Slashdot Mirror
Would You Trust RFID-Enabled ATM Cards?
race_k2 asks: "As a regular Slashdot reader I've followed the development and implementation of RFID devices in many ubiquitous areas such as clothing, passports and even people. Given that our environment is becoming increasingly tagged, often without our knowledge or consent, and can be monitored or hacked by anyone with the proper hardware, skills and motivation, I viewed the recent arrival of two new ATM cards containing RFID chips with skepticism. While this feature may bring the increased convenience of speedy checkouts, it is not something I am completely comfortable using and decided that the safety of my personal data was more important than the ability to buy things quickly. The vulnerable nature of RFID security coupled with recent, though unrelated, reports of a Possible Security Flaw In ATMs make me seriously question whether the marriage of wireless data transfer with personal finance is a wise application of technology." So race's question basically boils down to: How safe and secure are the RFID chips that are being embedded in debit and credit cards? To add another issue on to the fire: Would you trust RFID technology on your cards?
race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.
Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"
race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.
Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"
Just wrap the card in Tin foil. You can keep the magnetic strip (assuming it still has one) uncovered so that you can still check-out the old way. That's the only non-destructive way I'm aware of for disabling an RFID chip.
Not surprised about HSBC. In fact surprising about some sense from Chase.
HSBC recently forced me to subscribe to the Verified by Visa marketing pseudosecurity garbageshiteware gimmick (the only one of cards I have that actually forced me to do so). During the subscription process I found out that the idiotic subscription interface does not maintain state with most non-mainstream browsers. In fact if you use Konqueror (or play around with your browser a bit) you can cruise through it with flying colours without it asking for verification information, passwords and the like. I was seriously tempted to go all the way and register a few cards for entertainment purposes, but end of the day decided not to.
So I tried to get the wankers which run the "HSBC Goodness Gracious Me" call center to give me a security contact and a reference to report the bugs. Guess what - they neither understood the concept of "Your credit card interface has a major security flaw", not could provide a contact. Still better then Amex though. Under similar circumstances 4 years ago when I tried to contact the Amex security dept with a similar bug they subscribed me to a mandatory 60 days of phone marketing and email marketing for good measure.
Frankly - they have no clue. Banking security at its best. Understanding is not required, BS and ISO numbers are.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
I would, but everyone seems to forget that you can have RFID and a PIN or other second form of ID. I would have no problem as long as there was an OPTION for a second method of authentication to be applied.
Sure, it would cut down on convenience, but only a little, and would more than make up for it in added safety.
-Charlie
No can do, I wouldn't trust RFID for anything that requires a password or requires any sort of security.
I'd use it for inventory management etc. like was the big hype when it first came out but I'd keep it out of ATM cards, passports... PEOPLE.
As a security expert who has done studies on RFID security, I would have to say absolutely not. I would switch banks.
Not only no but hell no.
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
No.
An RFID chip will fry in seconds in a microwave. It takes much longer than that to affect the plastic. And the magnetic stripe will not be affected at all, until the plastic starts to melt.
Putting the card in the microwave for 3-5 seconds should do the trick. The worst that can happen is you ruin your bank card, so just go to the bank and get another. They don't cost anything.
My answer would depend entirely on who pays if the remotely accessible card data is used to make transactions without my authorisation:
If I pay, then it is in my interests to worry about the security of the card, and I'll want a card that's unlikely to be used without my authorisation (a PIN I set required, mechanical action needed to start the process etc). I do not want to risk paying for fraudulent transactions, and I will do what I can to minimise that risk.
If the bank pays, then I can leave the security to the bank; if someone designs a remote reader and uses it to take $10 from every customer, that's the bank's problem, not mine. I therefore don't need to worry about the security of the card design (although I do need to keep authorisation secrets secret), as if RFID cards are as hackable as they appear, the bank will do something about it to avoid eating too large a loss.
I appear to have a blog. Odd.
Absolutely not.
:o)
Next question please.
Seriously though, the security on RFID devices have been broken time and time again so you cannot trust it. What with criminals managing to swipe cards by attaching devices to ATM machines it will be a lot easier to swipe cards if they are RFID enabled as most people are idiots and would not know how to protect their cards.
Also, if they are accepted would the banks take liability if you are scammed because of the RFID technology? The whole idea of chip and pin was not about security but about moving the responsibility of the losses from the bank to the customer, although the banks would swear blind that it was about security.
And what with most ATM machines being run by a versions of Windows anyway you could guarantee they are running as Wireless Access Points.
Seriously though, don't americans only have like $750 limits on their credit cards? And that's if you've been a good customer for ten years with the same financial institution? Unless, of course, you have one of those unlimited american express cards. I had one of those, but the fees are just insane and only half the stores take them as a result.
How we know is more important than what we know.
