, they need to turn them into SecurID cards that generate a new number for every transaction. Heck, I'd even pay them to buy a SecurID-like card that I could use with their system. Bonus points if it includes an option to put all my cards into the same device so I can just carry the one device and leave the rest at home.

    81. Re:More fraud? by myov · · Score: 1

      I wonder why it's so hard to actually change my PIN on a regular basis. The only way to change it is to visit my branch during business hours (ie: closed by 3PM) and use the single PIN change machine. It used to be at the end of the counter, now it seems I need to ask for it.

      I'd like to change my PIN on a weekly or at least monthly basis if it wasn't so difficult.

      How many people have a compromised/stolen PIN that don't even know? A PIN should work like a password and expire every 30-60 days.

      --
      I use Macs to up my productivity, so up yours Microsoft!
    82. Re:More fraud? by zippthorne · · Score: 1

      took me a minute to realize that POS in your context meant "Point of Sale" and not "Piece of S(hoddy workmanship)" though I suppose both would be appropriate.

      --
      Can you be Even More Awesome?!
    83. Re:More fraud? by GoogolPlexPlex · · Score: 1

      I had this same scenario occur daily while I worked at a store. Another thing that happened a lot was people using their spouse's debit card (verified by PIN, not signature). Back in those days (early 90's), the modem-operated lines back to the bank went offline several times a day, and verification had to be performed by signature, and quite often customers would yell at me because the store could not let the goods to be sold to someone using a card that was not their own.

    84. Re:More fraud? by jrockway · · Score: 1

      I think the MTA uses a similar system (in New York). I hear you can walk through those pretty quickly.

      The CTA (Chicago) for some reason has a system where you insert the card (one direction only), it sucks it down, spits it back up a bit, sucks it down, then pushes it all the way back up. Then you remove it, hear a beep, and the turnstile unlocks. It is really very slow. I do like the sound it makes -- very rhythmic and familiar :)

      The system that most railroads in Tokyo used was the best. You could put any sort of media in in any direction or orientation, and if the card/ticket was valid you would walk through unimpeded and pull the ticket out on the other side. If your card was bad, the gates would slam shut and the card would come up on the fare-unpaid side and you'd have to go to the ticket machine and pay the right amount.

      The process repeated when you were leaving because the fares were zoned.

      I've never ridden on a US system with zoned fares -- are there any? (Now that I think of it, Washington DC has one. What are their fare control machines like?)

      --
      My other car is first.
    85. Re:More fraud? by PCM2 · · Score: 1
      You'd think if it was so easy to capture RFID, there'd be signs say "Be sure to protect your card" or something. There were plenty of signs everywhere warning you of various laws and dangers.
      He ain't kidding, nor naïve either. I was in Malaysia a while back and I saw more than one ATM with a prominent sign posted next to it warning you to examine the machine carefully. Apparently crooks were fond of tacking fake card readers onto ATM machines. The banks knew there was a problem and they literally posted a sign.
      --
      Breakfast served all day!
    86. Re:More fraud? by mtibbitts · · Score: 1

      I'm not the type to wear a tinfoil hat, but I will certainly use a tinfoil wallet if this becomes popular. DVD encryption was supposed to be unbreakable...until somebody goofed leading to the creation of DeCSS and many other versions. Now DVD encryption is a joke and the industry has its entire library vulnerable. What would happen if the same were to happen to millions of credit cards? I do not believe that slightly greater ease of use will overcome the risk...real or perceived. Martin Tibbitts

    87. Re:More fraud? by Anonymous Coward · · Score: 0

      QuickTrip doesn't require a signature for under $35 in GA.

    88. Re:More fraud? by g0at · · Score: 1

      My understanding is that if your card is not properly signed (if, say, you've written "see ID" instead of your signature) then the card is not valid, and a purchase made with it is fraudulent. At least, that's what my Mastercard cardholder agreement said to me last time I read it.

      Am I wrong?

      -ben

  2. Theft by jedie · · Score: 4, Interesting

    Well okay, you don't need physical access to the card anymore to steal money from it.

    They're gonna need to put in some confirmation thing in this, but I thought the whole idea was effortless payments.

    --
    "The majority is always sane, Louis." -- Nessus
    http://slashdot.jp
    1. Re:Theft by Burning1 · · Score: 1

      You never did need physical access. Ever made an online purchase? There's a million other valid numbers sitting right next to yours, neatly organized and ready to be stolen.

    2. Re:Theft by Tatarize · · Score: 1

      Walking around with a scanner is too much work. What you really need is a really small scanner with a meg or two of memory say about the size of a sticker, and put it on a sticker and stick it near the scanner at a merchant. Come back in a week or so and you'll have a few thousand CC#. The scanning chip should be dirt easy and super tiny. You should be able to put them in just about anything in a few years.

      Also another great scam is going to be those stupid turnstiles on subways and the like. Everybody seems to push the bar and put their right butt cheek (usually has the wallet) right next to the side. Have a reader planted just inside the turnstile (with wifi access) and it could be sending you a thousand CC# a day every day. Don't get me wrong, but this is a bad idea. It would be far better to have some data you generate with some biometric reading and use that.

      And by biometric reading I don't mean a chip in the hand. Then I might have to just shake your hand to steal your information.

      --

      It is no longer uncommon to be uncommon.
    3. Re:Theft by DigitumDei · · Score: 2, Interesting

      I dunno about what's happening in the US, but in South Africa my bank claimed it was bringing these into circulation at the beginning of this year. The thing is, according to the letter from the bank, you wouldn't have to remove the card from your wallet, but you would have to enter in a pin code on a key pad. The pin code wouldn't be on the card itself; the keypad/reader would have to confirm with the bank's, much like your average ATM.

      Of course someone with a reader who also sees you entering in your pin code could then easily fabricate a new card and start using it.

    4. Re:Theft by Begemot · · Score: 3, Informative

      ...They're gonna need to put in some confirmation thing in this...

      Dunno how's it in states, but in Russia, France and more countries you have to type in your PIN in order to approve a payment.
      Long range RFID would be much easier because you won't need to get your card out of your wallet that's stuck somewhere in your pouch full of other stuff. Just type the PIN.

      Supermarkets should greatly welcome this initiative because their lines will go much faster that way.

    5. Re:Theft by samael · · Score: 4, Interesting

      Will it ask you which of the 4 cards in your wallet you want to pay with?

    6. Re:Theft by Begemot · · Score: 2, Funny

      ...Will it ask you which of the 4 cards in your wallet you want to pay with? ...

      Simple - the input dev detects all cards and asks which one to charge.

      More important is not to mix it with the cards of the next customer.

      Far more important is what all Platinum card owners are gonna do? They have to wave it into your face, right? I guess that alone may kill the whole long-range idea.

      Any bright ideas how to give them a reason to show off the cards?

    7. Re:Theft by blane.bramble · · Score: 1

      A big flashing light on top of the keypad unit perhaps?

    8. Re:Theft by Fëanáro · · Score: 1

      4 digit pins means that if you snoop 10000 cards, and try them all with the same pin, on average one of them will work.
      Usually you have three tries for each pin, so it should also work with 3333 cards.
      Snoop cards in some busy shopping centers until you have a million, and then rake in the cash.

    9. Re:Theft by Begemot · · Score: 1

      4 digit pins means...

      Interesting calculation, but if you can snoop 10000 cards in a shop you must have certain abilities that can gain you much more elsewhere. Besides, following my previous comment, the input dev may support up to, say, 5 cards.

      If you have more than that - send your maid for grocery shopping.

    10. Re:Theft by cloudmaster · · Score: 1

      If supermarkets would instead ask you to swipe your card *while* they're scanning your groceries, there would be less delay too.

      Besides, how messy is your wallet, anyway? Do you *need* four hundred credit cards? Do you need much of anything that's not used to pay for things? I *like* having to get my money out before someone can take it, whereas I don't like the idea that someone can take my money without me having to give it to them - and credit cards are not a significant delay as presently implemented.

    11. Re:Theft by Anonymous Coward · · Score: 0

      3333 in a major supermarket takes how long?

    12. Re:Theft by Begemot · · Score: 1

      Besides, how messy is your wallet, anyway?

      I wish I'd have something to mess up my wallet. I'm a lazy bum, that's all :-)

    13. Re:Theft by drsquare · · Score: 1

      When they're scanning the goods, I'm putting them into bags. They're usually done before I am, so that doesn't save any time anyway.

    14. Re:Theft by cloudmaster · · Score: 1

      So, put the bags next to the cashier. She puts them in to a bag after scanning, rather than into a pipe / on a belt / etc. That frees you up to swipe your card while the scanning is happening. That's how the markets I shop at behave already, though - the ones that made customers bag their own only did that for a while, probably until their sales dropped...

      Besides, you could just unload the basket, swipe your card, then start bagging. Presumably there's a queue somewhere that unbagged items can enter while they wait to be bagged. With a pair of queues, the cashier can move on to the next person while you finish bagging up your paid-for items.

  3. Not a big change by drivinghighway61 · · Score: 5, Insightful

    The article claims these new RFID cards will be a breakthrough in ease of use, like PayPal was for online purchases. However, the change to simply a wave isn't that much better than a swipe. One wonders what the real motive for adding the RFID chips to the cards will be.

    1. Re:Not a big change by elad · · Score: 1
      One wonders what the real motive for adding the RFID chips to the cards will be
      No physical contact between reader and card ==> Less (read: no) wear at shop's equipment.
      --
      -/elad
    2. Re:Not a big change by WoTG · · Score: 2, Interesting

      IMHO, over time this will become part of a more secure credit card system. It's much harder to clone an RFID than it is to clone the mag stripe and graphics of current cards.

      It won't completely fix credit card security (think online purchases and manual imprints), but it will help.

      Plus it gives MC some marketing bullet points for providing advanced "RFID super-technology" to its members first.

    3. Re:Not a big change by Fordiman · · Score: 1

      Better security.

      Your card number is not transmitted from your card. With the inductance field, a challenge datum (randomly selected public key) is sent. In return, your data is encrypted by the card and returned to the scanner, which then decodes the data into a hash of your card info, which is then sent with the transaction request to the bank.

      In other words, at no point does the cleartext of your card go through. Unlike with a magnetic stripe, where your card number is in cleartext and encoded (not encrypted) on the magstripe.

      It's basically fraud protection. Prevent fraud by making the cards more difficult to duplicate.

      That doesn't mean you can't just steal the card, but let's face it, the second you notice yours is missing, what do you do?

      If you're not reporting it missing, you deserve thefted.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    4. Re:Not a big change by kevin.fowler · · Score: 1

      It's all about monitoring purchases, just like discount cards at chain stores are for. Then they sell the info to Johnson & Johnson or whoever to know what flavor of toothpaste someone who listens to Judas Priest prefers.

      --
      Bury me in mashed potatoes.
    5. Re:Not a big change by Fordiman · · Score: 1

      They can already do that with credit cards.

      Jeez. Somebody's been watching too much "Minority Report"

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
  4. Shoplifting by jbellows_20 · · Score: 3, Funny

    No more shoplifting now. They just scan my credit card as I walk out the door, after they scanned the merchandise that was in my backpack. What has the world come to?

    1. Re:Shoplifting by jamesh · · Score: 1, Flamebait

      And the security guards will jump you when you walk _into_ the store if you don't have a credit card on you, since obviously you are there to steal stuff.

    2. Re:Shoplifting by E8086 · · Score: 1

      "And the security guards will jump you when you walk _into_ the store if you don't have a credit card on you, since obviously you are there to steal stuff."

      or they'll stop you as you're about to leave and hand you the receipt you forgot to take. I'm sure cash will still be accepted, but don't know how long until it's also RFID tagged.

      --
      F7 doesn't work, ignore spelling and grammar
  5. Already compromised? by flipsoft · · Score: 1

    Aren't the PayPass cards already compromised?

  6. Security? by Mateito · · Score: 5, Insightful

    It amazes me every time I go to the states how no signature or pin is required to buy goods on a credit card. Self-service gas stations are good example. This is single-factor authentication. RFID or magnetic strip, doesn't make a difference.

    How long will it take the collective minds of the criminal fraternity ... or for that matter the collective minds of Slashdot, to design a reader that can be used to copy RFID tags from people in crowded lifts and trains?

    1. Re:Security? by rincebrain · · Score: 1

      Already done...I think.

      I read a HOWTO, written by a student in a college which used RFID chips in cards for authenticating students, about building a nice device for artificially duplicating any given chip's signal. I can't find it offhand, but I know it's there...someone on Slashdot has to have read it.

      --
      It's only an insult if it's not true.
    2. Re:Security? by zoloto · · Score: 1

      They already have, but they're doing such a good job and raking in a ton of money - so sneakily that they aren't being noticed yet.

      Just wait, I'm sure the NYT will have an article about it in the future.

    3. Re:Security? by Burning1 · · Score: 2, Informative

      The signature isn't required at all to process transactions. The signature is only there to protect the store if you decide to contest your purchase.

      Credit fraud is trivially easy.

    4. Re:Security? by slashdot.org · · Score: 1

      It amazes me every time I go to the states how no signature or pin is required to buy goods on a credit card.

      Well, that is pretty uncommon and you will only see it at places that have done the math and decided that it made more financial sense to take the risk.

      Self-service gas stations are good example.

      Not really; as someone else pointed out, the signature is only used as proof when you contest the transaction. Some companies decide to take the risk, especially if they have security cameras recording your car's license plate.

      The security cameras basically make it impossible to deny a purchase for the owner of the car & card (or after a couple of times the CC company will notice how you are always denying transactions).

      It is probably still the major place where people go with stolen credit cards, but it's evidently still cheaper for the gas stations to have less staff though.

      What's more bothersome to me are these places that require you to provide them with every single bit of private information that you have. What's your birthdate? What's your birthplace? What's your mother's maiden name? My question is: what more information do you need before you can successfully impersonate me?!

      Think of it; you call your bank, and they ask all these questions. Sounds reasonable, you want your bank to be secure. Now some website asks the same stuff. Sounds like they take security seriously. But what about the people that have access to that information? They can now pretty much call your bank and do whatever they want.

      Back to 'advancements' in the credit/debit card industry though: why is it that by far the biggest problem, which has been known for at least 10 years, has not been solved? I'm talking about how we, the customers, have no way to verify that the person charging our card is a-okay. It's very possible that the ATM/CC machine has a fake keypad and reader. There's no way to find out for us, which is crazy.

      Of course the CC companies will gladly undo the charges but who the hell has time to go through every line on a statement, especially when technology apparently still hasn't made it possible to list an item other than "POS/123 SUNSET LA 0101 $11.50"

    5. Re:Security? by ctr2sprt · · Score: 1
      It amazes me every time I go to the states how no signature or pin is required to buy goods on a credit card. Self-service gas stations are good example. This is single-factor authentication. RFID or magnetic strip, doesn't make a difference.
      Most places have a guideline about what the total cost of the purchase can be before they want additional authentication (i.e. a signature). At a nearby convenience store, it's $20. I'm sure that most gas stations don't require a signature because, until fairly recently, most people could get a tank of gas for less than $25. Nowadays, of course, it's twice that, but...

      All gas stations in my area now ask for your zip code too. It's a dumb form of authentication, but it can be done at the pump so it doesn't annoy people into going elsewhere.

      (Actually, coupled with decent fraud-detection software, and if you're in or near a major city, it could be really effective. We have probably twenty zip codes within a twenty mile radius here, so your chances of guessing right the first time are pretty poor. You could spot a stolen card real quick just by noting two consecutive failed attempts on the card. It would actually be far more effective than signature verification. Hmm. I was thinking their primary motivation for this approach was the fact that pumps can't take signatures, but now that I think about it this could be a really excellent idea. After all, signatures are only useful when it's already too late and you're in court. One-digit PINs, anyone?)

    6. Re:Security? by kf6auf · · Score: 1

      The problem with asking for a ZIP code is that if someone steals (whether by RFID or not) your driver's license information along with your credit card information then they have your ZIP code too.

      (My dad's car got broken into last night and had his credit cards stolen.)

    7. Re:Security? by Riturno · · Score: 1

      I have run into self-serve gas stations in the past year that require 2 factor authentication. Not always, but sometimes. The card and the billing ZIP Code.

    8. Re:Security? by Malor · · Score: 1

      That will happen shortly after they crack public-key encryption, I imagine.

      Despite the misleading post title, these things aren't RFID. They're smartcards. Very, VERY difficult to copy.

    9. Re:Security? by Anonymous Coward · · Score: 0

      Stop getting all paranoid. If the card is stolen, physically or otherwise, you are not liable. The CC companies are. It is the cost of doing business to them.

    10. Re:Security? by Anonymous Coward · · Score: 0

      Don't know what part of the States you're talking about, but here in California just about every self service gas station requires that I enter my billing zip code before it will charge my card for the purchase. Not quite a PIN, but better than nothing.

      I also don't get asked to compare signatures between the card and the charge slip very often. I do, however, very often get asked to show my picture ID and verify that my name is the name on the card.

  7. I have a bad feeling about this... by Anonymous Coward · · Score: 5, Funny

    MasterCard RFID Credit Card: free

    Checking out at the grocery store without signing your name or entering a pesky PIN number: effortless

    Having your account drained by a 12 year old who bought a high-gain RF antenna off eBay: priceless

    1. Re:I have a bad feeling about this... by RzUpAnmsCwrds · · Score: 5, Interesting

      12-year-old busted after realizing that ISO/IEC 14443 uses two-factor authentication: Classic.

      The RF component of these cards is considerably more secure than even the magstripe component.

    2. Re:I have a bad feeling about this... by caluml · · Score: 3, Insightful
      The RF component of these cards is considerably more secure than even the magstripe component.

      If only I could dig up someone saying that about WEP a few years ago...

    3. Re:I have a bad feeling about this... by Anonymous Coward · · Score: 2, Informative

      Two factor authentication can be (relatively) easily side stepped by using a relay attack. This is a crude yet effective way of using stolen ISO14443A card data. Possibly easier than a mag stripe. And if I could clone Japanese pay phone cards when I was 12 (and I did, out of curiosity), then I could certainly do this too.

      Of course, such an attack is mostly meaningless in a real world context... By using a relay attack to collect the data, and not actually decrypting the stream, you're limited to the exact same transaction. Which most likely would only work for a train or bus, and not for a credit card transaction where the communicated content will vary each time.

      I find it interesting that people on /. seem to think that RFID charge/credit card data theft is just as easy as cloning mag stripe cards, except easier, because you don't need physical access. This is not true. You don't need to be a genius to skim through the ISO14443 work group papers to realize that it's a LOT more than just handing over the entire data content of the card to a reader, as is the case with mag stripes.

      So I'll explain a bit. With mag stripes, the reader will read the entire data stored on the magnetic strip. As long as you can clone this (which is trivial), whether or not you understand the data (meaning crypto or not), you have a working copy at hand. Security measures around this are varied, but a good one is the requirement of a PIN number which is NOT stored on the card, and needs to be checked against an online database. But as long as you have the PIN, there's nothing to stop you from using a clone. Think of it like a backup card.

      On the other hand, the entire content of the card is NOT transmitted with an RFID. Better yet, the communication is encrypted, so you don't know what part of the data is being transmitted, or even what the request was from the reader. The data transmission is not static. The encryption method could use any common crypto, such as SHA-1, meaning that even if you did pick up the signal from a distance away, you would have no way to (easily) understand what it meant, and would need to decrypt the message.

      So, in the relay attack mentioned above, you COULD simply do a "If reader asks XXX, reply YYY" without understanding what it meant, and that would probably work for mass transit. But, getting a free ride probably isn't worth the investment beyond the simple satisfaction of knowing that you proved your point.

      In order to make it profitable, you would need to decrypt the entire card content, re-create it, and be able re-transmit data in an encrypted format in order to place transactions on a credit card. This is not easy, and will require considerably more work than just scanning someone's pocket with a directional antenna. I won't deny that it's possible though. However, if someone actually uses this data, it will be no different than people that skim mag stripe cards right now. The only difference is that people will no longer require physical access to your card... but will require considerable effort per card they obtain. Much easier to pay a Wal-Mart employee to skim mag stripes for you.

    4. Re:I have a bad feeling about this... by Anonymous Coward · · Score: 0

      Explain how RF is considerably more secure than magnetic strips. The article mentions nothing about security as far as I can see.
      Mastercard claims the RF can be read within an inch distance. Magnetic needs to make contact to be read. They both transfer numbers, no cryptographic keys etc. The above said, magnetic strips seem the safer than rfid, albeit the less convenient.

    5. Re:I have a bad feeling about this... by msormune · · Score: 1

      A post on Slashdot about something that the writer has just a vague idea but just wants to bitch and moan about his views anyway: Pretty common.

    6. Re:I have a bad feeling about this... by Anonymous Coward · · Score: 1, Informative

      Explain how RF is considerably more secure than magnetic strips. The article mentions nothing about security as far as I can see.
      Mastercard claims the RF can be read within an inch distance. Magnetic needs to make contact to be read. They both transfer numbers, no cryptographic keys etc. The above said, magnetic strips seem the safer than rfid, albeit the less convenient.


      Before I start, I will point out that the RFID based ISO14443A cards DO INDEED transfer data using cryptographic keys. These are NOT static, passive cards like mag stripes are. They are not the same as an office ID card that opens doors.

      That said, I'm not saying that using RFID is an increased security issue, but simply that it's not as easy as a lot of tinfoil hatters around here make it out to be.

      Here's the reasoning.

      Mag stripe: Requires physical contact. However, anyone that has physical contact can easily read the ENTIRE content of the card and create a clone. Mag stripe cards are not interactive, they are static. That is, you MUST read the entire content off of the card in order for it to work, and there's nothing stopping someone with physical access to the card to do so. Storing the data for later retrieval and cloning is also trivial. There are quite a few sleazy places (especially in Asia) where you will hand the cashier the card, and they will swipe it through a skimmer under the register before using it in the legitimate transaction. Your card data has been 0wn3d.

      ISO14443A cards (aka the RFID cards): No physical contact is required. Data transmission can be picked up from quite a distance away at the time the card is activated through a magnetic field (aka the reader). The card, however, is interactive. It does not give out its entire data bank to anyone that asks for it. There is a shared key, and then it kicks into encryption mode. Even then, the card will only transmit the necessary data for that specific transaction. It's basically 2-way communication. So, what does an attacker do? The attacker can use a trivial relay system to retrieve the exact content of the communication between the card reader and card. Once that is obtained, they COULD replicate the same transaction. However, it would only be good for that specific transaction. Any other transaction, and the data request from the reader would be different.

      Another scenario is if, like WEP, the attacker somehow knows the key, or knows of an insecure key that is easily cracked. Even then, the only data s/he will obtain is that from the specific transaction, which may or may not be sufficient for any other transaction, depending on what kinds of security measures on the software level are implemented. Again, the RFID does not transmit its entire contents in order for a transaction to complete, thus complicating things for an attacker. An attacker may be required to follow the card around and gather data for multiple transactions before having an acceptable chunk of data usable for a forged transaction.

      Again, I'm not saying that RFID based credit cards are more secure or anything. I am, however, saying that they are not inherently more dangerous than a mag stripe card. It won't be easy to "skim" a card like it is done now with mag stripes, even if a fake reader is placed in an inconspicuous location. I'm not saying it's impossible, but it's highly unlikely. If someone does that, it shouldn't be any harder to track down the location of the skimmer than it is with modern techniques for fraud detection. 100 people with fraudulent billings also made a purchase at retailer XXX. Fishy? You bet! So what do you do then? Same as you would do if your mag stripe got skimmed. Get a new card, and watch where you use it.
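
Added example (not part of the thread, and not MasterCard's or the ISO/IEC 14443 protocol): a small Python model of the distinction the comment above draws between a static magstripe record and an interactive card, showing how an issuer-side check rejects a recorded exchange once the challenge, amount or counter differs. The HMAC-SHA256 construction, the issuer-shared key, the transaction counter and every name and value here are assumptions made for illustration.

```python
"""Constructed model: static card data vs. a per-transaction challenge/response.
HMAC-SHA256 with an issuer-shared key is an illustrative assumption, not the
PayPass or ISO/IEC 14443 protocol."""
import hashlib
import hmac
import secrets


def _mac(key: bytes, challenge: bytes, counter: int, amount_cents: int) -> str:
    # Bind the MAC to the reader's challenge, the card counter and the amount.
    msg = challenge + counter.to_bytes(4, "big") + amount_cents.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class StaticCard:
    """Magstripe-style card: every read returns the same complete record."""

    def __init__(self, track: bytes):
        self._track = track

    def read(self) -> bytes:
        return self._track


class DynamicCard:
    """Card that never releases its key and answers each challenge freshly."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key
        self._counter = 0

    def respond(self, challenge: bytes, amount_cents: int) -> dict:
        self._counter += 1
        return {"card_id": self.card_id, "counter": self._counter,
                "mac": _mac(self._key, challenge, self._counter, amount_cents)}


class Issuer:
    """Hypothetical back end that decides whether a presentation is valid."""

    def __init__(self):
        self.static_tracks = set()   # known static records
        self.keys = {}               # card_id -> shared key
        self.last_counter = {}       # card_id -> highest counter accepted

    def verify_static(self, track: bytes) -> str:
        # A static record carries nothing that separates original from copy.
        return "accepted" if track in self.static_tracks else "unknown card"

    def verify_dynamic(self, challenge: bytes, amount_cents: int, resp: dict) -> str:
        key = self.keys.get(resp["card_id"])
        if key is None:
            return "unknown card"
        expected = _mac(key, challenge, resp["counter"], amount_cents)
        if not hmac.compare_digest(expected, resp["mac"]):
            return "bad mac"
        # Check the counter only after the MAC, so forgeries cannot move state.
        if resp["counter"] <= self.last_counter.get(resp["card_id"], 0):
            return "stale counter"
        self.last_counter[resp["card_id"]] = resp["counter"]
        return "accepted"


def run_demo() -> dict:
    issuer, results = Issuer(), {}

    # Static record (constructed sample data).
    track = b"CONSTRUCTED-TRACK-DATA-0001"
    issuer.static_tracks.add(track)
    card = StaticCard(track)
    recorded_track = card.read()          # what any reader now holds
    results["static_genuine"] = issuer.verify_static(card.read())
    results["static_replay"] = issuer.verify_static(recorded_track)

    # Challenge/response card.
    key = secrets.token_bytes(32)
    issuer.keys["card-A"] = key
    dcard = DynamicCard("card-A", key)
    c1 = secrets.token_bytes(8)
    recorded = dcard.respond(c1, 1150)    # one observed exchange
    results["dynamic_genuine"] = issuer.verify_dynamic(c1, 1150, recorded)

    c2 = secrets.token_bytes(8)           # next purchase: fresh challenge
    results["replay_fresh_challenge"] = issuer.verify_dynamic(c2, 1150, recorded)
    results["replay_same_challenge"] = issuer.verify_dynamic(c1, 1150, recorded)
    results["replay_changed_amount"] = issuer.verify_dynamic(c1, 99900, recorded)

    c3 = secrets.token_bytes(8)           # the genuine card keeps working
    results["dynamic_next"] = issuer.verify_dynamic(c3, 2500, dcard.respond(c3, 2500))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:24} {outcome}")
```

The check covers replay of a recorded exchange only; a live relay that forwards a fresh challenge to the genuine card, as raised earlier in the thread, is a separate problem that this model does not address.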

    7. Re:I have a bad feeling about this... by glitch0 · · Score: 1

      WEP is considerably more secure than a magstripe component?

      --
      -Glitch "We all know Linux is great...it does infinite loops in 5 seconds." - Linus Torvalds
    8. Re:I have a bad feeling about this... by Anonymous Coward · · Score: 0

      Guy who conducts a credit card transaction via his RFID-enabled palm pilot while "bumping" into you on the subway: Truly classic

      It's great that there's crypto to prevent cloning the card, but RFID simply requires that I bring a scanner within your proximity. As a thief, it's actually better for me to go take this approach. When I can go after random victims in public, it's all that more difficult to correlate my attacks across multiple victims, and there aren't the risks of getting caught associated with having to get physical access to cards via pickpocketing, etc.

      Credit cards have needed crypto for a long time to prevent the fraud that we're generally familiar with. Hell, even simple things like single-use credit card numbers would have been a boon for people's perceived, and perhaps even actual, safety in Internet transactions (there is a chunk of the market that is still reluctant to do CC transactions online). However, do not casually dismiss the valid concerns about introducing RFID tech into the equation. There are still plenty of (simple) attacks available around your fancy-schmancy 4096-bit elliptical quantum crypto system.

  8. Theft! by Palal · · Score: 5, Funny

    Not only will thieves be able to capture your CC#, they will be able to do it without you knowing it! Think of the possibilities! Subways, buses, crowded trains, elevators, escalators, and other public places! I guess that gives me another reason to not leave home and to spend all day reading slashdot about how others have had their identity stolen.

    --
    -Palal
    1. Re:Theft! by MoralHazard · · Score: 4, Interesting

      I thought of this immediately, too. But there HAS to be something more going on, right?

      In the USA, at least, credit card issuers (the banks that back the cards) are ultimately responsible for fraud. Their agreements with merchants stipulate that the merchant has to eat any charges found to be fraudulent, and if the merchant can't/won't, the bank has to do it. By law, the customer is limited to being responsible for only the first $50 of charges. And most card issuers have policies that waive even that fee.

      So if it's really going to be that easy to steal CC numbers, why in the hell would banks do this??

      I had one idea that might float: The expected losses due to increased fraud are outweighed by their predictions of increased consumer credit spending, once it becomes easier to use the cards. Since the merchants eat fraudulent charges, anyway, the banks aren't out that much more money if fraud goes up.

      Of course, this disincentivizes merchants to let people easily pay for things with a swipe (if you have to show your photo ID before you wave your card--defeats the point, doesn't it?). Which would make the whole thing moot.

    2. Re:Theft! by Palal · · Score: 1

      Have you ever tried getting money back from fraud charges? I, thankfully, had not had to deal with it *YET*. However, I have heard both horror stories and the opposite of horror stories (the word escapes me now) regarding getting your money back from the CC company. In the end, it'll be the consumer who'll be spending more time on the phone, trying to get through to customer support along with everyone else.

      --
      -Palal
    3. Re:Theft! by cra · · Score: 1

      Your theory floats, but just barely. How much harder is it to pull the card through a magnetic reader than waving it in front of an RFID scanner? Not much, I'd say.

      I agree that there has to be some motive, and you can be pretty sure the goal is to increase the income for the company, which boils down to getting it from the card users/customers.

      Still, the fact that the merchant/bank has to cover any fraud except for the first $50 isn't good enough. If I have my card scanned and stolen ten times, that adds up to $500, and I'm sure as hell not willing to pay even $5 for the convenience of waving my card to pay. Not even if the gorgeous girl behind the counter in the perfume shop has to touch my a$$ with the scanner where my card is.

      --
      This message has been ROT-13 encrypted twice for higher security.
    4. Re:Theft! by lostchicken · · Score: 1

      Getting money back from anybody is hell. What you CAN do is refuse to pay a certain charge when the bill gets to you. Things actually get cleared up pretty quickly that way.

      --
      -twb
    5. Re:Theft! by MoralHazard · · Score: 3, Interesting

      I have, actually, experienced CC fraud. Card got double-swiped at a restaurant in San Jose, and a few years before that a shady acquaintance of a college roommate nicked my wallet and bought a few hundreds' worth of audio equipment.

      It wasn't that big of a deal, either time. In the restaurant case, I called the CC company, got a CS rep in about 30 seconds, and explained the situation. I got a call back about an hour later and they instantly reversed the second charge--could have just been a mistake by the server, right?

      The other time, I called and they told me to fill out a police report. They froze the fraudulent charge, essentially meaning that it was off for the time being, and cancelled that card. I got a call back the next week telling me that they'd looked into it and agreed with me. The only real hassle was the police report, but being as I was living in NYC, the local precinct was two blocks away. It took about 30 minutes, including travel time.

    6. Re:Theft! by RzUpAnmsCwrds · · Score: 2, Interesting

      ISO/IEC 14443 has two-factor authentication. You can't steal the card number because the card doesn't transmit the card number.

    7. Re:Theft! by Ark42 · · Score: 1, Offtopic

      Generally, you can probably buy something and just say it's fraud, keep the item, and get your money back with no hassle, if you don't do it that often. CC Companies and banks don't care one way or another, they do not take ANY of the hit from a chargeback. The entire chargeback comes from the merchant, on top of a chargeback fee of at least $35, so only the merchants are hurt.

    8. Re:Theft! by jesdynf · · Score: 1
      So if it's really going to be that easy to steal CC numbers, why in the hell would banks do this??

      I had one idea that might float: The expected losses due to increased fraud are outweighed by their predictions of increased consumer credit spending, once it becomes easier to use the cards. Since the merchants eat fraudulent charges, anyway, the banks aren't out that much more money if fraud goes up.

      I dunno. Wendy's shrugging off checking ID or making you sign documents for credit purchases under a certain amount isn't unreasonable. Those checks take seconds, and seconds do add up. They're already eating fraudulent charges anyways, signing things and glancing at poorly-printed IDs isn't stopping 'em. This new feature isn't any different.

      I do wonder about your prediction, though. How many purchases a day are you refusing because using credit cards is so difficult?

      --
      Yahoo! Pipes are awesome. How awesome? http://pipes.yahoo.com/jesdynf/slashdot
    9. Re:Theft! by icecow · · Score: 1

      "By law, the customer is limited to being responsible for only the first $50 of charges." So if a bank's computer generates a $200 charge AND the customer catches it, fills out all the forms right, and jumps through the hoops the bank only makes $50 that the government doesn't know about? I'm not sure if it could go down like that or not, but it's a reminder that opening up 'Enron' possibilities can happen.

      --
      Stop invalid scientific research. Ask your local scientists to feed their lab rats with a phytoestrogen-free chow.
    10. Re:Theft! by Anonymous Coward · · Score: 0

      disincentivizes

      WTF? Is that like deters? Less than half the length and makes more sense.

    11. Re:Theft! by BlueTrin · · Score: 1

      I thought of this immediately, too. But there HAS to be something more going on, right?

      Yes, in fact you will have to wave your card and to identify yourself, you will just have to swipe your card, type your pin and sign a receipt.

      --
      Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
    12. Re:Theft! by wcdw · · Score: 1

      Not quite. The way the credit card world actually works is that when you dispute a charge, the processor (usually a 3rd party) has 45 days to produce a signed receipt (not considering MOTO here, which has different rules).

      If a signed (original) receipt cannot be produced, the consumer is automatically awarded the chargeback. And the merchant is screwed. If a valid receipt can be found with your signature, and you've just claimed fraud, you're the one who is [potentially] screwed.

      Having seen the inner works of such a receipt-retrieval setup I can tell you that they lose your original more often than they'd care to admit....

      As a merchant as well as a consumer, I think this sucks. However, it can be useful for e.g. those times when the store gives you their copy, instead of the 'customer copy'. Chargeback disputes MUST produce the 'original' in order to be prevented.

      --
      If you're not living on the edge, you're just taking up space!
    13. Re:Theft! by dubl-u · · Score: 1

      ISO/IEC 14443 has two-factor authentication.

      What's the second factor? What people typically mean by two-factor auth is a physical token plus a PIN or password, but that doesn't square with the marketing literature or their "easier than cash" claims.

      You can't steal the card number because the card doesn't transmit the card number.

      Is it some sort of challenge/response thing? If so, where does the challenge come from? It seems like the challenge would have to come from the clearing firm, yes? But wouldn't that require a hot connection with good response time to get the exchange done during a wave?

    14. Re:Theft! by EiZei · · Score: 1

      Of course, this disincentivizes merchants to let people easily pay for things with a swipe (if you have to show your photo ID before you wave your card--defeats the point, doesn't it?). Which would make the whole thing moot.

      How about just printing your photo on the card itself?

    15. Re:Theft! by achurch · · Score: 1

      ISO/IEC 14443 has two-factor authentication.

      Source, please? (I'm not doubting you, I just want to know exactly what the standards say. I did glance through the drafts on www.14443.org but didn't see anything related to authentication; is it something that was only added in the final version of the standards?)

    16. Re:Theft! by stinerman · · Score: 1

      The expected losses due to increased fraud are outweighed by their predictions of increased consumer credit spending, once it becomes easier to use the cards.

      That doesn't follow, IMO. Who is this person that says "Why, that seems like a nice sweater. If only I didn't have to take 2 seconds to get my card out of my wallet, I'd buy it. Damn this inconvenience!"

    17. Re:Theft! by Ark42 · · Score: 1

      I've only dealt with internet sales, which are basically MOTO, but there is never an original receipt, so the customer always gets their money back, and I always get hit with the $35 fee myself.

      How does this work at places like Meijer U-Scan where you just sign on a little LCD screen? There are no store-kept receipts there, are there?

      Either way, the banks and CC issuers never seem to take the hit, so it wouldn't seem in their interest to try to do much to stop people from copying RFID numbers and start making fraudulent charges. Either the merchant (most likely) or the consumer in some cases, gets screwed, so my original point stands.

    18. Re:Theft! by wcdw · · Score: 1

      The company I worked for was just starting to deploy signature pads (to Service Merchandise, at that time), when I left, so I don't know all the details.

      However, I did know a gentleman at that time who was responsible for recreating digital signatures from the store data, in order to print mock receipts, probably to cover this issue.

      Presumably the digital signature + the actual transaction are watermarked, hashed, signed and/or whatever, in such a way as to be able to demonstrate conclusively that a given signature belongs on a given receipt.

      (BTW, I believe that stores typically don't retain the 'original receipts' in question; they are generally warehoused by the merchant account processor.)

      I'm currently involved in e-tailing, and we're painfully aware of chargeback policies in that world. Verified by Visa / MasterCard Secure looked like potential solutions, but they're overpriced, and the latter, at least, is a complete joke.

      If I were a B&M merchant, I'd be very leery of accepting RFID cards; I see a lot of potential for those merchants to get screwed.

      Now, let's see; where did I put my long-distance RFID reader, anyway? :)

      --
      If you're not living on the edge, you're just taking up space!
    19. Re:Theft! by wcanevari · · Score: 1

      This week my wife received her new American Express card..... not green, but transparent. Clearly visible thru the plastic was a quadruple antenna loop around the edge of the card and a 1cm chip centered in the card top to bottom, and about 3cm off the right hand edge. A call to AMEX with a plea for a card without RFID (easy access they call it) resulted in a curt "no.... they all have it now." Well, stupid people, they made the chip location very obvious. Now my wife can carry the card on a chain if she wants.... using the hole I neatly punched thru the card where the chip once was. BTW, the card also has the traditional mag strip on the back as well..... I always have printed "ask for ID" on my cards, and have been asked about 75% of the time..... must be my honest face!!

  9. As a MasterCard customer... by Anonymous Coward · · Score: 1, Insightful

    ... I will refuse this. If I have no choice, I will cancel the account. It's like walking around with my card number tattooed on my forehead.

    1. Re:As a MasterCard customer... by cra · · Score: 2, Insightful

      More like on the back of your jacket where you can't see who is taking a note of your number.

      --
      This message has been ROT-13 encrypted twice for higher security.
    2. Re:As a MasterCard customer... by Joe+Random · · Score: 4, Interesting
      It's like walking around with my card number tattooed on my forehead.
      So? It's likely that in an RFID credit card system your account number will not be a very interesting piece of data. What the crooks will need is your private key, which will not be broadcast by the card.

      Merchants, I'm sure, will not process transactions unless the card passes a challenge/response cycle based on the private key encrypting or signing some data, with the public key available from the bank itself for verification purposes. So someone having access to your card number would be a non-issue. They'd have to have physical access to the card itself, which would make it more secure than the current system.
    3. Re:As a MasterCard customer... by Burning1 · · Score: 1

      Fine. Just relax: I'm sure they are going to give you the option.

    4. Re:As a MasterCard customer... by FirienFirien · · Score: 1

      THIS is interesting. If I don't have to take out my card, but DO still have to type in a pin (which takes around a second) then so long as that typing is shielded then it's a huge lump more secure than most of the posts in this thread so far are complaining about. Personally, I would prefer a pin that isn't simply 4 characters long - if someone vaguely sees the pattern or directional movements of your hands, they've got a huge chance of being able to guess your pin in a few tries. Even if that few tries > card lock, there's still a bunch of other typing patterns just about to happen. For those of us who type at speed, a pass phrase would take somewhere near that second for a normal pin - and would be a heck of a lot less easy to recognise and copy. Granted, people with bags in one hand and non-fast typers etc etc etc will disagree - but they should then be able to choose their system. If it's a 4-key PIN, then they've got the same security they had before.

      So: I agree with still putting in your private key (as noted by parent), and suggest as corollary an option to have a longer key if you want to have more security. Even if I'm restricted to the numpad, I can still think of a whole bunch of memorable ways of generating long sequences. Anyone who's played Tekken/etc will surely be able to splay a rapid-fire combo move. Anyone can think up their own memorable combo; if they can't, there's always the default 4-key.

      --
      Browsing with +2 to insightful posts and a higher threshold makes the average post seen seem a lot more ingenious
    5. Re:As a MasterCard customer... by slashnik · · Score: 1

      From http://www.mastercard.com/aboutourcards/faqs.html#q5 [www.mastercard.com]

      Q: How safe are these transactions? Can't someone intercept the data or get incorrectly charged for purchases when carrying the card?

      A: These transactions are just as safe as, if not more safe than, traditional payment transactions, as the PayPass feature incorporates special security technology to prevent "replay" fraud. MasterCard PayPass also provides more consumer control, since the card doesn't have to leave your hands to be swiped by the merchant. Additionally, MasterCard PayPass provides zero liability in North America, just like all MasterCard payment programs.

      No, it's not "like walking around with my card number tattooed on my forehead".

      It doesn't really look like RFID, more like a multipart handshake based on RFID technology.

    6. Re:As a MasterCard customer... by Anonymous Coward · · Score: 0

      This is not at all what the parent is talking about when they said "private key." The private key they're talking about is a cryptographic key that is stored in the card on a chip, but never broadcast. Read about cryptography.

  10. Wow... by Vo0k · · Score: 2, Interesting

    Now you can get pickpocketed without ever getting touched by the thief!

    --
    Anagram("United States of America") == "Dine out, taste a Mac, fries"
    1. Re:Wow... by Anonymous Coward · · Score: 0

      But what if I like getting touched by the thief?

  11. OOOH...4 million unsecure credit lines by realilskater · · Score: 2, Interesting

    With the known security flaws of RFID it is surprising that a credit card company would go this route. Oh, wait MasterCard wants people to be in debt to them. Now it all makes sense.

  12. next time an apple user bumps in to you... by bit+trollent · · Score: 0, Troll

    he may just want your credit card number.

  13. Anyone else concerned by SecureTheNet · · Score: 2, Funny

    about people walking through the mall with rfid readers? Will /. readers line their wallets with tinfoil? :-)

    --
    SecureThe.Net - Practical Resources for Securing Systems
    1. Re:Anyone else concerned by rincebrain · · Score: 2, Insightful

      After reading this, I'm going to.

      The sad part is, I'm completely serious.

      --
      It's only an insult if it's not true.
    2. Re:Anyone else concerned by likewowandstuff · · Score: 1

      You... you haven't already?

    3. Re:Anyone else concerned by BlueTrin · · Score: 1

      I guess that you are fine if you don't wave your card to card readers ...

      --
      Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
  14. Brings a whole new meaning to drive throu... by the_xaqster · · Score: 1

    Imagine, your greasy burger in your hands without even getting your wallet out!

    Not sure I really like this idea, _way_ too easy for someone to carry a RFID scanner on the tube for example, and come back with a huge haul of credit card info.

    --
    I'm just here to regulate Funkyness
    1. Re:Brings a whole new meaning to drive throu... by jamesh · · Score: 2, Insightful

      Many many people are posting along these lines. Do you all really think that Mastercard hasn't already thought of this and solved it???

      A simple solution would be to have an RSA key + engine on the card, so that the 'scanner' issues a challenge to the card and if the card can supply the decrypted string then it passes. A limit of 1 challenge per 30 seconds would stop anyone getting any useful data out of it. Presumably this is do-able using today's technology... or would an RSA engine use more power than could be received via the RF?

      I'm sure there are many other solutions too.

    2. Re:Brings a whole new meaning to drive throu... by dubl-u · · Score: 1

      Do you all really think that Mastercard hasn't already thought of this and solved it???

      Sorry, are we talking about the same people whose previous major innovation in security was to print an extra three- or four-digit PIN directly on the card? And the people who have rolled out pretty much nothing while identity theft went from a minor problem to a giant national clusterfuck?

      Yes, I expect them to do something retarded. From the announcement, they're talking about how these super-neat cards will get them revenue growth through added convenience, not how they'll increase security. I think their main criterion is that this should suck no more than magnetic stripes. And for a few years, until thieves make fancy new hardware, it probably will meet that.

      Of course, they could actually do something pretty smart, in which case I'll be pleasantly surprised.

      A simple solution would be to have an RSA key + engine on the card, so that the 'scanner' issues a challenge to the card and if the card can supply the decrypted string then it passes.

      That protects you against capture and playback attacks, but not man-in-the-middle attacks.

    3. Re:Brings a whole new meaning to drive throu... by Piquan · · Score: 1

      That protects you against capture and playback attacks, but not man-in-the-middle attacks.

      Hmmm... I'm trying to think of MitM attacks against this, and I can't think of any that can't be fairly trivially thwarted. I'm pretty sure there are some, but it's late and I'm tired.

      But there are other scenarios that I can see. For instance, you're at the jeweler while your buddy's in the food court. You both have small radios. You pick out a big diamond. Your buddy gets near somebody who looks loaded. The jeweler thinks you're using the RFID card, but really you and your buddy are just relaying it to the guy at the food court. (This is a restatement of an old problem involving grandmaster chess.)

    4. Re:Brings a whole new meaning to drive throu... by jamesh · · Score: 1

      Could there be a way of determining the distance of the card from the reader, that couldn't be trivially worked around? Obviously a simple radio ping wouldn't cut it as that could be spoofed by the repeater, and I have no idea if the distances we are talking about could even be measurable (mm vs 10's of m)

      So I guess the ping would have to involve the same sort of rsa, which would make any timing measurement unusable.

      Which pretty much means that 'no' is the answer to my question.

    5. Re:Brings a whole new meaning to drive throu... by dubl-u · · Score: 1

      But there are other scenarios that I can see. [...] you and your buddy are just relaying it to the guy at the food court.

      Ah, yes, that's exactly the scenario I was thinking about. I was using the term too loosely.

      As I read more, though, it looks like they're only accepting the swipe for $25 or less. Given that a primary use is getting gas and given the recent price of gas, it seems like they'll have to go to $50 or so. But that still reduces the possibility for high-volume theft.

      But it doesn't eliminate it. I was talking to a person who dealt with credit card fraud and he told me about people who steal gasoline for a living. One person buys $24.90 of gas over and over while their pal zaps people at the stoplight nearby. They probably wouldn't even get many chargebacks: if people are driving right by a gas station, it'd be easy for them to think they had just stopped there and forgotten.
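
The challenge/response idea debated in this sub-thread, modelled as an added example (not part of any poster's comment and not MasterCard's actual protocol). It shows why a fresh reader challenge makes a recorded response useless, and why that alone says nothing about how far away the card is. The toy textbook-RSA key, the account identifier and all class and function names are assumptions constructed for the illustration.

```python
import hashlib
import secrets

# Toy key built from two Mersenne primes (constructed for this example).
# Far too small and too structured for real use.
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, stays on the card

ACCOUNT = b"5500-EXAMPLE-0001"      # constructed account identifier


def digest(message: bytes) -> int:
    """SHA-256 of the message, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


class StaticCard:
    """Returns the same bytes to every query."""

    def respond(self, challenge: bytes) -> bytes:
        return ACCOUNT


class SigningCard:
    """Signs account + reader challenge; the private exponent is never sent."""

    def respond(self, challenge: bytes) -> bytes:
        signature = pow(digest(ACCOUNT + challenge), D, N)
        return ACCOUNT + b"|" + signature.to_bytes(32, "big")


def static_reader_accepts(respond) -> bool:
    """Reader that trusts whatever identifier comes back."""
    return respond(b"") == ACCOUNT


def signing_reader_accepts(respond, public_keys) -> bool:
    """Reader that sends a fresh random challenge and verifies the signature."""
    challenge = secrets.token_bytes(16)
    account, sep, sig = respond(challenge).partition(b"|")
    key = public_keys.get(account)
    if not sep or key is None:
        return False
    n, e = key
    return pow(int.from_bytes(sig, "big"), e, n) == digest(account + challenge)


class Recorder:
    """Stands for a passive listener: stores one response, plays it back later."""

    def __init__(self, card):
        self.card = card
        self.captured = None

    def observe(self, challenge: bytes) -> bytes:
        self.captured = self.card.respond(challenge)
        return self.captured

    def replay(self, challenge: bytes) -> bytes:
        return self.captured


def demo() -> dict:
    public_keys = {ACCOUNT: (N, E)}   # what the bank would publish
    results = {}

    static_tap = Recorder(StaticCard())
    results["static_genuine"] = static_reader_accepts(static_tap.observe)
    results["static_replay"] = static_reader_accepts(static_tap.replay)

    card = SigningCard()
    signed_tap = Recorder(card)
    results["signed_genuine"] = signing_reader_accepts(signed_tap.observe, public_keys)
    # Old signature covers the old challenge, so the new one does not verify.
    results["signed_replay"] = signing_reader_accepts(signed_tap.replay, public_keys)
    # Relay: the fresh challenge is forwarded to the genuine card elsewhere.
    # The signature is valid because nothing in it says how far away the card is.
    results["signed_relay"] = signing_reader_accepts(
        lambda challenge: card.respond(challenge), public_keys)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15} accepted={accepted}")
```

The relay case is the one the low per-transaction limit mentioned above is aimed at: the cryptography holds, so the exposure has to be capped some other way.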

  15. Nice by Anonymous+Crowhead · · Score: 1

    This will be very convenient at the 0.0001% of retailers who have a reader for the RFID.

  16. Conflicting RFIDs by Cytos · · Score: 5, Interesting

    This is not going to work well for anyone that has multiple RFIDs in their pockets. The current scanners are unable to decipher between different cards. I already have two cards that use RFID technology and am forced to either pull one out when I want to scan in or awkwardly adjust my wallet so that only one is read. Either way it just defeats the intuitiveness of it if I spend more time trying to get the thing to work instead of just scanning the card I had to pull out anyways.

    1. Re:Conflicting RFIDs by qazsedcft · · Score: 1

      A possible solution is to wear your cards on a cord around your neck or a retractable cord attached to your belt. My company's ID card is like this and it works very well.

    2. Re:Conflicting RFIDs by Goldenhawk · · Score: 1

      Inter-chip conflict is not a problem, really. The RFID spec is designed for this overlap. Just like Ethernet communications, the chip is programmed to select a random delay before responding, then "test the waters" and see if it's clear before sending. In short, there's anti-collision features built in to the chips and the readers. Even a simple Google search will give you complete details.

      Honestly, do you think this hasn't been considered? RFID was DESIGNED for warehouse operations, where literally THOUSANDS of identical chips (except for the serial number) were in reading range ALL THE TIME. Three cards in your wallet won't even make the system break a sweat....

      --
      --Brandon / Split Infinity Music

    3. Re:Conflicting RFIDs by swillden · · Score: 1

      Inter-chip conflict is not a problem, really. The RFID spec is designed for this overlap.

      *The* RFID spec?

      I've posted this a hundred times before, so here we go again... all "RFIDs" are not the same. There are several different technologies which use RF to transmit data short distances between cards/tags and readers. There are active and passive technologies. There are technologies that allow the chip in the tag/card to be very smart (a full-blown 32-bit microprocessor), others in which the tag does nothing more than reflect a signal back at a different frequency, and nearly everything in between. There are technologies that actively manage interference and overlap so that a reader can scan dozens of tags simultaneously, and there are others that take no such precautions, or even ensure that multiple devices in range actively interfere with one another for security purposes. There are technologies that are designed to enable readers to pinpoint the physical location of the tag, and those that know nothing more than in-range/out-of-range.

      The worlds of RFID and the related, but different, world of RF-enabled smart cards are complex. Simple statements of the sort "RFIDs can..." are nearly always wrong for at least some of the technologies.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:Conflicting RFIDs by gg3po · · Score: 1

      Of course you realize the solution to this is to implement a standard, government-issue, all-in-one RFID card that includes all financial information for all of my accounts, medical information, criminal history, psychological profile, and library reading habits. Maybe it shouldn't be a card at all, but rather an implanted chip -- that way I won't have to face the terrible inconvenience of losing it. The forehead or back of the hand would make convenient locations for such an implant.

      --
      ---
  17. Range? by interactive_civilian · · Score: 3, Informative
    Really? Just out of curiosity, what is the range of RFID in these cards?

    I only ask because my train pass (in Japan, the Suica card) is RFID, and you pretty much have to touch the sensor for it to work at the ticket gates. Anything more than about 5mm and it won't be read. You pretty much have to touch it to the sensor.

    So, unless someone with a scanner embedded into his/her pants bumps into you, I imagine you will be OK. If you are paranoid about it, you could always wrap your cards in tinfoil or something. ;)

    Or am I missing something, and these things are more remotely scannable than I thought?

    --
    "Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
    1. Re:Range? by Anonymous+Crowhead · · Score: 5, Funny

      These new 4th generation RFIDS (or 4GRFIDs as known in the industry) broadcast at a strength 64.2W (1.9 amps/hz) Though it might not seem like much, the signal is detectable by a dime sized reader at over 3000 yards and does not require line of sight. This reader can be easily assembled by about $13 dollars worth of parts (diodes,wires,etc) from RadioShack. There are instructions on the internet that are so simple, a child capable of drawing crude stick figures of his mommy and daddy with crayons could assemble one, link it to an offshore bank account and be draining bank accounts in less than thirty minutes.

    2. Re:Range? by gardyloo · · Score: 4, Funny

      So, unless someone with a scanner embedded into his/her pants bumps into you, I imagine you will be OK.

      It's not the scanners I'm worried about. It's the guys who *call* it a scanner, and are just really happy to see me -- THEM I worry about.

    3. Re:Range? by moro_666 · · Score: 3, Interesting

      the range always depends on the sensor, i'm pretty sure that some adequate h4x0rs can make their scanners work on 2-3cm distance or even more. if you have 10k cash on your account that a thief could "use", he will definitely "bump" into you and probably into some other people too :)

      imagine the power of such a scanner in a wall street elevator, you struggle through some people and "pay" a few minutes later while they are struggling for stocks.

      seems awfully insecure and i would advise against using this stuff. you could as well have cash hanging out of your pocket.

      i guess wrapping it into a tinfoil will make it quite prone to magnetical defects, not sure about that, but when the tinfoil gets magnetically/electronically charged by some external strong magnetic force, it may cause damage to your card in the long run.

      isn't it just easier to stick with the old cards ?

      --

      I'd tell you the chances of this story being a dupe, but you wouldn't like it.
    4. Re:Range? by amodm · · Score: 3, Interesting

      I don't know about the range and all. What I can tell is that I used to keep my company ID card (RFID based) in my wallet.

      I never really needed to bring my card out for swiping. I just brought my wallet in front of the scanner (at least 2 cms distance), and it worked.

      I wonder if in a subway, a guy could bring a scanner close enough to my pocket and sniff out my CC info.

      Worse, if the info is static, all he needs to do is replicate the same signals using any damn device. He doesn't even need to build another card, or decode the info.

    5. Re:Range? by lostchicken · · Score: 0

      You just made all that up, didn't you. "1.9 amps/hz"? A dime-sized reader? I don't know of a dime-sized much anything. A dime is really, really small. And 64.2W is a shitload of power. If my credit card is broadcasting with more power than my car's amateur radio transmitter, there's something horribly wrong, and you'd be able to pick it up in the next county, not "3000 yards".

      Man, the mod system here is broken...

      --
      -twb
    6. Re:Range? by tooth · · Score: 5, Informative

      When you bring the card near the reader it induces a current in the card to power it (Passive RFID). This is why you need to put it close to the reader. Once this happens you can snoop the signal from the card from nearby.

    7. Re:Range? by xurble · · Score: 1

      They're going to have to make it less sensitive than that though aren't they?

      I can't wave my wallet at the cashier to pay if I've got multiple cards - how would it know which one to pay with?

    8. Re:Range? by joe_bruin · · Score: 4, Informative

      You put your card up to the reader not because that is the range of the signal coming out of the card. Rather, it is the range of the magnetic induction field coming out of the reader to power the card. The signal the card emits can probably be read at 100 meters by a person with a high gain directional antenna.

      Of course, Suica cards are not that prone to theft because the most that person could do is take a spin around the Yamanote Line at your expense. When there's serious money involved, you will see someone place a high powered field generator in a trash can by the entrance to a mall, and then sit in a car nearby and gather access numbers from everyone going in or out and massively cash out. Non-contact based transactions are a bad idea. Faraday-cage wallet, here I come.

    9. Re:Range? by Dachannien · · Score: 2, Funny

      What's best is when they put the sensor on the inside of a window at about ass-height. If your RFID card is in your wallet in your back pocket, all you have to do is press your ass up against the window to get into the building.

    10. Re:Range? by Guignol · · Score: 2, Informative

      The card itself is just an antenna powering an embedded 'tag'.
      The power it will be able to get and partly send back will be a function of the field it is in. That field will be generated by the reader and, of course, different readers have different capabilities.
      I have installed several types and while most of them are 5 to 12 cms range, there are some that work at meter range.

    11. Re:Range? by Anonymous Coward · · Score: 0

      Hook. Line. Sinker.

    12. Re:Range? by Allnighterking · · Score: 2, Insightful

      Remember Range (in somewhat simplistic terms) is a function of two components. Component 1 is distance the transmitter can transmit a signal at level "X". Component 2 would then be the signal level, or sensitivity, needed by the receiver. Increase the sensitivity (or actually decrease the level at which it can read data.) and you increase the distance the signal can be transmitted.

      Increasing the sensitivity of the receiver is much easier and much less expensive than increasing the power of the transmitter. Witness the difference between a 400 dollar (US) FM radio in your car vs the 200 dollar Mono FM radio it came with. The radio station didn't boost its output, your radio sensitivity improved dramatically. With a simple doubling of retail price you now can listen to stations you previously didn't know existed.

      Now take and add in the final component of sensitivity .... discretion (You might have heard of discrete FM). The ability of a receiver to know the difference between viable data and useless noise. Now suddenly with a few higher quality components (that bus pass reader probably has a manufacturing cost on the order of pennies.) You suddenly can read the data at 3ft line of sight.

      Now 3 ft line of sight would easily translate to 1 foot through 1/4 inch of plywood (like in a counter.) Meaning that while you are giving the OK to a valid transaction you could also be giving authorization at the same moment to a second "hidden" transaction.

      Don't believe this could happen? Think about the two gentlemen arrested a while back for reading customer and corporate data from wireless cash registers. Just because you have to touch the intended receiver to register a transaction doesn't mean that that is the distance it can transmit. The actual distance a radio wave can go is when unobstructed and absorbed, infinite. However beyond a certain point a radio wave of signal strength Y is just too decayed to be able to be found in the cacophony of radio signals surrounding us. That guy that just bumped into you might not have picked your pocket. Instead he read your credit card.

      In the end promises of "We won't do X, Y, or Z" with the data stream we create is about as useful as websites claiming they won't sell data about you. I can tell you the ones that haven't, I can't predict the ones who won't.

      --

      I'm sorry, I'm too tired to be witty at the moment so this message will have to do.

    13. Re:Range? by thelonestranger · · Score: 1

      Tinfoil hats, now available for credit cards. Only 99c (starting bid) on ebay.

      --
      To err is human. To forgive is not company policy.
    14. Re:Range? by Anonymous Coward · · Score: 0

      Maybe it can only be picked up at 3000 yards BECAUSE it's being read by a dime sized reader ?

    15. Re:Range? by BrokenHalo · · Score: 1

      That's what worries me. There seems to be nothing to prevent a fraud from placing a RF gadget at hip-pocket height and making up his own transactions. It also seems that in a high-traffic situation, they are going to have to take steps to make sure the correct transaction is assigned to the correct card, rather than just $RANDOM_CARDS_IN_WALLETS.

    16. Re:Range? by nietsch · · Score: 1

      few meters if you do not power the card yourself. As a previous poster already stated, the card needs to be powered remotely for it to work. That is done with a pretty big low frequency field IIRC. The reader that is sending this field also has to detect the response through his own noise, that is why you need to be pretty close before it works. If you do not have to energise the chip, you can just listen from farther away and you will be able to 'hear' what the card says.

      There was this website on /. a while (can't be bothered to look it up now) where the author had built his own reader, that could record the emissions from rfid cards to open doors etc. and emit these signals to the real reader. He only had to stand nearby and push the record button at the right time to copy a card. A big coil, a pic and some other common components was all it took, he was very surprised about the lack of real security in them.

      For credit cards I sure hope they found a way to do two way communication so you can do a proper challenge-response authentication. But that is still very insecure as it does not combine something I know with something I have. I guess merchants still have to pay a share of the transaction to cover for all the disputed charges.

      --
      This space is intentionally staring blankly at you
    17. Re:Range? by StrawberryFrog · · Score: 3, Informative

      it is the range of the magnetic induction field coming out of the reader to power the card

      This is true.

      Anecdote: During the early trials of the Oyster RFID transport card in London, there was a problem with passing buses dinging the accounts of people waiting at the stop who didn't get on that bus. The solution was to reduce the power of the reader on the bus.

      --

      My Karma: ran over your Dogma
      StrawberryFrog

    18. Re:Range? by Anonymous Coward · · Score: 0

      Did you know that the next version of HTML is going to include a tag?

    19. Re:Range? by Anonymous Coward · · Score: 0

      Why can't there just be an 'authorize' button on the card, that is thermally sensitive - so you can only pay for things when you actually have the card between two fingers.

    20. Re:Range? by logpoacher · · Score: 1
      > Really? Just out of curiosity, what is the range of RFID in these cards?

      That is one of those unanswerable questions. You can only determine the maximum range of a radio system if the capabilities of both the endpoints are known (plus the characteristics of the channel, of course).

      An RFID is powered by the emissions of the reader, and transmits a small signal back.

      So with a sufficiently powerful and/or directional transmitter, I could activate your card from any distance. With a sufficiently directional and sensitive receiver, I can pick up the response. If the device sends the same response each time, I can repeat this over and over, and incrementally cancel out the noise.

      The readers in Japan sound as though they are pretty short-range, but that might be so that they don't activate many cards at once, which means that they can keep their signal processing system simple and cheap.

    21. Re:Range? by David+Horn · · Score: 1

      You can't (unless you've somehow changed the laws of physics) "magnetically charge" something. Wrapping it in tin foil will have no effect whatsoever on the RFID chip, and even if it did, the only thing to suffer would be the magnetic strip on the back.

      The RFID chips are remarkably robust, and I'm willing to bet you could expose it to some fairly massive magnetic fields without any problem.

      --
      PocketGamer.org - For the gamer on the go!
    22. Re:Range? by frostw · · Score: 1

      No need for any kind of physical button. Just an area on the card that must be touched by a finger (i.e. grip the card between thumb and forefinger at point 'X').

      The sensor would be capacitive, a la Ipod controls. Nothing to wear out. No transaction takes place without the card being held properly.

      --
      http://www.sydney-webcam.com
    23. Re:Range? by Sinclair12 · · Score: 1

      Passive RFID does not "broadcast" anything. Passive tags use an incoming wave as both a communication and power source; it bounces an incoming wave back at a fraction of the energy of what it was when it arrived. The other portion of energy is partially wasted through dissipation and partially consumed by the antenna/chip to read an EPC or some other number off of the chip.

    24. Re:Range? by Anonymous Coward · · Score: 0

      Dude, it was a freakin joke.

    25. Re:Range? by zootm · · Score: 1

      Well, "draining bank accounts" seems a little extreme since the system is apparently based on a strong encryption (?) scheme.

    26. Re:Range? by TractorBarry · · Score: 1

      Is that a scanner in your pants or are you just pleased to see me ?

      --
      Sky subscribers are morons. They pay to be advertised at !
    27. Re:Range? by Tony+Hoyle · · Score: 1

      At an office I sometimes go to they have RFID cards like that. The door unlocks when you're about a foot away from it.. there's a scanner panel but nobody ever uses it.

      If they started using credit cards like that I'd definitely invest in some kind of RF shielding.

    28. Re:Range? by ivan256 · · Score: 1

      The oscillating magnetic field that generates current in the coil that powers these transmitters has a much, much lower effective range than that.

      Sure, once it's powered up you can snoop the encrypted communications. Have fun with that. The chances of you initiating communications with an idle card without being a few inches away or less are essentially nil.

    29. Re:Range? by Kordmp · · Score: 1

      ummm, since every card reader in every store will have to be allowed to read it, all you have to do is buy a credit card reader, very easy to do, and hook it up to a transmitter/receiver and snoop away. Send out with a lot of power and receive with a sensitive receiver. Walk down a city street and poof you got yourself some credit cards.

    30. Re:Range? by SatanicPuppy · · Score: 1

      I know a guy who makes a joke about that:

      *Leans his ass up against the door to open it*

      *Bleep*

      "When I ordered these I told them I wanted RETINAL scanners...I guess they must have misheard."

      Where I work the scanners are too high up for such shenanigans.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    31. Re:Range? by zootm · · Score: 1

      Does it really seem likely that a credit card company would release a technology so easily circumvented?

    32. Re:Range? by Kordmp · · Score: 1

      lol, yes. How can you prevent this? I set up a passthru company and get an account with MasterCard. I have a credit card unit and randomly charge $20 to everyone as I walk down the street. How does the credit card know this is not a valid charge? I do this for a week, close up shop, close the business bank account, preferably opened overseas, and start again with a new company next week. Viola, I have a quick way to make money with very little effort.

    33. Re:Range? by Anonymous Coward · · Score: 0

      Actually, if you do find a magnetic monopole in your wallet, there are some physicists who'd like to take a look. :)

    34. Re:Range? by volsung · · Score: 1
      He probably meant "magnetize." You need a ferromagnetic material to be able to do that, though. If you don't make a habit of wrapping your cards in iron or nickel foil (or one of the various ferromagnetic alloys), you should be fine. :)

      As for electric charges, foil is such a good conductor, it's unlikely you'd be able to build up any charge at all with it bouncing around in your wallet. You'd have to turn your wallet into a little Van de Graaff generator....

    35. Re:Range? by zootm · · Score: 1

      Viola...

      ...is a musical instrument. I don't usually correct spelling, but that one amused me.

      On a more serious note, this post kinda contends the sort of thing you're talking about.

      Additionally, most criminals wish to be able to stay in their own country – if you got this to work, you'd need to steal enough cash before detection, since to get a store credit card system you'd definitely need to have your identity known, to leave the country and pay for your life overseas, outwith the reach of your government.

    36. Re:Range? by borawjm · · Score: 1

      A guy here does that but the scanner is a little bit higher than his "ass-height". He looks ridiculous when he stretches out his legs and stands on his tippie-toes as he presses his ass against the scanner to open the door.

    37. Re:Range? by drooling-dog · · Score: 1
      > all you have to do is press your ass up against the window to get into the building.

      Works for my girlfriend...

    38. Re:Range? by Anonymous Coward · · Score: 0

      Hahaha, for real man, I'd rather be a victim of identity theft than have some homo hit on me any day.

    39. Re:Range? by autophile · · Score: 1
      > What's best is when they put the sensor on the inside of a window at about ass-height. If your RFID card is in your wallet in your back pocket, all you have to do is press your ass up against the window to get into the building.

      So swiping your ass against the sensor would be a "butt-wipe"?

      --Rob

      --
      Towards the Singularity.
    40. Re:Range? by Kordmp · · Score: 1

      The post you refer to talks about copying cards. I am talking about just using it to make charges to the card without the person knowing because they think it is safe in their pocket. You aren't unencrypting anything; you are just making transactions with the person's card, just like any business would do. It takes very little to get a business account with MasterCard. It takes about 24hrs to receive a unit and account from them after submitting a web form. You just need a valid business license which anyone can get quite easily by walking down to the courthouse with fake ID and a bank account number. And opening the bank account in a foreign country was just because in some foreign countries it is easier to get an account w/o proper ID. You could do it in the US, almost as easily; a good fake ID, passports, driver license, social security cards, shouldn't cost you more than ~$600-$2000. By the time anyone could catch on, you are changing them anyway so no biggy. People steal people's credit cards now...produce fake IDs, set up bank accounts, steal money and move on to the next person. Heck, online companies are set up every day that charge you for stuff you didn't buy and close down overnight. This isn't really hard to do and is done all the time. Will they eventually be caught....yeah if they keep doing it, but they aren't concerned with being caught. In the meantime you suffer the hassle. The point I am trying to make is that it seems silly to make a card that can transact without human interaction or direct contact. At least put a PIN on it or biometrics or I think someone suggested using contact leads on both sides of the card so that it only works when you connect the leads by holding it with two fingers on each side of the card.

    41. Re:Range? by zootm · · Score: 1

      In this case the party responsible is either the credit card company, for accepting such meagre proof of identity. You should be able to get any money stolen back, and the credit card companies would soon change their policies if this was a valid means of attack.

      I suspect it's too traceable to be cost-effective. I'm not convinced you'd get enough return on the cost of your IDs and the machine itself before they'd shut the system down, and even if you did you could probably never do the same thing more than one or two times before your description was well-known. The companies who commit fraud online are generally based outside the reach of the law in the countries of the people they trick, or are not traceable. In addition, you need a lot less information to get money from someone's card online than through one of these systems.

      That's not to say that a little extra security isn't warranted, though. The standard they are built on apparently has support for embedded biometric data, which could sort it all out were it ready for the market :). I'd certainly be hesitant about using a card one "just waved", if only in case I lost it.

    42. Re:Range? by Anonymous Coward · · Score: 0

      And that's true even when you're not home :(

    43. Re:Range? by Kordmp · · Score: 1

      I agree the stolen/lost case would really be bad. Especially if you didn't realize it at first. Just to note the exact scenario I am talking about is done today with stolen cards. A lot of the companies that commit fraud online are based outside this country but a lot of them are run by people inside this country. I used to know a person who used stolen credit cards to do just this scenario. Luckily he finally got caught, but not before several years of making hundreds of thousands of dollars. I am not as concerned about being reimbursed as I am about being inconvenienced by something they think is supposed to provide me more convenience. I always call for a manager if a clerk doesn't ask me for ID when using a credit card, when I have written on the back PLEASE ASK FOR ID on the back. People are too worried about making things easy, instead of secure. Unfortunately, the truth of the matter is, no matter what we do we will always have people that will get around the system to steal your money, I would just prefer to make it harder for them, than to just have them walk past me.

    44. Re:Range? by zootm · · Score: 1

      In this country we have to enter our PIN to purchase (used to be signature) so it's a little less bad, but yeah, convenience can take precedence over safety sometimes, and that's rarely good.

    45. Re:Range? by Anonymous Coward · · Score: 0

      I think the last record attempt was about 69 feet.

  18. Wait... by Anonymous Coward · · Score: 0


    You just wait until I wave my RFID MasterCard after I pull it out of my iron box wallet.

  19. Fraud Prevention. by ciroknight · · Score: 4, Funny

    Quick, start selling Tinfoil hats!!!!.. for WALLET!!!

    --
    "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
  20. Swiping that hard? by Unsus · · Score: 1

    I never knew people found swiping a card so difficult. I do enjoy the fact that I don't have to do rudimental math when using a credit card, but this is a bit ridiculous and definitely not worth the security risk. Usually I hand the card to the cashier anyway, so I really don't see this as much of an innovation.

  21. I'm an honest person... I'm an honest person... I' by Anonymous Coward · · Score: 0
    "I'm an honest person."

    It's my new mantra. I need to keep reminding myself that no matter how vulnerable the systems become, I'm an honest person; but, honestly they are making it really really hard. Years studying and implementing security... and for what? Peace of mind... hhhmmm how about a great BIG Piece of the Pie.

  22. Next stop? by andersa · · Score: 1

    What do you mean, next stop? RFID theft is where the trip starts!!

  23. Get some facts by scdeimos · · Score: 4, Informative

    PayPass FAQ page: http://www.paypass.com/faq.html

    I'm not sure what the benefit of these is since you still have to take your card out of your pocket/wallet/handbag to swipe it over the scanner (only works within an inch). Anyone who has trouble swiping cards with mag stripes (which seems to be becoming a more-common problem as technology progresses) will likely think this a good thing - one swipe and that's it.

    The issue of Card ID theft isn't really that much more than it already is.

    1. Re:Get some facts by zurab · · Score: 1
      > The issue of Card ID theft isn't really that much more than it already is.

      How so? Instead of picking your pocket and removing your wallet from it, all I would have to do is stand next to you with a small scanner in my hand/pocket in an unsuspecting environment - i.e. any crowded place. The FAQ page you linked to doesn't address this issue.
    2. Re:Get some facts by MassacrE · · Score: 1

      It uses two factor auth, i.e. it doesn't just broadcast out a static credit card # to anyone who can induct a current through it.

    3. Re:Get some facts by BathAndy · · Score: 2, Interesting

      Within an inch is enough. Your wallet will have to be twice the recommended thickness (ie middle of wallet) for it not to work. Anyway if the range is too long, there is the issue of paying for services inadvertently. My wife and I were in Hong Kong, where they have the 'octopus' card system. It worked well enough to pay for subway/taxi/buses/fast food without taking the card out of my wallet or out of my wife's purse.

    4. Re:Get some facts by Skapare · · Score: 1

      Within an inch, eh? I guess this gives "pick pocket" a new twist. While standing in the crowded train, you feel that bump on your backside and wonder if your wallet just got lifted. You put your hand in back to check ... nope ... it's still there so you don't need to worry. Yeah, right!

      And besides, what's to stop me from boosting the gain on my own reader?

      --
      now we need to go OSS in diesel cars
    5. Re:Get some facts by Anonymous Coward · · Score: 0

      Why are you still putting your wallet in the back pocket anyways? Considering how easy it is to get pick pocketed back there, and how easy it is to have stuff fall out, isn't that pretty stupid to begin with?

      The smarter thing to do is to stick it in the front pockets..that way if someone reaches in, it will either:

      A)Feel really good (you pervert)
      and/or
      B)You'll know someone is going for it, time to spin around and sucker punch the sorry sod!

    6. Re:Get some facts by Widowwolf · · Score: 1

      Is that a scanner in your pocket or are you just happy to see me!

      --
      ~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
    7. Re:Get some facts by scdeimos · · Score: 1

      Whilst it's not all the fault of the credit card companies, Credit Card Security is nothing better than pathetic.

      You don't need to look far to see stories about millions of credit card details getting stolen, or Hotel chains putting full unencrypted card details and address information on their swipe cards. Whilst Google, Yahoo and major search engines are very good now at filtering them from their results, online shopping sites for small businesses are still lax in their security by having their online order files with customer names, addresses and credit card details freely downloadable (if you know the URL), often in something as simple as a CSV file maintained by FrontPage extensions.

      So why would Johnny Hacker spend time and money acquiring an RFID Card Reader so he can tour buses and trains to swipe card details for a few individuals, with the increased risk of getting caught, when he can stay in front of his computer to get hundreds, thousands or millions of cardholder details with far more ease? Again I say: The issue of Card ID theft isn't really that much more than it already is.

    8. Re:Get some facts by zurab · · Score: 1
      > So why would Johnny Hacker spend time and money acquiring an RFID Card Reader so he can tour buses and trains to swipe card details for a few individuals, with the increased risk of getting caught, when he can stay in front of his computer to get hundreds, thousands or millions of cardholder details with far more ease? Again I say: The issue of Card ID theft isn't really that much more than it already is.

      Well, you could say anything you want to, but I disagree. With the traditional credit card you, the customer, have a choice of giving your details to only those merchants who you trust - and you know at all times who you gave your info to. If the security of those merchants is not adequate, then that's the risk you are taking. With the RFID credit cards, not only is that same risk related to merchant data security still there, but also there is an added risk of getting scanned by a malicious RFID data thief in a public place.

      As for why would someone do that:
      1. The list you find online may no longer be valid - numbers on watch or cancelled by credit card companies
      2. Online list may be out of date or have incomplete information - e.g. no phone number, zipcode, security code, etc., etc.
      3. You can't use the list you find online in brick & mortar shops unless you manage to write that CC data onto a physical card
      4. You know that you only have to get the RFID "card" close to a scanner - it doesn't have to be a card, can be any similar transmitter
      5. RFID CC data stolen from the street has a much larger chance of being valid and useful - most people don't carry their expired credit cards around
      6. Go to a ballgame, movie theaters, subway stations, shopping malls - provided these cards become very popular you could literally collect hundreds of numbers per day. Sell for profit to people with even more malicious intent.

      So, yes, there are added risks for RFID cards on top of already existing risks of traditional credit cards.
  24. More erroneous charges?? by icecow · · Score: 1

    I can't look at a receipt from Stater Bros without seeing a price mistake, keep my cable bill from jumping to a new rate, and I stress out when I'm driving barely too slow to stop when the light turns yellow, and now this?!

    --
    Stop invalid scientific research. Ask your local scientists to feed their lab rats with a phytoestrogen-free chow.
  25. Limit of liability by NoGuffCheck · · Score: 2, Interesting

    Here in Australia we have zero liability on credit cards. That means if the card is stolen or even if you're charged for something you didn't buy and you still have your card, then the bank takes the money back from the retailer and credits you. It can actually be quite simple depending on which financial institution and in the spirit of crappy customer service who answers the phone when you call said company to report the misuse.

    I have heard that in the US you have a 10% limit, eg if someone steals your card to buy $100 worth of goods you get $90 back from the retailer via the card issuer.

    So I'm guessing that as the current situation is, security is to a large part down to the retailer.

    The same security issues will remain, most credit card fraud is done remotely ie: without the card in hand. So this will always remain, unless the new RFID cards will require you to be present, but with online shopping booming, this would be a step in the wrong direction.

    --
    serenity now!
    1. Re:Limit of liability by Motherfucking+Shit · · Score: 3, Informative
      > I have heard that in the US you have a 10% limit, eg if someone steals your card to buy $100 worth of goods you get $90 back from the retailer via the card issuer.

      In the US, federal law limits a cardholder's total liability for fraudulent charges to $50. If someone steals your card info and goes on a shopping spree, by law the credit card company cannot ask you to pay any more than $50, no matter how high the total of fraudulent charges. In practice, liability for fraudulent charges is normally zero here too. Almost all of the major issuing banks will immediately credit you for the amount of a disputed charge, and then debit the merchant for the same amount. Unless the dispute turns out to be false (i.e. the retailer has a receipt with your actual signature on it) you never pay a cent.

      Speaking as someone who's been on the merchant side of things in both online and brick-and-mortar situations, I can say that this policy is a double-edged sword. Proving cardholder fraud (where the customer buys something, then decides they don't want to pay for it) and winning a chargeback is dead easy when you're using a point of sale terminal. Proving cardholder fraud with internet based transactions, especially when you're selling a service instead of a tangible (shipped) product, is next to impossible and the merchant will almost always lose.

      OTOH, when someone used my credit card to order $600 worth of Victoria's Secret merchandise online a few years ago, it was nice that all I had to do was fill out a form on my bank's website to dispute the charge and get my money back. I still have that card, with the same number, and it's never been abused since. I always wondered where they got it from, and why they only used it once.
      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    2. Re:Limit of liability by 200_success · · Score: 1

      Under US Federal law, the cardmember is liable for up to $50 (that's 65 Australian dollars) for unauthorized usage of a credit card. In practice, many of the better issuing banks go beyond the requirement and offer zero liability.

  26. Not the same "RFID" by RzUpAnmsCwrds · · Score: 5, Informative

    The MasterCard system, like all of its type, uses the ISO/IEC 14443 contactless smartcard standard.

    ISO 14443, unlike most RFID standards, is a cryptographically strong system that renders eavesdropping useless.

    1. Re:Not the same "RFID" by Panaflex · · Score: 4, Interesting

      Yeah, this is GREAT crypto guys! I have to disagree, as there's plenty to be said here.

      From TI:
      > using National Institute of Standards and Technology (NIST) approved crypto algorithms, including Triple DES and SHA-1

      Ok, my limited crypto background says that TDES and SHA1 are headed towards the junkyard. Not that it's trivial to brute force these guys - but there are some SERIOUS questions on the long term usage of these algorithms.

      To wit: A system built on these algorithms should not expect security beyond a few years. It's not computationally worth it NOW, but perhaps in 5 years it may be trivial to breach.

      AES is much more secure and faster than TDES. It is more complicated circuit wise, but certainly doable. Additionally, the SHA1 algorithm is under heavy scrutiny now, and short plain text lengths may have heavy collisions with other viable texts. Remains to be seen.

      Regardless, if I were developing a system for the next 10-20 years I would certainly aim a little higher than TDES - just my 2 cents.

      Pan

      --
      I said no... but I missed and it came out yes.
    2. Re:Not the same "RFID" by Panaflex · · Score: 1

      Forgot my source for the crypto info. First item listed is "New ISO 14443 Solution for MasterCard PayPass(TM)"

      --
      I said no... but I missed and it came out yes.
    3. Re:Not the same "RFID" by PowerKe · · Score: 3, Interesting

      So 2 people need to work together to steal some money. One stands close to the victim and the other walks over to the cashier. Instead of recording the signal you now proxy it. The one at the cashier picks up the signal from the reader and uses a wireless transmitter to get the signal to the person by the victim who sends the data to the card. Send the response from the card back to the reader and you're done.

    4. Re:Not the same "RFID" by RzUpAnmsCwrds · · Score: 1

      Which is more likely: someone cracking the encryption (which, even in 20 years, will require time, resources, and expertise far beyond what most criminals are capable of), or having the card stolen through a mugging or pickpocketing?
      Door locks work because they require criminals to have more time and more resources. Picking a lock takes specialized equipment and knowledge. Breaking down a strong door requires time and heavy equipment.
      The more work a crime requires, the less attractive the payout becomes. Credit card theft is an unattractive crime because it is difficult to actually get away with:
      - Buying goods in a store means that you are videotaped. You also have to come up with a plausible fake card (unless you steal the original - difficult to do without the victim knowing). Moreover, if the card is reported stolen, you may be arrested on the spot.
      - Buying goods online requires a shipping address.
      - Cash advances mean getting photographed at an ATM, and they tend to raise fraud alerts
      - Selling stolen goods is always a problem
      The security behind this system accomplishes the same thing as a decent lock. Is it unbreakable? Absolutely not. Is it enough to deter most fraud? Yes.

    5. Re:Not the same "RFID" by EiZei · · Score: 1

      > Regardless, if I were developing a system for the next 10-20 years I would certainly aim a little higher than TDES - just my 2 cents.

      Not if you are supposed to make profit. The customers won't care when it comes to cryptography anyways.

    6. Re:Not the same "RFID" by geekpowa · · Score: 1

      The 3DES crypto used on these cards is safe from brute force attack because you have to brute force the card itself - and since an authentication cycle takes anywhere from 20ms to complete, you are looking at several thousand years of processing to discover a single key. The biggest issue with them is that they generally use a single global shared secret that is built into cards and readers. So potentially a lot of people need to know what the secret is for purposes of card and reader provisioning/manufacture. Also apparently it is possible to attack the silicon directly - both cards and readers. Once the secret is discovered the whole system is compromised and there is nothing you can do. It is a very brittle security system. ISO14443 can be strengthened via various tricks such as making sure data on the card is signed using PKI - EMV relies on this heavily. To my knowledge PKI on the cards themselves is not practical - PKI is too computationally intensive for passive cards.

    7. Re:Not the same "RFID" by Twylite · · Score: 1

      Your crypto background doesn't matter. The banking industry has a massive investment in infrastructure that takes years to change, and cannot be changed any faster because of the huge cost involved.

      By the beginning of 2006 most security in the retail banking industry will have moved off single DES and on to Triple DES. Those that haven't will foot the bill for fraud on their systems rather than passing it on to their banks or Visa/Mastercard.

      The system is expected to be based on TDES until at least 2012. By then it will still not be advantageous to attack the system: the cost will exceed the gain. This is a factor not only of the current strength of Triple DES, but of monitoring systems that will detect fraud patterns in time to respond appropriately.

      The algorithm is also of little concern because there are far weaker points to attack in a payment network -- ones that are inherent to the existing infrastructure and that are going to take some time to go away.

      Because the entire payment network is based on TDES, there is no option but to use TDES at the moment. SHA1 is used in conjunction with RSA as part of the new EMV payment system, which I'm guessing Pay Pass uses (I haven't seen the specs).

      Chances are also good that Pay Pass will only permit transactions up to a certain value unless a PIN is entered, providing a balance between security and convenience.

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
    8. Re:Not the same "RFID" by Detritus · · Score: 3, Insightful

      DES, and its variants, have the advantage of not having succumbed to decades worth of cryptanalysis. AES may be better, but it is relatively new, and hasn't received the same amount of cryptanalysis as DES. New isn't always better.

      --
      Mea navis aericumbens anguillis abundat
    9. Re:Not the same "RFID" by madman101 · · Score: 1

      Wonderful. You now have an encrypted string that you can't decrypt. What have you accomplished?

    10. Re:Not the same "RFID" by PowerKe · · Score: 1

      The idea is to proxy the signal, without interpreting it. The only thing I want to accomplish is to have the card reader talk to a card that's far away. It's kinda like a walkie-talkie, but instead of transferring voice, it's transferring an RFID conversation.

      So I stand over at the cashier with a receiver that picks up the authorization request and retransmits it via wireless. A friend stands next to you, picks up the wireless signal and re-transmits the RFID authentication request to your card. Then he uses his RFID receiver to pick up the response and re-transmit it back to my device which will send it to the card reader again. That way I don't have to understand anything from what the RFID data is about (it could even be transferred in analog form), but the card reader would be talking to someone else's card.

    11. Re:Not the same "RFID" by PowerKe · · Score: 2, Informative

      Apparently it already has been tested and found working: http://www.cl.cam.ac.uk/~gh275/relay.pdf

      I found the link thanks to this post by gaetan-g.
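
The distinction argued in this sub-thread (a recorded response is useless against a challenge-response card, while a live relay still passes unless the reader bounds the round-trip time) can be shown in a short simulation. This is an added example, not part of any comment or of the PayPass specification; HMAC-SHA256, the shared key held by the reader, the class names and every timing value are assumptions chosen for illustration.

```python
"""Replay vs. relay against a challenge-response contactless card (simulation)."""
import hashlib
import hmac
import secrets

# All timing values are constructed for the example. Real distance-bounding
# protocols measure far finer delays than whole milliseconds.
CARD_PROCESSING_MS = 20.0   # time the card needs to compute its answer
RELAY_HOP_MS = 15.0         # one-way delay added by a radio relay link
MAX_ROUND_TRIP_MS = 25.0    # the reader's timing bound


class Card:
    """Card that proves knowledge of a key by answering a fresh challenge."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class DirectChannel:
    """The genuine card is held at the reader."""

    def __init__(self, card: Card):
        self.card = card

    def exchange(self, challenge: bytes):
        return self.card.respond(challenge), CARD_PROCESSING_MS


class ReplayChannel:
    """Plays back one response recorded during an earlier transaction."""

    def __init__(self, recorded_response: bytes):
        self.recorded = recorded_response

    def exchange(self, challenge: bytes):
        # The recorded bytes were computed for a different challenge.
        return self.recorded, CARD_PROCESSING_MS


class RelayChannel:
    """Forwards the live challenge to a distant genuine card and back."""

    def __init__(self, card: Card):
        self.card = card

    def exchange(self, challenge: bytes):
        response = self.card.respond(challenge)
        return response, CARD_PROCESSING_MS + 2 * RELAY_HOP_MS


class Reader:
    """Verifies the response and, optionally, how long it took to arrive."""

    def __init__(self, key: bytes, enforce_timing: bool):
        self._key = key
        self.enforce_timing = enforce_timing

    def authenticate(self, channel) -> str:
        challenge = secrets.token_bytes(16)  # fresh for every transaction
        response, elapsed_ms = channel.exchange(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return "reject: bad response"
        if self.enforce_timing and elapsed_ms > MAX_ROUND_TRIP_MS:
            return "reject: too slow"
        return "accept"


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)
    card = Card(key)
    recorded = card.respond(secrets.token_bytes(16))  # overheard earlier
    plain = Reader(key, enforce_timing=False)
    timed = Reader(key, enforce_timing=True)
    return {
        "direct, no timing check": plain.authenticate(DirectChannel(card)),
        "replay, no timing check": plain.authenticate(ReplayChannel(recorded)),
        "relay, no timing check": plain.authenticate(RelayChannel(card)),
        "direct, timing check": timed.authenticate(DirectChannel(card)),
        "relay, timing check": timed.authenticate(RelayChannel(card)),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:26s} -> {outcome}")
```

The cryptographic check alone cannot tell the relayed card from a present one, because the response is genuine; only the added latency separates the two cases.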

  27. Re:I'm an honest person... I'm an honest person... by rincebrain · · Score: 1

    I agree. It's so very sad how many people believe in the inherent security of all systems, without any evidence...

    It's even sadder, however, how many system developers don't care, or don't have the knowledge to implement it.

    --
    It's only an insult if it's not true.
  28. Multiple cards... by Palal · · Score: 1

    This is another thing I don't quite get... If you have multiple cards, as most of us now do, will we get double-charged for swiping a wallet on the scanner, or does MasterCard want full and complete monopoly here? BTW, the only reason train passes have not been hacked yet is the fact that the rewards are much less than those associated with credit cards.

    --
    -Palal
  29. security? by weighn · · Score: 1
    worried about security? It's such an obvious question, so I read TFA - not a mention.

    Perhaps we can opt to have these RFID thingos embedded into an appendage. But then, wouldn't that tempt someone into cutting my leg off?

    --
    Mongrel News all the news that fits and froths
  30. Lazy people by pair-a-noyd · · Score: 0, Redundant

    will reap what they sow.

  31. What a brilliant idea by jandersen · · Score: 0, Redundant

    Just imagine having paid for things you don't know about just by standing in the wrong place ;-)

  32. They will go the extra mile to rid the kinks... by icecow · · Score: 0, Flamebait

    The next natural step is to install dozens of hi-res video cameras in check out areas, snap pictures of people as they enter the front sliding doors, and at check out areas. That alone almost sounds good. The problem is they will only show the parts of video tape they want to. That's scary. The police are doing that sort of thing now. It might also make it 'reasonable' to scan people at the door for criminal electronic devices.. Like Ipods! MwaHahaAhaHA..

    --
    Stop invalid scientific research. Ask your local scientists to feed their lab rats with a phytoestrogen-free chow.
  33. Protection available already! by gaetan-g · · Score: 3, Informative

    A company called Taiyo (located in Shibukawa city, Gunma prefecture) recently developed a super thin (0.4mm) credit card size device for skimming protection. Consumers put it on top of RFID cards to prevent the cards from being secretly read by strangers etc. It's called "Skimming Card" (though I would rather call it "Anti-Skimming Card"). What's interesting about it is in how it works -- When (Anti-)Skimming Cards are exposed to electro-magnetic fields created by RFID readers, they create excess electric current in it and actively create "reverse" electro-magnetic fields that are approximately the same strength as the readers' fields, thereby preventing RFID readers from reading RFID cards. We can relax now :-)

    1. Re:Protection available already! by E8086 · · Score: 1

      That's nice for when you're walking around not using your card, but what about during those few seconds when you take your card out to pay for something?
      Unless you're referring to a device that would restrict reading of the card to one direction.

      I may be thinking of something else, do you have a link with pictures?

      --
      F7 doesn't work, ignore spelling and grammar
    2. Re:Protection available already! by gaetan-g · · Score: 1

      there's a few links on Google but I cannot find any pic...

      http://www.google.com.au/search?hl=en&q=anti+skimming+rfid&spell=1

      I am asking a Japanese friend to look for me... but I guess as mentioned by kf6auf, probably a bit of foil around your wallet.

      Once you take the card out of the wallet... well... make sure you keep it foil wrapped...

      time to buy shares in foil companies ;-)

      You may also want to check this :
      http://www.semiconductors.philips.com/markets/identification/articles/success/s65/

  34. Tinfoil, or... by Trejkaz · · Score: 1

    I guess if you made a duct tape wallet out of metallic duct tape, it would block radio waves for free. :-)

    --
    Karma: It's all a bunch of tree-huggin' hippy crap!
  35. Convenience for Thieves by LuYu · · Score: 0, Redundant

    I can just see the commercial now:

    In the old days, stealing used to be difficult: You had to be quiet and stealthy or very tough. Nowadays, with the convenience of MasterCard(tm), you can steal from just about anybody as they pass down the street with just the simple press of a button. From across the street or from your living room, MasterCard(tm) allows you to acquire credit card numbers with no access to the physical card. Truly, it has never been a better time to be a thief.
    Or, as my friend put it:
    rfid credit cards, $2, scanner for rfid chips, $1, easy theft, priceless
    Is this really as stupid as it sounds? Or is it yet another plot to make biometrics appear more "safe"?
    --
    All data is speech. All speech is Free.
  36. PayPass vs. Octopus by fuzheado · · Score: 5, Interesting
    Here in Hong Kong, we've had one of the earliest and most successful RFID "touch card" payment systems in Octopus Card, but here's why I'm wary of PayPass:
    • It's a credit card, which means the limit is theoretically your credit limit of thousands of dollars. (Yes, I know they say it's for transactions under US $25, but do I trust their software?) The Octopus system is anonymous and stored value. You can only lose as much cash as is in the card, which is typically less than US $15.

    • It doesn't display much information about the transaction. Octopus displays how much has been deducted, and how much is left on the card. For PayPass: "When you present your PayPass card to the terminal, you will see a series of lights on the terminal. When all the lights have lit, you will know that your card has been properly read. If you want a receipt, simply ask the clerk to give you one--it is available, should you request it."
    #include coolsig.h
    1. Re:PayPass vs. Octopus by Motherfucking+Shit · · Score: 3, Funny
      PayPass vs. Octopus
      I can't wait until these two companies eventually merge. "PayPuss: Don't leave home without it."
      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    2. Re:PayPass vs. Octopus by marko123 · · Score: 1

      "PayPuss: pay for it if you're married or single."

      --
      http://pcblues.com - Digits and Wood
    3. Re:PayPass vs. Octopus by Anonymous Coward · · Score: 0

      What about when they merge with PayPal:

      PussPal.

      That sounds like a business that would get some interest around here.

  37. MOD PARENT DOWN by Anonymous Coward · · Score: 0

    He is a known troll

  38. Maybe not now, but soon enough... by Lawfer · · Score: 1

    Correct me if I'm wrong, but doesn't RFID technology work similarly to sonar? The scanner sends out a certain frequency wavelength, the chip uses the wavelength as an energy source and sends back data for the scanner to interpret. So while the technology might not be here and easily accessible/affordable yet, wouldn't it be reasonable foresight to assume that the technology to scan a person's credit card from a distance of even a foot or so will be soon coming and completely undefended against?

    1. Re:Maybe not now, but soon enough... by Concerned+Onlooker · · Score: 2, Funny
      Correct me if I'm wrong, but doesn't RFID technology work similarly to sonar?

      No. You'd have to be bats to use sonar.

      --
      http://www.rootstrikers.org/
  39. Soooooo lame, make it stop! by TheLittleJetson · · Score: 2, Insightful

    by simply waving their cards at readers posted near cash registers

    Is it just me, or is waving your card in front of a reader pretty much the exact same motion as swiping it in a slot?

    1. Re:Soooooo lame, make it stop! by Widowwolf · · Score: 1

      Yes and you may be a "I am a REAL American from Canada, not a wanna-be from the country, self called "last remaining superpower" "of America" but you still can't spell worth a damn...oh and if it's that cold you have to pull out your RFID card anyway...so is there any real difference..it really is the same motion, and who's to say the SWIPING (notice only 1 p there) will work every time without fail. While I do think that getting away from the mag strip reading strips is good (they wear out and sometimes cannot be read unless you put a plastic bag over 'em) I don't think that RFID is the way to go..

      --
      ~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
  40. RFID can be secure. by Serious+Simon · · Score: 2, Interesting
    It won't be so easy to copy an RFID credit card as many people here seem to think.

    ISO14443 RFID cards have been on the market for years and are often used in public transportation. These have a range of at most 10 cm and implement challenge handshake encryption such as triple DES.

    So you can only communicate with such a card if you have the proper encryption key. And if you manage to intercept the communication between such a card and a legitimate reader, it will contain no meaningful information unless you are somehow able to break the encryption.

    1. Re:RFID can be secure. by Anonymous Coward · · Score: 0

      Oh, and what about the guy in France who BUSTED their system, in 486 era days by being able to buy and experiment with the readers and get the private key(s). Will the card lock up/slowdown if it is hit with millions of challenge/ responses or given the electron scanning microscope treatment which will reveal the master key to the lot?

      Remember, encryption need not be broken, it can be recorded, and a GPU or DES card made to work on the solution, with the mark being whacked months or years later. The banks fear this, as the recall cost for issued cards once the key escapes can be sizable. (ie Sat cards).

      Lastly RFID cards cost a lot more than magstripe, yet that pesky law that makes banks liable for fraud, means they have no interest in secure systems, and the cost of irate customers telling them their mobile 'cooked' the card.

      Articles by Ross Anderson boil down to $40 RFID cards are good, $2 consumer grade RFID cards are less good. Unlikely anyone will issue $40 cards for $15 or less.

    2. Re:RFID can be secure. by MobyDisk · · Score: 1

      Whatever happened to these systems? As I understood it, an encrypted handshake combined with some other well-known techniques provides for an anonymous digital cash system. Why is there no company that has implemented this?

  41. Not an accurate argument by Anonymous Coward · · Score: 0

    The MasterCard system, like all of its type, uses the ISO/IEC 14443 contactless smartcard standard.

    ISO 14443, unlike most RFID standards, is a cryptographically strong system that renders eavesdropping useless.


    The point here is that transmitting this through the air makes eavesdropping possible, thus your argument of better security falls apart.

    A computer that is not connected to the internet is much more secure than one that is, no matter how many security packages are installed on either of them.

  42. Gas Pumps? by JamesTheBoilermaker · · Score: 1

    You can only use the RFID on purchases of less than $25, so I guess it won't really work too well at gas pumps.

    1. Re:Gas Pumps? by Anonymous Coward · · Score: 0

      Do you spend that much more at Gas pumps? I don't and gas is expensive where I live in Europe.

    2. Re:Gas Pumps? by sagenumen · · Score: 1

      Do you have a 6-gallon tank or something? I rode until 'E' last week and it cost me $50 to fill all the way...

      I *routinely* spend more than $25 at the pump.

  43. This is easier how? by el_womble · · Score: 4, Insightful

    Chip and pin was bad enough. Clerks still handle my card, and from a mugging perspective, it's far easier to beat a 4 digit pin out of me, than the ability to write my signature (at least forgery was skill?). But chip and pin does represent a step in the right direction (one step backwards, two steps forward). Not using a clerk to verify your identity is probably a good move in the long run, and keeping the pass phrase in plain sight was never a good idea.

    What I'm not sure about with these RFID is where is the feedback that the transaction was successful? If you still have to wait for the terminal to handshake with the central database and process the transaction, it still takes as long as a conventional credit card - then there is no improvement. If there is no identification process, short of possessing the card how is that better for my security? If it's part of the build up of biometric ID, is that really going to be any quicker, more convenient or secure than using a human to identify another human?

    My girlfriend's father has banked with the same branch his entire life. When he walks into the bank the people know him. Now don't get me wrong, he "Hates the bastards", but he won't change branches because, when he sent his new accountant in to withdraw some cash, they took the accountant to one side and refused the transaction until they had verified his identity via a phone call. It was quick and painless. The trust was human, the identification was human.

    The interesting thing about that story is that it identifies the absolute reason we need human trust mechanisms (because they work and are intuitive) and the absolute reason we need automatic trust - I don't want to have to make friends with every clerk/manager in the world before they'll accept my credit card - and I want the freedom to change banks.

    I don't think RFID for credit cards is a good idea. In fact I don't think credit cards are a good idea - they are a hack. They are a machine readable identification tool - what we need is a technology that identifies you by looking at you, talking to you, smelling you. If my mom's Lhasa Apso (possibly the stupidest breed of dog on the planet) can identify me from a line up then at some point we need a technology that has a similar capability.

    --
    Scared of flying, pointy things since 1979!
    1. Re:This is easier how? by Anonymous Coward · · Score: 0

      FWIW, the cashier isn't supposed to touch your card with Chip & PIN, that's how it stops skimming, also there is supposed to be a visor over the keypad, but most shops take them off for some reason. The PIN identification was introduced as a protection for banks, not customers. If someone uses your card the bank can just say "You must have told someone your PIN" and voila no liability for them (I worked at a bank when they introduced this and that's how it was sold to me).

      Personally I don't like signatures as they always rub off and most cashiers don't check them. I think (as someone mentioned) a better solution is a limited value card that you 'top up' at a more secure station, you could even block it easily if it's stolen. This way you can't lose more than you have in your 'wallet', any form of identification, bar human knowledge, can be hacked.

    2. Re:This is easier how? by l-ascorbic · · Score: 1

      I've never known the cashier to handle the card when I've used chip and pin. Sure they'll handle it if you give the card to them, but you're supposed to put it into the reader yourself. That's why it's right in front of you. It's also easy enough to shield your pin with your hand as you enter it, to stop shoulder-surfing. As for beating your PIN out of you: they've never needed to do that, and don't now. If they have you they can do what they've always done: take you to an ATM and force you to withdraw cash. Chip and PIN vs signature is only an issue when they just have the card, not the owner.

  44. Fingerprints by Anonymous Coward · · Score: 0

    What they really should do is store biometric finger print data that can be confirmed against your card in the machines. If it's stored on the card then you don't have as much problem with the general public moaning about their rights etc.

    I really don't see why they went with pin numbers (as opposed to signatures)... someone can easily know and use that.

  45. Obvious excuse for a Max Headroom reference by hackwrench · · Score: 1

    Zig-Zag Burgers: Don't go reaching for your leather wallets, folks, because that's what they taste like!

  46. Do you carry just ONE credit card in your wallet? by Mike_K · · Score: 4, Insightful

    I don't think the expected ease of use will be nearly as much as predicted by people who want to push this technology.

    I carry three credit cards in my wallet. I don't really need the third one, but I always try to have at least two, just in case my primary card doesn't swipe correctly, goes over limit, or becomes otherwise useless.

    So what will happen when I wave my wallet with three CCs in it in front of the reader? It'll probably ask me which card I'd like to use... Now I have to read the options (how many people carry 6 or 7 CCs in their wallets?!) and find the one I like and select it. Or just take it out of the wallet and swipe it. Which one will you choose?

    Plus, this may make lives easier for women who can just wave their purse in front of the reader, so they don't have to take out the wallet and then the CC. But most men I know carry their wallet in their back pocket, and I don't think stores will be happy with men sticking their butts up to the readers on the counters. And if I have to take out the wallet, I may just as well take out the CC...

    Just a couple of thoughts..

    m

  47. A problem I see... by iamdrscience · · Score: 2, Insightful

    The thing about this is that there are a lot of people that have multiple credit cards. If these are keyring style cards, they'd all be close enough that it would be a real hassle to make sure that the right one is getting read.

    Another problem I see if these are keyring "cards" is that, well, having a bunch of shit hanging all over your keychain is a pain. In the future will we all have big janitor-style keyrings hanging off our beltloops?

  48. So, Visa too? by Anonymous Coward · · Score: 0

    I wonder when Visa will start doing this, too?

    (You guys *do* all remember that MasterCard and Visa are owned by the same company, right? Which is why they always attack Discover in the advertisements...)

  49. Cause we all know... by Lispy · · Score: 1

    the hardest part about paying something was the signing part not the weeks of labour that went into earning the money in the first place. :)

  50. Contactless Smart Cards by ryan_fung · · Score: 1

    Contactless smart cards (called Octopus, which is actually Sony FeliCa) have been widely used in Hong Kong for at least five years. It's still not cracked yet. I wonder where all these security concerns come from? Am I missing something?

  51. Works fine for me by MochaMan · · Score: 1

    I have three in my wallet, and use all three everyday without pulling them out; one is a Suica card for JR trains here in Tokyo, one is my company ID, and one is an Edy card (contactless cash/credit card). In Japan, this sort of technology has been in widespread use for years.

  52. nothing but trouble.. by Anonymous Coward · · Score: 0

    This will certainly be nothing but trouble.

    If anyone can remember back ten years or so, Phreakers (cell phone hackers) had a device that could steal the identity of a cell phone merely by being close to it. Basically they would drive around until they saw someone talking on their phone and then get close enough to capture the phone's identification and then transfer it to the chip in their device, which they would then install in the hacked phone. Some would use the phone for their personal use or they would sell them on the street to whoever needed a phone.

    Now I know this and I know it well...anything that travels through the airwaves, can be intercepted. It would only be a matter of time before the encryption would be broken and allow the hacker(s) to do what they wish. (Look at satellite tv and radio, cell phones etc.)
    Sure, RFID is great for many different things, but when it comes to personal data..........

  53. Don't worry by Rogerborg · · Score: 1

    I'm sure there are unbreakable technical safeguards built in to the system. Reeeeal secret ones, that no Bad Person will ever discov-

    Pfffn, it's no use, I can't type that with a straight face. We need a new word for RFID pickpockets. Wifpockets?

    --
    If you were blocking sigs, you wouldn't have to read this.
  54. Big flaw in their thinking by tod_miller · · Score: 2, Interesting

    Why would I want the worry and security, and the act of stupidly waving my card over a petrol pump like an access card when I can just swipe it?

    Card swipe... card... swipe the card... hurray.

    The same result, no complex expensive worries about security. I can just hear their security chief now:

    "The RFID cards will be secure, because we will use a *really* big number in the cards..."

    "Bigger than... erm... one kajillion million fafillion bajillion?"

    "Yes sir!"

    "*evil laugh*"

    "*evil laugh*"

    I am expert! BTW this isn't a move for technology, they will use RFID as a marketing bait to get more credit card customers, think about it, what other reason than to get people to sign up for the new 'wow' rfid card.. yeah, give us your debt.

    To confirm you're not a script,
    please type the word in this image: expert

    random letters - if you are visually impaired, please email us at pater@slashdot.org

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
  55. Protection has been available! by kf6auf · · Score: 1

    I prefer to call it a Faraday Cage and I prefer to make it myself out of tin foil as it tends to be cheaper.

    From wikipedia: A Faraday cage is best understood as an approximation to an ideal hollow conductor. Electric fields produce forces on the charge carriers (i.e., electrons) within the conductor. As soon as an electric field is applied to the surface of an ideal conductor, it generates a current that causes displacement of charge inside the conductor that cancels the applied field inside.
    And it works exactly as you described for magnetic fields.

    Yay physics.

  56. Lame sig there by Anonymous Coward · · Score: 0

    Lamer

  57. Which Card are you charging by keelay · · Score: 1

    So when you carry more than one card in your wallet, how do you choose which one gets charged? There isn't a good way around this without forcing some interface with the customer to make the choice. I agree with previous posts about signatures being pretty useless. Pin numbers should be implemented and enforced even when running "credit"

  58. Microwavable? by Anonymous Coward · · Score: 1, Interesting

    Will those cards still work after spending perhaps 30 seconds in the microwave? Seriously though, will they?

  59. Use of PIN numbers by InAbsentia · · Score: 1

    At http://www.rfidgazette.org/2004/11/mastercard_ones.html they say: A reader located on a retailer's till captures the card holder's details, with the card holder then approving the transaction in the same way they would with a Chip and PIN card, although for micro-payments - buying a 99p burger and the like - tapping in a PIN or signing a receipt can be skipped. So looks like they do require more than just the card's presence.

  60. Attack on ISO 14443 by gaetan-g · · Score: 1

    Damn seems like there is nothing really secure... www.cl.cam.ac.uk/~gh275/relay.pdf

  61. Attack on ISO 14443 Proximity by gaetan-g · · Score: 1

    I have just found this.. I also posted it in the corresponding ISO 14443 thread... www.cl.cam.ac.uk/~gh275/relay.pdf

  62. What's the incentive to change for each party? by 200_success · · Score: 5, Insightful

    Let's face it: traditional credit cards suck because they are hampered by concern for backward compatibility with 1970s technology. If one were designing a credit card system today, it wouldn't be based on an embossed number and magnetic stripe. The number is there for remote transactions (using the expiration date and possibly the 3-digit CVV as a plaintext "password"!). With today's technology, remote transactions should be handled using a challenge-response system or one-time-use numbers such that the retailer can authenticate the cardmember without gaining enough information to impersonate the cardmember. The number on the card is embossed for use with the carbon-copy rolling machine. When was the last time a retailer carbon-copied your card, asked for photographic ID, and looked through a blacklist of stolen card numbers? And the magnetic stripe would certainly be replaced by a smart chip, which is much harder to clone because it can do challenge-response.

    The infrastructure of the credit card network has improved, slowly. Nearly all point-of-sale equipment now performs real-time authorization. In Europe, the magnetic stripe is being obsoleted by contact smart chips. However, the benefit of the new technology must be significant enough to justify upgrading the huge worldwide network of equipment. So what's in it for each party to adopt RFID for credit cards?

    • Retailer: The store wants to minimize the likelihood of chargebacks while being quick and friendly to the customer. In addition, the card reader needs to be cheap, since they have to buy or lease the equipment. They have all adopted real-time authorization because it eliminated a lot of fraud. In countries where magnetic stripe cloning is prevalent, they have already acquired contact smart chip readers. The only ones who would be interested in RFID might be the industries clustered around the American car culture, where every second counts: tollbooths, fast food/coffee places, gas stations.
    • Issuing banks: The bank wants secure cards that can be issued cheaply. Although most of the risk of fraud is borne by the retailers, the banks do assume some liability, not to mention the expense of running the call center and the fraud check departments. Although the RFID signals might be intercepted and cracked, I think that thieves will prefer to steal credit card numbers by other means (the same security holes that are there today will continue to exist for backward compatibility). The RFID chip is relatively cheap, so they might go for the new tech. Or Mastercard could force them to embed RFID in the cards.
    • Cardmember: The typical cardmember mainly cares about convenience, with security as a secondary concern. Being able to wave your entire purse or hump your butt against the contactless card reader is marginally more convenient, assuming that the signal can overcome shielding and interference problems. If RFID cards become common, you'll have to specify which of the several cards you are carrying you want to charge, or it's possible that it will read a card other than the one you intended to charge. So I don't think you would really be saving any time. However, cardmembers are not really in any position to promote or protest technological decisions -- you just get to use whatever card comes in the mail.

    In short, credit card technology advances slowly, with the retailer network being the bottleneck. Can they be convinced to upgrade? In my opinion, I think not.

    I also think that RFID offers practically no advantage over contact smart chips, and that it would be pointless to add yet another standard. Wireless will never be quite as secure as contact. The network needs an overhaul, but this is not it! The credit card companies should be pushing to remove the card number and magnetic stripe in favor of the smart chip, instead of adding RFID.
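
Added example, not part of any commenter's post and not MasterCard's or ISO 14443's actual protocol: a sketch of the challenge-response idea raised in the "RFID can be secure" comment and in the post above, next to the static number-plus-CVV "password" it would replace. HMAC-SHA256 stands in for the triple DES mentioned in the thread; the class names, card id and amounts are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def _message(card_id: str, counter: int, challenge: bytes, amount_cents: int) -> bytes:
    """Unambiguous encoding of everything the card's response is bound to."""
    cid = card_id.encode()
    return (len(cid).to_bytes(2, "big") + cid + counter.to_bytes(4, "big")
            + challenge + amount_cents.to_bytes(8, "big"))


class StaticCard:
    """Number-plus-CVV card: every presentation reveals the same bytes."""

    def __init__(self, number: str, cvv: str):
        self.number, self.cvv = number, cvv

    def present(self) -> bytes:
        return f"{self.number}|{self.cvv}".encode()


class ChipCard:
    """Card holding a secret key that is never sent to the reader."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key
        self._counter = 0

    def respond(self, challenge: bytes, amount_cents: int):
        # Each response covers a fresh counter, the reader's challenge and the amount.
        self._counter += 1
        msg = _message(self.card_id, self._counter, challenge, amount_cents)
        return self._counter, hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Hypothetical issuer: shares a key with each card, sees only transcripts."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}
        self._open_challenges = set()

    def issue(self, card_id: str) -> ChipCard:
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        self._last_counter[card_id] = 0
        return ChipCard(card_id, key)

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._open_challenges.add(challenge)
        return challenge

    def authorize(self, card_id, challenge, amount_cents, counter, tag) -> str:
        if challenge not in self._open_challenges:
            return "rejected: unknown or already used challenge"
        self._open_challenges.discard(challenge)  # a challenge is single use
        key = self._keys.get(card_id)
        if key is None:
            return "rejected: unknown card"
        expected = hmac.new(key, _message(card_id, counter, challenge, amount_cents),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad response"
        if counter <= self._last_counter[card_id]:
            return "rejected: stale counter"
        self._last_counter[card_id] = counter
        return "approved"


def demo() -> dict:
    issuer = Issuer()
    card = issuer.issue("CARD-0001")  # constructed card id
    results = {}

    # Genuine purchase: the retailer relays challenge and response, never the key.
    c1 = issuer.new_challenge()
    counter, tag = card.respond(c1, 499)
    results["genuine"] = issuer.authorize("CARD-0001", c1, 499, counter, tag)

    # The recorded transcript (c1, counter, tag) is resubmitted unchanged.
    results["replay_same_challenge"] = issuer.authorize("CARD-0001", c1, 499, counter, tag)

    # The recorded response is offered against a fresh challenge.
    c2 = issuer.new_challenge()
    results["replay_new_challenge"] = issuer.authorize("CARD-0001", c2, 499, counter, tag)

    # A valid response is submitted with a different amount than the card signed.
    c3 = issuer.new_challenge()
    counter3, tag3 = card.respond(c3, 499)
    results["amount_tampered"] = issuer.authorize("CARD-0001", c3, 49900, counter3, tag3)

    # The static card gives the same bytes every time, so a copy is as good as the card.
    static = StaticCard("0000000000000000", "000")  # constructed values
    results["static_replayable"] = static.present() == static.present()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

This covers recorded-transcript replay only; it says nothing about who caused the card to respond in the first place, which is the proximity concern other comments raise.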

    1. Re:What's the incentive to change for each party? by fraudrogic · · Score: 2, Funny

      I have run into the embossed/carbon copy scheme recently:

      Buying beer on the golf course when I forgot cash. It's a life saver. The cart girl takes my card, rolls a carbon copy of it, I sign, she gets tipped, I get tipsy and play like $hit. Great fun!

      --
      I only mod up parents of "mod parent up" posts...
    2. Re:What's the incentive to change for each party? by nausicaa · · Score: 1

      Interesting. The card I got issued most recently had a smart chip on it. It doesn't work yet but so far as I hear it's supposed to replace the magnetic strip, at least locally (In my case that means Sweden), and possibly in a few other countries. I haven't actually looked into this yet but I've seen the readers in a few stores being replaced with ones that take both the old style cards as well as the chip-sporting ones.

  63. Magnetic Strips Wear Out by Anonymous Coward · · Score: 0

    I've worked as a cashier, and I've seen the magnetic strip on people's cards worn down to the plastic. This is a Way better idea than having to swipe that guy's card 14 times and then punch it in manually when you've given up (and really you are supposed to take a physical imprint of the card if you just type in the number.. yea.. remember 1982? Cha-CHUNK and hope your card isn't broken in half.)

    You can still have the signature/photo for confirmation and the retailer can still require you to give the cashier the card for a transaction so these can be verified.. but now all they have to do is lay the card on the reader instead of swiping over and over.. and taping the failing magnetic strip/putting it in a fold of paper/plastic bag/etc to voodoo it into working.

  64. No need for tinfoil by DrSkwid · · Score: 3, Informative


    try this

    or make your own

    When I was a shoplifter I used one of these works a treat for rf frequency shifting security tags.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    1. Re:No need for tinfoil by abulafia · · Score: 1
      or make your own

      Hm, I'm not sure that I want to purchase product from someone who informs me that:

      "Raping The Phone Can Cause A Increase In Power Out Put"

      (Scroll down to the red text.)

      --
      I forget what 8 was for.
  65. Credit Card jacket? by js3 · · Score: 1

    couldn't there be some sort of cover or jacket around the card or an area of it that will prevent it from being read? Then all you simply have to do is cover your card when you're not using it, just like you lock your door when you leave home

    --
    did you forget to take your meds?
  66. Saves Times by SlothB77 · · Score: 1

    I like this b/c:

    1) The magnetic strip wears out over time and it is annoying when you slide your card and it doesn't work.

    2) No signatures, no pin #'s - this will save time

    I don't like this b/c:

    1) If the RFID is overambitious, you may start paying for things you didn't mean to pay for. (say, for the person in the checkout aisle next to yours)

    2) Without a sig or pin, it is harder to prove fraud

    these are brand-spanking new, so if any of my fears are misplaced, I will hear about it in 5.4.3..

  67. Actual range is 8190850 miles by mangu · · Score: 2, Funny
    These new 4th generation RFIDS (or 4GRFIDs as known in the industry) broadcast at a strength 64.2W


    The true range for that power is *much* more than 3000 yards. Using "some surplus telephone house wire" this amateur received signals from 1531 miles away at 12 milliwatts. Can you imagine what a true professional could do to your 64.2W RFID?

  68. Ask For ID by clarkw · · Score: 1

    So much for having "Ask For ID" written on the signature strip on the back of the card. Now when a thief has your card, he can steal with impunity.

  69. Maybe in the US by aepervius · · Score: 2, Insightful

    But here in EU, they give a cursory glance at the signature. Even if this is for a small amount of 10. Granted it won't stop fraudsters who just scribble a similar signature and pass the test, but they certainly check it.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
    1. Re:Maybe in the US by Cat_Byte · · Score: 1

      I wish they would do that here in the US. Every credit/debit card I own has my signature with (check ID) right next to it. I have yet to have anyone ask for my ID...sigh.

      --
      Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
    2. Re:Maybe in the US by mikael · · Score: 1

      The latest credit cards in the UK have a four digit PIN that you type in on a keypad, which replaces scribbling your signature on a bit of a paper. Although with the way that the keypads are mounted vertically on a pole for easy access, I don't think they're any more secure than a signature.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    3. Re:Maybe in the US by assassinator42 · · Score: 1

      They have that in the US for debit cards.

  70. I bet... by Teechur007 · · Score: 1

    ...they'll set off the alarms at store entrances?

    Or is that only if you're approved for the Platinum card? :)

    --Teechur007

  71. Digital money... by dimension6 · · Score: 1

    ...in Japan, you can buy things by scanning in the barcode with your cell phone. These scannable barcodes really are everywhere there (you can even buy a soda from many vending machines using your phone)...

  72. FireWallet Patent by codepunk · · Score: 1

    I have to quickly patent the tin foil lined wallet which will keep hackers from obtaining my card information remotely....yea I will call it the FireWallet

    --


    Got Code?
  73. Swiping got ya down? by Anonymous Coward · · Score: 0

    Are people really so goddamn lazy that they can't be bothered to swipe their cards through the magnetic readers?

    What will we do when waving the card becomes too tiresome?

  74. Kneejerking? by Malor · · Score: 5, Insightful

    From what I can see, these don't appear to be RFID cards. They seem to be using an encrypted signal with a handshake. A simple eavesdropper shouldn't be able to do anything with the data he snoops, because all he's going to be able to see is the key exchange and then the encrypted bitstream.

    It's just using the air to transmit encrypted information instead of a wire. As long as the encryption is good, the simple fact that it's broadcast instead of being on a wire shouldn't matter.

    Ok, that said, I could see one potential attack vector, in that a bad guy could theoretically initiate a key exchange and swipe some cash from you. If all it takes is being nearby with an inductive field to power the card, then a fraudulent charge would be pretty easy to make. The virtual equivalent of pickpocketing. If you did it in small amounts per card, you could walk through a crowd with your portable gear and make hundreds of dollars an hour.

    One idea to work around that would be requiring the user to hold the card in two specific places, on opposite sides. Thumb on one side, finger on the other, touching big gold contact points. If the card can detect the proper grip (very trivial technology), then it is active; otherwise, it refuses transactions. That should prevent 'pickpocketing'.

    Basically, there needs to be a way for the user to announce 'yes, this is an authorized charge' other than simple proximity. The Kung-Fu Grip is one possibility... there must be others. Heck, the cards may already DO this. The actual technical data seems exceedingly scarce.

    Snooping, at least, doesn't appear to be a potential problem.

    1. Re:Kneejerking? by greg_barton · · Score: 1

      As long as the encryption is good...

      Right. We all know this is always the case. It's virtually guaranteed!

    2. Re:Kneejerking? by swillden · · Score: 1

      If all it takes is being nearby with an inductive field to power the card, then a fraudulent charge would be pretty easy to make. The virtual equivalent of pickpocketing. If you did it in small amounts per card, you could walk through a crowd with your portable gear and make hundreds of dollars an hour.

      But how would you actually get the money?

      See, what a retailer collects at the point of sale isn't money, it's a transaction record. That transaction record has to get forwarded to a merchant acquiring bank, which runs it through a clearinghouse, which checks it against the issuing bank's records and ultimately routes the money to the retailer's bank account. There are audit trails generated at every point along this process.

      Unless you can swipe enough money fast enough that you can flee the country, this scheme is just a good way to go to prison. The problem is that you can't swipe enough money fast enough, because even if you manage to snag millions worth of transactions, for large dollar amounts like that, the merchant acquirer is going to be very slow about releasing the funds to you until enough time has passed that they can be sure the transactions aren't all going to be reported as fraudulent. If the transactions are fraudulent, when they get reported it's the merchant acquirer who's going to be left holding the bag if they've already paid off the retailer and the retailer has skipped town, so they're cautious about paying. Not to mention that they like to collect interest on your money.

      So to make this work, you have to first establish yourself with a merchant acquirer as a retailer who regularly accepts millions per week, say, in valid transactions. The only way to do that is to actually sustain that level of legitimate transaction volume for a few months.

      So, here's a plan that will work, and not land you in prison:

      1. Start a business which pulls in millions per week in credit card transaction revenues. Run it for six months until you can force the acquirer to pay you quickly, which means in less than three or four days.
      2. Build your collection device and find a good, rich crowd to walk through.
      3. Collect millions worth of transactions, making sure that they look just like your regular transactions. Major shifts in transaction volume or structure might make the acquirer nervous and convince them to slow your payments.
      4. Wait long enough to get the bulk of the fraudulent money in your account, but not long enough that the fraud reports roll in.
      5. Flee the country with your ill-gotten millions.
      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Kneejerking? by Malor · · Score: 1

      But with very small charges.... like, say, 10 cents, or 25 cents -- how many people would actually bother to file a fraud report? You might be able to get away with it even in your first month, and keep it up for a long period of time, as long as you didn't get too greedy. You could probably siphon off a few thousand a month, 25 cents at a time, almost forever, particularly if you wrote in duplicate-checking, so that you didn't charge the same person more than once a month or so.

    4. Re:Kneejerking? by Malor · · Score: 1

      But that's a weakness of the encryption, not the broadcast. Are you comfortable sending SSL transactions to Amazon? An awful lot of people can see that traffic, you know.

    5. Re:Kneejerking? by swillden · · Score: 1

      But with very small charges.... like, say, 10 cents, or 25 cents -- how many people would actually bother to file a fraud report?

      I would. More accurately, my wife would. There are plenty of others who would, as well, people who track their finances closely and correct every discrepancy. And it would only take a very small number of fraud reports on out-of-pattern transactions to start an investigation, which would hold up payments. See, acquirers *already* have to deal with this sort of false-transaction fraud perpetrated by retailers who want to make a little extra. They know how to defend against it, and the technology doesn't really change it, except to add additional obstacles the would-be thief has to overcome.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  75. "Hello Dave, Thanks for shopping Walmart!" by shado07 · · Score: 2, Insightful

    Now they can read the name off your card and welcome you to every store.

  76. bad idea by ajs318 · · Score: 2, Informative

    Payment can be secure, or it can be quick and easy. It can't be both. The easier you make it to do a legitimate transaction, the easier you also make it to do a dodgy one.

    Contactless reading is going to cause problems. With the current generation of credit card readers, the information is read from the memory chip on the card by physical contact with the chip, and confirmed by entering a PIN into a numeric keypad. Unfortunately, the arrangement of the numbers on the pad is static. So, by careful observation, it is possible for an attacker to determine what number is being entered {the fingers may be concealed by a shroud, lulling the shopper into a false sense of security as the movements of elbow and shoulder reveal the number to a trained observer}; and at some later date, obtain the actual card -- possibly with the assistance of a third party -- and make several expensive purchases. {A phone with a video camera helps tremendously}. When the system was first introduced, customers were heard -- against all advice -- to say their PIN out loud.

    While a legitimate reader is reading an RFID device, another reader could be snooping on the same signal. Now, one hopes that a rolling code system would be in operation; that is to say, the encryption key would not be the same each time the card is used. However, the fact that several readers must be able to work with the same card suggests that there must be some sort of key exchange per transaction. Given the small amount of storage space on present-generation smart cards, we can hypothesise that once-used keys are not blocked against re-use.

    With a PIN discovered by traditional methods, and a simulated non-contact card, one can make purchases and other transactions, and the legitimate cardholder need not be aware until their limit has been exceeded. {Of course, too low a limit renders payment less convenient}.

    The physical appearance of a traditional credit card is a very simple first test -- a cashier would be immediately suspicious of one of the plain white cards that are supplied in smart card development kits. A card which is not shown to the cashier need not bear any visual resemblance to the card it is pretending to be -- the first prototype could be a rucksack full of equipment, just so long as it produces the correct responses to the RF signals. If the non-contact cards have to be physically shown to a cashier, then there is little point in their being contactless in the first place.

    At the end of the day, this is pointless willy-waving. Technology for technology's sake. And it will end up with another layer being badly grafted onto it, completely defeating the original purpose {which nobody will remember by then}.

    --
    Je fume. Tu fumes. Nous fûmes!
  77. More fraud, Less Fraud, who cares? by ivan256 · · Score: 1

    In the US you're not liable for fraud against your card (unless you committed said fraud) past the first $50. Your card issuer has to foot the bill. Do you really think they didn't research this to make sure it wasn't going to cost them a fortune in fraudulent transactions? And if they didn't, who cares? You don't have to pay for their mistake.

  78. Wohoo! Now I can drink more! by mpitcavage · · Score: 1

    First, I didn't need to fool with money to buy my Wild Turkey, I just had to swipe my card through a slot. NOW instead of the complex motion of finding the actual slot to swipe the card in, I just wave it near the reader! I'll be able to be AT LEAST 25% more drunk in public!

  79. how does this work? by Ender+Ryan · · Score: 1
    What is to stop someone from impersonating a merchant? Hell, even if it's non-trivial to swipe people's cards, what's to stop someone, just for "fun," from impersonating a merchant and draining everyone's account who walks by?

    Until this stuff is reviewed by security gurus that I feel I can trust (hint: I don't trust the CC companies. Historically, they have been completely inept when it comes to security.), I will continue to question the sanity of this.

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
    1. Re:how does this work? by corblix · · Score: 1
      hint: I don't trust the CC companies. Historically, they have been completely inept when it comes to security.

      I don't agree. It seems to me that CC companies have generally been quite competent at the security issues that they have put serious effort into. And they always put serious effort into protecting themselves from financial loss.

      The security failures we've seen, with stolen customer data and the like, have not been due to CC companies' incompetence, but rather because they really did not try to protect this data. And the reason they did not try is that they had no financial interest in keeping the data secure; when a customer's personal data is stolen, the CC company suffers no loss.

      So the real solution to credit card security from the customer's point of view, is not to talk up all the new technologies, but simply to make the CC companies legally liable for loss of customer data. Then I guarantee you we'll see top-notch security put in place very quickly.

  80. Range is small due to small antenna, inverse r**6 by Anonymous Coward · · Score: 0

    The signal is transformer coupling, inverse sixth power of radius strength. Range gets limited by making antenna small and intrinsic power need of the chip. Distance is not hard and fast fixed but getting out to 1" is a bit of a stretch; in practice you need to pretty near be touching. Of course if enough power is radiated maybe that can be overcome but at some point you start noticing your keys (and maybe parts of your anatomy) heating up. That a crook might sterilize himself (gender choice intentional) could discourage crooks...

  81. replay? by willCode4Beer.com · · Score: 1

    One would hope that instead of transmitting static data that the card would (at a minimum) receive a number, apply a one way hash to it, and return it with whatever its identifying info is.
    Only problem, unless the banks had a separate secret barf for each customer, this would get reverse engineered pretty quickly.
    Even if they did, maybe someone sits next to you transmitting numbers to build a table of hashes.

    Whatever, there is no security. If the reward is high enough, someone WILL figure out a way to break the system. And like all things there is a trade off.
    Generally convenience at one end and security at the other. The closer you get toward one the further you get from the other.

    --
    ----- If communism is a system where the government owns business, what do you call a system where business owns govern
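
The challenge-response idea raised in the "replay?" comment above, as an added example that is not part of the thread and does not describe how PayPass works: each card holds its own key, answers the reader's number with HMAC-SHA256, and the issuer accepts each challenge once. The class names, card IDs and challenge sizes are assumptions chosen for illustration; it also shows why the "table of hashes" concern depends on how long the challenge is.

```python
import hashlib
import hmac
import secrets


class Card:
    """Toy contactless card holding a secret key unique to this card."""

    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Keyed one-way function over the card ID and the reader's number.
        return hmac.new(self._key, self.card_id + challenge, hashlib.sha256).digest()


class Issuer:
    """Verifier side: knows every card's key and tracks live challenges."""

    def __init__(self, challenge_bytes: int = 16):
        self.challenge_bytes = challenge_bytes
        self._keys = {}
        self._outstanding = set()

    def enroll(self, card_id: bytes) -> Card:
        key = secrets.token_bytes(32)  # separate secret per card
        self._keys[card_id] = key
        return Card(card_id, key)

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(self.challenge_bytes)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, card_id: bytes, challenge: bytes, response: bytes) -> bool:
        # Accept a challenge once, and only if this issuer generated it.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        key = self._keys.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, card_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def replay_is_rejected() -> bool:
    """A recorded exchange is useless once its challenge has been consumed."""
    issuer = Issuer()
    card = issuer.enroll(b"CARD-0001")  # constructed card ID
    c1 = issuer.new_challenge()
    r1 = card.respond(c1)
    if not issuer.verify(card.card_id, c1, r1):  # the genuine transaction
        return False
    same_pair = issuer.verify(card.card_id, c1, r1)  # replay of the pair
    c2 = issuer.new_challenge()
    old_response = issuer.verify(card.card_id, c2, r1)  # old answer, new number
    return not same_pair and not old_response


def other_cards_key_fails() -> bool:
    """With per-card keys, one card's secret cannot answer for another card."""
    issuer = Issuer()
    card_a = issuer.enroll(b"CARD-0001")
    card_b = issuer.enroll(b"CARD-0002")
    challenge = issuer.new_challenge()
    forged = hmac.new(card_b._key, card_a.card_id + challenge, hashlib.sha256).digest()
    return not issuer.verify(card_a.card_id, challenge, forged)


def table_coverage(challenge_bytes: int, harvested: int, trials: int = 200) -> float:
    """Fraction of fresh challenges that a pre-built response table can answer.

    The table holds the card's answers to the first `harvested` challenge
    values; coverage depends on how large the challenge space is.
    """
    issuer = Issuer(challenge_bytes)
    card = issuer.enroll(b"CARD-0001")
    space = 256 ** challenge_bytes
    table = {}
    for i in range(min(harvested, space)):
        c = i.to_bytes(challenge_bytes, "big")
        table[c] = card.respond(c)
    hits = 0
    for _ in range(trials):
        c = issuer.new_challenge()
        if c in table and issuer.verify(card.card_id, c, table[c]):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("replay rejected:", replay_is_rejected())
    print("other card's key rejected:", other_cards_key_fails())
    print("table coverage, 1-byte challenge:", table_coverage(1, 256))
    print("table coverage, 16-byte challenge:", table_coverage(16, 256))
```

A one-byte challenge is fully covered by a 256-entry table, while a 16-byte random challenge is not covered by any table of practical size.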
  82. Wal-Mart does. by Grendel+Drago · · Score: 1

    The folks at Wal-Mart always check my signature for purchases over ten bucks. I think it's a recent development, but over the last few weeks, it's been every single time. An edict must have come down from on high.

    --
    Laws do not persuade just because they threaten. --Seneca
  83. These things don't work by Typingsux · · Score: 1
    I have had one of these things for a few months. It was completely futile, no matter how much I waved my card I couldn't get amazon, dell or buy.com to accept the transaction.

    --
    The above post is an editorial, the poster cannot and will not be held responsible for all or in part for its contents
  84. Heh. Almost had me. by Grendel+Drago · · Score: 1

    I was totally with you up until "64.2W". Really, I was.

    --
    Laws do not persuade just because they threaten. --Seneca
  85. foil wallets or pockets by peter303 · · Score: 1

    Just get one of those foil lined wallets or clothing with such pockets. They are novelties in the US now, but would become more common with RFID cards.

  86. Four points from oblivion by Fantastic+Lad · · Score: 3, Interesting
    A standard trip to the mall twenty minutes into the future. . .

    1. A ten cent charge for entering the mall doors.

    --After all, it takes HARD WORK to make and install doors! Somebody had to design and build them! Do you feel you are so special that you shouldn't have to pay for the privilege of using doors? Jeez, it's just a dime. (Though, that price can change once the populace has been acclimated to being dinged for simply walking. I'm sure that, as per usual, there will be a host of worthy Slashdotters eager to argue on behalf of the corporations; who can be counted on to cry 'Thief' whenever somebody wonders why they can't use doors for free anymore; and who will happily parrot terms like, 'entrance-theft' once such terms have been appropriately astro-turfed into place by the corporate PR monkeys.)

    2. People think that RFID is a close-range affair and so are lulled into a false sense of security. While it is true that an RFID chip does need to be within a few feet in order to be charged by a magnetic field, the signal it subsequently transmits can be picked up by satellite.

    3. If there is no third element involved in the transference of data, (a pin number held in the user's brain), then any sneaky person with a satellite or closer range receiver can 'over-hear' all the info s/he needs to access an account and make a fraudulent purchase.

    4. The big corporations and big government know all of this and are eager to have it all in place. The more base-level fear there is humming in the background, the more easily controlled a population becomes and the better fed the overseers are. Fear is food.


    -FL

    1. Re:Four points from oblivion by kamapuaa · · Score: 1
      So you read a lot of science fiction, huh? Plenty of sane people would argue that there is no direct relationship between cards that can be scanned for payment and a future evil Big Brother society that charges you for entering malls.

      Why malls in the first place? Isn't that a little inane? Why would charging to go into a mall be so evil? Mostly it sounds like a way to discourage business. Anyway if mall-owners thought it was a good idea to charge people, they could do that now. I don't think people would complain about it being evil. They would just go to another, uhhh, mall.

      Also, are people really afraid of cards that you can pay for things with? For me, I'm afraid of getting run over by a bus when I'm not paying attention. I'm a little afraid of heights. But cards that you can pay for things with are not a big fear of mine.

      In short, are you sure you're not crazy? Your post seems to be the words of a disturbed mind.

      --
      Slashdot: providing anti-social weirdos a soapbox, since 1997.
    2. Re:Four points from oblivion by Anonymous Coward · · Score: 0

      I can predict this one.

      The **AA calls copyright infringement "piracy".

      When you walk into a mall without paying the 10 cents, they'll call it "trespassing".

      --
      I'm anonymous.

    3. Re:Four points from oblivion by Anonymous Coward · · Score: 0

      This message makes me think there is a need for another modifier on /., perhaps "tinfoil helmet". It seems more appropriate than "interesting".

  87. Why better than a swipe? Optical or Magnetic? by ayeco · · Score: 1

    I don't understand how this would be better than an optical or magnetic strip. You have to get your card near the rfid sensor anyway, why not just swipe it like traditional cards? Why not a big optical barcode?

  88. Re:More fraud? I don't think so by old_klam · · Score: 1

    It can take some time. They use ISO-14443 cards (a.k.a mifare), which have mutual authentication with reader and encrypted communications. If you don't have a valid reader, you don't have any info from the card.

    Also, readers usually have mutual authentication with higher level devices before they can read any card. I know that because we are using these cards in the transport system in Bogotá for 5 years now.

  89. Waving their cash register by Donny+Smith · · Score: 1

    >allows customers to pay for purchases by simply waving their cards at readers posted near cash registers or gas pumps.

    Does the deduction happen when a phreaker starts waving their cash register near my card?

  90. This nails the problem... mod parent up! by Goldenhawk · · Score: 2, Insightful

    I already replied on this thread, or I'd mod the parent comment up a notch. A lot of folks have been griping about the reader not being able to handle multiple cards in your wallet simultaneously, when really RFID is designed to do that just fine. In fact, the problem, as "iamdrscience" has identified, is precisely the OPPOSITE problem - RFID is a little TOO good at multiple simultaneous identifications. He's right - how do you prevent the system from reading the wrong card - or multiple cards - and double charging or charging the wrong account?

    Very insightful.

    --
    --Brandon / Split Infinity Music

  91. My new Chase Visa came with an RFID chip by pm · · Score: 1

    The new Chase Visa card that arrived for me last month had an RFID chip in it (at least that's what I think it was - and that's what it looks like). It's called Chase "Blink" and based on the way that it works it sounds like the same scheme.

    I've never seen any merchants that can use it.
    There's a Flash demo of it at this site:
    http://www.chaseblink.com/

    Like many other posters here, I don't see the point of this. It's not more secure than a regular credit card, and, as many pointed out, if someone figures out a way to read the information remotely, then it's a security nightmare. I don't understand the motivation for why the credit card companies are doing this - the risk/reward ratio doesn't seem to favor it.

  92. Stupidest idea ever by Anonymous Coward · · Score: 1, Interesting

    I've never had anyone check my signature, or ask for id, when using my card. Now, with an RFID card, they certainly won't. That's really beside the point. Someone will come up with a scanner. I'd also have to watch where I walk. Too close to a pump or a register, and I've just paid for something. Granted, I'll probably notice, but if you've ever had to wait for someone to reverse a charge, you know how How much time does this save anyway? It takes me 10 seconds to swipe a card, and that's only because I always swipe the wrong side first.

  93. A little OT, but a question by Myuu · · Score: 1

    I heard that at What the Hack they had bracelets that lit up when in the presence of an RFID detector, anyone know more about this?

    --

    forget it.
  94. American Express's Express Pay by zsazsa · · Score: 1

    American Express just rolled this out a few months ago with their Express Pay service. You can even see the RFID loop antenna and chip through the cards if you have one of the clear Amex Blue cards. As you can see from the site, the participating merchants list is rather short right now, but as it's interoperable with other ISO 14443 systems, like MasterCard's will be, support will probably rise.

  95. US Post Office by DRue · · Score: 1

    I have "SEE ID" on my card.. and recently tried using it at a US post office.. The clerk said that my card wasn't valid unless signed, and refused to accept it. At first I thought he was joking or something, but no, he would not take my card. I had to leave and get cash (all my cards say SEE ID). He said it was post office policy.. I haven't tried since then, so I don't know if it was just that guy or if it's at any post office.. But I thought it was pretty ridiculous.

    1. Re:US Post Office by Apple+Acolyte · · Score: 1

      Yeah, [b]exactly[/b] the same thing happened to me too, at my local post office (in Southern California). The clerk offered to accept the card if I would sign it on the spot, which didn't make a whole lot of sense from a security point of view. But that's government for you. . .

      --
      Part of the hardcore faithful who believed in Apple long before it was cool again to do so
    2. Re:US Post Office by da5idnetlimit.com · · Score: 1

      Well, just sign SEE ID on the receipt, ask him if it is a match, and if he refuses, tell him that even if you have a funny signature his job is just to confirm it matches...

      On the next card you get you could even draw a funny cartoon character and it would still be legit, as long as you can reproduce it every time.

      In France we had Pin and Chip for 15-20 years minimum, so almost nobody checks your card, as long as the Pin is ok, you're kosher.

      The Subway and Buses in Paris use an RFID contactless scanner and I have had mine for more than a year.

      I quite like it, except for the bloody tourists trying to find a hole to put their ticket on a hole-less RFID reader.

      Also sometimes (in the buses) the RFID Reader won't scan, so you just show the card to the driver...Good to see they have a backup plan...

      --
      It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  96. WOo double confirmation by xant · · Score: 3, Informative

    This is pretty common in a lot of software systems. The thing is, the people who designed the system already built a confirmation into it, and then forgot. It's the signature.

    When I'm doing design, I always look for places where security requirements of the system have placed an automatic confirmation step, and eliminate any confirmations before that. If necessary, put a summary of what's about to happen in the same place that the security check takes place.

    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
  97. Other places have done away with PIN numbers by kuzb · · Score: 1

    For example, over at CIBC (Canadian International Bank of Commerce) I can purchase certain services with nothing more than my bank card. That's right, no PIN. Just a card swipe and a signature.

    I had to get a money order one day, and they were able to complete the transaction without my PIN number. Following this, anyone with a stolen CIBC bank card who happens to also know the cardholder's name can go in to the bank and buy a money order.

    RFID credit cards are very similar, but a whole lot scarier. At least with the bank card you can only lose money you have (assuming you don't have an overdraft, which I don't). With a credit card, you can lose money you don't have.

    I wouldn't mind RFID bank/credit cards so much if, in addition to all the built in security they do have, a password of some kind was added and used for verification. Preferably one that is not limited to 4 digits.

    --
    BeauHD. Worst editor since kdawson.
  98. Already in TO by Phantasmo · · Score: 1

    Several of the gas stations in Toronto already have their own keychain RFID paypasses. You register for your free keychain and give them your CC details (can be Visa or Mastercard).
    IIRC some McDonald's restaurants downtown licensed the system as part of a short pilot. I don't know if they still have the readers. I guess if you have to have your Big Mac right now it's the best way to go.

    --

    The US Army: promoting democracy through unquestioned obedience
  99. Other Formats available. by Phoenix666 · · Score: 1

    They're also going to roll this out as keychain fobs that you can tap on the reader.

    --
    Do what you can, with what you have, where you are.
  100. True story by Anonymous Coward · · Score: 0

    My daughter works for the Sam Goodie store in the mall. One evening she calls me...

    "Dad, do you have $80?"

    Um, uh, "what do you need eighty bucks for?"

    "Not me, YOU. You still looking for a bass?"

    "Yeah..."

    "We have a brand new Gibson for eighty dollars, but you better get down here fast!"

    Well, it was an Epiphone (Gibson now owns the Epiphone company). I snagged the bass and bought a soft shell for it, and handed my daughter my credit card.

    "I have to see some ID," she said.

  101. Somewhat related by farker+haiku · · Score: 1

    This page talks about how to steal rfid info from mobile speed pass.
    rfid-analysis.org/

    --
    Your sig(k) has been stolen. There is a puff of smoke!
  102. Cost of breaking encryption exceeding the gain by randyflood · · Score: 1


    Well, I was going to argue about the "cost" of breaking triple DES exceeding the gain, considering that the system will be based in triple DES until at least 2012. But then I realized that people were just broadcasting their credit cards numbers over unencrypted wireless networks anyway, or maybe using WEP encryption... Then they are storing them on web servers running IIS in some Access database in plain text, or maybe (if you are lucky) XOR'd with some static value or something... So why would anyone have to bother breaking triple DES to get all their credit card numbers? I think it's not so much that the cost would exceed the gain as it is that the cost of other simpler solutions to the problem.

    --
    Randy.Flood@RHCE2B.COM
  103. Re:Days of yore by symbolic · · Score: 1


    When I was a kid, it was common practice for my dad to hand me his credit card and tell me to go get what I needed. It was very convenient, and only once or twice was I ever questioned about the card, or its use. Thanks to the proliferation of all manner of personal information, and the ensuing identity theft crisis, I guess this isn't as much of an option.

  104. Re:Speaking of ease... by symbolic · · Score: 1


    Reading through these posts, something seemed kind of funny - the money transfer industry is making a huge effort to create ways that make parting you from your hard-earned money as effortless as possible. Think about it.

  105. Mastercard not the only one.. by stickyc · · Score: 1

    For what it's worth, my Amex Blue replacement card now has an RFID tag in it as well as the old-school smart-chip. Alas, there's only a dozen or so locations listed that support the RFID and none are in the S.F. Bay Area (where I am).

  106. American Express by dmitriy · · Score: 1

    New Blue Cards from American Express also feature RF interface. They no longer have Smartcard pads. RF antenna loop is visible through clear plastic on the promo pictures.

  107. MOD PARENT UP by IASmaster · · Score: 1

    Yea, the american express card sounds kind of cool. I have one and the RFID doesn't do me any good because I need to be in a particular market. (AZ I think)
    I don't think that it uses a very far range. I'm not sure what it transmits.
    The RFID tags are on all new BLUE cards. It's too bad that they discontinued the smartcard features. I thought they were at least cooler sounding.
    Oh, and as a note on how to get your comment read and modded up more easily, post an awesome A+ comment just under a +4 or +5 comment that doesn't have too many replies.

    --
    There's no place like ~/
  108. How do you just disable the chip? by BigLonn · · Score: 1

    Actually this is the same gripe I pointed out to my bank. They just don't seem to care that an rfid chip with the account information in the card is a big security nightmare waiting to happen. Does anyone know how to permanently disable the chip but leave the card useable??

  109. Three more points. . . by Fantastic+Lad · · Score: 1
    Also, are people really afraid of cards that you can pay for things with? For me, I'm afraid of getting run over by a bus when I'm not paying attention. I'm a little afraid of heights. But cards that you can pay for things with are not a big fear of mine.

    In short, are you sure you're not crazy? Your post seems to be the words of a disturbed mind.


    Well. . . while I do find these thoughts disturbing, I am afraid to report that my mind is entirely healthy.

    Here are three aspects of automatic plastic, (above and beyond being, "cards that you can pay for things with"), which you may have not considered and which I think are worth being wary of. . .

    1. I was using doors on a mall as a rough example. My point is that it will be possible to charge you for 'services' without you being aware of it. All a company need do is mail out a small-print negative-option agreement which will allow them to legally charge you every time you get within ten feet of their scanner while you walk along unawares. Their service might be as simple as breathing in their air space. --'Negative-option' means that unless you sign the company's form and mail it back to them saying, "NO!", you have 'agreed' to any such charges.

    2. The government will be able to track your movements at all times when you are carrying around an RFID tag. If you stray outside the accepted boundaries, the authorities can instantly know it and put you on a watch and harass list. A restricted area might be as simple as an alternative bookshop. --And all of the places you visit after leaving the bookshop. It's an easy way to spot a 'conspiracy' in the works and pinpoint all the people who need to have their houses watched, their phones rung in the early A.M., and their pets left dead on their front porches. Please reference, "McCarthyism," for more details.

    3. When money is all digital, (which is exactly where things are heading), then if you do not comply with the state's wishes, (i.e., Heil Bush with enough vigor), then it is a very simple matter to have your money 'privileges' turned off by way of punishment.

    I am aware that some people might think such concerns are the product of delusion. I would recommend to such people that they stop, look and listen for a few minutes every day so as to become better informed as to the nature of the on-going train wreck which is U.S. internal and international policy, and that they do it before they find themselves on the wrong side of the barbed wire in a FEMA detention camp in some otherwise pleasant little mountain retreat. You say you are a little afraid of being run over by a bus when you're not paying attention? I'd suggest that there is little difference.


    -FL

  110. RFID hacking by cjgross · · Score: 1

    Check this site out if you think RFID is secure.
    http://www.rfidanalysis.org/

    These guys access a car, pay at the pump gas, and other RFID services.

    While MasterCard and Texas Instruments state that the new credit cards use a new RFID security, I suspect it will not be long before it is also compromised.

    Imagine walking down the street and some guy bumps you. You check your wallet, and it is still there, but the thief stole your RFID data and is already on his way. Your sense of security is physical security. I still have my card in my pocket, therefore, it must be secure. Guess again.

    --
    "It is a miracle that curiosity survives formal education."
  111. Cardless Bliss by Anonymous Coward · · Score: 0

    Credit cards are completely unsecure today. I wouldn't want one at all.

    A $49.00 unauthorized charge appeared on my Chase Bank credit card statement for something called "Old Navy Online" and after 3 months of phone calls and letter writing to Chase, to dispute and remove the charge, and two different employees of Chase confirming they had removed all charges, it still appears on my credit card statement. So I cancelled the card. At this point, I'd rather use cash or check and forget credit cards. I've probably wasted $250.00 worth of time to get that $49.00 charge removed.

    I think someone can just make up a credit card number and have anything billed to it, and good luck trying to get it fixed if it happens to be your account.