Slashdot Mirror
MasterCard To Distribute RFID Credit Cards
wellington writes "Reuters is reporting that MasterCard expects to have 4 million "pay pass" cards in circulation by year's end. These new cards will be equipped with a radio-frequency chip that allows customers to pay for purchases by simply waving their cards at readers posted near cash registers or gas pumps." The cards, previously covered on Slashdot, were announced earlier this year.
I only ask because my train pass (in Japan, the Suica card) is RFID, and you pretty much have to touch the sensor for it to work at the ticket gates. Anything more than about 5mm and it won't be read. You pretty much have to touch it to the sensor.
So, unless someone with a scanner embedded into his/her pants bumps into you, I imagine you will be OK. If you are paranoid about it, you could always wrap your cards in tinfoil or something. ;)
Or am I missing something, and these things are more remotely scannable than I thought?
"Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
PayPass FAQ page: http://www.paypass.com/faq.html
I'm not sure what the benefit of these are since you still have to take your card out of your pocket/wallet/handbag to swipe it over the scanner (only works within an inch). Anyone who has trouble swiping cards with mag stripes (which seems to be becoming a more-common problem as technology progresses) will likely think this a good thing - one swipe and that's it.
The issue of Card ID theft isn't really that much more than it already is.
The MasterCard system, like all of its type, uses the ISO/IEC 14443 contactless smartcard standard.
ISO 14443, unlike most RFID standards, is a cryptographically strong system that renders easedropping useless.
The signature isn't required at all to process transactions. The signature is only there to protect the store if you decide to contest your purchase.
Credit fraud is trivially easy.
A company called Taiyo (located in Shibukawa city, Gunma prefecture) recently developed a super thin (0.4mm) credit card size device for skimming protection. Consumers put it on top of RFID cards to prevent the cards from secretly read by strangers etc. It's called "Skimming Card" (though I would rather call it "Anti-Skimming Card"). What's interesting about it is in how it works -- When (Anti-)Skimming Cards are exposed to electro-magnetic fields created by RFID readers, they create excess electric current in it and actively create "reverse" electro-magnetic fields that is approximately the same strengths as the readers' fields, thereby, prevents RFID readers to read RFID cards. We can relax now :-)
Spreading FUD...u should all work for BILL!!!
These cards are based on SMARTCARDS and the EMV standards (3DES, PKI, challenge-auth techniques) against which millions of credit and debit cards have been issued. The only difference is that they use an RF interface to provide comms and power the chip.
See http://en.wikipedia.org/wiki/ISO_14443/
They ARE NOT RFID tags, they do not emit your card number, banks (as other have correctly posted) are smart enough to NOT provide OTHER avenues of fraud.
...They're gonna need to put in some confirmation thing in this...
Dunno how's it in states, but in Russia, France and more countries you have to type in your PIN in order to approve a payment.
Long range RFID would be much easier because you won't need to get your card out of your wallet that's stuck somewhere in your pouch full of other stuff. Just type the PIN.
Supermarkets should greatly welcome this initiative because their lines will go much faster that way.
Speaking as someone who's been on the merchant side of things in both online and brick-and-mortar situations, I can say that this policy is a double-edged sword. Proving cardholder fraud (where the customer buys something, then decides they don't want to pay for it) and winning a chargeback is dead easy when you're using a point of sale terminal. Proving cardholder fraud with internet based transactions, especially when you're selling a service instead of a tangible (shipped) product, is next to impossible and the merchant will almost always lose.
OTOH, when someone used my credit card to order $600 worth of Victoria's Secret merchandise online a few years ago, it was nice that all I had to do was fill out a form on my bank's website to dispute the charge and get my money back. I still have that card, with the same number, and it's never been abused since. I always wondered where they got it from, and why they only used it once.
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
In the paper 'picking virtual pockets using relay attacks on contactless smartcard systems' by Avishai Wool and Ziv Kfir, it has been shown that a simple relay attack on RFIDs is feasible, and the range of those cards can be maliciously extended.
... ...
Here's a link to the paper:
http://eprint.iacr.org/2005/052.pdf
and from http://www.uncoveror.com/rfid2.htm
The manufacturers of these devices insist that they have a limited range, but hackers have always been able to build antennas to extend the range of any wireless device. Sometimes a simple Pringles can, a coax connector and a soldering iron are all they need to rig one up. A similar home-brewed contraption was how they got Paris Hilton's address book. Also, if a hacker, mugger or terrorist's RFID reader is too far away from a chipped passport, it can always piggyback data from a legitimate reader, and no one will ever know.
It makes sense that if you have a card which is acting like pocket change to allow this. You deplete the credit and then you top it up. You can only spend as much as you have on the card so it has a natural cutoff. Since you buy the card with cash from a machine, the card is effectively acting like semi-anonymous currency.