No more than tatooing my credit card number on my forehead.
as fun and futuristic as it may seem - RFID gives you as much protection as a condom with a wee little hole in it.
Locksmith
What use is an RFID to a bank?
--
E
My credit card company replaced my card last time with an RFID card. I'm not too worried about it though because I keep all of my cards in a metal cigarette case.
Instead of spending that money on putting RFID in, why not just release, oh, I dunno, SMART CARDS!!!
Oh, no, we're north american, we have to be different *cough* cdma *cough*, no way we can conform with the rest of the fucking world *cough* soccer *cough*...
Besides, RFID is not meant for privacy or security. It's meant to track inventory. The sooner these "experts" realize that the better. The sooner they realize that RFID readers are common place the even better.
Someday, I'll have a real sig.
My question is, what's the big benefit of using an RFID-enabled card? Is it really worth the security risk to swipe your wallet instead of your card? I'm content with how fast the money exchange already is, to be honest.
Quiz: True or False -- On a scale of 1 to 10, what is your middle name?
It looks like I am about to change Banks pretty soon, before the current HSBC one runs out...
Well lets take a current implementation..ie SpeedPass.. How many events of a speedpass stolen and used? Until we have the stats there is no use of debating ether..
Fred Grott(aka shareme) http://mobilebytes.wordpress.com
Roll up Roll up come on you lovely people.
& oe=UTF-8&scoring=pd&price1=&price2=225.00&lnk=prsu gg P ath=63&gclid=CJ7p383q_YgCFSJ4MAodJDDrAg s .htm
Buy your RFID Readers http://froogle.google.co.uk/froogle?q=RFID+reader
Buy your RFID Tag/Chips http://www.gaotek.com/index.php?main_page=index&c
Buy your blank credit sized cards http://www.smartcardsupply.com/Content/Cards/card
What was the question again "Would You Trust RFID Enabled ATM Cards" mmm let me ponder that, NOOOOO.
Personally i have little hope or no, for are open/free society, mainly after talking to friends, people on the train anyone who understands RFID, and most people that i have talked/chatted to really do believe that rfid is a good thing, when questioned about some basic fact they just do not get it but follow on blind F^^KING FAITH.
RFID good for packages and tracking your stuff you ordered, useful for the company and client.
RFID good for making people belive that if a dick fits up your arse then it is compatible and you should adopt, even if it is not comfortable or useful, no questions just sit on it and smile.
Does anyone know if there are RFID Detection scanners available? I know there are remote readers, but I was thinking more along the lines of a scanner which simply lights up an LED, beeps or something along those lines when it comes in close proximity to RFID. It seems with all the hidden tagging of clothes, shopping carts, etc. that this might be something handy to have.
I only need the Preview button when I haven't used the Preview button.
With an RFID-enabled credit card, the credit card company is the first line of defense against fraudulent usage. The customer is only secondarily responsible, and in any event does not lose any cash or interest. So, you can be certain that the security system and the implementation will be sound.
With an RFID-enabled ATM card, all of that is reversed. A fraud will cause the customer to lose his or her cash and interest... and the customer must then fight with the bank to get them back. The bank has only secondarily responsibility, and therefore only secondary incentive, to get the plan right and to maintain the implementation. It's like a config.rc file with the wrong default value: loss-paid-by = customer.
It's a given that few people in any organization (banks or otherwise) actually understand security, encryption, or the very pertinent issue of "identification versus authentication". But even if Chase or whoever has done their research, the incentives for protecting customers from atm fraud are inherently perverse.
FATMOUSE + YOU = FATMOUSE
There are certain Mobil stations that you run across where you have to punch in your zip code to be able to use Speedpass every time you use Speedpass there.
I'd suspect those are stations that were hit by Speedpass fraud.
One of these stations is off I-80 near the California/Nevada state line.
I can't wait for these new RFID chips... Because no one knows how to use them or what they mean anyway.
Note: I'm kidding.
Its one thing to present a choice between security and convenience and have a whole bunch of suckers take the easy way (aka personal responsibility, ignorance is no excuse), but its another thing when that right to choose is taken away (remember Sony DRM?).
Maybe you are still not being clear, because his point is valid. Maybe you meant 'cannot read ANY of the information remotely.' Your statement says that you don't mind if it can be read remotely, as long as some of the information is still not remote-readable.
Cannot read all = might read some. It's the contrapositive, see?
Cannot read any = can read none.
The GP was stating that if you are so uncaring about your details, you might as well post them here. It'd be just as safe as walking around the mall with your RFID card blaring for anyone with an RFID reader.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
No... he's saying that a pin in and of itself will not protect the rest of the info on your card. If every gas station, used tire store and cigarette depot can get access to the card scanners it is likely that "the bad guys" can get access to the card scanners and figure out a way to reverse engineer them into a remote reader. Entering the PIN is something that happens on the scanner, so your privacy is not ensured. At the very least the customer behind you in line could watch you enter it. What he was saying is that carrying an RFID card around is as stupid as posting all that info on a public internet forum.
