Slashdot Mirror
MasterCard To Distribute RFID Credit Cards
wellington writes "Reuters is reporting that MasterCard expects to have 4 million "pay pass" cards in circulation by year's end. These new cards will be equipped with a radio-frequency chip that allows customers to pay for purchases by simply waving their cards at readers posted near cash registers or gas pumps." The cards, previously covered on Slashdot, were announced earlier this year.
How long until crooks have portable swipers to get your card info?
Hope you don't have your ID, they might get that info, too.
You can't take the sky from me
Well okay, you don't need physical access to the card anymore to steal money from it.
They're gonna need to put in some confirmation thing in this, but I thought the whole idea was effortless payments.
"The majority is always sane, Louis." -- Nessus
http://slashdot.jp
Now you can get pickpocketed without ever getting touched by the thief!
Anagram("United States of America") == "Dine out, taste a Mac, fries"
With the known security flaws of RFID it is surprising that a credit card company would go this route. Oh, wait MasterCard wants people to be in debt to them. Now it all makes sense.
This is not going to work well for anyone that has multiple RFIDs in their pockets. The current scanners are unable to dicipher between different cards. I already have two cards that use RFID technology and am forced to either pull one out when I want to scan in or awkwardly adjust my wallet so that only one is read. Either way it just defeats the intuitiveness of it if I spend more time trying to get the thing to work instead of just scanning the card I had to pull out anyways.
I thought of this immediately, too. But there HAS to be something more going on, right?
In the USA, at least, credit card issuers (the banks that back the cards) are ultimately responsible for fraud. Their agreements with merchants stipulate that the merchant has to eat any charges found to be fraudulent, and if the merchant can't/won't, the bank has to do it. By law, the customer is limited to being responsble for only the first $50 of charges. And most card issuers have policies that waive even that fee.
So if it's really going to be that easy to steal CC numbers, why in the hell would banks do this??
I had one idea that might float: The expected losses due to increased fraud are outweighed by their predictions of increased consumer credit spending, once it becomes easier to use the cards. Since the merchants eat fraudulent charges, anyway, the banks aren't out that much more money if fraud goes up.
Of course, this disincentivizes merchants to let people easily pay for things with a swipe (yif ou have to show your photo ID before you wave your card--defeats the point, doesn't it?). Which would make the whole thing moot.
the range always depends on the censor, i'm pretty sure that some adequate h4x0rs can make their scanners work on 2-3cm distance or even more. if you have 10k cash on your account that a thief could "use", he will definetly "bump" into you and probably into some other people too :)
imagine the power of such a scanner in a wall street elevator, you struggle through some people and "pay" a few minutes later while they are struggling for stocks.
seems awfully insecure and i would advise against using this stuff. you could as well have cash hanging out of your pocket.
i guess wrapping it into a tinfoil will make it quite prone to magnetical defects, not sure about that, but when the tinfoil gets magnetically/electronically charged by some external strong magnetic force, it may cause damage to your card in the long run.
isnt it just easier to stick with the old cards ?
I'd tell you the chances of this story being a dupe, but you wouldn't like it.
I don't know about the range and all. What I can tell is that I used to keep my company ID card (RFID based) in my wallet.
I never really needed to bring my card out for swiping. I just brought my wallet in front of the scanner (at least 2 cms distance), and it worked.
I wonder if in a subway, a guy could bring a scanner close enough to my pocket and sniff our my CC info.
Worse, if the info is static, all he needs to do is replicate the same signals using any damn device. He doesn't even need to build another card, or decode the info.
Here in Australia we have zero liability on credit cards. That means if the card is stolen or even if your charged for something you didnt buy and you still have your card, then the bank takes the money back from the retailer and credits you. It can actually be quite simple depending on which finacial institution and in the spirit of crappy customer service who answers the phone when you call said company to report the missuse.
I have heard that in the US you have a 10% limit, eg if someone steals your card to buy $100 worth of goods you get $90 back from the retailer via the card issuer.
So I'm guessing that as the current situation is, security is to a large part down to the retailer.
The same security issues will remain, most credit card fraud is done remotely ie: without the card in hand. So this will always remain, unless the new RFID cards will require you to be present, but with online shopping booming, this would be a step in the wrong direction.
serenity now!
12-year-old busted after realizing that ISO/IEC 14443 uses two-factor authentication: Classic.
The RF component of these cards is considerably more secure than even the magstripe component.
I have, actually, experienced CC fraud. Card got double-swiped at a restaurant in San Jose, and a few years before that a shady acquiantance of a college roommate nicked my wallet and bought a few hundreds' worth of audio equipment.
I wasn't that big of a deal, either time. In the restaurant case, I called the CC company, got a CS rep in about 30 seconds, and explained the situation. I got a call back about an hour later and they instantly reversed the second charge--could have just been a mistake by the server, right?
The other time, I called and they told me to fill out a police report. They froze the fraudulent charge, essentially meaning that it was off for the time being, and cancelled that card. I got a call back the next week telling me that they'd looked into it and agreed with me. The only real hassle was the police report, but being as I was living in NYC, the local precinct was two blocks away. It took about 30 minutes, including travel time.
ISO/IEC 14443 has two-factor authentication. You can't steal the card number because the card doesn't transmit the card number.
Merchants, I'm sure, will not process transactions unless the card passes a challenge/response cycle based on the private key encrypting or signing some data, with the public key available from bank itself for verification purposes. So someone having access to your card number would be a non-issue. They'd have to have physical access to the card itself, which would make it more secure than the current system.