It doesn't make much sense to do the same with a credit card, unless the credit card imposes a hard limit on what you can spend in such a manner. And I don't mean per item - I mean total that you deplete and must be topped up either by you or a preset top up. Otherwise what's to stop someone reading your RFID and making their own purchases by spoofing yours?
It doesn't really make sense to even embed the RFID into the credit card anyway. Are Mastercard going to be happy with reissuing cards to hundreds of people for the sake of thieves leeching $10 a day off them? How does a customer or Mastercard even spot suspicious transactions for tiny items anyway until the statement arrives?
It seems smarter for the RFID to be on separate card - to be more like a gift card that can be topped up at the discretion of main card holder. These could be sold anywhere and it would be easy for someone to buy a couple of them and set them up with their main account. Then if someone steals one, you simply don't top it up anymore. This would of course require Mastercard or whoever to stop gouging owners of these cards by charging a monthly "administration fee", but if they wanted to see the scheme work, they'd waive it.
With the olde-fashioned disposable magnetic stripe cards we use in london you can walk through the readers without breaking stride (unless you are a tourist, grr.). There are oyster cards (rfid) too but they're just for big brother's benefit.
Two factor authentication can be (relatively) easily side stepped by using a relay attack. This is a crude yet effective way of using stolen ISO14443A card data. Possibly easier than a mag stripe. And if I could clone Japanese pay phone cards when I was 12 (and I did, out of curiousity), then I could certainly do this too.
/. seem to think that RFID charge/credit card data theft is just as easy as cloning mag stripe cards, except easier, because you don't need physical access. This is not true. You don't need to be a genius to skim through the ISO14443 work group papers to realize that it's a LOT more than just handing over the entire data content of the card to a reader, as is the case with mag stripes.
Of course, such an attack is mostly meaningless in a real world context... By using a relay attack to collect the data, and not actually decrypting the stream, you're limited to the exact same transaction. Which most likely would only work for a train or bus, and not for a credit card transaction where the communicated content will vary each time.
I find it interesting that people on
So I'll explain a bit. With mag stripes, the reader will read the entire data stored on the magnetic strip. As long as you can clone this (which is trivial), whether or not you understand the data (meaning crypto or not), you have a working copy at hand. Security measures around this are varied, but a good one is the requirement of a PIN number which is NOT stored on the card, and needs to be checked against an online database. But as long as you have the PIN, there's nothing to stop you from using a clone. Think of it like a backup card.
On the other hand, the entire content of the card is NOT transmitted with an RFID. Better yet, the communication is encrypted, so you don't know what part of the data is being transmitted, or even what the request was from the reader. The data transmission is not static. The encryption method could use any common crypto, such as SHA-1, meaning that even if you did pick up the signal from a distance away, you would have no way to (easily) understand what it meant, and would need to decrypt the message.
So, in the relay attack mentioned above, you COULD simply do a "If reader asks XXX, reply YYY" without understanding what it meant, and that would probably work for mass transit. But, getting a free ride probably isn't worth the investment beyond the simple satisfaction of knowing that you proved your point.
In order to make it profitable, you would need to decrypt the entire card content, re-create it, and be able re-transmit data in an encrypted format in order to place transactions on a credit card. This is not easy, and will require considerable more work than just scanning someone's pocket with a directional antenna. I won't deny that it's possible though. However, if someone actually uses this data, it will be no different than people that skim mag stripe cards right now. The only difference is that people will no longer require physical access to your card... but will require considerable effort per card they obtain. Much easier to pay a Wal-Mart employee to skim mag stripes for you.
try this
or make your own
When I was a shoplifter I used one of these works a treat for rf frequency shifting security tags.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Your comment deserves to be marked as funny, rather than informative; I laughed out loud.
Having done a lot of bar work, it's surprising how much the customer does hold up the whole process of paying. The whole hunting for cash thing is irritating, but so is the downright stupid "I don't know what I want yet". Uh-huh...
What irritated me the most though were the customers who carefully placed their money on the bar in front of you, while you stand there with your hand out to receive said money. All too often I was tempted to place their change on the bar just as they did to me, to make my point crystal clear, but unfortunately never did.
Payment can be secure, or it can be quick and easy. It can't be both. The easier you make it to do a legitimate transaction, the easier you also make it to do a dodgy one.
Contactless reading is going to cause problems. With the current generation of credit card readers, the information is read from the memory chip on the card by physical contact with the chip, and confirmed by entering a PIN into a numeric keypad. Unfortunately, the arrangement of the numbers on the pad is static. So, by careful observation, it is possible for an attacker to determine what number is being entered {the fingers may be concealed by a shroud, lulling the shopper into a false sense of security as the movements of elbow and shoulder reveal the number to a trained observer}; and at some later date, obtain the actual card -- possibly with the assistance of a third party -- and make several expensive purchases. {A phone with a video camera helps tremendously}. When the system was first introduced, customers were heard -- against all advice -- to say their PIN out loud.
