MasterCard To Distribute RFID Credit Cards

wellington writes "Reuters is reporting that MasterCard expects to have 4 million "pay pass" cards in circulation by year's end. These new cards will be equipped with a radio-frequency chip that allows customers to pay for purchases by simply waving their cards at readers posted near cash registers or gas pumps." The cards, previously covered on Slashdot, were announced earlier this year.

Not a big change

[drivinghighway61]

The article claims these new RFID cards will be a breakthrough in ease of use, like PayPal was for online purchases. However, the change to simply a wave isn't that much better than a swipe. One wonders what the real motive for adding the RFID chips to the cards will be.

Security?

[Mateito]

It amazes me every time I go to the states how no signature or pin is required to buy goods on a credit card. Self-service gas stations are good example. This is single-factor authentication. RFID or magnetic strip, doesn't make a difference.

How long will it take the collectives minds of the criminal fraternity ... or for that matter the collective minds of Slashdot, to design a reader that can be used to copy RFID takes from people in crowded lifts and trains?

Re:More fraud?

[jrockway]

This doesn't make any sense. The time consuming part of a credit card
transaction is where the cashier checks your signature against the one
on the back of the card. If you just touch the card, there's no way
for anyone in authority to verify that you are you. This makes me
slightly uneasy. Handing the cashier the card and signing wasn't
really that hard.

The only place where RFID cars are convenient is for rapid transit
fare control. You want to get through quickly, and swiping a card is
actually cumbersome. When I first experienced this was when I was in
Japan, and the normal card readers there were pretty good so it wasn't
much of a difference. (More of a novelty really, but I bought in and
used JR instead of the subway for my monthly pass... google SUICA if
you're interested.)

Here in Chicago, though, it's great. The normal farecard readers take
*forever* to read the card (you'll know this if you're from Chicago),
but the new RFID-based "Chicago Card" is really really fast and speeds
boarding onto busses which means you get a seat quicker and get to
where you're going quicker.

But for credit cards, this is a security risk.

Re:More fraud?

[iamdrscience]

The time consuming part of a credit card transaction is where the cashier checks your signature against the one on the back of the card.

Have you ever used your credit card? It's pretty rare that cashiers will check your signatures, particularly if you're paying for something under $100. Try working as a clerk somewhere and notice the looks you get if you take the time to compare a signature, not to mention the arguments that will erupt with the few customers whose signature doesn't match, but are the legitimate owner.

People don't expect to have their signature checked, especially for small purchases. I've worked as a clerk, even people who write "SEE ID FOR SIGNATURE" on their card's signature line will be confused when you ask to see their ID, most forget they have it written on their card or are not used to actually being asked for it.

This is easier how?

[el_womble]

Chip and pin was bad enough. Clerks still handle my card, and from a mugging perspective, its far easier to beat a 4 digit pin out of me, than the ability to write my signiture (at least forgery was skill?). But chip and pin does represent a step in the right direction (one step backwards, two steps forward). Not using a clerk to verify your identity is probably a good move in the long run, and keeping the pass phrase in plain site was never a good idea.

What I'm not sure about with these RFID is where is the feedback that the transaction was successful? If you still have to wait for the terminal to handshake with the central database and process the transaction, it still takes as long as a conventional credit card - then there is no improvement. If there is no identification process, short of possessing the card how is that better for my security? If its part of the build up of biometric ID, is that really going to be any quicker, more convient or secure than using a human to identify another human.

My girlfriends father has banked with the same branch his entire life. When he walks into the bank the people know him. Now don't get me wrong, he "Hates the bastards", but he won't change branches because, when he sent his new accountant into withdraw some cash, they took the accountant to one side and refused the transaction until they had verified his identify via a phone call. It was quick and painless. The trust was human, the identification was human.

The interesting thing about that story is that it identifies the absolute reason we need human trust mechanisms (because they work and are intuitive) and the absolute reason we need automatic trust - I don't want to have to make friends with every clerk/manager in the world before they'll accept my credit card - and I want the freedom to change banks.

I don't think RFID for credit cards is a good idea. In fact I don't think credit cards are a good idea - they are a hack. They are a machine readable identification tool - what we need is a technology that identifies you by looking at you, talking too you, smelling you. If my moms Lhasa Apso (possibly the stupidest breed of dog on the planet) can identify me from a line up then at some point we need a technology that has a similar capability.

Do you carry just ONE credit card in your wallet?

[Mike_K]

I don't think the expected ease of use will be nearly as much as predicted by people who want to push this technology.

I carry three credit cards in my wallet. I don't really need the third one, but I always try to have at least two, just in case my primary card doesn't swipe correctly, goes over limit, or becomes otherwise useless.

So what will happen when I wave my wallet with three CCs in it in front of the reader? It'll probably ask me which card I'd like to use... Now I have to read the options (how many people carry 6 or 7 CCs in their wallets?!) and find the one I like and select it. Or just take it out of the wallet and swipe it. Which one will you chose?

Plus, this may make lives easier for women who can just wave their purse in front of the reader, so they don't have to take out the wallet and then the CC. But most men I know carry their wallet in their back pocket, and I don't think stores will be happy with men sticking their butts up to the readers on the counters. And if I have to take out the wallet, I may just as well take out the CC...

Just a couple of thoughts..

m

Re:More fraud?

[E8086]

"On the flipside, the card never has to leave your physical possession."

