Slashdot Mirror
MasterCard To Distribute RFID Credit Cards
wellington writes "Reuters is reporting that MasterCard expects to have 4 million "pay pass" cards in circulation by year's end. These new cards will be equipped with a radio-frequency chip that allows customers to pay for purchases by simply waving their cards at readers posted near cash registers or gas pumps." The cards, previously covered on Slashdot, were announced earlier this year.
How long until crooks have portable swipers to get your card info?
Hope you don't have your ID, they might get that info, too.
You can't take the sky from me
Well okay, you don't need physical access to the card anymore to steal money from it.
They're gonna need to put in some confirmation thing in this, but I thought the whole idea was effortless payments.
"The majority is always sane, Louis." -- Nessus
http://slashdot.jp
The article claims these new RFID cards will be a breakthrough in ease of use, like PayPal was for online purchases. However, the change to simply a wave isn't that much better than a swipe. One wonders what the real motive for adding the RFID chips to the cards will be.
No more shoplifting now. They just scan my creid card as I walk out the door, after they scanned the merchandise that was in my backpack. What has the world come to?
It amazes me every time I go to the states how no signature or pin is required to buy goods on a credit card. Self-service gas stations are good example. This is single-factor authentication. RFID or magnetic strip, doesn't make a difference.
... or for that matter the collective minds of Slashdot, to design a reader that can be used to copy RFID takes from people in crowded lifts and trains?
How long will it take the collectives minds of the criminal fraternity
Norman Cook's Ode to Sl
MasterCard RFID Credit Card: free
Checking out at the grocery store without signing your name or entering a pesky PIN number: effortless
Having your account drained by a 12 year old who bought a high-gain RF antenna off eBay: priceless
Not only will thieves be able to capture your CC#, they will be able to do it without you knowing it! Think of the possibilities! Subways, buses, crowded trains, elevators, escalators, and other public places! I guess that gives me another reason to not leave home and to spend all day reading slashdot about how others have had their identity stolen.
-Palal
Now you can get pickpocketed without ever getting touched by the thief!
Anagram("United States of America") == "Dine out, taste a Mac, fries"
With the known security flaws of RFID it is surprising that a credit card company would go this route. Oh, wait MasterCard wants people to be in debt to them. Now it all makes sense.
about people walking through the mall with rfid readers? Will /. readers line their wallets with tinfoil? :-)
SecureThe.Net - Practical Resources for Securing Systems
This is not going to work well for anyone that has multiple RFIDs in their pockets. The current scanners are unable to dicipher between different cards. I already have two cards that use RFID technology and am forced to either pull one out when I want to scan in or awkwardly adjust my wallet so that only one is read. Either way it just defeats the intuitiveness of it if I spend more time trying to get the thing to work instead of just scanning the card I had to pull out anyways.
I only ask because my train pass (in Japan, the Suica card) is RFID, and you pretty much have to touch the sensor for it to work at the ticket gates. Anything more than about 5mm and it won't be read. You pretty much have to touch it to the sensor.
So, unless someone with a scanner embedded into his/her pants bumps into you, I imagine you will be OK. If you are paranoid about it, you could always wrap your cards in tinfoil or something. ;)
Or am I missing something, and these things are more remotely scannable than I thought?
"Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
More like on the back of your jacket where you can't see who is taking a note of you number.
This message has been ROT-13 encrypted twice for higher security.
Quick, start selling Tinfoil hats!!!!.. for WALLET!!!
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
PayPass FAQ page: http://www.paypass.com/faq.html
I'm not sure what the benefit of these are since you still have to take your card out of your pocket/wallet/handbag to swipe it over the scanner (only works within an inch). Anyone who has trouble swiping cards with mag stripes (which seems to be becoming a more-common problem as technology progresses) will likely think this a good thing - one swipe and that's it.
The issue of Card ID theft isn't really that much more than it already is.
Here in Australia we have zero liability on credit cards. That means if the card is stolen or even if your charged for something you didnt buy and you still have your card, then the bank takes the money back from the retailer and credits you. It can actually be quite simple depending on which finacial institution and in the spirit of crappy customer service who answers the phone when you call said company to report the missuse.
I have heard that in the US you have a 10% limit, eg if someone steals your card to buy $100 worth of goods you get $90 back from the retailer via the card issuer.
So I'm guessing that as the current situation is, security is to a large part down to the retailer.
The same security issues will remain, most credit card fraud is done remotely ie: without the card in hand. So this will always remain, unless the new RFID cards will require you to be present, but with online shopping booming, this would be a step in the wrong direction.
serenity now!
