Slashdot Mirror


MasterCard To Distribute RFID Credit Cards

wellington writes "Reuters is reporting that MasterCard expects to have 4 million "pay pass" cards in circulation by year's end. These new cards will be equipped with a radio-frequency chip that allows customers to pay for purchases by simply waving their cards at readers posted near cash registers or gas pumps." The cards, previously covered on Slashdot, were announced earlier this year.

13 of 382 comments

  1. Range? by interactive_civilian · · Score: 3, Informative
    Really? Just out of curiosity, what is the range of RFID in these cards?

    I only ask because my train pass (in Japan, the Suica card) is RFID, and you pretty much have to touch the sensor for it to work at the ticket gates. Anything more than about 5mm and it won't be read. You pretty much have to touch it to the sensor.

    So, unless someone with a scanner embedded into his/her pants bumps into you, I imagine you will be OK. If you are paranoid about it, you could always wrap your cards in tinfoil or something. ;)

    Or am I missing something, and these things are more remotely scannable than I thought?

    --
    "Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
    1. Re:Range? by tooth · · Score: 5, Informative

      When you bring the card near the reader it induces a current in the card to power it (Passive RFID). This is why you need to put it close to the reader. Once this happens you can snoop the signal from the card from nearby.

    2. Re:Range? by joe_bruin · · Score: 4, Informative

      You put your card up to the reader not because that is the range of the signal coming out of the card. Rather, it is the range of the magnetic induction field coming out of the reader to power the card. The signal the card emits can probably be read at 100 meters by a person with a high gain directional antenna.

      Of course, Suica cards are not that prone to theft because the most that person could do is take a spin around the Yamanote Line at your expense. When there's serious money involved, you will see someone place a high powered field generator in a trash can by the entrance to a mall, and then sit in a car nearby and gather access numbers from everyone going in or out and massively cash out. Non-contact based transactions are a bad idea. Faraday-cage wallet, here I come.

    3. Re:Range? by StrawberryFrog · · Score: 3, Informative

      it is the range of the magnetic induction field coming out of the reader to power the card

      This is true.

      Anecdote: During the early trials of the Oyster RFID transport card in London, there was a problem with passing buses dinging the accounts of people waiting at the stop who didn't get on that bus. The solution was to reduce the power of the reader on the bus.

      --

      My Karma: ran over your Dogma
      StrawberryFrog

  2. Get some facts by scdeimos · · Score: 4, Informative

    PayPass FAQ page: http://www.paypass.com/faq.html

    I'm not sure what the benefit of these are since you still have to take your card out of your pocket/wallet/handbag to swipe it over the scanner (only works within an inch). Anyone who has trouble swiping cards with mag stripes (which seems to be becoming a more-common problem as technology progresses) will likely think this a good thing - one swipe and that's it.

    The issue of Card ID theft isn't really that much more than it already is.

  3. Not the same "RFID" by RzUpAnmsCwrds · · Score: 5, Informative

    The MasterCard system, like all of its type, uses the ISO/IEC 14443 contactless smartcard standard.

    ISO 14443, unlike most RFID standards, is a cryptographically strong system that renders eavesdropping useless.

  4. Protection available already! by gaetan-g · · Score: 3, Informative

    A company called Taiyo (located in Shibukawa city, Gunma prefecture) recently developed a super thin (0.4mm) credit card size device for skimming protection. Consumers put it on top of RFID cards to prevent the cards from being secretly read by strangers etc. It's called "Skimming Card" (though I would rather call it "Anti-Skimming Card"). What's interesting about it is in how it works -- when (Anti-)Skimming Cards are exposed to electro-magnetic fields created by RFID readers, they create excess electric current and actively create "reverse" electro-magnetic fields that are approximately the same strength as the readers' fields, thereby preventing RFID readers from reading RFID cards. We can relax now :-)

  5. Re:More fraud? by petej2310 · · Score: 5, Informative

    Spreading FUD...u should all work for BILL!!!
    These cards are based on SMARTCARDS and the EMV standards (3DES, PKI, challenge-auth techniques) against which millions of credit and debit cards have been issued. The only difference is that they use an RF interface to provide comms and power the chip.
    See http://en.wikipedia.org/wiki/ISO_14443/
    They ARE NOT RFID tags, they do not emit your card number, banks (as others have correctly posted) are smart enough to NOT provide OTHER avenues of fraud.