It rarely has to anymore. Most stores have installed credit/debit card readers for their customers, thanks to that scare a while back that cashiers were stealing credit card numbers. The only time my card leaves my posession is with the older style BoA/Fleet ATMs that still want to hold on to your card until the transaction is complete. I hope they will still require a PIN/passcode along with the card or maybe a thumb held on a scanner while the PIN is entered with the other hand.

Or they could try making the cards smaller. Who says a credit/debit card has to be 3.5"x2"? Yes, it fits perfectly in a wallet, but so does a 3.5" floppy in a shirt breast pocket. I remember seeing commercials of credit cards designed to fit on a keychain, it even had a protective case. A credit card can easily be reduced to 1" high, if you examine one you'll see that the top half contains the magnetic strip and the signature box and the bottom has the number, exp date and name. And they're on opposite sides of the card.

Remeber, RFID that claims to be read at only up to 6" can really be read at up to 70'
The tinfoil wallet is too passive an approach and can only protect the card while it's in the wallet, not in use. It's time to modify a PDA RFID scanner to be an RFID jammer.

RFID passports, RealID cards and credit cards. What's next RFID birth certificates and social security cards? That will add a new level to wardriving and even war/RFID walking in malls.

What's the incentive to change for each party?

[200_success]

Let's face it: traditional credit cards suck because they are hampered by concern for backward compatibility with 1970s technology. If one were designing a credit card system today, it wouldn't be based on an embossed number and magnetic stripe. The number is there for remote transactions (using the expiration date and possibly the 3-digit CVV as a plaintext "password"!). With today's technology, remote transactions should be handled using a challenge-response system or one-time-use numbers such that the retailer can authenticate the cardmember without gaining enough information to impersonate the cardmember. The number on the card is embossed for use with the carbon-copy rolling machine. When was the last time a retailer carbon-copied your card, asked for photographic ID, and looked through a blacklist of stolen card numbers? And the magnetic stripe would certainly be replaced by a smart chip, which is much harder to clone because it can do challenge-response.

The infrastructure of the credit card network has improved, slowly. Nearly all point-of-sale equipment now performs real-time authorization. In Europe, the magnetic stripe is being obsoleted by contact smart chips. However, the benefit of the new technology must be significant enough to justify upgrading the huge worldwide network of equipment. So what's in it for each party to adopt RFID for credit cards?

• Retailer: The store wants to minimize the likelihood of chargebacks while being quick and friendly to the customer. In addition, the card reader needs to be cheap, since they have to buy or lease the equipment. They have all adopted real-time authorization because it eliminated a lot of fraud. In countries where magnetic stripe cloning is prevalent, they have already acquired contact smart chip readers. The only ones who would be interested in RFID might be the industries clustered around the American car culture, where every second counts: tollbooths, fast food/coffee places, gas stations.
• Issuing banks: The bank wants secure cards that can be issued cheaply. Although most of the risk of fraud is borne by the retailers, the banks do assume some liability, not to mention the expense of running the call center and the fraud check departments. Although the RFID signals might be intercepted and cracked, I think that thieves will prefer to steal credit card numbers by other means (the same security holes that are there today will continue to exist for backward compatibility). The RFID chip is relatively cheap, so they might go for the new tech. Or Mastercard could force them to embed RFID in the cards.
• Cardmember: The typical cardmember mainly cares about convenience, with security as a secondary concern. Being able to wave your entire purse or hump your butt against the contactless card reader is marginally more convenient, assuming that the signal can overcome shielding and interference problems. If RFID cards become common, you'll have to specify which of the several cards you are carrying you want to charge, or there it's possible that it will read a card other than the one you intended to charge. So I don't think you would really be saving any time. However, cardmembers are not really in any position to promote or protest technological decisions -- you just get to use whatever card comes in the mail.

In short, credit card technology advances slowly, with the retailer network being the bottleneck. Can they be convinced to upgrade? In my opinion, I think not.

I also think that RFID offers practically no advantage over contact smart chips, and that it would be pointless to add yet another standard. Wireless will never be quite as secure as contact. The network needs an overhaul, but this is not it! The credit card companies should be pushing to remove the card number and magnetic stripe in favor of the smart chip, instead of adding RFID.

Kneejerking?

[Malor]

From what I can see, these don't appear to be RFID cards. They seem to be using an encrypted signal with a handshake. An simple eavesdropper shouldn't be able to do anything with the data he snoops, because all he's going to be able to see is the key exchange and then the encrypted bitstream.

It's just using the air to transmit encrypted information instead of a wire. As long as the encryption is good, the simple fact that it's broadcast instead of being on a wire shouldn't matter.

Ok, that said, I could see one potential attack vector, in that a bad guy could theoretically initiate a key exchange and swipe some cash from you. If all it takes is being nearby with an inductive field to power the card, then a fraudulent charge would be pretty easy to make. The virtual equivalent of pickpocketing. If you did it in small amounts per card, you could walk through a crowd with your portable gear and make hundreds of dollars an hour.

One idea to work around that would be requiring the user to hold the card in two specific places, on opposite sides. Thumb on one side, finger on the other, touching big gold contact points. If the card can detect the proper grip (very trivial technology), then it is active; otherwise, it refuses transactions. That should prevent 'pickpocketing'.

Basically, there needs to be a way for the user to announce 'yes, this is an authorized charge' other than simple proximity. The Kung-Fu Grip is one possibility... there must be others. Heck, the cards may already DO this. The actual technical data seems exceedingly scarce.

Snooping, at least, doesn't appear to be a potential problem.