The MasterCard system, like all of its type, uses the ISO/IEC 14443 contactless smartcard standard.
ISO 14443, unlike most RFID standards, is a cryptographically strong system that renders easedropping useless.
Merchants, I'm sure, will not process transactions unless the card passes a challenge/response cycle based on the private key encrypting or signing some data, with the public key available from bank itself for verification purposes. So someone having access to your card number would be a non-issue. They'd have to have physical access to the card itself, which would make it more secure than the current system.
Many many people are posting along these lines. Do you all really think that Mastercard hasn't already thought of this and solved it???
A simple solution would be to have an RSA key + engine on the card, so that the 'scanner' issues a challenge to the card and if the card can supply the decrypted string then it passes. A limit of 1 challenge per 30 seconds would stop anyone getting any useful data out of it. Presumably this is do-able using today's technology... or would an RSA engine use more power than could be received via the RF?
I'm sure there are many other solutions too.
A company called Taiyo (located in Shibukawa city, Gunma prefecture) recently developed a super thin (0.4mm) credit card size device for skimming protection. Consumers put it on top of RFID cards to prevent the cards from secretly read by strangers etc. It's called "Skimming Card" (though I would rather call it "Anti-Skimming Card"). What's interesting about it is in how it works -- When (Anti-)Skimming Cards are exposed to electro-magnetic fields created by RFID readers, they create excess electric current in it and actively create "reverse" electro-magnetic fields that is approximately the same strengths as the readers' fields, thereby, prevents RFID readers to read RFID cards. We can relax now :-)
- It's a credit card, which means the limit is theoretically your credit limit of thousands of dollars. (Yes, I know they say it's for transactions under US $25, but do I trust their software?) The Octopus system is anonymous and stored value. You can only lose as much cash is in the card, which is typically less than US $15.
- It doesn't display much information about the transaction. Octopus displays how much has been deducted, and how much is left on the card. For PayPass: "When you present your PayPass card to the terminal, you will see a series of lights on the terminal. When all the lights have lit, you will know that your card has been properly read. If you want a receipt, simply ask the clerk to give you one--it is available, should you request it."
#include coolsig.hby simply waving their cards at readers posted near cash registers
Is it just me, or is waving your card in front of a reader pretty much the exact same motion as swiping it in a slot?
ISO14443 RFID cards have been on the market for years and are often used in public transportation. These have a range of at most 10 cm and implement challenge handshake encryption such as triple DES.
So you can only communicate with such a card if you have the proper encryption key. And if you manage to intercept the communication between such a card and a legitimate reader, it will contain no meaningful information unless you are somehow able to break the encryption.
Chip and pin was bad enough. Clerks still handle my card, and from a mugging perspective, its far easier to beat a 4 digit pin out of me, than the ability to write my signiture (at least forgery was skill?). But chip and pin does represent a step in the right direction (one step backwards, two steps forward). Not using a clerk to verify your identity is probably a good move in the long run, and keeping the pass phrase in plain site was never a good idea.
What I'm not sure about with these RFID is where is the feedback that the transaction was successful? If you still have to wait for the terminal to handshake with the central database and process the transaction, it still takes as long as a conventional credit card - then there is no improvement. If there is no identification process, short of possessing the card how is that better for my security? If its part of the build up of biometric ID, is that really going to be any quicker, more convient or secure than using a human to identify another human.
My girlfriends father has banked with the same branch his entire life. When he walks into the bank the people know him. Now don't get me wrong, he "Hates the bastards", but he won't change branches because, when he sent his new accountant into withdraw some cash, they took the accountant to one side and refused the transaction until they had verified his identify via a phone call. It was quick and painless. The trust was human, the identification was human.
The interesting thing about that story is that it identifies the absolute reason we need human trust mechanisms (because they work and are intuitive) and the absolute reason we need automatic trust - I don't want to have to make friends with every clerk/manager in the world before they'll accept my credit card - and I want the freedom to change banks.
I don't think RFID for credit cards is a good idea. In fact I don't think credit cards are a good idea - they are a hack. They are a machine readable identification tool - what we need is a technology that identifies you by looking at you, talking too you, smelling you. If my moms Lhasa Apso (possibly the stupidest breed of dog on the planet) can identify me from a line up then at some point we need a technology that has a similar capability.
Scared of flying, pointy things snce 1979!
I don't think the expected ease of use will be nearly as much as predicted by people who want to push this technology.
I carry three credit cards in my wallet. I don't really need the third one, but I always try to have at least two, just in case my primary card doesn't swipe correctly, goes over limit, or becomes otherwise useless.
