Slashdot Mirror


MasterCard To Distribute RFID Credit Cards

wellington writes "Reuters is reporting that MasterCard expects to have 4 million "pay pass" cards in circulation by year's end. These new cards will be equipped with a radio-frequency chip that allows customers to pay for purchases by simply waving their cards at readers posted near cash registers or gas pumps." The cards, previously covered on Slashdot, were announced earlier this year.

23 of 382 comments

  1. Not a big change by drivinghighway61 · · Score: 5, Insightful

    The article claims these new RFID cards will be a breakthrough in ease of use, like PayPal was for online purchases. However, the change to simply a wave isn't that much better than a swipe. One wonders what the real motive for adding the RFID chips to the cards will be.

  2. Security? by Mateito · · Score: 5, Insightful

    It amazes me every time I go to the states how no signature or pin is required to buy goods on a credit card. Self-service gas stations are a good example. This is single-factor authentication. RFID or magnetic strip, doesn't make a difference.

    How long will it take the collective minds of the criminal fraternity ... or for that matter the collective minds of Slashdot, to design a reader that can be used to copy RFID tags from people in crowded lifts and trains?

  3. As a MasterCard customer... by Anonymous Coward · · Score: 1, Insightful

    ... I will refuse this. If I have no choice, I will cancel the account. It's like walking around with my card number tattooed on my forehead.

    1. Re:As a MasterCard customer... by cra · · Score: 2, Insightful

      More like on the back of your jacket where you can't see who is taking a note of your number.

      --
      This message has been ROT-13 encrypted twice for higher security.
  4. Re:Anyone else concerned by rincebrain · · Score: 2, Insightful

    After reading this, I'm going to.

    The sad part is, I'm completely serious.

    --
    It's only an insult if it's not true.
  5. Re:Brings a whole new meaning to drive throu... by jamesh · · Score: 2, Insightful

    Many many people are posting along these lines. Do you all really think that Mastercard hasn't already thought of this and solved it???

    A simple solution would be to have an RSA key + engine on the card, so that the 'scanner' issues a challenge to the card and if the card can supply the decrypted string then it passes. A limit of 1 challenge per 30 seconds would stop anyone getting any useful data out of it. Presumably this is do-able using today's technology... or would an RSA engine use more power than could be received via the RF?

    I'm sure there are many other solutions too.
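
An added illustration of the challenge-response idea in the comment above (not part of the original comment or of any MasterCard design): it substitutes an HMAC-SHA256 shared key for the RSA engine the commenter proposes and keeps the suggested limit of one challenge per 30 seconds. The `Card`, `Reader` and `demo` names and the injected clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

CHALLENGE_INTERVAL = 30.0  # seconds between answered challenges (limit from the comment)


class Card:
    """Card side: holds a secret that never leaves the chip."""

    def __init__(self, key, clock):
        self._key = key
        self._clock = clock        # callable returning seconds; injected so the demo is deterministic
        self._last_answer = None   # time of the last challenge the card answered

    def respond(self, challenge):
        now = self._clock()
        if self._last_answer is not None and now - self._last_answer < CHALLENGE_INTERVAL:
            return None            # rate limit hit: the card stays silent
        self._last_answer = now
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Reader:
    """Reader side: issues a fresh random challenge and checks the response once."""

    def __init__(self, key):
        self._key = key            # assumption: symmetric stand-in for the RSA key pair
        self._pending = None

    def new_challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response):
        challenge, self._pending = self._pending, None   # each challenge is single-use
        if challenge is None or response is None:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    now = [0.0]                                # constructed clock, advanced by hand
    key = secrets.token_bytes(32)              # constructed per-card key
    card = Card(key, lambda: now[0])
    reader = Reader(key)
    results = {}

    # Normal transaction: fresh challenge, matching response.
    recorded = card.respond(reader.new_challenge())
    results["fresh"] = reader.verify(recorded)

    # A recorded response presented against a later challenge does not verify.
    reader.new_challenge()
    results["replay"] = reader.verify(recorded)

    # A second challenge 10 seconds later is refused by the card itself.
    now[0] = 10.0
    results["throttled"] = card.respond(reader.new_challenge()) is None

    # After the interval has passed the card answers again.
    now[0] = 45.0
    results["after_wait"] = reader.verify(card.respond(reader.new_challenge()))
    return results


if __name__ == "__main__":
    print(demo())
```

With a shared key the reader could compute valid responses itself; the asymmetric variant described in the comment avoids that by giving the reader only a public key.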

  6. Re:More fraud? by jrockway · · Score: 5, Insightful

    This doesn't make any sense. The time consuming part of a credit card
    transaction is where the cashier checks your signature against the one
    on the back of the card. If you just touch the card, there's no way
    for anyone in authority to verify that you are you. This makes me
    slightly uneasy. Handing the cashier the card and signing wasn't
    really that hard.

    The only place where RFID cards are convenient is for rapid transit
    fare control. You want to get through quickly, and swiping a card is
    actually cumbersome. When I first experienced this was when I was in
    Japan, and the normal card readers there were pretty good so it wasn't
    much of a difference. (More of a novelty really, but I bought in and
    used JR instead of the subway for my monthly pass... google SUICA if
    you're interested.)

    Here in Chicago, though, it's great. The normal farecard readers take
    *forever* to read the card (you'll know this if you're from Chicago),
    but the new RFID-based "Chicago Card" is really really fast and speeds
    boarding onto busses which means you get a seat quicker and get to
    where you're going quicker.

    But for credit cards, this is a security risk.

    --
    My other car is first.
  7. Soooooo lame, make it stop! by TheLittleJetson · · Score: 2, Insightful

    by simply waving their cards at readers posted near cash registers

    Is it just me, or is waving your card in front of a reader pretty much the exact same motion as swiping it in a slot?

  8. Re:More fraud? by iamdrscience · · Score: 5, Insightful
    The time consuming part of a credit card transaction is where the cashier checks your signature against the one on the back of the card.
    Have you ever used your credit card? It's pretty rare that cashiers will check your signatures, particularly if you're paying for something under $100. Try working as a clerk somewhere and notice the looks you get if you take the time to compare a signature, not to mention the arguments that will erupt with the few customers whose signature doesn't match, but are the legitimate owner.

    People don't expect to have their signature checked, especially for small purchases. I've worked as a clerk, even people who write "SEE ID FOR SIGNATURE" on their card's signature line will be confused when you ask to see their ID, most forget they have it written on their card or are not used to actually being asked for it.
  9. This is easier how? by el_womble · · Score: 4, Insightful

    Chip and pin was bad enough. Clerks still handle my card, and from a mugging perspective, it's far easier to beat a 4 digit pin out of me, than the ability to write my signature (at least forgery was skill?). But chip and pin does represent a step in the right direction (one step backwards, two steps forward). Not using a clerk to verify your identity is probably a good move in the long run, and keeping the pass phrase in plain sight was never a good idea.

    What I'm not sure about with these RFID is where is the feedback that the transaction was successful? If you still have to wait for the terminal to handshake with the central database and process the transaction, it still takes as long as a conventional credit card - then there is no improvement. If there is no identification process, short of possessing the card how is that better for my security? If it's part of the build up of biometric ID, is that really going to be any quicker, more convenient or secure than using a human to identify another human?

    My girlfriend's father has banked with the same branch his entire life. When he walks into the bank the people know him. Now don't get me wrong, he "Hates the bastards", but he won't change branches because, when he sent his new accountant in to withdraw some cash, they took the accountant to one side and refused the transaction until they had verified his identity via a phone call. It was quick and painless. The trust was human, the identification was human.

    The interesting thing about that story is that it identifies the absolute reason we need human trust mechanisms (because they work and are intuitive) and the absolute reason we need automatic trust - I don't want to have to make friends with every clerk/manager in the world before they'll accept my credit card - and I want the freedom to change banks.

    I don't think RFID for credit cards is a good idea. In fact I don't think credit cards are a good idea - they are a hack. They are a machine readable identification tool - what we need is a technology that identifies you by looking at you, talking to you, smelling you. If my mom's Lhasa Apso (possibly the stupidest breed of dog on the planet) can identify me from a line up then at some point we need a technology that has a similar capability.

    --
    Scared of flying, pointy things since 1979!
  10. Do you carry just ONE credit card in your wallet? by Mike_K · · Score: 4, Insightful

    I don't think the expected ease of use will be nearly as much as predicted by people who want to push this technology.

    I carry three credit cards in my wallet. I don't really need the third one, but I always try to have at least two, just in case my primary card doesn't swipe correctly, goes over limit, or becomes otherwise useless.

    So what will happen when I wave my wallet with three CCs in it in front of the reader? It'll probably ask me which card I'd like to use... Now I have to read the options (how many people carry 6 or 7 CCs in their wallets?!) and find the one I like and select it. Or just take it out of the wallet and swipe it. Which one will you choose?

    Plus, this may make lives easier for women who can just wave their purse in front of the reader, so they don't have to take out the wallet and then the CC. But most men I know carry their wallet in their back pocket, and I don't think stores will be happy with men sticking their butts up to the readers on the counters. And if I have to take out the wallet, I may just as well take out the CC...

    Just a couple of thoughts..

    m

  11. Re:Range? by Allnighterking · · Score: 2, Insightful

    Remember Range (in somewhat simplistic terms) is a function of two components. Component 1 is distance the transmitter can transmit a signal at level "X". Component 2 would then be the signal level, or sensitivity, needed by the receiver. Increase the sensitivity (or actually decrease the level at which it can read data.) and you increase the distance the signal can be transmitted.

    Increasing the sensitivity of the receiver is much easier and much less expensive than increasing the power of the transmitter. Witness the difference between a 400 dollar (US) FM radio in your car vs the 200 dollar Mono FM radio it came with. The radio station didn't boost its output, your radio sensitivity improved dramatically. With a simple doubling of retail price you now can listen to stations you previously didn't know existed.

    Now take and add in the final component of sensitivity .... discretion (You might have heard of discrete FM). The ability of a receiver to know the difference between viable data and useless noise. Now suddenly with a few higher quality components (that bus pass reader probably has a manufacturing cost on the order of pennies.) you suddenly can read the data at 3ft line of sight.

    Now 3 ft line of sight would easily translate to 1 foot through 1/4 inch of plywood (like in a counter.) Meaning that while you are giving the OK to a valid transaction you could also be giving authorization at the same moment to a second "hidden" transaction.

    Don't believe this could happen? Think about the two gentlemen arrested a while back for reading customer and corporate data from wireless cash registers. Just because you have to touch the intended receiver to register a transaction doesn't mean that that is the distance it can transmit. The actual distance a radio wave can go is when unobstructed and absorbed, infinite. However beyond a certain point a radio wave of signal strength Y is just too decayed to be able to be found in the cacophony of radio signals surrounding us. That guy that just bumped into you might not have picked your pocket. Instead he read your credit card.

    In the end promises of "We won't do X, Y, or Z" with the data stream we create is about as useful as websites claiming they won't sell data about you. I can tell you the ones that haven't, I can't predict the ones who won't.

    --

    I'm sorry, I'm too tired to be witty at the moment so this message will have to do.

  12. A problem I see... by iamdrscience · · Score: 2, Insightful

    The thing about this is that there are a lot of people that have multiple credit cards. If these are keyring style cards, they'd all be close enough that it would be a real hassle to make sure that the right one is getting read.

    Another problem I see if these are keyring "cards" is that, well, having a bunch of shit hanging all over your keychain is a pain. In the future will we all have big janitor-style keyrings hanging off our beltloops?

  13. Re:More fraud? by E8086 · · Score: 4, Insightful

    "On the flipside, the card never has to leave your physical possession."

    It rarely has to anymore. Most stores have installed credit/debit card readers for their customers, thanks to that scare a while back that cashiers were stealing credit card numbers. The only time my card leaves my possession is with the older style BoA/Fleet ATMs that still want to hold on to your card until the transaction is complete. I hope they will still require a PIN/passcode along with the card or maybe a thumb held on a scanner while the PIN is entered with the other hand.

    Or they could try making the cards smaller. Who says a credit/debit card has to be 3.5"x2"? Yes, it fits perfectly in a wallet, but so does a 3.5" floppy in a shirt breast pocket. I remember seeing commercials of credit cards designed to fit on a keychain, it even had a protective case. A credit card can easily be reduced to 1" high, if you examine one you'll see that the top half contains the magnetic strip and the signature box and the bottom has the number, exp date and name. And they're on opposite sides of the card.

    Remember, RFID that claims to be read at only up to 6" can really be read at up to 70'.
    The tinfoil wallet is too passive an approach and can only protect the card while it's in the wallet, not in use. It's time to modify a PDA RFID scanner to be an RFID jammer.

    RFID passports, RealID cards and credit cards. What's next RFID birth certificates and social security cards? That will add a new level to wardriving and even war/RFID walking in malls.

    --
    F7 doesn't work, ignore spelling and grammar
  14. Re:More fraud? by shadowmas · · Score: 2, Insightful

    True, they seem to be secure, but smartcards have been hacked to a certain amount. The problem is that these kinds of cards make hacking attempts very attractive because the hacker can attempt to hack a card without the owner of the card getting any indication that such a hack is taking place. With a traditional card someone would have to steal the physical card, which you would notice within a day or two at max, but with these sort of cards you wouldn't know that something went wrong till the monthly bill comes. (I'm only considering the card-present transactions here, since online transactions only need the card's number and it wouldn't make a difference as to whether it's a smart card or a normal card.)

  15. Re:I have a bad feeling about this... by caluml · · Score: 3, Insightful
    The RF component of these cards is considerably more secure than even the magstripe component.

    If only I could dig up someone saying that about WEP a few years ago...

  16. What's the incentive to change for each party? by 200_success · · Score: 5, Insightful

    Let's face it: traditional credit cards suck because they are hampered by concern for backward compatibility with 1970s technology. If one were designing a credit card system today, it wouldn't be based on an embossed number and magnetic stripe. The number is there for remote transactions (using the expiration date and possibly the 3-digit CVV as a plaintext "password"!). With today's technology, remote transactions should be handled using a challenge-response system or one-time-use numbers such that the retailer can authenticate the cardmember without gaining enough information to impersonate the cardmember. The number on the card is embossed for use with the carbon-copy rolling machine. When was the last time a retailer carbon-copied your card, asked for photographic ID, and looked through a blacklist of stolen card numbers? And the magnetic stripe would certainly be replaced by a smart chip, which is much harder to clone because it can do challenge-response.

    The infrastructure of the credit card network has improved, slowly. Nearly all point-of-sale equipment now performs real-time authorization. In Europe, the magnetic stripe is being obsoleted by contact smart chips. However, the benefit of the new technology must be significant enough to justify upgrading the huge worldwide network of equipment. So what's in it for each party to adopt RFID for credit cards?

    • Retailer: The store wants to minimize the likelihood of chargebacks while being quick and friendly to the customer. In addition, the card reader needs to be cheap, since they have to buy or lease the equipment. They have all adopted real-time authorization because it eliminated a lot of fraud. In countries where magnetic stripe cloning is prevalent, they have already acquired contact smart chip readers. The only ones who would be interested in RFID might be the industries clustered around the American car culture, where every second counts: tollbooths, fast food/coffee places, gas stations.
    • Issuing banks: The bank wants secure cards that can be issued cheaply. Although most of the risk of fraud is borne by the retailers, the banks do assume some liability, not to mention the expense of running the call center and the fraud check departments. Although the RFID signals might be intercepted and cracked, I think that thieves will prefer to steal credit card numbers by other means (the same security holes that are there today will continue to exist for backward compatibility). The RFID chip is relatively cheap, so they might go for the new tech. Or Mastercard could force them to embed RFID in the cards.
    • Cardmember: The typical cardmember mainly cares about convenience, with security as a secondary concern. Being able to wave your entire purse or hump your butt against the contactless card reader is marginally more convenient, assuming that the signal can overcome shielding and interference problems. If RFID cards become common, you'll have to specify which of the several cards you are carrying you want to charge, or it's possible that it will read a card other than the one you intended to charge. So I don't think you would really be saving any time. However, cardmembers are not really in any position to promote or protest technological decisions -- you just get to use whatever card comes in the mail.

    In short, credit card technology advances slowly, with the retailer network being the bottleneck. Can they be convinced to upgrade? In my opinion, I think not.

    I also think that RFID offers practically no advantage over contact smart chips, and that it would be pointless to add yet another standard. Wireless will never be quite as secure as contact. The network needs an overhaul, but this is not it! The credit card companies should be pushing to remove the card number and magnetic stripe in favor of the smart chip, instead of adding RFID.

  17. Re:Not the same "RFID" by Detritus · · Score: 3, Insightful

    DES, and its variants, have the advantage of not having succumbed to decades worth of cryptanalysis. AES may be better, but it is relatively new, and hasn't received the same amount of cryptanalysis as DES. New isn't always better.

    --
    Mea navis aericumbens anguillis abundat
  18. Maybe in the US by aepervius · · Score: 2, Insightful

    But here in EU, they give a cursory glance at the signature. Even if this is for a small amount of 10. Granted it won't stop fraudsters who just scribble a similar signature and pass the test, but they certainly check it.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  19. Kneejerking? by Malor · · Score: 5, Insightful

    From what I can see, these don't appear to be RFID cards. They seem to be using an encrypted signal with a handshake. A simple eavesdropper shouldn't be able to do anything with the data he snoops, because all he's going to be able to see is the key exchange and then the encrypted bitstream.

    It's just using the air to transmit encrypted information instead of a wire. As long as the encryption is good, the simple fact that it's broadcast instead of being on a wire shouldn't matter.

    Ok, that said, I could see one potential attack vector, in that a bad guy could theoretically initiate a key exchange and swipe some cash from you. If all it takes is being nearby with an inductive field to power the card, then a fraudulent charge would be pretty easy to make. The virtual equivalent of pickpocketing. If you did it in small amounts per card, you could walk through a crowd with your portable gear and make hundreds of dollars an hour.

    One idea to work around that would be requiring the user to hold the card in two specific places, on opposite sides. Thumb on one side, finger on the other, touching big gold contact points. If the card can detect the proper grip (very trivial technology), then it is active; otherwise, it refuses transactions. That should prevent 'pickpocketing'.

    Basically, there needs to be a way for the user to announce 'yes, this is an authorized charge' other than simple proximity. The Kung-Fu Grip is one possibility... there must be others. Heck, the cards may already DO this. The actual technical data seems exceedingly scarce.

    Snooping, at least, doesn't appear to be a potential problem.

  20. "Hello Dave, Thanks for shopping Walmart!" by shado07 · · Score: 2, Insightful

    Now they can read the name off your card and welcome you to every store.

  21. Re:More fraud? by AnnualSparrow · · Score: 3, Insightful

    It would help if the UI wasn't completely different on every single POS machine I've ever used. Even a particular store will sometimes change its POS system often enough that I have to carefully follow the UI prompts, instead of relying on muscle-memory. Then you have the stores where they've modified the UI themselves, using sharpies or masking-tape.

    Think of it from the customer's point of view: he would have to remember the UI for every POS system he uses. Meanwhile, you use the same one, all day, and only have to remember it. So it's no wonder that you expect it to be easy - and it's no wonder that it isn't so easy.

  22. This nails the problem... mod parent up! by Goldenhawk · · Score: 2, Insightful

    I already replied on this thread, or I'd mod the parent comment up a notch. A lot of folks have been griping about the reader not being able to handle multiple cards in your wallet simultaneously, when really RFID is designed to do that just fine. In fact, the problem, as "iamdrscience" has identified, is precisely the OPPOSITE problem - RFID is a little TOO good at multiple simultaneous identifications. He's right - how do you prevent the system from reading the wrong card - or multiple cards - and double charging or charging the wrong account?

    Very insightful.

    --
    --Brandon / Split Infinity Music