While a legitimate reader is reading an RFID device, another reader could be snooping on the same signal. Now, one hopes that a rolling code system would be in operation; that is to say, the encryption key would not be the same each time the card is used. However, the fact that several readers must be able to work with the same card suggests that there must be some sort of key exchange per transaction. Given the small amount of storage space on present-generation smart cards, we can hypothesise that once-used keys are not blocked against re-use.
With a PIN discovered by traditional methods, and a simulated non-contact card, one can make purchases and other transactions, and the legitimate cardholder need not be aware until their limit has been exceeded. {Of course, too low a limit renders payment less convenient}.
The physical appearance of a traditional credit card is a very simple first test -- a cashier would be immediately suspicious of one of the plain white cards that are supplied in smart card development kits. A card which is not shown to the cashier need not bear any visual resemblance to the card it is pretending to be -- the first prototype could be a rucksack full of equipment, just so long as it produces the correct responses to the RF signals. If the non-contact cards have to be physically shown to a cashier, then there is little point in their being contactless in the first place.
At the end of the day, this is pointless willy-waving. Technology for technology's sake. And it will end up with another layer being badly grafted onto it, completely defeating the original purpose {which nobody will remember by then}.
Je fume. Tu fumes. Nous fûmes!
Explain how RF is considerably more secure then magnetic strips. The article mentions nothing about security as far as I can see.
Mastercard claims the RF can be read within an inch distance. Magnetic needs make contact to be read. They both transfer numbers, no cryptographics keys etc. The above said, magnetic strips seem the safer then rfid, albiet the less convenient.
Before I start, I will point out that the RFID based ISO14443A cards DO INDEED transfer data using cryptographic keys. These are NOT static, passive cards like mag stripes are. They are not the same as an office ID card that opens doors.
That said, I'm not saying that using RFID is an increased security issue, but simply that it's not as easy as a lot of tinfoil hatters around here make it out to be.
Here's the reasoning.
Mag stripe: Requires physical contact. However, anyone that has physical contact can easily read the ENTIRE content of the card and create a clone. Mag stripe cards are not intereactive, they are static. That is, you MUST read the entire content off of the card in order for it to work, and there's nothing stopping someone with physical access to the card to do so. Storing the data for later retrieval and cloning is also trivial. There are quite a few sleezy places (especially in Asia) where you will hand the cashier the card, and they will swipe it through a skimmer under the register before using it in the legitimate transaction. Your card data has been 0wn3d.
ISO14443A cards (aka the RFID cards): No physical contact is required. Data transmission can be picked up from quite a distance away at the time the card is activated through a magnetic field (aka the reader). The card, however, is interactive. It does not give out it's entire data bank to anyone that asks for it. There is a shared key, and then it kicks into encryption mode. Even then, the card will only transmit the necessary data for that specific transaction. It's basically 2-way communication. So, what does an attacker do? The attacker can use a trivial relay system to retrieve the exact content of the communication between the card reader and card. Once that is obtained, they COULD replicate the same transaction. However, it would only be good for that specific transaction. Any other transaction, and the data request from the reader would be different.
Another scenario is if, like WEP, the attacker somehow knows the key, or knows of an insecure key that is easily cracked. Even then, the only data s/he will obtain is that from the specific transaction, which may or may not be sufficient for any other transaction, depending on what kinds of security measures on the software level are implemented. Again, the RFID does not transmit it's entire contents in order for a transaction to complete, thus complicating things for an attacker. An attacker may be required to follow the card around and gather data for multiple transactions before having an acceptable chunk of data usable for a forged transaction.
Again, I'm not saying that RFID based credit cards are more secure or anything. I am, however, saying that they are not inherently more dangerous than a mag stripe card. It won't be easy to "skim" a card like it is done now with mag stripes, even if a fake reader is placed in an inconspicuous location. I'm not saying it's impossible, but it's highly unlikely. If someone does that, it shouldn't be any harder to track down the location of the skimmer than it is with modern techniques for fraud detection. 100 people with fradulent billings also made a purchase at retailer XXX. Fishy? You bet! So what do you do then? Same as you would do if your mag stripe got skimmed. Get a new card, and watch where you use it.
This is pretty common in a lot of software systems. The thing is, the people who designed the system already built a confirmation into it, and then forgot. It's the signature.
When I'm doing design, I always look for places where security requirements of the system have placed an automatic confirmation step, and eliminate any confirmations before that. If necessary, put a summary of what's about to happen in the same place that the security check takes place.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.