So what will happen when I wave my wallet with three CCs in it in front of the reader? It'll probably ask me which card I'd like to use... Now I have to read the options (how many people carry 6 or 7 CCs in their wallets?!) and find the one I like and select it. Or just take it out of the wallet and swipe it. Which one will you chose?
Plus, this may make lives easier for women who can just wave their purse in front of the reader, so they don't have to take out the wallet and then the CC. But most men I know carry their wallet in their back pocket, and I don't think stores will be happy with men sticking their butts up to the readers on the counters. And if I have to take out the wallet, I may just as well take out the CC...
Just a couple of thoughts..
m
The thing about this is that there are a lot of people that have multiple credit cards. If these are keyring style cards, they'd all be close enough that it would be a real hassle to make sure that the right one is getting read.
Another problem I see if these are keyring "cards" is that, well, having a bunch of shit hanging all over your keychain is a pain. In the future will we all have big janitor-style keyrings hanging off our beltloops?
Why would I want the worry an security, and the act of stupidly waving my card over a petrol pump like an access card when I can just swipe it.
Card swipe... card... swipe the card... hurray.
The same result, no complex expensive worries about security. I can just hear their security chief now:
"The RFID cards will be secure, because we will use a *really* big number in the cards..."
"Bigger than... erm... one kajillion million fafillion bajillion?"
"Yes sir!"
"*evil laugh*"
"*evil laugh*"
I am expert! BTW this isn't a mvoe for technology, they will use RFID as a marketting bait to get more credit card customers, think about it, what other reason than to get people to sign up for the new 'wow' rfid card.. yeah, give us your debt.
To confirm you're not a script,
please type the word in this image: expert
random letters - if you are visually impaired, please email us at pater@slashdot.org
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
No. You'd have to be bats to use sonar.
http://www.rootstrikers.org/
Let's face it: traditional credit cards suck because they are hampered by concern for backward compatibility with 1970s technology. If one were designing a credit card system today, it wouldn't be based on an embossed number and magnetic stripe. The number is there for remote transactions (using the expiration date and possibly the 3-digit CVV as a plaintext "password"!). With today's technology, remote transactions should be handled using a challenge-response system or one-time-use numbers such that the retailer can authenticate the cardmember without gaining enough information to impersonate the cardmember. The number on the card is embossed for use with the carbon-copy rolling machine. When was the last time a retailer carbon-copied your card, asked for photographic ID, and looked through a blacklist of stolen card numbers? And the magnetic stripe would certainly be replaced by a smart chip, which is much harder to clone because it can do challenge-response.
The infrastructure of the credit card network has improved, slowly. Nearly all point-of-sale equipment now performs real-time authorization. In Europe, the magnetic stripe is being obsoleted by contact smart chips. However, the benefit of the new technology must be significant enough to justify upgrading the huge worldwide network of equipment. So what's in it for each party to adopt RFID for credit cards?
In short, credit card technology advances slowly, with the retailer network being the bottleneck. Can they be convinced to upgrade? In my opinion, I think not.
I also think that RFID offers practically no advantage over contact smart chips, and that it would be pointless to add yet another standard. Wireless will never be quite as secure as contact. The network needs an overhaul, but this is not it! The credit card companies should be pushing to remove the card number and magnetic stripe in favor of the smart chip, instead of adding RFID.
try this
or make your own
When I was a shoplifter I used one of these works a treat for rf frequency shifting security tags.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
The true range for that power is *much* more than 3000 yards. Using "some surplus telephone house wire" this amateur received signals from 1531 miles away at 12 milliwatts. Can you imagine what a true professional could to to your 64.2W RFID?
But here in EU, they give a cursory glance at the signature. Even if this is for a small amount of 10. Granted it won't stop fraudster which just scrible a similar signature and pass the test, but they certainly check it.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
From what I can see, these don't appear to be RFID cards. They seem to be using an encrypted signal with a handshake. An simple eavesdropper shouldn't be able to do anything with the data he snoops, because all he's going to be able to see is the key exchange and then the encrypted bitstream.
It's just using the air to transmit encrypted information instead of a wire. As long as the encryption is good, the simple fact that it's broadcast instead of being on a wire shouldn't matter.
Ok, that said, I could see one potential attack vector, in that a bad guy could theoretically initiate a key exchange and swipe some cash from you. If all it takes is being nearby with an inductive field to power the card, then a fraudulent charge would be pretty easy to make. The virtual equivalent of pickpocketing. If you did it in small amounts per card, you could walk through a crowd with your portable gear and make hundreds of dollars an hour.
