MasterCard To Distribute RFID Credit Cards

wellington writes "Reuters is reporting that MasterCard expects to have 4 million "pay pass" cards in circulation by year's end. These new cards will be equipped with a radio-frequency chip that allows customers to pay for purchases by simply waving their cards at readers posted near cash registers or gas pumps." The cards, previously covered on Slashdot, were announced earlier this year.

More fraud?

[Hidyman]

How long until crooks have portable swipers to get your card info?
Hope you don't have your ID, they might get that info, too.

Re:More fraud?

[The+Clockwork+Troll]

On the flipside, the card never has to leave your physical possession.

MC's gamble is that contactless payment will thus thwart more fraud than it facilitates, while simultaneously encouraging consumers to buy more goods and services, because the PayPass transaction is perceived to be "easier" than exchanging cash or presenting plastic.

Re:More fraud?

[jrockway]

This doesn't make any sense. The time consuming part of a credit card
transaction is where the cashier checks your signature against the one
on the back of the card. If you just touch the card, there's no way
for anyone in authority to verify that you are you. This makes me
slightly uneasy. Handing the cashier the card and signing wasn't
really that hard.

The only place where RFID cars are convenient is for rapid transit
fare control. You want to get through quickly, and swiping a card is
actually cumbersome. When I first experienced this was when I was in
Japan, and the normal card readers there were pretty good so it wasn't
much of a difference. (More of a novelty really, but I bought in and
used JR instead of the subway for my monthly pass... google SUICA if
you're interested.)

Here in Chicago, though, it's great. The normal farecard readers take
*forever* to read the card (you'll know this if you're from Chicago),
but the new RFID-based "Chicago Card" is really really fast and speeds
boarding onto busses which means you get a seat quicker and get to
where you're going quicker.

But for credit cards, this is a security risk.

Re:More fraud?

[petej2310]

Spreading FUD...u should all work for BILL!!!
These cards are based on SMARTCARDS and the EMV standards (3DES, PKI, challenge-auth techniques) against which millions of credit and debit cards have been issued. The only difference is that they use an RF interface to provide comms and power the chip.
See http://en.wikipedia.org/wiki/ISO_14443/
They ARE NOT RFID tags, they do not emit your card number, banks (as other have correctly posted) are smart enough to NOT provide OTHER avenues of fraud.

Re:More fraud?

[Neil+Blender]

I was in Hong Kong a while back. They have something called an Octopus card, which is a RFID card that you can charge with dollars money. It's mostly used for mass transit, but you can use it in many stores, phones, parking, etc. It was pretty slick - you'd scan it and the reader would tell you how much you had left on it.

The cool thing about it is you just add money to it as needed, it's not tied to any personal bank account or linked to you in any way. If you lose it, you are out of luck but even if someone could hijack your signal, the most you'd ever lose is what was on the card.

Thinking of it just now, Hong Kong is pretty damn high-tech. You'd think if it was so easy to capture RFID, there'd be signs say "Be sure to protect your card" or something. There were plenty of signs everywhere warning you of various laws and dangers. Everyone, and I mean everyone, has one of these Octopus cards in Hong Kong (well, I read 95% of them do because noone has cars.)

Re:More fraud?

[iamdrscience]

The time consuming part of a credit card transaction is where the cashier checks your signature against the one on the back of the card.

Have you ever used your credit card? It's pretty rare that cashiers will check your signatures, particularly if you're paying for something under $100. Try working as a clerk somewhere and notice the looks you get if you take the time to compare a signature, not to mention the arguments that will erupt with the few customers whose signature doesn't match, but are the legitimate owner.

People don't expect to have their signature checked, especially for small purchases. I've worked as a clerk, even people who write "SEE ID FOR SIGNATURE" on their card's signature line will be confused when you ask to see their ID, most forget they have it written on their card or are not used to actually being asked for it.

Re:More fraud?

