MasterCard To Distribute RFID Credit Cards

wellington writes "Reuters is reporting that MasterCard expects to have 4 million "pay pass" cards in circulation by year's end. These new cards will be equipped with a radio-frequency chip that allows customers to pay for purchases by simply waving their cards at readers posted near cash registers or gas pumps." The cards, previously covered on Slashdot, were announced earlier this year.

More fraud?

[Hidyman]

How long until crooks have portable swipers to get your card info?
Hope you don't have your ID, they might get that info, too.

Re:More fraud?

[The+Clockwork+Troll]

On the flipside, the card never has to leave your physical possession.

MC's gamble is that contactless payment will thus thwart more fraud than it facilitates, while simultaneously encouraging consumers to buy more goods and services, because the PayPass transaction is perceived to be "easier" than exchanging cash or presenting plastic.

Re:More fraud?

[Neil+Blender]

I was in Hong Kong a while back. They have something called an Octopus card, which is a RFID card that you can charge with dollars money. It's mostly used for mass transit, but you can use it in many stores, phones, parking, etc. It was pretty slick - you'd scan it and the reader would tell you how much you had left on it.

The cool thing about it is you just add money to it as needed, it's not tied to any personal bank account or linked to you in any way. If you lose it, you are out of luck but even if someone could hijack your signal, the most you'd ever lose is what was on the card.

Thinking of it just now, Hong Kong is pretty damn high-tech. You'd think if it was so easy to capture RFID, there'd be signs say "Be sure to protect your card" or something. There were plenty of signs everywhere warning you of various laws and dangers. Everyone, and I mean everyone, has one of these Octopus cards in Hong Kong (well, I read 95% of them do because noone has cars.)

Re:More fraud?

[Jim+Haskell]

This is completely contrary to my experience. Every time I've ever payed with a credit card, the person accepting my credit card has never looked at the back of my card. In fact, (and, yes, I just looked,) my credit card isn't even signed. Signatures are not a security measure -- they're a formality. There's a light-hearted look at the issue here.

Re:More fraud?

[jrockway]

I believe that JR's (Japan Railways) Suica card is now being accepted as cash in a number of places. I know that if I still lived in Tokyo I would definitely use this to pay for things like coffee, etc, just because it's so damn convenient.

I would appreciate that when I buy a laptop or something that they would pretend to watch me sign the receipt, though :)

Re:More fraud?

[gravij]

The time consuming part of a credit card transaction is where the cashier checks your signature against the one on the back of the card.

I disagree. When I worked on a checkout in a supermarket I found the most time consuming part of the transaction was:

• waiting for the customer to get search through their wallet for the right card,
• swiping it a few times,
• forgetting to press ok to confirm transaction,
• waiting for the system to connect and authenticate,
• waiting for the slip to print out.

Handing the slip to the customer, them squiggling on it and me having a quick look to see if the two squiggles was not the hold up in the process.

Re:More fraud?

[Tony+Hoyle]

A pickpocket who gets your card can also get your PIN and clean you out... no cloning needed (that's actually quite hard although not impossible). The whole point of C&P was to shift responsibility - if someone uses your pin to make a transaction *you* are liable even if the card was stolen.. there's a basic assumption that only you know your pin.

I *really* hate the way they limited it to 4 digit pins. I'd rather have a 10 digit one - much less chance of a casual thief being able to memorise it on the first shot. Leave it at 4 for the AOL users, but I'd rather have some security thanks.

Signatures were way better in many ways... everywhere round here was really strict about checking them.

The worst of course are the supermarket 'self service' checkouts - they don't ask for a signature *or* a pin - no security at all... you swipe the card and walk away.

Theft

[jedie]

Well okay, you don't need physical access to the card anymore to steal money from it.

They're gonna need to put in some confirmation thing in this, but I thought the whole idea was effortless payments.

Re:Theft

[samael]

Will it ask you which of the 4 cards in your wallet you want to pay with?

Conflicting RFIDs

[Cytos]

This is not going to work well for anyone that has multiple RFIDs in their pockets. The current scanners are unable to dicipher between different cards. I already have two cards that use RFID technology and am forced to either pull one out when I want to scan in or awkwardly adjust my wallet so that only one is read. Either way it just defeats the intuitiveness of it if I spend more time trying to get the thing to work instead of just scanning the card I had to pull out anyways.

Re:Theft!

[MoralHazard]

I thought of this immediately, too. But there HAS to be something more going on, right?

In the USA, at least, credit card issuers (the banks that back the cards) are ultimately responsible for fraud. Their agreements with merchants stipulate that the merchant has to eat any charges found to be fraudulent, and if the merchant can't/won't, the bank has to do it. By law, the customer is limited to being responsble for only the first $50 of charges. And most card issuers have policies that waive even that fee.

So if it's really going to be that easy to steal CC numbers, why in the hell would banks do this??

I had one idea that might float: The expected losses due to increased fraud are outweighed by their predictions of increased consumer credit spending, once it becomes easier to use the cards. Since the merchants eat fraudulent charges, anyway, the banks aren't out that much more money if fraud goes up.

Of course, this disincentivizes merchants to let people easily pay for things with a swipe (yif ou have to show your photo ID before you wave your card--defeats the point, doesn't it?). Which would make the whole thing moot.

Re:I have a bad feeling about this...

[RzUpAnmsCwrds]

12-year-old busted after realizing that ISO/IEC 14443 uses two-factor authentication: Classic.

The RF component of these cards is considerably more secure than even the magstripe component.

Re:As a MasterCard customer...

[Joe+Random]

It's like walking around with my card number tattooed on my forehead.

So? It's likely that in an RFID credit card system your account number will not be a very interesting piece of data. What the crooks will need is your private key, which will not be broadcast by the card.

Merchants, I'm sure, will not process transactions unless the card passes a challenge/response cycle based on the private key encrypting or signing some data, with the public key available from bank itself for verification purposes. So someone having access to your card number would be a non-issue. They'd have to have physical access to the card itself, which would make it more secure than the current system.

Re:Not the same "RFID"

[Panaflex]

Yeah, this is GREAT crypto guys! I have to disagree, as there's plenty to be said here.

From TI:
using National Institute of Standards and Technology (NIST) approved crypto algorithms, including Triple DES and SHA-1

Ok, my limited crypto background says that TDES and SHA1 are headed towards the junkyard. Not that it's trivial to brute force these guys - but there are some SERIOUS questions on the long term usage of these algorithms.

To wit: A system built on these algorithms should not expect security beyond a few years. It's not computationally worth it NOW, but perhaps in 5 years it may be trivial to breach.

AES is much more secure and faster than TDES. It is more complicated circuit wise, but certainly doable. Additionally, the SHA1 algorithm is under heavy scrutiny now, and short plain text lengths may have heavy collisions with other viable texts. Remains to be seen.

Reguardless, if I were developing a system for the next 10-20 years I would certainly aim a little higher than TDES - just my 2 cents.

Pan

PayPass vs. Octopus

[fuzheado]

Here in Hong Kong, we've had one of the earliest and most successful RFID "touch card" payment systems in Octopus Card, but here's why I'm wary of PayPass:

• It's a credit card, which means the limit is theoretically your credit limit of thousands of dollars. (Yes, I know they say it's for transactions under US $25, but do I trust their software?) The Octopus system is anonymous and stored value. You can only lose as much cash is in the card, which is typically less than US $15.

• It doesn't display much information about the transaction. Octopus displays how much has been deducted, and how much is left on the card. For PayPass: "When you present your PayPass card to the terminal, you will see a series of lights on the terminal. When all the lights have lit, you will know that your card has been properly read. If you want a receipt, simply ask the clerk to give you one--it is available, should you request it."

#include coolsig.h