  6. Re:Theft by Begemot · · Score: 3, Informative

    ...They're gonna need to put in some confirmation thing in this...

    Dunno how it is in the States, but in Russia, France and more countries you have to type in your PIN in order to approve a payment.
    Long range RFID would be much easier because you won't need to get your card out of your wallet that's stuck somewhere in your pouch full of other stuff. Just type the PIN.

    Supermarkets should greatly welcome this initiative because their lines will go much faster that way.

  7. Re:Limit of liability by Motherfucking+Shit · · Score: 3, Informative
    I have heard that in the US you have a 10% limit, eg if someone steals your card to buy $100 worth of goods you get $90 back from the retailer via the card issuer.

    In the US, federal law limits a cardholder's total liability for fraudulent charges to $50. If someone steals your card info and goes on a shopping spree, by law the credit card company cannot ask you to pay any more than $50, no matter how high the total of fraudulent charges. In practice, liability for fraudulent charges is normally zero here too. Almost all of the major issuing banks will immediately credit you for the amount of a disputed charge, and then debit the merchant for the same amount. Unless the dispute turns out to be false (i.e. the retailer has a receipt with your actual signature on it) you never pay a cent.

    Speaking as someone who's been on the merchant side of things in both online and brick-and-mortar situations, I can say that this policy is a double-edged sword. Proving cardholder fraud (where the customer buys something, then decides they don't want to pay for it) and winning a chargeback is dead easy when you're using a point of sale terminal. Proving cardholder fraud with internet based transactions, especially when you're selling a service instead of a tangible (shipped) product, is next to impossible and the merchant will almost always lose.

    OTOH, when someone used my credit card to order $600 worth of Victoria's Secret merchandise online a few years ago, it was nice that all I had to do was fill out a form on my bank's website to dispute the charge and get my money back. I still have that card, with the same number, and it's never been abused since. I always wondered where they got it from, and why they only used it once.
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  8. Re:More fraud? by DrXym · · Score: 4, Informative
    I believe some countries allow you to use your rapid transit card to make small purchases. In addition to swiping your card to be allowed through a gate you can buy a bar of chocolate or a newspaper or other small transactions. Apparently London is piloting doing such a thing with their Oyster card.


    It makes sense to allow this if you have a card which is acting like pocket change. You deplete the credit and then you top it up. You can only spend as much as you have on the card so it has a natural cutoff. Since you buy the card with cash from a machine, the card is effectively acting like semi-anonymous currency.


    It doesn't make much sense to do the same with a credit card, unless the credit card imposes a hard limit on what you can spend in such a manner. And I don't mean per item - I mean total that you deplete and must be topped up either by you or a preset top up. Otherwise what's to stop someone reading your RFID and making their own purchases by spoofing yours?


    It doesn't really make sense to even embed the RFID into the credit card anyway. Are Mastercard going to be happy with reissuing cards to hundreds of people for the sake of thieves leeching $10 a day off them? How does a customer or Mastercard even spot suspicious transactions for tiny items anyway until the statement arrives?


    It seems smarter for the RFID to be on a separate card - to be more like a gift card that can be topped up at the discretion of the main card holder. These could be sold anywhere and it would be easy for someone to buy a couple of them and set them up with their main account. Then if someone steals one, you simply don't top it up anymore. This would of course require Mastercard or whoever to stop gouging owners of these cards by charging a monthly "administration fee", but if they wanted to see the scheme work, they'd waive it.

  9. No need for tinfoil by DrSkwid · · Score: 3, Informative


    try this

    or make your own

    When I was a shoplifter I used one of these works a treat for rf frequency shifting security tags.

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  10. WOo double confirmation by xant · · Score: 3, Informative

    This is pretty common in a lot of software systems. The thing is, the people who designed the system already built a confirmation into it, and then forgot. It's the signature.

    When I'm doing design, I always look for places where security requirements of the system have placed an automatic confirmation step, and eliminate any confirmations before that. If necessary, put a summary of what's about to happen in the same place that the security check takes place.

    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.