Yeah, this is GREAT crypto guys! I have to disagree, as there's plenty to be said here.
From TI:
using National Institute of Standards and Technology (NIST) approved crypto algorithms, including Triple DES and SHA-1
Ok, my limited crypto background says that TDES and SHA1 are headed towards the junkyard. Not that it's trivial to brute force these guys - but there are some SERIOUS questions on the long term usage of these algorithms.
To wit: A system built on these algorithms should not expect security beyond a few years. It's not computationally worth it NOW, but perhaps in 5 years it may be trivial to breach.
AES is much more secure and faster than TDES. It is more complicated circuit wise, but certainly doable. Additionally, the SHA1 algorithm is under heavy scrutiny now, and short plain text lengths may have heavy collisions with other viable texts. Remains to be seen.
Reguardless, if I were developing a system for the next 10-20 years I would certainly aim a little higher than TDES - just my 2 cents.
Pan
I said no... but I missed and it came out yes.
- It's a credit card, which means the limit is theoretically your credit limit of thousands of dollars. (Yes, I know they say it's for transactions under US $25, but do I trust their software?) The Octopus system is anonymous and stored value. You can only lose as much cash is in the card, which is typically less than US $15.
- It doesn't display much information about the transaction. Octopus displays how much has been deducted, and how much is left on the card. For PayPass: "When you present your PayPass card to the terminal, you will see a series of lights on the terminal. When all the lights have lit, you will know that your card has been properly read. If you want a receipt, simply ask the clerk to give you one--it is available, should you request it."
#include coolsig.hISO14443 RFID cards have been on the market for years and are often used in public transportation. These have a range of at most 10 cm and implement challenge handshake encryption such as triple DES.
So you can only communicate with such a card if you have the proper encryption key. And if you manage to intercept the communication between such a card and a legitimate reader, it will contain no meaningful information unless you are somehow able to break the encryption.
IMHO, over time this will become part of a more secure credit card system. It's much harder to clone an RFID than it is to clone the mag stripe and graphics of current cards.
It won't completely fix credit card security (think online purchases and manual imprints), but it will help.
Plus it gives MC some marketing bullet points for providing advanced "RFID super-technology" to its members first.
So 2 people need to work together to steal some money. One stands close to the victim and the other walks over to the cashier. Instead of recording the signal you now proxy it. The one at the cashier picks up the signal from the reader and uses a wireless transmitter to get the signal to the person by the victim who sends the data to the card. Send the response from the card back to the reader and you're done.
Why would I want the worry an security, and the act of stupidly waving my card over a petrol pump like an access card when I can just swipe it.
Card swipe... card... swipe the card... hurray.
The same result, no complex expensive worries about security. I can just hear their security chief now:
"The RFID cards will be secure, because we will use a *really* big number in the cards..."
"Bigger than... erm... one kajillion million fafillion bajillion?"
"Yes sir!"
"*evil laugh*"
"*evil laugh*"
I am expert! BTW this isn't a mvoe for technology, they will use RFID as a marketting bait to get more credit card customers, think about it, what other reason than to get people to sign up for the new 'wow' rfid card.. yeah, give us your debt.
To confirm you're not a script,
please type the word in this image: expert
random letters - if you are visually impaired, please email us at pater@slashdot.org
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Will those cards still work after spending perhaps 30 seconds in the microwave? Seriously though, will they?
Within an inch is enough. Your wallet will have to be twice the recommended thickness (ie middle of wallet) for it not work. Anyway if the range is too long, there is the issue of paying for services inadvertantly. My wife and I were in Hong Kong, where they have the 'octopus' card system. It worked well enough to pay for subway/taxi/buses/fast food without taking the card out of my wallet or out of my wife's purse.
1. A ten cent charge for entering the mall doors.
--After all, it takes HARD WORK to make and install doors! Somebody had to design and build them! Do you feel you are so special that you shouldn't have to pay for the privilege of using doors? Jeez, it's just a dime. (Though, that price can change once the populace has been acclimated to being dinged for simply walking. I'm sure that, as per usual, there will be a host of worthy Slashdotters eager to argue on behalf of the corporations; who can be counted on to cry 'Thief' whenever somebody wonders why they can't use doors for free anymore; and who will happily parrot terms like, 'entrance-theft' once such terms have been appropriately astro-turfed into place by the corporate PR monkeys.)
2. People think that RFID is a close-range affair and so are lulled into a false sense of security. While it is true that an RFID chip does need to be within a few feet in order to be charged by a magnetic field, the signal it subsequently transmits can be picked up by satellite.
3. If there is no third element involved in the transference of data, (a pin number held in the user's brain), then any sneaky person with a satellite or closer range receiver can 'over-hear' all the info s/he needs to access an account and make a fraudulent purchase.
4. The big corporations and big government know all of this and are eager to have it all in place. The more base-level fear there is humming in the background, the more easily controlled a population becomes and the better fed the overseers are. Fear is food.
-FL
I've never had anyone check my signature, or ask for id, when using my card. Now, with an RFID card, they certainly won't. That's really besides the point. Someone will come up with a scanner. I'd also have to watch were I walk. Too close to a pump or a register, and I've just paid for something. Granted, I'll probably notice, but if you've ever had to wait for someone to reverse a charge, you know how How much time does this save anyway? It takes me 10 seconds to swip a card, and that's only because I always swipe the wrong side first.