[Jim+Haskell]

This is completely contrary to my experience. Every time I've ever payed with a credit card, the person accepting my credit card has never looked at the back of my card. In fact, (and, yes, I just looked,) my credit card isn't even signed. Signatures are not a security measure -- they're a formality. There's a light-hearted look at the issue here.

Re:More fraud?

[jrockway]

I believe that JR's (Japan Railways) Suica card is now being accepted as cash in a number of places. I know that if I still lived in Tokyo I would definitely use this to pay for things like coffee, etc, just because it's so damn convenient.

I would appreciate that when I buy a laptop or something that they would pretend to watch me sign the receipt, though :)

Re:More fraud?

[gravij]

The time consuming part of a credit card transaction is where the cashier checks your signature against the one on the back of the card.

I disagree. When I worked on a checkout in a supermarket I found the most time consuming part of the transaction was:

• waiting for the customer to get search through their wallet for the right card,
• swiping it a few times,
• forgetting to press ok to confirm transaction,
• waiting for the system to connect and authenticate,
• waiting for the slip to print out.

Handing the slip to the customer, them squiggling on it and me having a quick look to see if the two squiggles was not the hold up in the process.

Re:More fraud?

[E8086]

"On the flipside, the card never has to leave your physical possession."

It rarely has to anymore. Most stores have installed credit/debit card readers for their customers, thanks to that scare a while back that cashiers were stealing credit card numbers. The only time my card leaves my posession is with the older style BoA/Fleet ATMs that still want to hold on to your card until the transaction is complete. I hope they will still require a PIN/passcode along with the card or maybe a thumb held on a scanner while the PIN is entered with the other hand.

Or they could try making the cards smaller. Who says a credit/debit card has to be 3.5"x2"? Yes, it fits perfectly in a wallet, but so does a 3.5" floppy in a shirt breast pocket. I remember seeing commercials of credit cards designed to fit on a keychain, it even had a protective case. A credit card can easily be reduced to 1" high, if you examine one you'll see that the top half contains the magnetic strip and the signature box and the bottom has the number, exp date and name. And they're on opposite sides of the card.

Remeber, RFID that claims to be read at only up to 6" can really be read at up to 70'
The tinfoil wallet is too passive an approach and can only protect the card while it's in the wallet, not in use. It's time to modify a PDA RFID scanner to be an RFID jammer.

RFID passports, RealID cards and credit cards. What's next RFID birth certificates and social security cards? That will add a new level to wardriving and even war/RFID walking in malls.

Re:More fraud?

[DrXym]

I believe some countries allow you to use your rapid transit card to make small purchases. In addition of swiping your card to be allowed through a gate you can buy a bar of chocolate or a newspaper or other small transactions. Apparently London is piloting doing such a thing with their Oyster card.

It makes sense that if you have a card which is acting like pocket change to allow this. You deplete the credit and then you top it up. You can only spend as much as you have on the card so it has a natural cutoff. Since you buy the card with cash from a machine, the card is effectively acting like semi-anonymous currency.

It doesn't make much sense to do the same with a credit card, unless the credit card imposes a hard limit on what you can spend in such a manner. And I don't mean per item - I mean total that you deplete and must be topped up either by you or a preset top up. Otherwise what's to stop someone reading your RFID and making their own purchases by spoofing yours?

It doesn't really make sense to even embed the RFID into the credit card anyway. Are Mastercard going to be happy with reissuing cards to hundreds of people for the sake of thieves leeching $10 a day off them? How does a customer or Mastercard even spot suspicious transactions for tiny items anyway until the statement arrives?

It seems smarter for the RFID to be on separate card - to be more like a gift card that can be topped up at the discretion of main card holder. These could be sold anywhere and it would be easy for someone to buy a couple of them and set them up with their main account. Then if someone steals one, you simply don't top it up anymore. This would of course require Mastercard or whoever to stop gouging owners of these cards by charging a monthly "administration fee", but if they wanted to see the scheme work, they'd waive it.

