Slashdot Mirror


Privacy Pitfalls in No-Swipe Credit Cards

Nrbelex writes to mention a New York Times article about the privacy pitfalls of 'no-swipe' credit cards. Despite assurances from the card companies, researchers Tom Heydt-Benjamin and Kevin Fu were able to easily retrieve data from the new cards ... data available without encryption and in plain text. From the article: "They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. 'Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?' Mr. Heydt-Benjamin, a graduate student, asked."

25 of 261 comments

  1. Hah. Screw it. by Concern · Score: 4, Insightful

    Let them do this. I think it's time these idiots suffered a really big catastrophe; it'd probably be the most (only?) effective way to really set the tone re. RFID.

    Meantime, don't carry these cards yourselves, and avoid banks that use them...

    --
    Tired of Political Trolls? Opt Out!
    1. Re:Hah. Screw it. by denebian+devil · Score: 3, Insightful

      Which assumes that if there were a huge privacy breach caused by the sort of device talked about in the article, it would be widely known how the breach occurred. It's possible that the only thing people--and even experts--would know is that somehow a massive number of credit card numbers were compromised. But considering there are so many other, low-tech ways of getting people's CC numbers, unless there were hard evidence that the method was the swipeless reading method, Occam's razor would dictate that a simpler method of breach would be the most likely culprit.

    2. Re:Hah. Screw it. by ac7xc · Score: 5, Insightful

      When there is credit card fraud the merchants get stuck with the bill and you end up paying higher prices.

    3. Re:Hah. Screw it. by rainman_bc · Score: 2, Insightful

      > When there is credit card fraud the merchants get stuck with the bill and you end up paying higher prices.

      Isn't it still up to the merchant to verify the signature?

      As long as that safeguard exists, tough shit for the merchants if they don't check that signature.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    4. Re:Hah. Screw it. by AuMatar · Score: 3, Insightful

      First off- what about the thousands of merchants who don't use signatures? Internet merchants, phone merchants, gas stations, etc.

      Secondly- most people never actually sign the damn things. I know I don't. And no, that doesn't mean they need to ask for id- I get asked for id once every 20 or 30 face to face transactions.

      Thirdly- you think cashiers actually know how to check a signature? You think the average mom and pop store owners do? Of course not. People who do this for courts get paid big bucks.

      Fourth- handwriting matching is a questionable security method. People's handwriting differs; you'd be hard pressed to look at any 2 copies of mine and say they're by the same man. Question 2 experts on whether a pair of signatures match and you'll frequently get different answers. Thinking of handwriting analysis as anything approaching accurate is laughable.

      --
      I still have more fans than freaks. WTF is wrong with you people?
  2. Pickpocketing at a new level by Anonymous Coward · Score: 5, Insightful

    In the old days, you used to actually have to stick your hand into someone's pocket or purse.

    In the new days, you apparently only have to sit next to them on the bus.

  3. Dumber than not signing by SirMrStatic · Score: 3, Insightful

    I thought they could not get even dumber than not having people sign their credit card slips, or having the user swipe it themselves and sign so the cashier does not even look at them. Let whoever chooses this "easier" way crash and burn.

    1. Re:Dumber than not signing by spectral · Score: 5, Insightful

      Encryption isn't magic. All you've done is substitute one set of unique information for another set of unique information; the fact that the information means nothing to you doesn't change it. If I read "CastrTroy, 1234-5678-9012-3456, 12/09" from a credit card, stuck ", $1000" on the end and sent it to the credit card company, that's no different than being able to read "oinasdfomasdfpmweasdfhqervsad, $1000". The credit card company still associates that random crap with you. It's always the same, so it means nothing.

      There are ways around this, but maintaining the physical security of the card is one of the better ways. Not being able to shoot your wallet with radiation and get money back seems like a good first step... having the data only available after physically plugging/sliding the card into a reader AND being encrypted while still on the card (smart chip) using a public key granted to the store (so the store would be able to reproduce the data, but you wouldn't have any real information available to you to use in a different place, so all the stolen transactions are quite quickly tracked back) would be a good first start.

      There are probably flaws in that plan that I'm unaware of... though the fact that my credit card has one of these chips and I didn't ask for it and have no idea how to turn it off is one of the flaws, I'm suspecting. :P
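      The replay problem spectral describes (a static number is just a reusable token whether or not it is scrambled) and the kind of per-transaction protection a chip can add, as an added example that is not part of the original thread or any card scheme's code. It swaps in a simpler technique than the store-specific public key the comment proposes: the chip keeps a secret key and a counter and computes an HMAC over counter, amount and a terminal nonce, and the issuer rejects any cryptogram whose counter it has already seen. The sample PAN, expiry, key and nonces are constructed values, and the class and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample values (not a real account or key); the PAN/expiry mirror
# the commenter's "name, number, expiry" example of static, skimmable data.
STATIC_CARD = {"name": "CastrTroy", "pan": "1234567890123456", "exp": "12/09"}
CARD_KEY = b"constructed-demo-key-not-a-real-secret"  # known to chip and issuer only


class StaticIssuer:
    """Issuer that authorises on static card data alone (the replayable model)."""

    def __init__(self, cards):
        self.cards = cards  # pan -> expiry

    def authorize(self, message):
        # Nothing in the message changes per transaction, so a copy captured
        # once is accepted again and again, with whatever amount is attached.
        return self.cards.get(message["pan"]) == message["exp"]


def static_message(card, amount):
    """What a reader obtains from a static card, with the purchase amount appended."""
    return {"pan": card["pan"], "exp": card["exp"], "amount": amount}


def _payload(pan, atc, amount, nonce):
    return f"{pan}|{atc}|{amount}|{nonce}".encode()


class ChipCard:
    """Simulated chip: a per-card secret and a transaction counter that only increases."""

    def __init__(self, pan, key):
        self.pan = pan
        self.key = key
        self.atc = 0  # application transaction counter

    def sign_transaction(self, amount, terminal_nonce):
        # The cryptogram binds the amount and a fresh terminal nonce to a counter
        # value the card will never use again.
        self.atc += 1
        mac = hmac.new(self.key, _payload(self.pan, self.atc, amount, terminal_nonce),
                       hashlib.sha256).hexdigest()
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "nonce": terminal_nonce, "mac": mac}


class ChipIssuer:
    """Issuer that verifies the cryptogram and enforces a strictly increasing counter."""

    def __init__(self, keys):
        self.keys = keys      # pan -> secret key
        self.last_atc = {}    # pan -> highest counter accepted so far

    def authorize(self, message):
        key = self.keys.get(message["pan"])
        if key is None:
            return False
        expected = hmac.new(key, _payload(message["pan"], message["atc"],
                                          message["amount"], message["nonce"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["mac"]):
            return False  # amount or nonce altered, or sender lacks the card key
        if message["atc"] <= self.last_atc.get(message["pan"], 0):
            return False  # cryptogram already used: replay
        self.last_atc[message["pan"]] = message["atc"]
        return True


def demo():
    """Run both models on the same captured traffic and report what each accepted."""
    results = {}

    static_issuer = StaticIssuer({STATIC_CARD["pan"]: STATIC_CARD["exp"]})
    captured = static_message(STATIC_CARD, 1000)
    results["static_first"] = static_issuer.authorize(captured)
    # The same captured data resubmitted with a different amount is still accepted.
    results["static_replay_new_amount"] = static_issuer.authorize(dict(captured, amount=5000))

    card = ChipCard(STATIC_CARD["pan"], CARD_KEY)
    chip_issuer = ChipIssuer({STATIC_CARD["pan"]: CARD_KEY})
    genuine = card.sign_transaction(1000, terminal_nonce="a1b2c3")
    results["chip_first"] = chip_issuer.authorize(genuine)
    results["chip_replay"] = chip_issuer.authorize(genuine)  # same cryptogram resubmitted
    results["chip_tampered"] = chip_issuer.authorize(dict(genuine, amount=5000))
    results["chip_next_genuine"] = chip_issuer.authorize(
        card.sign_transaction(250, terminal_nonce="d4e5f6"))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:25s} {'ACCEPTED' if accepted else 'REJECTED'}")
```

      The point of the comparison is the counter check: scrambling the static data would not change the static issuer's behaviour at all, whereas the chip issuer rejects both the resubmitted cryptogram and the altered amount while still accepting the card's next genuine transaction.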

  4. When did this happen by Zadaz · Score: 4, Insightful

    When did we get too lazy to swipe credit cards?

    If you're too lazy to have any security, you won't have any.

    1. Re:When did this happen by budgenator · Score: 3, Insightful

      It's a matter of cost/benefit ratios. When was the last time you went to a retailer and swiped the CC in the reader and nothing, clerk says something stupid like, "wrap the card in paper and try again", nothing, "hold it the other way and try again"? The problem is they've got a bad card reader; it's probably worn out after 6 months and needs replacing, and it's expensive, and it's not on corporate's budget for 6 more months. The bottom line is the retail corporation has judged the costs of using RFID credit cards and the increased charge-backs to be less than the costs of keeping the card-swipe readers working. The credit card companies are judging the cost of doing encryption processing to be more than the marginal savings from using ineffective security.

      The only way this will change is if the states figure out some way to keep them from deducting the sales tax back off the books for charge-backs; punish them for bad security.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  5. Re:Why are we upgrading again? by aadvancedGIR · Score: 4, Insightful

    I mostly agree with your point of view, but I would like to react on the magnetic strip:
    - Yes, it is better than the good old carbon, but it is still easy to copy in a couple of seconds with 50 bucks of equipment. The PIN-protected chip is the only relatively safe part of the card.
    - As long as you can still buy stuff on the net or by phone with only the card number and validity date, the thief only needs a good visual memory or a camera to steal that from you when you are removing your card from your tinfoil wallet to pay for your groceries.

  6. Re:Why are we upgrading again? by Aladrin · Score: 3, Insightful

    Actually, part of the problem with these is that you DON'T need to take it out of your wallet. They can easily be read while it's still in your pocket, even.

    And yeah, that five seconds is the world to some people, apparently, never mind that you could combine that five seconds with the 5 minutes you stand there and watch them scan the items in the first place.

    The first time I saw an RFID credit card thingy, I nearly screamed out loud. Outrage mixed with panic, all at once. So amazingly stupid. I obviously won't be asking my bank for one. Those tinfoil wallets are looking better every day.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  7. Accountability? by 192939495969798999 · Score: 2, Insightful

    Aren't the credit card companies liable in the case that someone war-drives your credit card info? I mean, if it's not encrypted and it's effectively broadcasting the number, could there really be a bigger security risk? Maybe we should all just get stainless steel wallets.

    --
    stuff |
  8. Re:If you are innocent by Opportunist · Score: 4, Insightful

    Not yet. But it sounds more and more tempting.

    Seriously. When the law turns against you, it's time to turn against the law.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Re:You mean... by finkployd · Score: 4, Insightful

    You honestly think a minimum wage counter jockey at the 7/11 is going to perform a proper signature analysis on your credit card slip? Why would they check your signature? They are in no position to validate it against the one on the card anyway. The only reason you sign it is so that there is a record in case you contest the charge later. It gives the CC company a way to try to prove you DID buy something.

    Finkployd

  10. Re:How they think about fraud by maxume · Score: 2, Insightful

    This is why there need to be laws making the credit card companies more liable for fraud. As long as it is profitable not to worry about it, they won't. I was also under the impression that they just charge contested transactions back to the merchant.

    The big problem is that somebody who has the misfortune of having a credit card company issue a card in their name/identity to someone who is not them still has to clean up the mess -- in a sane world, the company that issued the fraudulent card would at least have to help in the clean up. It's not identity theft, it's sloppy, crappy security.

    --
    Nerd rage is the funniest rage.
  11. Re:Why are we upgrading again? by ajs318 · Score: 3, Insightful

    The PIN protected chip is tantamount to useless, since no signature is required. It takes about an hour to learn to forge a signature convincingly. But a person can be persuaded to disclose a four-digit number in a matter of seconds, with suitable application of blade to throat. If there are two of you, one can hold the victim while the other carries out a transaction in a nearby store to verify that the PIN worked. Alternatively, you can obtain a PIN non-intrusively by watching a person entering it on a keypad -- they are still unlikely to twig that anyone else knows their PIN. (For obvious reasons, this is easiest in the Summer months.) Then you can lift their card subtly. You might even be able to replace the card before they suspect a thing.

    From the point of view of the banks, chip and PIN is excellent because it eliminates a human decision (is that signature correct?). If money went out of your account, it must have been because somebody used your PIN -- but as far as the bank are concerned, only you know your PIN, so it must have been you.

    --
    Je fume. Tu fumes. Nous fûmes!
  12. Re:You mean... by magicchex · Score: 4, Insightful

    I've only ever had to use a PIN in a debit card transaction and never in a credit card transaction. Why? Because when they ask for your PIN, it's being processed as an ATM transaction, and I assume you don't want to pay for your groceries or gas with a cash advance at 25% APR. The reason they try to get you to use your PIN when paying with debit is that it's significantly cheaper for the vendor to accept PIN debit than signed credit. On the other hand, you will most likely get charged by your bank for using "another bank's" ATM. They're pushing the cost of accepting plastic onto you.

    --
    How many fulltime jobs can one man have?
  13. Re:Why are we upgrading again? by badfish99 · Score: 3, Insightful

    As far as the banks are concerned, a PIN chip completely eliminates fraud. If you've lost money from your account, it must be your fault (i.e. someone must have discovered your PIN). It's protection for the bank, NOT for the card holder.

  14. Why we're moving to non-swipe cards by mgkimsal2 · Score: 5, Insightful

    I probably sound like a paranoid nut, but banks are pushing this 'touchless' card technology because we buy more when we use it. By 'we' I mean consumers. And we buy more when using plastic than when using cash. In this USAToday article - http://www.usatoday.com/money/perfi/credit/2006-10-09-credit-cards-usat_x.htm - a great quote sums it up:

    > Merchants, too, benefit from faster no-signature transactions, credit card companies say, because the stores can serve more customers -- resulting in higher overall sales. And "people will spend more if they come in with a card vs. cash," says Gareth Forsey of MasterCard Worldwide (MA).

    "People will spend more".

    So, if people already spend more by putting a card in a reader, it stands to reason that they'll spend even more when they don't even have to get the card out of the wallet - just wave it around in front of the reader. The speedpass technology is pretty much doing this already, and McDonald's adopted it a few years back. Obviously it was a pretty big expense for them to put the machines in, refit their networks to accommodate it, etc. Why would they do it unless it meant people were buying more? In fact, Visa's own website (http://merchants.visa.com/solutions/qsr.jsp) states that

    > A recent Visa study of 100,000 QSR transactions showed that customers using payment cards spent an average of 30 percent more than those who paid with cash. Other industry studies suggest that the average spread may be even higher.

    So for everyone saying "when did we get so lazy?" and similar notions, it's not that we're lazy. We simply spend more the less psychologically painful it is to do so. If I lay down 5 $20s to do my grocery shopping, it's more painful than swiping a card, because it's not as real at that moment. When I view my statement later, yes, it all tallies up, but there's no difference between using plastic for groceries, clothes, the movies, or anything else, even if all the prices are wildly different.

  15. This was done years ago and hacked way back! by genegeek · Score: 3, Insightful

    For years I had a Mobil speedpass. I found it incredibly convenient. Take out the keys, pass them near the pump, and go. For those rushed commutes when I wanted to get back to the road and back to my audiobook, getting out of the gas station was a priority and I thought it was great. And even when it was clear the system was hackable (http://www.marketingshift.com/2005/1/exxon-mobile-speedpass-hack-via-rfid.cfm) I still used it. WTF? You get cheated, you call the credit card company and take care of it. How many websites already have my credit card information? How many bills do I pay online? There is a huge amount of trust that I put in these institutions. But I've decided that my time and convenience in the long run are more important than worrying about a few hundred dollars.

  16. Credit Card companies don't care about security by zerofoo · Score: 2, Insightful

    Really - if they did, don't you think they would at least REQUIRE A PIN? This is something that can easily be turned on with the flip of a switch - hell the infrastructure is already in place for ATM and Debit Card transactions.

    If they can't be bothered with PIN numbers, why would they be bothered with encryption and authentication?

    -ted

  17. Re:Why are we upgrading again? by Feyr · Score: 4, Insightful

    Signatures are next to useless; they don't actually check that it matches one that they have on file, only that it's there.

    I'd know, my signature is always different and no one ever called me about it, removed a charge, or made any kind of inquiry about it. Not on credit cards, not on checks, not even on loan applications.

    It's a social convention based on honor that was extended further than it was ever meant to go.

  18. Re:Geeks Rejoice! by mikesmind · Score: 3, Insightful

    I would send it back to the bank and say, "No thanks!" I would demand a traditional credit card and if I couldn't get it, I would go somewhere else. If a person is against this technology, and the potential for abuse, they need to make their opinion known. Vote with your wallet and your actions. Believe me, if there is a customer revolt, these corporations will change direction.

    --
    www.mikesmind.com - www.daddyworkathome.com - www.freetofarm.org - www.tenfoottable.com
  19. Re:Pickpocketing at the same old level by superflippy · Score: 4, Insightful

    I'm far more worried about the minimum wage employee handling my credit card info or someone digging through improperly discarded credit card receipts than I am of a technophile taking the time and effort to build a mobile card reader.

    While I agree that the first scenario is more likely than the second, OTBE, I'm always more wary of the smarter thief.

    --
    Your fantasies contain the seeds of important concepts.