One idea to work around that would be requiring the user to hold the card in two specific places, on opposite sides. Thumb on one side, finger on the other, touching big gold contact points. If the card can detect the proper grip (very trivial technology), then it is active; otherwise, it refuses transactions. That should prevent 'pickpocketing'.
Basically, there needs to be a way for the user to announce 'yes, this is an authorized charge' other than simple proximity. The Kung-Fu Grip is one possibility... there must be others. Heck, the cards may already DO this. The actual technical data seems exceedingly scarce.
Snooping, at least, doesn't appear to be a potential problem.
Now they can read the name off your card and welcome you to every store.
Payment can be secure, or it can be quick and easy. It can't be both. The easier you make it to do a legitimate transaction, the easier you also make it to do a dodgy one.
Contactless reading is going to cause problems. With the current generation of credit card readers, the information is read from the memory chip on the card by physical contact with the chip, and confirmed by entering a PIN into a numeric keypad. Unfortunately, the arrangement of the numbers on the pad is static. So, by careful observation, it is possible for an attacker to determine what number is being entered {the fingers may be concealed by a shroud, lulling the shopper into a false sense of security as the movements of elbow and shoulder reveal the number to a trained observer}; and at some later date, obtain the actual card -- possibly with the assistance of a third party -- and make several expensive purchases. {A phone with a video camera helps tremendously}. When the system was first introduced, customers were heard -- against all advice -- to say their PIN out loud.
While a legitimate reader is reading an RFID device, another reader could be snooping on the same signal. Now, one hopes that a rolling code system would be in operation; that is to say, the encryption key would not be the same each time the card is used. However, the fact that several readers must be able to work with the same card suggests that there must be some sort of key exchange per transaction. Given the small amount of storage space on present-generation smart cards, we can hypothesise that once-used keys are not blocked against re-use.
With a PIN discovered by traditional methods, and a simulated non-contact card, one can make purchases and other transactions, and the legitimate cardholder need not be aware until their limit has been exceeded. {Of course, too low a limit renders payment less convenient}.
The physical appearance of a traditional credit card is a very simple first test -- a cashier would be immediately suspicious of one of the plain white cards that are supplied in smart card development kits. A card which is not shown to the cashier need not bear any visual resemblance to the card it is pretending to be -- the first prototype could be a rucksack full of equipment, just so long as it produces the correct responses to the RF signals. If the non-contact cards have to be physically shown to a cashier, then there is little point in their being contactless in the first place.
At the end of the day, this is pointless willy-waving. Technology for technology's sake. And it will end up with another layer being badly grafted onto it, completely defeating the original purpose {which nobody will remember by then}.
Je fume. Tu fumes. Nous fûmes!
1. A ten cent charge for entering the mall doors.
--After all, it takes HARD WORK to make and install doors! Somebody had to design and build them! Do you feel you are so special that you shouldn't have to pay for the privilege of using doors? Jeez, it's just a dime. (Though, that price can change once the populace has been acclimated to being dinged for simply walking. I'm sure that, as per usual, there will be a host of worthy Slashdotters eager to argue on behalf of the corporations; who can be counted on to cry 'Thief' whenever somebody wonders why they can't use doors for free anymore; and who will happily parrot terms like, 'entrance-theft' once such terms have been appropriately astro-turfed into place by the corporate PR monkeys.)
2. People think that RFID is a close-range affair and so are lulled into a false sense of security. While it is true that an RFID chip does need to be within a few feet in order to be charged by a magnetic field, the signal it subsequently transmits can be picked up by satellite.
3. If there is no third element involved in the transference of data, (a pin number held in the user's brain), then any sneaky person with a satellite or closer range receiver can 'over-hear' all the info s/he needs to access an account and make a fraudulent purchase.
4. The big corporations and big government know all of this and are eager to have it all in place. The more base-level fear there is humming in the background, the more easily controlled a population becomes and the better fed the overseers are. Fear is food.
-FL
I already replied on this thread, or I'd mod the parent comment up a notch. A lot of folks have been griping about the reader not being able to handle multiple cards in your wallet simultaneously, when really RFID is designed to do that just fine. In fact, the problem, as "iamdrscience" has identified, is precisely the OPPOSITE problem - RFID is a little TOO good at multiple simultaneous identifications. He's right - how do you prevent the system from reading the wrong card - or multiple cards - and double charging or charging the wrong account?
Very insightful.
--Brandon / Split Infinity Music
This is pretty common in a lot of software systems. The thing is, the people who designed the system already built a confirmation into it, and then forgot. It's the signature.
When I'm doing design, I always look for places where security requirements of the system have placed an automatic confirmation step, and eliminate any confirmations before that. If necessary, put a summary of what's about to happen in the same place that the security check takes place.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.