Re:More fraud?

[Tony+Hoyle]

A pickpocket who gets your card can also get your PIN and clean you out... no cloning needed (that's actually quite hard although not impossible). The whole point of C&P was to shift responsibility - if someone uses your pin to make a transaction *you* are liable even if the card was stolen.. there's a basic assumption that only you know your pin.

I *really* hate the way they limited it to 4 digit pins. I'd rather have a 10 digit one - much less chance of a casual thief being able to memorise it on the first shot. Leave it at 4 for the AOL users, but I'd rather have some security thanks.

Signatures were way better in many ways... everywhere round here was really strict about checking them.

The worst of course are the supermarket 'self service' checkouts - they don't ask for a signature *or* a pin - no security at all... you swipe the card and walk away.

Theft

[jedie]

Well okay, you don't need physical access to the card anymore to steal money from it.

They're gonna need to put in some confirmation thing in this, but I thought the whole idea was effortless payments.

Re:Theft

[samael]

Will it ask you which of the 4 cards in your wallet you want to pay with?

Not a big change

[drivinghighway61]

The article claims these new RFID cards will be a breakthrough in ease of use, like PayPal was for online purchases. However, the change to simply a wave isn't that much better than a swipe. One wonders what the real motive for adding the RFID chips to the cards will be.

Security?

[Mateito]

It amazes me every time I go to the states how no signature or pin is required to buy goods on a credit card. Self-service gas stations are good example. This is single-factor authentication. RFID or magnetic strip, doesn't make a difference.

How long will it take the collectives minds of the criminal fraternity ... or for that matter the collective minds of Slashdot, to design a reader that can be used to copy RFID takes from people in crowded lifts and trains?

I have a bad feeling about this...

MasterCard RFID Credit Card: free

Checking out at the grocery store without signing your name or entering a pesky PIN number: effortless

Having your account drained by a 12 year old who bought a high-gain RF antenna off eBay: priceless

Re:I have a bad feeling about this...

[RzUpAnmsCwrds]

12-year-old busted after realizing that ISO/IEC 14443 uses two-factor authentication: Classic.

The RF component of these cards is considerably more secure than even the magstripe component.

Theft!

[Palal]

Not only will thieves be able to capture your CC#, they will be able to do it without you knowing it! Think of the possibilities! Subways, buses, crowded trains, elevators, escalators, and other public places! I guess that gives me another reason to not leave home and to spend all day reading slashdot about how others have had their identity stolen.

Re:Theft!

[MoralHazard]

I thought of this immediately, too. But there HAS to be something more going on, right?

In the USA, at least, credit card issuers (the banks that back the cards) are ultimately responsible for fraud. Their agreements with merchants stipulate that the merchant has to eat any charges found to be fraudulent, and if the merchant can't/won't, the bank has to do it. By law, the customer is limited to being responsble for only the first $50 of charges. And most card issuers have policies that waive even that fee.

So if it's really going to be that easy to steal CC numbers, why in the hell would banks do this??

I had one idea that might float: The expected losses due to increased fraud are outweighed by their predictions of increased consumer credit spending, once it becomes easier to use the cards. Since the merchants eat fraudulent charges, anyway, the banks aren't out that much more money if fraud goes up.

Of course, this disincentivizes merchants to let people easily pay for things with a swipe (yif ou have to show your photo ID before you wave your card--defeats the point, doesn't it?). Which would make the whole thing moot.

Conflicting RFIDs

[Cytos]

This is not going to work well for anyone that has multiple RFIDs in their pockets. The current scanners are unable to dicipher between different cards. I already have two cards that use RFID technology and am forced to either pull one out when I want to scan in or awkwardly adjust my wallet so that only one is read. Either way it just defeats the intuitiveness of it if I spend more time trying to get the thing to work instead of just scanning the card I had to pull out anyways.

Fraud Prevention.

[ciroknight]

Quick, start selling Tinfoil hats!!!!.. for WALLET!!!

Re:Range?

[Anonymous+Crowhead]

These new 4th generation RFIDS (or 4GRFIDs as known in the industry) broadcast at a strength 64.2W (1.9 amps/hz) Though it not might seem like much, the signal is detectable by a dime sized reader at over 3000 yards and does not require line of sight. This reader can be easily assembled by about $13 dollars worth of parts (diodes,wires,etc) from RadioShack. There are instructions on the internet that are so simple, a child capable of drawing crude stick figures of his mommy and daddy with crayons could assemble one, link it to an offshore bank account and be draining bank accounts in less than thirty minutes.

Re:Range?

[gardyloo]

So, unless someone with a scanner embedded into his/her pants bumps into you, I imagine you will be OK.

      It's not the scanners I'm worried about. It's the guys who *call* it a scanner, and are just really happy to see me -- THEM I worry about.

Get some facts

[scdeimos]

PayPass FAQ page: http://www.paypass.com/faq.html

I'm not sure what the benefit of these are since you still have to take your card out of your pocket/wallet/handbag to swipe it over the scanner (only works within an inch). Anyone who has trouble swiping cards with mag stripes (which seems to be becoming a more-common problem as technology progresses) will likely think this a good thing - one swipe and that's it.

The issue of Card ID theft isn't really that much more than it already is.

Not the same "RFID"

[RzUpAnmsCwrds]

The MasterCard system, like all of its type, uses the ISO/IEC 14443 contactless smartcard standard.

ISO 14443, unlike most RFID standards, is a cryptographically strong system that renders easedropping useless.

Re:Not the same "RFID"

[Panaflex]

Yeah, this is GREAT crypto guys! I have to disagree, as there's plenty to be said here.

From TI:
using National Institute of Standards and Technology (NIST) approved crypto algorithms, including Triple DES and SHA-1

Ok, my limited crypto background says that TDES and SHA1 are headed towards the junkyard. Not that it's trivial to brute force these guys - but there are some SERIOUS questions on the long term usage of these algorithms.

To wit: A system built on these algorithms should not expect security beyond a few years. It's not computationally worth it NOW, but perhaps in 5 years it may be trivial to breach.

AES is much more secure and faster than TDES. It is more complicated circuit wise, but certainly doable. Additionally, the SHA1 algorithm is under heavy scrutiny now, and short plain text lengths may have heavy collisions with other viable texts. Remains to be seen.

Reguardless, if I were developing a system for the next 10-20 years I would certainly aim a little higher than TDES - just my 2 cents.

Pan

Re:As a MasterCard customer...

[Joe+Random]

It's like walking around with my card number tattooed on my forehead.

So? It's likely that in an RFID credit card system your account number will not be a very interesting piece of data. What the crooks will need is your private key, which will not be broadcast by the card.

Merchants, I'm sure, will not process transactions unless the card passes a challenge/response cycle based on the private key encrypting or signing some data, with the public key available from bank itself for verification purposes. So someone having access to your card number would be a non-issue. They'd have to have physical access to the card itself, which would make it more secure than the current system.

Re:Range?

[tooth]

When you bring the card near the reader it induces a current in the card to power it (Passive RFID). This is why you need to put it close to the reader. Once this happens you can snoop the signal from the card from nearby.

PayPass vs. Octopus

[fuzheado]

Here in Hong Kong, we've had one of the earliest and most successful RFID "touch card" payment systems in Octopus Card, but here's why I'm wary of PayPass:

• It's a credit card, which means the limit is theoretically your credit limit of thousands of dollars. (Yes, I know they say it's for transactions under US $25, but do I trust their software?) The Octopus system is anonymous and stored value. You can only lose as much cash is in the card, which is typically less than US $15.

