Privacy Pitfalls in No-Swipe Credit Cards
Nrbelex writes to mention a New York Times article about the privacy pitfalls of 'no-swipe' credit cards. Despite assurances from the card companies, researchers Tom Heydt-Benjamin and Kevin Fu were able to easily retrieve data from the new cards ... data available without encryption and in plain text. From the article: "They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. 'Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?' Mr. Heydt-Benjamin, a graduate student, asked."
Let them do this. I think it's time these idiots suffered a really big catastrophe; it'd probably be the most (only?) effective way to really set the tone re. RFID.
Meantime, don't carry these cards yourselves, and avoid banks that use them...
In the old days, you used to actually have to stick your hand into someone's pocket or purse.
In the new days, you apparently only have to sit next to them on the bus.
FINALLY! Us geeks have something to be happy about. For once we can walk confidently sporting our tinfoil wallets and WE'LL be the ones laughing...all the way to the bank!
I thought they could not get even dumber than not having people sign their credit card slips, or having the user swipe it themselves and sign so the cashier does not even look at them. Let whoever chooses this "easier" way crash and burn.
Of course, I found this interesting blog post from several years ago: http://www.spy.org.uk/spyblog/2004/02/foiling_the_oyster_card.html
I just wish TfL would get the bloody Silverlink / North London Line railways on the system rather than posting stormtrooper rent-a-cops at selected stations on random mornings. I actually do pay my fare, but I'm deeply distressed by the rudeness of some of the non-TfL staff. Treat customers not as potential fare-evaders but customers!
Okay, magnetic swipe cards are better than the old way of making a carbon from the raised info on the little plastic cards, but what is the advantage of an RFID credit card? I still need to get the RFID-thing out of my wallet or out of my pocket to use it. Is saving five seconds such a big deal that I wouldn't spend that five seconds in order to protect my identity?
Upgrades for the sake of the "wow-factor" are stupid.
...then you have nothing to hide, right? So why are you bothering hiding your credit card from the other law abiding citizens, are you a terrorist?
Lead-lined sleeves for credit cards, driver's licences, passports, and airport visitor tags. In an assortment of new colors for our autumn lineup!
http://prisms.cs.umass.edu/~kevinfu/papers/RFID-C
gentlemen, start your soldering irons
...swipe cards aren't secure? Hell, I'm still waiting for CREDIT cards to become secure.
I've been waiting for 2 years for cashiers and salespeople to check my signature whenever I buy something with my credit card. Sometimes I'll sign "Mickey Mouse" or "Donald Trump", or even write a phrase like "Yankees suck!", and I still have yet to be asked even once. With the lack of security on older cards, it doesn't surprise me that these newer ones are no less safe.
When did we get too lazy to swipe credit cards?
If you're too lazy to have any security, you won't have any.
In NYC, you can use Citi's PayPass as a metrocard at 6 station terminals (the green line).
And, that's pretty much the only thing I've used it for.
I'm not really worried about theft of the information on the device -- there's zero liability and all that -- but, who knows how much hassle I might have to go through to get the credit card company to actually credit the charges. Oh -- the paypass (and amex's expresspay) has a different credit card number embedded than the credit card it's associated with -- so, even if the paypass is 'lost', you only need to replace the paypass, and not your credit card.
Cripes, we were doing this with the building access cards 3 years ago. Reading them from 6 feet away; RFID is not much different, so doing this with the new cards is just as simple and is no surprise to anyone.
As a former employee of one of the credit card companies, I'd like to explain a little bit of how they think. Banks and credit card companies take fraud for granted. They have departments which analyze potential and reported fraud. They set certain thresholds which they consider acceptable. Since they know it's going to happen they study it and figure out the best way to flag accounts. To the credit card companies it makes the most financial sense to not bother with the technological blocks and catch the fraud on the tail end. For example, with smaller purchases no longer requiring a signature, card use for small purchases has gone up. If a few percent of those purchases are fraud the banks and credit card companies don't care because in the end they're making more money. People who notice fraudulent transactions on their statements will make calls and the banks will eat the cost of the purchases. Banks who suspect fraud has taken place simply block the accounts until the card holder calls. It all works out to the benefit of the banks and credit card companies.
So even though the credit card companies should do more to protect the information from a logical and PR perspective, they've already decided that the small potential increase in the cost of fraud is outweighed by the increased use of these cards that some people consider more convenient.
Aren't the credit card companies liable in the case that someone war-drives your credit card info? I mean, if it's not encrypted and it's effectively broadcasting the number, could there really be a bigger security risk? Maybe we should all just get stainless steel wallets.
Can the RFID tag be removed/destroyed on the card? My card has this no-swipe crap and I've wanted it gone since it was introduced several months ago. Would there be any downside to removing it? Like, will my bank no longer be able to read it? I'm sure they still use the old swipe method, so I don't see how. How do I go about removing/destroying it without damaging the magnetic strip?
Finally the tin foil hat brigade has something to teach us. To stop your RFID cards being read you simply need two sheets of tin foil (aka bacofoil) on either side of your wallet. I predict that such wallets will soon be on sale as will metalized pockets for coats.
Ahhh, this is complete BS, because do you really think the CC companies just say "OK, we will pay for this"? NO, we all pay for it; they pass the cost on to us all. Not to mention all the time we will spend on hold trying to get a rep on the phone to clear up all the mess. We should be compensated for our lost time.
I'm surprised the papers don't pick this up and make an example out of these thugs. They're really rude, thuggish and arbitrary and need to be held to account.
...an airport that regularly checks wireless credit cards from walking through the door, to boarding the plane.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
check the small print, you might find the bank owns the card and you're not allowed to alter it.
Why not just get an RFID Blocking Wallet? http://slashdot.org/articles/06/10/03/2133244.shtml from http://www.difrwear.com/ and not worry.
Are you suggesting his fiancé is Ann Coulter? That's pretty low...
Ben Hocking
There seems to be a really huge gap between the security research community and the companies developing RFID credit cards, RFID passports and voting machines, in other words, the people making the practical applications. It is clear that these companies have absolutely no competence whatsoever regarding information security and don't care to ask anyone for advice either. Beautiful. Security by obscurity is the default and often there's not even much obscurity.
Aren't there any rules regarding the handling of sensitive customer information? No laws? Is it enough to just say: "Don't worry. Your data is safe with our technology." when it is actually not?
I probably sound like a paranoid nut, but banks are pushing this 'touchless' card technology because we buy more when we use it. By 'we' I mean consumers. And we buy more when using plastic than when using cash. In this USAToday article - http://www.usatoday.com/money/perfi/credit/2006-10-09-credit-cards-usat_x.htm - a great quote sums it up:
Merchants, too, benefit from faster no-signature transactions, credit card companies say, because the stores can serve more customers -- resulting in higher overall sales. And "people will spend more if they come in with a card vs. cash," says Gareth Forsey of MasterCard Worldwide (MA).
"People will spend more".
So, if people already spend more by putting a card in a reader, it stands to reason that they'll spend even more when they don't even have to get the card out of the wallet - just wave it around in front of the reader. The speedpass technology is pretty much doing this already, and McDonald's adopted it a few years back. Obviously it was a pretty big expense for them to put the machines in, refit their networks to accommodate it, etc. Why would they do it unless it meant people were buying more? In fact, Visa's own website (http://merchants.visa.com/solutions/qsr.jsp) states that
A recent Visa study of 100,000 QSR transactions showed that customers using payment cards spent an average of 30 percent more than those who paid with cash. Other industry studies suggest that the average spread may be even higher.
So for everyone saying "when did we get so lazy?" and similar notions, it's not that we're lazy. We simply spend more the less psychologically painful it is to do so. If I lay down 5 $20s to do my grocery shopping, it's more painful than swiping a card, because it's not as real at that moment. When I view my statement later, yes, it all tallies up, but there's no difference between using plastic for groceries, clothes, the movies, or anything else, even if all the prices are wildly different.
For years I had a Mobil speedpass. I found it incredibly convenient. Take out the keys, pass them near the pump, and go. For those rushed commutes when I wanted to get back to the road and back to my audiobook, getting out of the gas station was a priority and I thought it was great. And even when it was clear the system was hackable http://www.marketingshift.com/2005/1/exxon-mobile-speedpass-hack-via-rfid.cfm I still used it. WTF? You get cheated, you call the credit card company and take care of it. How many websites already have my credit card information? How many bills do I pay online? There is a huge amount of trust that I put in these institutions. But I've decided that my time and convenience in the long run are more important than worrying about a few hundred dollars.
you know, I think that it's stupid crap like this that makes it so easy for people's identities to be stolen...Let the dumbasses keep the card...papa needs a new pair of shoes...:D
Am I the only one who can't wait for their bank to get these RFID cards in for their Check Cards? My magnetic swipe is always wearing out. And it will be so great to not even have to pull my card out of my wallet. Now finally cashiers might stop going against the Visa merchant agreement by asking for my ID. Nothing grinds my gears like being asked for ID when using a credit card, especially my Check Card. I mean, that was the whole point according to the commercials.
I'm not really worried about people stealing the RFID information either. I don't think many people will be making these for credit card fraud. And if it does get stolen, screw it, I'm not responsible for fraudulent purchases.
Really - if they did, don't you think they would at least REQUIRE A PIN? This is something that can easily be turned on with the flip of a switch - hell the infrastructure is already in place for ATM and Debit Card transactions.
If they can't be bothered with PIN numbers, why would they be bothered with encryption and authentication?
-ted
These 'old days' you talk about ended long, long ago. These 'new days' you predict started decades ago. I'm far more worried about the minimum wage employee handling my credit card info or someone digging through improperly discarded credit card receipts than I am of a technophile taking the time and effort to build a mobile card reader. A stolen credit card is a stolen credit card, regardless how it's done - and we already have measures to counter this. I fail to see how this 'new world' is any different than today's status quo.
They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
Franklin's Contributions to the Conference on February 17 (III) Fri, Feb 17, 1775
chillie
I have invested in an amazing technology that is 100% secure, is accepted at more locations than ANY credit card, can be used even if there is no card reader present, does not bear my name or any identifying characteristics, and best of all, if someone does duplicate it or use it fraudulently, I cannot be held liable. It's called cash.
I solved the security issue in about 10 seconds with a drill press. Now there's just a little hole where the RFID chip used to be....
Personal data including owner's name, card number and expiration date will always be stolen, since they're shared with other parties by nature.
The killer security method is SMS notification of each transaction. Here in Italy it's widely used. What about your own countries?
That is exactly the point - they want to factor out their risks. Not increase our safety. The banks are using the bling/ease of use to get us to stop signing dockets.
Once your signature is no longer present the banks will be in a position to stop reversing fraudulent activity - this will now be the consumers problem. There will be no way to say "Please show me the signed docket", since there won't be one.
This I believe is the underlying reason for them pushing the new technology. As long as dockets are around they have a problem - with this new uber-secure technology no need for dockets. Once dockets are out of the way watch out for them saying - "Okay Mr Consumer, you say you didn't purchase XYZ - please prove it". You can't prove it - therefore you'll end up paying!
Everyone keeps saying, "Who cares, I'm not liable if someone takes my card and uses it", and that "The banks eat it".
No, they don't. The merchants do. And the customers end up covering it in the end.
I own an online retail business. If someone disputes a purchase and we lose the dispute, the credit card processor simply takes the money back from *us*. We're out the money. Nobody else.
We go to great lengths to try and prevent this (AVS, CVV, etc), but you will get one every once in a while no matter what you do.
So fraud rates are built into retail *pricing*. When we get a new product, we have a formula to decide our selling price. It's based on our business costs. Fraud is one of those costs - we know how much we incur per year, so we build it into the profit margin. Every business does this in one way or another.
If fraud goes up, so do our prices. Therefore, it goes full-circle back to the consumer.
Brian Roach
weellllllllllll duuuuuuuhhhhhhhhhhh ?
The reason that we have the credit card fraud protection that we do today is not just because the banks thought it was a good idea, but because federal law makes them liable for all fraudulent charges up to a certain amount. Regardless of what arguments they put forth about who is most at fault, it is the bank and not the consumer who is liable, period. The credit card companies can and do write conditions into its merchant contract that say they won't pay the merchant for fraudulent charges, especially if they don't have a signed receipt. In this case PIN numbers actually push liability further away from the merchant and back to the bank. When the actual perpetrator of fraud is caught, they are required to pay the money to the bank. But if these don't occur it is the bank who must ultimately swallow the losses.
This is why the banks have invested a ton of money into programs that detect patterns of fraud, and why I am not too worried about these new technologies. If they increase fraud, then the bank will be the one that gets hurt and if it becomes too great a problem they will move back to the old solution or onto better solutions (smart card authentication using PINs and public/private keys). So just stick with regular credit card accounts, not debit cards - the legal protection is the same, but you are out the money until the bank gets around to refunding it - and you will be fine. Of course, this is US specific, YMMV in the EU.
This quote from the article particularly bothered me:
"It's a small sample," said Art Kranzley, an executive with MasterCard. "This is almost akin to somebody standing up in the theater and yelling, 'Fire!' because somebody lit a cigarette."
I thought smoking was banned from theaters 'for the children'. Smokey the Bear would be upset too. Who cares HOW SMALL the sample is; the issue still needs to be addressed. That 'little cigarette' could cause a 'fire', and shouldn't be allowed in the first place! As much as I am against some governmental overlording, this is an appropriate time for the government to enact legislation to require credit companies to safeguard against this sort of danger.
Where is the greater threat?
1. Stealing information from card holders one-at-a-time with a soon to be illegal device?
2. Card holder data at rest by the thousands in some DB somewhere?
Where is the liability in each instance?
There's no incentive for the banks to do this any differently.
This is why I am always amazed that people carry the 'check cards'. It is so easy to commit credit card fraud that it is just silly. So, what do people do? They start carrying around a credit card that has access directly to their checking account. Of course the banks will try to tell you it is safe because if the money is stolen, they will return it in one business day. Of course that is one business day after you notify them, and the way you find out about it is that your mortgage/rent check bounces, and your real credit card bill check bounces, causing all of your interest rates to shoot up from 6% to 22%. Hell, Visa's original check card TV ads showed exactly how to commit fraud with the cards!
There is absolutely no benefit to a check card over a real credit card, and huge drawbacks, but people keep carrying them.
How about Visa in Canada (CIBC to be exact)?
Recently, I received a bunch of $2.50 charges on my card. When I called Visa about it, they couldn't figure it out at first, but they appeared to be "cash advance fees," so they went to investigate. Later, they called to inform me that the fees were from when I bought lottery tickets, which were now treated as a cash advance: $2.50/transaction + interest, and that I had received in the mail a new policy stating such. I stated I hadn't received said changes, so they refunded the $2.50 fees (probably not the interest, buggers), and mailed me a new copy of the policy.
So I checked it out, and the closest thing they have is to the effect of:
Cash-like transactions: Some transactions are treated as a cash advance and are charged a service fee + interest. These include casino chips, money orders, wire transfers, etc. Transactions that are indicated by your teller as a cash advance may also be treated in this manner; if in doubt, ask your teller.
Now a lottery ticket is a far fucking cry cash-wise from gambling chips or wire transfers. All the items indicated have a real-world value, with a consistent, fair exchange of cash-to-item value. Lottery tickets might win you cash, but if they want to go that far I could also go buy a bloody car and then sell it off for extra bucks at a loss.
In other words, with anyone who handles the big-bucks, you're pretty much screwed for anything that's not cash. As for the bottle of coke, with many cards you have a tied-in debit account, which gets charged accordingly with either a monthly amount, a per-transaction amount (not near $4), or a varying amount depending on your balance (in my case, so long as I keep $1000 in the account, which is always, I don't get charged on debit transactions, but if I ever dipped below for a moment, it would be like $1.50/transaction).
Personally, I was using Visa because I gain travel points and don't pay interest (always paid on time), unless I started getting fucked-up fees like the ones above. But when they've got the big-bucks, who do you complain about their very vague policies to?
The Bush administration's genius for Homeland Security and planning is replacing our passports with this untrustworthy "wireless scanning" tech starting next year.
What happens when someone changes your passport data without your knowing, outside the country, and they send you to Guantanamo? Years of "interviews" on an electric waterboard, while all you've got for the "interview consultants" is "I don't know what happened" - years everyone thinks you got kidnapped by terrorists, because your lawyer never heard from you.
Well, I got my "new fantabulous" debit card several (6?) months ago - they included very exciting documentation about how ez this would make transactions: http://www.mastercard.com/us/personal/en/aboutourcards/paypass/index.html
I immediately called the customer service dept. The customer service rep, who tried to be very nice, was very well trained on how easy, simple and secure this card was - but didn't know much about how RFID actually works! I asked her if she thought EZ Pass was a good idea... and she knew what that was. When I explained that my card (and hers, I'm sure) was essentially the same thing - there was a long, quiet pause on the other side.
Long story short - I said "well, I don't want this feature in my card, please send me an 'old' one." I was told that they didn't have the old ones anymore. I told them I would take my business elsewhere... and I was told that the cards were being driven/produced by Mastercard - and ALL the banks were doing the same thing. Hmmm... Should have shorted that stock the next day!
Yours, with a pocket full of aluminum foil & Duct tape
CA in NY
So, what exactly is wrong with a system like Suica? It's anonymous and convenient. Not having to wait in line in Tokyo for a JR ticket in the morning was quite nice. So was running into a combini and buying a Pocari Sweat with my Suica card.
'Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?'
No, but I think it'd be cool to have a t-shirt with LEDs that could put up multi-line data, and capture other peoples' names, CC-#s, etc and display _their_ info on _my_ shirt!
Speaking of past and future predictions, how about we all step back in time a bit down digital memory lane...
Tokyo train station gets facial scan payment systems
http://www.engadget.com/2006/04/27/tokyo-train-station-gets-facial-scan-payment-systems/
----
RFID subway pass? Sure, New York says
http://news.zdnet.com/2100-1035_22-6033364.html
----
Radio-Frequency ID: Asian Impediments
http://www.businessweek.com/technology/content/oct2006/tc20061009_971601.htm
(page was ALL jacked up in my Konqueror browser....)
----
Suica
http://www.answers.com/topic/suica
Suica stands for "Super Urban Intelligent CArd"
"a rechargeable contactless smart card used as a fare card on train lines in Japan. Launched in November 2001,..."
"Technology
The card incorporates contactless radio frequency identification RFID technology developed by Sony, called FeliCa. The same technology is also deployed in the Edy electronic cash cards used in Japan, the Octopus card in Hong Kong, and the ezlink Card in Singapore."
----
RFID in Japan
http://ubiks.net/local/blog/jmt/archives3/2005/02/index.php?page=all
----
RFID Cards Big in Tokyo
http://www.smartmobs.com/archive/2003/03/15/rfid_cards_big_....html
"Pockets in Japan, however, are getting lighter with the growing use of integrated-circuit smart cards. The size of a credit card, they are packed with thin antennas and an encrypted integrated chip that can be used thousands of times to pay for train fares, meals at restaurants and snacks at convenience stores. In less than two years, nearly seven million people in Japan have started using one of two types of cards, both based on technology developed by Sony.
So far, the main client for the cards is JR East, the largest railway company in Japan. Nearly six million train and bus commuters have started using the first of the two types, known as Suica cards, since they were introduced 18 months ago."
For those interested in similar devices (well, actually key fob) in the US, read 5-Peter Davidson's post about "Speedpass"
BUT, be sure to read # 7- "SUICA IS NOT RFID"
http://www.eurotechnology.com/store/suica/
----
heheh, slash image word: "rescuing"...
SSIA, mod parent down
At least SOMEONE else realizes that the signature is in NO WAY a security measure on a credit card. It is only there to show that you've agreed to the terms of the contract you signed when you activated the card. Now retailers may take issue with no signature on the card meaning you don't accept the terms of use of the card, which may make them liable for taking the card knowing that fact; however, I've seen a few websites now where people run around signing their CC receipts all sorts of names and junk thinking they can go back later and dispute charges. No matter what you signed, the fact is, you signed for it, it's yours. I'm sure a court of law would also agree.
These people need to read their CC contracts to understand what it really is they signed in the first place, instead of trying to be an idiot and signing their receipts Mickey Mouse or something else ridiculous.
http://www.spychips.com/press-releases/flawed-credit-card-security.html
FOR IMMEDIATE RELEASE
October 23, 2006
CONSUMER WATCHDOGS DEMAND RECALL OF SPYCHIPPED CREDIT CARDS
CASPIAN Advises Consumers to Immediately Remove Cards from Wallets
Consumer watchdog group CASPIAN is demanding a recall of millions of RFID-equipped contactless credit cards in light of serious security flaws reported today in the New York Times. The paper reports that a team of security researchers has found that virtually every one of these cards tested is vulnerable to unauthorized charges and puts consumers at risk for identity theft.
Radio Frequency Identification (RFID) is a controversial technology that uses tiny microchips to transmit information at a distance. These RFID microchips have earned the nickname "spychips" because the data they contain can be read silently and invisibly by radio waves without an individual's knowledge or consent. The technology has long been the target of criticism by privacy and civil liberties groups.
"For these financial institutions to put RFID in credit cards, one of the most sensitive items we carry, is absolute lunacy," said Dr. Katherine Albrecht, founder and director of CASPIAN, a consumer group with over 12,000 members in 30 countries worldwide.
Researchers are showing how a thief could skim information from the cards right through purses, backpacks and wallets. This information includes the cardholder's name, credit card number, expiration date and other data that would be sufficient to make unauthorized purchases. They say the information could even be used to identify and track people, a scenario Albrecht and co-author Liz McIntyre lay out in their book, "Spychips: How Major Corporations and Government Plan to Track Your Every Purchase and Watch Your Every Move."
Despite earlier assurances by the issuing companies that the data contained in the credit cards would be secure, researchers found that the majority of cards they tested did not use encryption or protect the data in any way. The information on them was readily available to unauthorized parties using equipment that could be assembled for as little as $50, the researchers said.
"We cautioned companies against using item-level RFID, and they didn't heed us. Now the credit card industry is facing an unprecedented PR and financial disaster," says McIntyre, who is also a former bank examiner. She points to the astronomical cost to replace the cards, not to mention the potential financial losses, litigation expenses, and erosion of consumer trust.
Albrecht and McIntyre are calling on the industry to issue a public alert detailing the dangers of the cards they've issued, institute an active recall, and make safe versions without RFID available to concerned consumers.
"This recall has to be very clear and very directed since consumers may not know their cards contain RFID tags," says Albrecht. "The industry has repeatedly resisted calls to clearly label the cards. Rather, they've given the cards innocent-sounding names like 'Blink.'"
CASPIAN is advising consumers to immediately remove the credit cards from their wallets and call the 800 number on the back to insist on an RFID-free replacement card. The group is cautioning consumers not to mail the cards back or simply throw them away due to the risk of their personal information being skimmed.
Today's New York Times article by John Schwartz can be found here: http://www.nytimes.com/2006/10/23/business/23card.html?ref=business
A research report detailing the findings can be found here:
http://www.nytimes.com/packages/pdf/business/20061023_CARD/techreport.pdf
Help achieve Liberty in your lifetime - join the Free State Project - http://www.freestateproject.org
Just a thought, but couldn't this technique be used for something more covert, like passively recording the info from the rf card keys in someone's pocket to gain access to secure places? hehe
Both the RSA and CASPIAN are trying to sell something, and actually stand to benefit from this crap.
Notice how they took all the quotes out of context to paint the worst picture.
Gotta love this one, "The group is cautioning consumers not to mail the cards back or simply throw them away due to the risk of their personal information being skimmed."
Like this isn't the case with magnetic stripe cards?
Someone needs to steal the authors' identities to keep them busy for a while...
Isn't it a whole lot simpler to just to pay the admins 3 dollar (or whatever amount of money that is sufficient) of the India based servers for every credit card number they give to you? I suppose they are earning a "decent" salary...
So, you have a wallet full of these things. Which one does it read?
If you mail the card back, it can be read without even opening the envelope. If you cut the card in 2 (or 4 or 8), the mag stripe is unlikely to be able to be easily read. The only thing the tiny rfid chip needs is to be intact... it's that small. I cut a card open and it's about 1mm square, embedded in the card.
Want to know if your card has a chip? Does the signature line go all the way across the card, or stop early? If it stops early, that's a chipped card. The chip is at/near the part that would be signature-lined.
And finally: someone should steal your identity and keep you busy instead... Oh wait, they DID, Mr Anonymous Coward. Talk about ironic: someone afraid to post his own identity complaining when others are concerned about their own. If I didn't know better, I'd suspect you were a shill for the RFID folks. We know they troll like that... go read Katherine's book where she documents the slimy stuff they've done.
Help achieve Liberty in your lifetime - join the Free State Project - http://www.freestateproject.org
A few points though:
a) The card number on the chip is worthless - the authorization system won't accept a payment from a card bearing that number, unless the ISO 8583 auth record contains the signature that the chip generates. In other words, even if you can intercept the transaction (which I don't believe, because it really is 3DES'd in transmission), you can't use it in any way other than through the reader infrastructure. And, you can't replay the transaction, because the elements that go into the signature have transaction count (etc.) material in them.
b) I had a long argument with TI about the risk of remote reading. Remember that these chips use two frequencies - one for energizing the chip itself and one for reading. Any kind of parabolic antenna will substantially increase the read range - if the chip is properly energized. However, the field strength has to be within a certain "Goldilocks" range (not too weak; not too strong) in order to properly energize the chip. Because of the frequencies used, TI engineers claimed that it is exceedingly difficult to get the right energy levels, because the field strength drops so rapidly. I personally worried about someone building a wave-guide like structure around a mall entrance, although I am still unsure that this is technically doable.
c) Here's the bit I've been waiting for. Right at the end of the design process, the business folks came along and said, "oh, we need to be able to display the customer name on the receipt, so the merchant can give the receipt to the right customer". By the time that they came up with this requirement, the protocol (which my ex-employer was standardizing with Mastercard) was frozen. So, the only way to "solve" the problem was to make the fob transmit the customer name in plaintext. Everyone agreed that this was ugly. The way that we were able to convince ourselves that it was acceptable is that the name, on its own, is essentially worthless. It arguably isn't much worse than wandering about the RSA conference with a badge with your name on it, except in one regard: you don't know that it's doing it. My ex-employer intended to change the customer T&Cs to make it clear that the fob would indeed do that, although I don't know if they ever did.
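As an added illustration of point a) above (not code from the original post, and not the protocol any card network actually uses), the following constructed Python model shows why a skimmed card number alone is not enough to authorize a payment when each authorization carries a signature over the transaction details and a per-card transaction counter: the issuer rejects a record with a bad signature, and rejects an intercepted record that is replayed because its counter is not newer than the last one seen. The key, the test card number and the field layout are invented for this example; real ISO 8583 / EMV cryptograms are structured differently.

```python
import hmac
import hashlib
import struct

# Constructed example values: a per-card secret shared with the issuer and a
# well-known test card number (not a real account).
CARD_KEY = b"constructed-card-secret-key"
CARD_NUMBER = "4111111111111111"


def make_signature(key, pan, amount_cents, counter, nonce):
    """HMAC over (card number, amount, transaction counter, terminal nonce).

    Stand-in for the chip-generated signature the post describes; the real
    cryptogram algorithm is not modelled here.
    """
    msg = pan.encode() + struct.pack(">QIQ", amount_cents, counter, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Card:
    """Toy contactless card: signs each authorization with a rising counter."""

    def __init__(self, pan, key):
        self.pan = pan
        self.key = key
        self.counter = 0

    def authorize(self, amount_cents, terminal_nonce):
        self.counter += 1
        sig = make_signature(self.key, self.pan, amount_cents,
                             self.counter, terminal_nonce)
        return {"pan": self.pan, "amount": amount_cents,
                "counter": self.counter, "nonce": terminal_nonce, "sig": sig}


class Issuer:
    """Toy authorization host: verifies the signature and enforces the counter."""

    def __init__(self):
        self.keys = {}
        self.last_counter = {}

    def register(self, pan, key):
        self.keys[pan] = key
        self.last_counter[pan] = 0

    def check(self, record):
        pan = record["pan"]
        if pan not in self.keys:
            return "unknown card"
        expected = make_signature(self.keys[pan], pan, record["amount"],
                                  record["counter"], record["nonce"])
        # Constant-time compare so signature checking does not leak timing.
        if not hmac.compare_digest(expected, record["sig"]):
            return "bad signature"
        # Counter must strictly increase: an intercepted record cannot be reused.
        if record["counter"] <= self.last_counter[pan]:
            return "replay"
        self.last_counter[pan] = record["counter"]
        return "approved"


def demo():
    """Run the three cases the post argues about and return their outcomes."""
    issuer = Issuer()
    issuer.register(CARD_NUMBER, CARD_KEY)
    card = Card(CARD_NUMBER, CARD_KEY)

    genuine = card.authorize(1999, terminal_nonce=0xC0FFEE)
    first = issuer.check(genuine)          # legitimate purchase
    replayed = issuer.check(genuine)       # same record sent again

    # Someone who only read the plaintext card number cannot sign a record.
    forged = {"pan": CARD_NUMBER, "amount": 50000, "counter": 99,
              "nonce": 1, "sig": "00" * 32}
    forged_result = issuer.check(forged)

    return {"genuine": first, "replay": replayed, "forged": forged_result}


if __name__ == "__main__":
    print(demo())
```

The counter check is what blocks replay even when the signature itself is valid; the signature check is what blocks anyone who only has the plaintext fields. Neither helps against the relay/proxy scenario raised further down the thread, where a live card is signing live transactions.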
To all those who say, "Just dispute the charge and it will be forgiven," you've never heard of identity theft. You can't steal someone's identity, but you can defraud a credit card company by posing as someone else. And with some credit cards, this fraud can be carried out simply by someone using your credit card number. So if all disputed charges were simply charged back, we would never have heard "identity theft."
The biggest problems for wireless credit cards are proxies. One reader that reads the card, one connection of sorts (e.g. the internet), and a device that acts like a card somewhere else. Someone can connect your credit card to a reader in Japan while you are in the states. No problem. I've seen very interesting demonstrations of this, and no solution as yet (except for visually verifying the card, that is). Basically you are just extending the antenna.
Thailand should just be renamed to "crookland". At least from the point of view of credit card fraud, which I work with (hence the AC posting).
They don't steal a lot of credit cards in Thailand. There are two possible hypotheses:
1. They are nice enough to the tourists not to destroy their holiday by stealing their wallets - and also piss off the police.
2. Because they get more money from skimming (copying the magstripe) the credit cards and waiting for a number of months before starting to use a copy of that magstripe.
Seriously, in Phuket etc in Thailand, it's so bad that the credit card companies don't make any money from those transactions. Fraud swallows it. The only reason they don't block all credit card transactions in some areas is because their customers would be pissed off and not use their product.
Anyhow, the RFID implementation appears to be very, very flimsy. Good luck on that. Historically, credit card fraud has proven impossible to beat in the long run. Why? Because the decision makers in the industry are too busy golfing and talking to "yes people" to actually fix the problems in whatever design. Or they are too cheap to use the properly designed solution, and use the cheap, insecure version. I don't complain, though. Their incompetence makes sure I have a job. Hah!
Companies like http://www.emvelope.com/ protect against it.
Everyone talks about a tin foil wallet as a fix, but all a dedicated scammer would need to do is hang around checkout lanes where people open their wallets to harvest large numbers of cards if these become common enough. If it can be read for purchase, it can be read by anyone who wants it. Hell, you could leave one that was disguised as a harmless object at the checkout lane and just stop by later and pick it up out of the lost and found bin. Voila, a big list of victims.
When my credit card number was stolen years ago, I only had to check my receipts to know where I had been during the period when it was stolen. After reporting it to the police, they got security camera footage which showed in full view the vile little worm at the gas station who had copied down the number while his back was turned to me. And though the card was protected against fraud, it still took many hours of my time to prove it was fraud, and then argue with the bank that the purchases were indeed fraudulent. Not only that, but because it was a debit card tied to my checking account, in the meantime my account had been cleaned out and some of my checks bounced. I had to argue for a long time with the bank to get them to take back the overdraft charges, which had amounted to hundreds of dollars. They couldn't seem to fathom the fact that if the fraudulent charges hadn't occurred, nothing would have bounced.
Two lessons I took from this:
1. Never, ever use a debit card. Ever.
2. Banks will try to screw you even after you prove that charges were fraudulent.
I stick mostly to hard currency now.
I tried that with HSBC, they don't make the old non-RFID cards anymore. I finally got on the phone with a technical person there who basically gave me an "It's completely safe and we know what we're doing" sales pitch. Grrr...
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
Allay RFID privacy concerns by letting the end user decide when it transmits
There is a concern that RFID tags embedded in credit cards may make the presence of such cards detectable by anyone with an RFID reader.
To answer that concern, we have an easy way to make RFID tagged cards normally invisible, but active when you want them to be.
Background: RFID tags are appearing everywhere. They can be embedded in plastic cards such as credit cards, ID cards, passports and other places. There are privacy concerns about these tags being read without the owner's knowledge.
Solution: "RFID Shield" lets you choose when your tags are readable.
Information about the RFID Shield is at: http://smarttools.home.att.net/rfshield.htm
Smart Tools Send comments, suggestions to: smarttools@att.net
You sign the back of the card to indicate that you agree to be bound by the terms of the credit agreement.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock