MasterCard To Distribute RFID Credit Cards

wellington writes "Reuters is reporting that MasterCard expects to have 4 million "pay pass" cards in circulation by year's end. These new cards will be equipped with a radio-frequency chip that allows customers to pay for purchases by simply waving their cards at readers posted near cash registers or gas pumps." The cards, previously covered on Slashdot, were announced earlier this year.

Not a big change

[drivinghighway61]

The article claims these new RFID cards will be a breakthrough in ease of use, like PayPal was for online purchases. However, the change to simply a wave isn't that much better than a swipe. One wonders what the real motive for adding the RFID chips to the cards will be.

Security?

[Mateito]

It amazes me every time I go to the states how no signature or pin is required to buy goods on a credit card. Self-service gas stations are good example. This is single-factor authentication. RFID or magnetic strip, doesn't make a difference.

How long will it take the collectives minds of the criminal fraternity ... or for that matter the collective minds of Slashdot, to design a reader that can be used to copy RFID takes from people in crowded lifts and trains?

Re:More fraud?

[jrockway]

This doesn't make any sense. The time consuming part of a credit card
transaction is where the cashier checks your signature against the one
on the back of the card. If you just touch the card, there's no way
for anyone in authority to verify that you are you. This makes me
slightly uneasy. Handing the cashier the card and signing wasn't
really that hard.

The only place where RFID cars are convenient is for rapid transit
fare control. You want to get through quickly, and swiping a card is
actually cumbersome. When I first experienced this was when I was in
Japan, and the normal card readers there were pretty good so it wasn't
much of a difference. (More of a novelty really, but I bought in and
used JR instead of the subway for my monthly pass... google SUICA if
you're interested.)

Here in Chicago, though, it's great. The normal farecard readers take
*forever* to read the card (you'll know this if you're from Chicago),
but the new RFID-based "Chicago Card" is really really fast and speeds
boarding onto busses which means you get a seat quicker and get to
where you're going quicker.

But for credit cards, this is a security risk.

Re:More fraud?

[iamdrscience]

The time consuming part of a credit card transaction is where the cashier checks your signature against the one on the back of the card.

Have you ever used your credit card? It's pretty rare that cashiers will check your signatures, particularly if you're paying for something under $100. Try working as a clerk somewhere and notice the looks you get if you take the time to compare a signature, not to mention the arguments that will erupt with the few customers whose signature doesn't match, but are the legitimate owner.

People don't expect to have their signature checked, especially for small purchases. I've worked as a clerk, even people who write "SEE ID FOR SIGNATURE" on their card's signature line will be confused when you ask to see their ID, most forget they have it written on their card or are not used to actually being asked for it.

What's the incentive to change for each party?

[200_success]

Let's face it: traditional credit cards suck because they are hampered by concern for backward compatibility with 1970s technology. If one were designing a credit card system today, it wouldn't be based on an embossed number and magnetic stripe. The number is there for remote transactions (using the expiration date and possibly the 3-digit CVV as a plaintext "password"!). With today's technology, remote transactions should be handled using a challenge-response system or one-time-use numbers such that the retailer can authenticate the cardmember without gaining enough information to impersonate the cardmember. The number on the card is embossed for use with the carbon-copy rolling machine. When was the last time a retailer carbon-copied your card, asked for photographic ID, and looked through a blacklist of stolen card numbers? And the magnetic stripe would certainly be replaced by a smart chip, which is much harder to clone because it can do challenge-response.

The infrastructure of the credit card network has improved, slowly. Nearly all point-of-sale equipment now performs real-time authorization. In Europe, the magnetic stripe is being obsoleted by contact smart chips. However, the benefit of the new technology must be significant enough to justify upgrading the huge worldwide network of equipment. So what's in it for each party to adopt RFID for credit cards?

• Retailer: The store wants to minimize the likelihood of chargebacks while being quick and friendly to the customer. In addition, the card reader needs to be cheap, since they have to buy or lease the equipment. They have all adopted real-time authorization because it eliminated a lot of fraud. In countries where magnetic stripe cloning is prevalent, they have already acquired contact smart chip readers. The only ones who would be interested in RFID might be the industries clustered around the American car culture, where every second counts: tollbooths, fast food/coffee places, gas stations.
• Issuing banks: The bank wants secure cards that can be issued cheaply. Although most of the risk of fraud is borne by the retailers, the banks do assume some liability, not to mention the expense of running the call center and the fraud check departments. Although the RFID signals might be intercepted and cracked, I think that thieves will prefer to steal credit card numbers by other means (the same security holes that are there today will continue to exist for backward compatibility). The RFID chip is relatively cheap, so they might go for the new tech. Or Mastercard could force them to embed RFID in the cards.
• Cardmember: The typical cardmember mainly cares about convenience, with security as a secondary concern. Being able to wave your entire purse or hump your butt against the contactless card reader is marginally more convenient, assuming that the signal can overcome shielding and interference problems. If RFID cards become common, you'll have to specify which of the several cards you are carrying you want to charge, or there it's possible that it will read a card other than the one you intended to charge. So I don't think you would really be saving any time. However, cardmembers are not really in any position to promote or protest technological decisions -- you just get to use whatever card comes in the mail.

In short, credit card technology advances slowly, with the retailer network being the bottleneck. Can they be convinced to upgrade? In my opinion, I think not.

I also think that RFID offers practically no advantage over contact smart chips, and that it would be pointless to add yet another standard. Wireless will never be quite as secure as contact. The network needs an overhaul, but this is not it! The credit card companies should be pushing to remove the card number and magnetic stripe in favor of the smart chip, instead of adding RFID.

Kneejerking?

[Malor]

From what I can see, these don't appear to be RFID cards. They seem to be using an encrypted signal with a handshake. An simple eavesdropper shouldn't be able to do anything with the data he snoops, because all he's going to be able to see is the key exchange and then the encrypted bitstream.

It's just using the air to transmit encrypted information instead of a wire. As long as the encryption is good, the simple fact that it's broadcast instead of being on a wire shouldn't matter.

Ok, that said, I could see one potential attack vector, in that a bad guy could theoretically initiate a key exchange and swipe some cash from you. If all it takes is being nearby with an inductive field to power the card, then a fraudulent charge would be pretty easy to make. The virtual equivalent of pickpocketing. If you did it in small amounts per card, you could walk through a crowd with your portable gear and make hundreds of dollars an hour.

One idea to work around that would be requiring the user to hold the card in two specific places, on opposite sides. Thumb on one side, finger on the other, touching big gold contact points. If the card can detect the proper grip (very trivial technology), then it is active; otherwise, it refuses transactions. That should prevent 'pickpocketing'.

Basically, there needs to be a way for the user to announce 'yes, this is an authorized charge' other than simple proximity. The Kung-Fu Grip is one possibility... there must be others. Heck, the cards may already DO this. The actual technical data seems exceedingly scarce.

Snooping, at least, doesn't appear to be a potential problem.