• It doesn't display much information about the transaction. Octopus displays how much has been deducted, and how much is left on the card. For PayPass: "When you present your PayPass card to the terminal, you will see a series of lights on the terminal. When all the lights have lit, you will know that your card has been properly read. If you want a receipt, simply ask the clerk to give you one--it is available, should you request it."

#include coolsig.h

Re:Range?

[joe_bruin]

You put your card up to the reader not because that is the range of the signal coming out of the card. Rather, it is the range of the magnetic induction field coming out of the reader to power the card. The signal the card emits can probably be read at 100 meters by a person with a high gain directional antenna.

Of course, Suica cards are not that prone to theft because the most that person could do is take a spin around the Yamanote Line at your expense. When there's serious money involved, you will see someone place a high powered field generator in a trash can by the entrance to a mall, and then sit in a car nearby and gather access numbers from everyone going in or out and massively cash out. Non-contact based transactions are a bad idea. Faraday-cage wallet, here I come.

This is easier how?

[el_womble]

Chip and pin was bad enough. Clerks still handle my card, and from a mugging perspective, its far easier to beat a 4 digit pin out of me, than the ability to write my signiture (at least forgery was skill?). But chip and pin does represent a step in the right direction (one step backwards, two steps forward). Not using a clerk to verify your identity is probably a good move in the long run, and keeping the pass phrase in plain site was never a good idea.

What I'm not sure about with these RFID is where is the feedback that the transaction was successful? If you still have to wait for the terminal to handshake with the central database and process the transaction, it still takes as long as a conventional credit card - then there is no improvement. If there is no identification process, short of possessing the card how is that better for my security? If its part of the build up of biometric ID, is that really going to be any quicker, more convient or secure than using a human to identify another human.

My girlfriends father has banked with the same branch his entire life. When he walks into the bank the people know him. Now don't get me wrong, he "Hates the bastards", but he won't change branches because, when he sent his new accountant into withdraw some cash, they took the accountant to one side and refused the transaction until they had verified his identify via a phone call. It was quick and painless. The trust was human, the identification was human.

The interesting thing about that story is that it identifies the absolute reason we need human trust mechanisms (because they work and are intuitive) and the absolute reason we need automatic trust - I don't want to have to make friends with every clerk/manager in the world before they'll accept my credit card - and I want the freedom to change banks.

I don't think RFID for credit cards is a good idea. In fact I don't think credit cards are a good idea - they are a hack. They are a machine readable identification tool - what we need is a technology that identifies you by looking at you, talking too you, smelling you. If my moms Lhasa Apso (possibly the stupidest breed of dog on the planet) can identify me from a line up then at some point we need a technology that has a similar capability.

Do you carry just ONE credit card in your wallet?

[Mike_K]

I don't think the expected ease of use will be nearly as much as predicted by people who want to push this technology.

I carry three credit cards in my wallet. I don't really need the third one, but I always try to have at least two, just in case my primary card doesn't swipe correctly, goes over limit, or becomes otherwise useless.

So what will happen when I wave my wallet with three CCs in it in front of the reader? It'll probably ask me which card I'd like to use... Now I have to read the options (how many people carry 6 or 7 CCs in their wallets?!) and find the one I like and select it. Or just take it out of the wallet and swipe it. Which one will you chose?

Plus, this may make lives easier for women who can just wave their purse in front of the reader, so they don't have to take out the wallet and then the CC. But most men I know carry their wallet in their back pocket, and I don't think stores will be happy with men sticking their butts up to the readers on the counters. And if I have to take out the wallet, I may just as well take out the CC...

Just a couple of thoughts..

m

What's the incentive to change for each party?

[200_success]

Let's face it: traditional credit cards suck because they are hampered by concern for backward compatibility with 1970s technology. If one were designing a credit card system today, it wouldn't be based on an embossed number and magnetic stripe. The number is there for remote transactions (using the expiration date and possibly the 3-digit CVV as a plaintext "password"!). With today's technology, remote transactions should be handled using a challenge-response system or one-time-use numbers such that the retailer can authenticate the cardmember without gaining enough information to impersonate the cardmember. The number on the card is embossed for use with the carbon-copy rolling machine. When was the last time a retailer carbon-copied your card, asked for photographic ID, and looked through a blacklist of stolen card numbers? And the magnetic stripe would certainly be replaced by a smart chip, which is much harder to clone because it can do challenge-response.

