Slashdot Mirror


MasterCard To Distribute RFID Credit Cards

wellington writes "Reuters is reporting that MasterCard expects to have 4 million "pay pass" cards in circulation by year's end. These new cards will be equipped with a radio-frequency chip that allows customers to pay for purchases by simply waving their cards at readers posted near cash registers or gas pumps." The cards, previously covered on Slashdot, were announced earlier this year.

22 of 382 comments

  1. More fraud? by Hidyman · · Score: 5, Interesting

    How long until crooks have portable swipers to get your card info?
    Hope you don't have your ID, they might get that info, too.

    --
    You can't take the sky from me ...
    1. Re:More fraud? by The+Clockwork+Troll · · Score: 5, Interesting
      On the flipside, the card never has to leave your physical possession.

      MC's gamble is that contactless payment will thus thwart more fraud than it facilitates, while simultaneously encouraging consumers to buy more goods and services, because the PayPass transaction is perceived to be "easier" than exchanging cash or presenting plastic.

      --

      There are no karma whores, only moderation johns
    2. Re:More fraud? by Neil+Blender · · Score: 5, Interesting

      I was in Hong Kong a while back. They have something called an Octopus card, which is an RFID card that you can charge with money. It's mostly used for mass transit, but you can use it in many stores, phones, parking, etc. It was pretty slick - you'd scan it and the reader would tell you how much you had left on it.

      The cool thing about it is you just add money to it as needed, it's not tied to any personal bank account or linked to you in any way. If you lose it, you are out of luck but even if someone could hijack your signal, the most you'd ever lose is what was on the card.

      Thinking of it just now, Hong Kong is pretty damn high-tech. You'd think if it was so easy to capture RFID, there'd be signs saying "Be sure to protect your card" or something. There were plenty of signs everywhere warning you of various laws and dangers. Everyone, and I mean everyone, has one of these Octopus cards in Hong Kong (well, I read 95% of them do because no one has cars.)

    3. Re:More fraud? by Jim+Haskell · · Score: 4, Interesting

      This is completely contrary to my experience. Every time I've ever paid with a credit card, the person accepting my credit card has never looked at the back of my card. In fact, (and, yes, I just looked,) my credit card isn't even signed. Signatures are not a security measure -- they're a formality. There's a light-hearted look at the issue here.

    4. Re:More fraud? by jrockway · · Score: 4, Interesting

      I believe that JR's (Japan Railways) Suica card is now being accepted as cash in a number of places. I know that if I still lived in Tokyo I would definitely use this to pay for things like coffee, etc, just because it's so damn convenient.

      I would appreciate that when I buy a laptop or something that they would pretend to watch me sign the receipt, though :)

      --
      My other car is first.
    5. Re:More fraud? by gravij · · Score: 5, Interesting
      The time consuming part of a credit card transaction is where the cashier checks your signature against the one on the back of the card.
      I disagree. When I worked on a checkout in a supermarket I found the most time consuming part of the transaction was:
      • waiting for the customer to search through their wallet for the right card,
      • swiping it a few times,
      • forgetting to press ok to confirm transaction,
      • waiting for the system to connect and authenticate,
      • waiting for the slip to print out.
      Handing the slip to the customer, them squiggling on it and me having a quick look to see if the two squiggles matched was not the hold up in the process.
    6. Re:More fraud? by Gordonjcp · · Score: 3, Interesting
      It's a lot harder to clone "Chip and PIN" cards, because they are very difficult to program. There is surprisingly little security-by-obscurity involved, and lots of things like 3DES and rotating keys uploaded from the till on a regular basis, and stuff like that.


      The big problem is with vending machines and the like that use Chip and PIN. We have a cashless vending system that can be topped up with either cash or a credit or debit card. Great. The problem is that instead of a small (calculator-sized) PIN pad that's difficult to shoulder-surf, you enter your pin on a 6" square keypad on the big, bright touchscreen on the front of the unit. This kind of defeats the purpose.

    7. Re:More fraud? by Tony+Hoyle · · Score: 4, Interesting

      A pickpocket who gets your card can also get your PIN and clean you out... no cloning needed (that's actually quite hard although not impossible). The whole point of C&P was to shift responsibility - if someone uses your pin to make a transaction *you* are liable even if the card was stolen.. there's a basic assumption that only you know your pin.

      I *really* hate the way they limited it to 4 digit pins. I'd rather have a 10 digit one - much less chance of a casual thief being able to memorise it on the first shot. Leave it at 4 for the AOL users, but I'd rather have some security thanks.

      Signatures were way better in many ways... everywhere round here was really strict about checking them.

      The worst of course are the supermarket 'self service' checkouts - they don't ask for a signature *or* a pin - no security at all... you swipe the card and walk away.

    8. Re:More fraud? by Skye16 · · Score: 3, Interesting

      When I worked for Pac-Sun (don't ask), we had to match signatures. It wasn't a cursory glance. One signature was completely off. I told them I couldn't accept that card. She said "It's okay, it's my Daddy's!" and I'm like "uhh...you can't sign your Dad's name for a purchase you're making." She got all pissy, the manager came over and she told her the exact same thing. So then the girl called Corporate. They told her the same thing. She left, all pissed off.

      Personally, I do the see ID route. I get angry when most stores don't check. A gas station we have in western PA, Sheetz, doesn't actually require a signature for amounts under 20$. So they don't bother checking. I don't know whether I'm okay with that or not, but I guess that, since it's under 20$, it's no big deal, to either party.

      But that's enough rambling anecdotes for the day. :]

  2. Theft by jedie · · Score: 4, Interesting

    Well okay, you don't need physical access to the card anymore to steal money from it.

    They're gonna need to put in some confirmation thing in this, but I thought the whole idea was effortless payments.

    --
    "The majority is always sane, Louis." -- Nessus
    http://slashdot.jp
    1. Re:Theft by samael · · Score: 4, Interesting

      Will it ask you which of the 4 cards in your wallet you want to pay with?

  3. Conflicting RFIDs by Cytos · · Score: 5, Interesting

    This is not going to work well for anyone that has multiple RFIDs in their pockets. The current scanners are unable to decipher between different cards. I already have two cards that use RFID technology and am forced to either pull one out when I want to scan in or awkwardly adjust my wallet so that only one is read. Either way it just defeats the intuitiveness of it if I spend more time trying to get the thing to work instead of just scanning the card I had to pull out anyways.

  4. Re:Theft! by MoralHazard · · Score: 4, Interesting

    I thought of this immediately, too. But there HAS to be something more going on, right?

    In the USA, at least, credit card issuers (the banks that back the cards) are ultimately responsible for fraud. Their agreements with merchants stipulate that the merchant has to eat any charges found to be fraudulent, and if the merchant can't/won't, the bank has to do it. By law, the customer is limited to being responsible for only the first $50 of charges. And most card issuers have policies that waive even that fee.

    So if it's really going to be that easy to steal CC numbers, why in the hell would banks do this??

    I had one idea that might float: The expected losses due to increased fraud are outweighed by their predictions of increased consumer credit spending, once it becomes easier to use the cards. Since the merchants eat fraudulent charges, anyway, the banks aren't out that much more money if fraud goes up.

    Of course, this disincentivizes merchants to let people easily pay for things with a swipe (if you have to show your photo ID before you wave your card--defeats the point, doesn't it?). Which would make the whole thing moot.

  5. Re:Range? by moro_666 · · Score: 3, Interesting

    the range always depends on the sensor, i'm pretty sure that some adequate h4x0rs can make their scanners work on 2-3cm distance or even more. if you have 10k cash on your account that a thief could "use", he will definitely "bump" into you and probably into some other people too :)

    imagine the power of such a scanner in a wall street elevator, you struggle through some people and "pay" a few minutes later while they are struggling for stocks.

    seems awfully insecure and i would advise against using this stuff. you could as well have cash hanging out of your pocket.

    i guess wrapping it into a tinfoil will make it quite prone to magnetic defects, not sure about that, but when the tinfoil gets magnetically/electronically charged by some external strong magnetic force, it may cause damage to your card in the long run.

    isn't it just easier to stick with the old cards ?

    --

    I'd tell you the chances of this story being a dupe, but you wouldn't like it.
  6. Re:Range? by amodm · · Score: 3, Interesting

    I don't know about the range and all. What I can tell is that I used to keep my company ID card (RFID based) in my wallet.

    I never really needed to bring my card out for swiping. I just brought my wallet in front of the scanner (at least 2 cm distance), and it worked.

    I wonder if in a subway, a guy could bring a scanner close enough to my pocket and sniff out my CC info.

    Worse, if the info is static, all he needs to do is replicate the same signals using any damn device. He doesn't even need to build another card, or decode the info.

  7. Re:I have a bad feeling about this... by RzUpAnmsCwrds · · Score: 5, Interesting

    12-year-old busted after realizing that ISO/IEC 14443 uses two-factor authentication: Classic.

    The RF component of these cards is considerably more secure than even the magstripe component.

  8. Re:Theft! by MoralHazard · · Score: 3, Interesting

    I have, actually, experienced CC fraud. Card got double-swiped at a restaurant in San Jose, and a few years before that a shady acquaintance of a college roommate nicked my wallet and bought a few hundreds' worth of audio equipment.

    It wasn't that big of a deal, either time. In the restaurant case, I called the CC company, got a CS rep in about 30 seconds, and explained the situation. I got a call back about an hour later and they instantly reversed the second charge--could have just been a mistake by the server, right?

    The other time, I called and they told me to fill out a police report. They froze the fraudulent charge, essentially meaning that it was off for the time being, and cancelled that card. I got a call back the next week telling me that they'd looked into it and agreed with me. The only real hassle was the police report, but being as I was living in NYC, the local precinct was two blocks away. It took about 30 minutes, including travel time.

  9. Re:As a MasterCard customer... by Joe+Random · · Score: 4, Interesting
    It's like walking around with my card number tattooed on my forehead.
    So? It's likely that in an RFID credit card system your account number will not be a very interesting piece of data. What the crooks will need is your private key, which will not be broadcast by the card.

    Merchants, I'm sure, will not process transactions unless the card passes a challenge/response cycle based on the private key encrypting or signing some data, with the public key available from the bank itself for verification purposes. So someone having access to your card number would be a non-issue. They'd have to have physical access to the card itself, which would make it more secure than the current system.
  10. Re:Not the same "RFID" by Panaflex · · Score: 4, Interesting

    Yeah, this is GREAT crypto guys! I have to disagree, as there's plenty to be said here.

    From TI:
    using National Institute of Standards and Technology (NIST) approved crypto algorithms, including Triple DES and SHA-1

    Ok, my limited crypto background says that TDES and SHA1 are headed towards the junkyard. Not that it's trivial to brute force these guys - but there are some SERIOUS questions on the long term usage of these algorithms.

    To wit: A system built on these algorithms should not expect security beyond a few years. It's not computationally worth it NOW, but perhaps in 5 years it may be trivial to breach.

    AES is much more secure and faster than TDES. It is more complicated circuit wise, but certainly doable. Additionally, the SHA1 algorithm is under heavy scrutiny now, and short plain text lengths may have heavy collisions with other viable texts. Remains to be seen.

    Regardless, if I were developing a system for the next 10-20 years I would certainly aim a little higher than TDES - just my 2 cents.

    Pan

    --
    I said no... but I missed and it came out yes.
  11. PayPass vs. Octopus by fuzheado · · Score: 5, Interesting
    Here in Hong Kong, we've had one of the earliest and most successful RFID "touch card" payment systems in Octopus Card, but here's why I'm wary of PayPass:
    • It's a credit card, which means the limit is theoretically your credit limit of thousands of dollars. (Yes, I know they say it's for transactions under US $25, but do I trust their software?) The Octopus system is anonymous and stored value. You can only lose as much cash as is in the card, which is typically less than US $15.

    • It doesn't display much information about the transaction. Octopus displays how much has been deducted, and how much is left on the card. For PayPass: "When you present your PayPass card to the terminal, you will see a series of lights on the terminal. When all the lights have lit, you will know that your card has been properly read. If you want a receipt, simply ask the clerk to give you one--it is available, should you request it."
    #include coolsig.h
  12. Re:Not the same "RFID" by PowerKe · · Score: 3, Interesting

    So 2 people need to work together to steal some money. One stands close to the victim and the other walks over to the cashier. Instead of recording the signal you now proxy it. The one at the cashier picks up the signal from the reader and uses a wireless transmitter to get the signal to the person by the victim who sends the data to the card. Send the response from the card back to the reader and you're done.
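    The following is an added example, not code from the thread, MasterCard, or PayPass. It simulates the exchange Joe Random describes above (the reader issues a fresh challenge, the card answers with a keyed response, and the issuer verifies it) and then the two-person relay PowerKe describes. Assumptions: the card's response is an HMAC over a per-card key shared with the issuer rather than the public-key signature Joe Random mentions, the key and account number are constructed values, the clock is a fake so the timing check is deterministic, and the 10 ms response bound is an illustrative figure, not a value from any real terminal.

```python
"""Constructed simulation of a contactless challenge/response exchange
with a replay attempt and a relay attempt run against it.
Not MasterCard or PayPass code; all values are made up."""
import hashlib
import hmac
import secrets

# Hypothetical per-card key provisioned to card and issuer (constructed).
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PAN = "5555000000001234"  # constructed account number, not a real card


def _mac(key, pan, nonce, amount_cents):
    """Card response: HMAC-SHA256 over PAN, reader challenge and amount."""
    msg = pan.encode() + nonce + amount_cents.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """The chip: answers whatever challenge it is shown, using its key."""
    def __init__(self, pan, key):
        self.pan, self.key = pan, key

    def respond(self, nonce, amount_cents):
        return self.pan, _mac(self.key, self.pan, nonce, amount_cents)


class Issuer:
    """The bank: holds card keys and refuses a challenge it has seen before."""
    def __init__(self, keys):
        self.keys = dict(keys)
        self.seen = set()

    def authorize(self, pan, nonce, amount_cents, tag):
        key = self.keys.get(pan)
        if key is None or nonce in self.seen:
            return False
        if not hmac.compare_digest(_mac(key, pan, nonce, amount_cents), tag):
            return False
        self.seen.add(nonce)
        return True


class FakeClock:
    """Deterministic clock so the timing check is reproducible."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class Reader:
    """The terminal: fresh nonce per transaction, bounded response time."""
    def __init__(self, issuer, clock, max_rtt):
        self.issuer, self.clock, self.max_rtt = issuer, clock, max_rtt

    def transact(self, card_link, amount_cents):
        nonce = secrets.token_bytes(8)
        t0 = self.clock.now()
        pan, tag = card_link(nonce, amount_cents)
        if self.clock.now() - t0 > self.max_rtt:
            return "rejected: response too slow"
        if not self.issuer.authorize(pan, nonce, amount_cents, tag):
            return "rejected: bad response"
        return "approved"


def run_scenarios():
    """Run a genuine tap, a recorded replay and a relayed tap; return outcomes."""
    card = Card(PAN, CARD_KEY)
    issuer = Issuer({PAN: CARD_KEY})
    clock = FakeClock()
    reader = Reader(issuer, clock, max_rtt=0.010)  # illustrative 10 ms bound

    def genuine(nonce, amount):
        clock.advance(0.002)  # ordinary air-interface round trip (assumed)
        return card.respond(nonce, amount)

    results = {"genuine": reader.transact(genuine, 1500)}

    # A sniffer that recorded one whole exchange and plays it back: the MAC
    # covers the old nonce, so it cannot match the reader's fresh one.
    captured = card.respond(b"\x00" * 8, 1500)
    results["replay"] = reader.transact(lambda n, a: captured, 1500)

    # The two-person relay: the response is genuine, but the extra radio
    # hop between the two accomplices adds latency the reader can measure.
    def relayed(nonce, amount):
        clock.advance(0.002 + 0.050)  # card response plus relay hop (assumed)
        return card.respond(nonce, amount)

    results["relay"] = reader.transact(relayed, 1500)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:8s} {outcome}")
```

    The replay fails on the cryptography alone, because the recorded response is bound to a challenge the reader will never issue again. The relay is the case Joe Random's scheme does not cover: every byte the reader sees is genuine, so the only signal left is the delay the extra hop introduces, which is why the reader here rejects on response time rather than on the MAC. Drop the `max_rtt` check and the relayed transaction is approved, which is exactly PowerKe's point.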

  13. Four points from oblivion by Fantastic+Lad · · Score: 3, Interesting
    A standard trip to the mall twenty minutes into the future. . .

    1. A ten cent charge for entering the mall doors.

    --After all, it takes HARD WORK to make and install doors! Somebody had to design and build them! Do you feel you are so special that you shouldn't have to pay for the privilege of using doors? Jeez, it's just a dime. (Though, that price can change once the populace has been acclimated to being dinged for simply walking. I'm sure that, as per usual, there will be a host of worthy Slashdotters eager to argue on behalf of the corporations; who can be counted on to cry 'Thief' whenever somebody wonders why they can't use doors for free anymore; and who will happily parrot terms like, 'entrance-theft' once such terms have been appropriately astro-turfed into place by the corporate PR monkeys.)

    2. People think that RFID is a close-range affair and so are lulled into a false sense of security. While it is true that an RFID chip does need to be within a few feet in order to be charged by a magnetic field, the signal it subsequently transmits can be picked up by satellite.

    3. If there is no third element involved in the transference of data, (a pin number held in the user's brain), then any sneaky person with a satellite or closer range receiver can 'over-hear' all the info s/he needs to access an account and make a fraudulent purchase.

    4. The big corporations and big government know all of this and are eager to have it all in place. The more base-level fear there is humming in the background, the more easily controlled a population becomes and the better fed the overseers are. Fear is food.


    -FL