The infrastructure of the credit card network has improved, slowly. Nearly all point-of-sale equipment now performs real-time authorization. In Europe, the magnetic stripe is being obsoleted by contact smart chips. However, the benefit of the new technology must be significant enough to justify upgrading the huge worldwide network of equipment. So what's in it for each party to adopt RFID for credit cards?

• Retailer: The store wants to minimize the likelihood of chargebacks while being quick and friendly to the customer. In addition, the card reader needs to be cheap, since they have to buy or lease the equipment. They have all adopted real-time authorization because it eliminated a lot of fraud. In countries where magnetic stripe cloning is prevalent, they have already acquired contact smart chip readers. The only ones who would be interested in RFID might be the industries clustered around the American car culture, where every second counts: tollbooths, fast food/coffee places, gas stations.
• Issuing banks: The bank wants secure cards that can be issued cheaply. Although most of the risk of fraud is borne by the retailers, the banks do assume some liability, not to mention the expense of running the call center and the fraud check departments. Although the RFID signals might be intercepted and cracked, I think that thieves will prefer to steal credit card numbers by other means (the same security holes that are there today will continue to exist for backward compatibility). The RFID chip is relatively cheap, so they might go for the new tech. Or Mastercard could force them to embed RFID in the cards.
• Cardmember: The typical cardmember mainly cares about convenience, with security as a secondary concern. Being able to wave your entire purse or hump your butt against the contactless card reader is marginally more convenient, assuming that the signal can overcome shielding and interference problems. If RFID cards become common, you'll have to specify which of the several cards you are carrying you want to charge, or there it's possible that it will read a card other than the one you intended to charge. So I don't think you would really be saving any time. However, cardmembers are not really in any position to promote or protest technological decisions -- you just get to use whatever card comes in the mail.

In short, credit card technology advances slowly, with the retailer network being the bottleneck. Can they be convinced to upgrade? In my opinion, I think not.

I also think that RFID offers practically no advantage over contact smart chips, and that it would be pointless to add yet another standard. Wireless will never be quite as secure as contact. The network needs an overhaul, but this is not it! The credit card companies should be pushing to remove the card number and magnetic stripe in favor of the smart chip, instead of adding RFID.

Kneejerking?

[Malor]

From what I can see, these don't appear to be RFID cards. They seem to be using an encrypted signal with a handshake. An simple eavesdropper shouldn't be able to do anything with the data he snoops, because all he's going to be able to see is the key exchange and then the encrypted bitstream.

It's just using the air to transmit encrypted information instead of a wire. As long as the encryption is good, the simple fact that it's broadcast instead of being on a wire shouldn't matter.

Ok, that said, I could see one potential attack vector, in that a bad guy could theoretically initiate a key exchange and swipe some cash from you. If all it takes is being nearby with an inductive field to power the card, then a fraudulent charge would be pretty easy to make. The virtual equivalent of pickpocketing. If you did it in small amounts per card, you could walk through a crowd with your portable gear and make hundreds of dollars an hour.

One idea to work around that would be requiring the user to hold the card in two specific places, on opposite sides. Thumb on one side, finger on the other, touching big gold contact points. If the card can detect the proper grip (very trivial technology), then it is active; otherwise, it refuses transactions. That should prevent 'pickpocketing'.

Basically, there needs to be a way for the user to announce 'yes, this is an authorized charge' other than simple proximity. The Kung-Fu Grip is one possibility... there must be others. Heck, the cards may already DO this. The actual technical data seems exceedingly scarce.

Snooping, at least, doesn't appear to be a potential problem.