(Yes, it is possible to dupe and make a fake credit card now, but RFID would simply make it easier to steal your money.
I'll never make that mistake again, reading the experts' opinions. - Feynman
"Besides, RFID is not meant for privacy or security. It's meant to track inventory."
You hit the nail, maybe. Wasn't there a plan to link up all social-security numbers, bank-accounts, tax-numbers etc. to the creditcard-numbers, so it would be possible to trace 'terrorrist' suspects?
Wouldn't it be even more convenient to place transmitters around stations and crossroads, to track the people passing by?
Ursa..
For several years now, I've been carrying my personal card collection (credit, discount, ID, etc) in an Altoids tin. It's the perfect size for such cards, and it protects them from me. Also, it has the added benefit of being quite the faraday cage. Unlike foil, which can easily tear, an Altoids tin can take *quite* the beating without any significant damage.
:)
At work, we have RFID security badges. Mine is, obviously, in my Altoids tin. I can hold the tin against the sensor as long as I want; it won't scan. I pop it open (which is really easy to do one-handed once you get used to it), and it'll read from several inches away.
They also have several designer colors: red peppermint, aqua wintergreen, tan ginger, and my personal favorite -- black liquorice.
Dear world,
While credit and debit cards may have their problems, the speed of checking out isn't one them. Come on, how much of hurry must someone be that they can't take on more 30 more minutes to press a few buttons on the keypad and sign? With every new article about RFID being release, it seem that RFID is solution to fewer and fewer problems. It will only create privacy and security issues for credit and debit cards, and I don't want the tech in mine.
Later,
-Slashdot Junky
.
Landfill Mining Co.
Managing the (Un)natural Resources of Tomorrow
Not really, no. For Debit cards, yes. But you can just use them as a "Credit" card, and all you have to do is sign your name. You can also make online purchases without a pin.
Not a Twitter sockpuppet... but I wish I was.
``Until we have the stats there is no use of debating ether..''
Not true. I don't want to use a system I know to be insecure, no matter if it has been exploited many times or never at all.
Please correct me if I got my facts wrong.
Remember basic economics (simplified), if the bank is profitable, then the customers pays for all the costs (and the profits). Therefore, even if the banks pretends to cover the costs of RFID fraud, the bank will have other charges that make up the cost of RFID fraud. Nice sounding PR announcements about limits of liability only serve to give the "not too intellectual" customer a warm fuzzy feeling! Now repeat after me: All the costs of any profitable company are paid for by the customers.
The only potential gain a customer might gain from "limits of liability" MIGHT be in not have their credit rating hurt. Unfortunately this is only a maybe, not a guarantee.
been made your problem by way of the 'identyty theft' myth. There's no such thing as identity theft. When someone gives your money or loas their money to the wrong person, thinking it's you, THEY ARE AT FAULT.
Effing brainwashed sheep have bought into the identity theft ruse hook, line, sinker, and hummer to the fisherman.
I've been researching this for one of my masters classes (I know, I'm a student, but hear me out) and I came across 2 ways of non-destructively stopping the tag. The first is simply blocking the tag with another tag, so that when the RFID reader goes to energize the tag, it gets a garbled response that even error-correcting software can't figure out. The second is to broadcast a kill-code to the tag. The kill code closes the circuit to a specified part of the chip, effectively overwriting the memory. This is the equivalent of removing the CMOS password on a motherboard, close the circuit, and when energized.... game over. The best thing to do would (yes) throw it in the microwave for 3-5 seconds [so as not to melt the plastic or the magnetic strip] and then go on using it with the RFID feature disabled. Personally, after all the research I've done on the security of RFID... I doubt the encryption is strong enough to block a dedicated reader. Hell, remember when they said WEP on 802.11b was unbreakable? I'll stick with my small-hometown bank, since they likely won't upgrade for some time.
First of all it probably isn't an RFID tag but a contactless smart card. Yes there is a meaningful distinction.
Second, do you know whether there is any security around it or not? Some implementations have no security at all, others do mutual authentication and create encrypted sessions. You are considerably more secure using the latter of these than your traditional mag stripe.
Get educated before sticking your head in the sand. Mag stripe is going to go away. Hopefully EMV will come to the US soon and put some security standards in place.
Lasers Controlled Games!
I work on security systems and I've proposed "security paranoia"
Fear isn't going to help grow technology. There are hundreds of social engineering, web based, technical equipment base, and good old scam based ways to get your info.
We can't fear new technologies...everything will have its bumps and flaws and with time they get worked out...if they are accepted by users.
Your not a whole lot more vunerable then you are now with a chip in your credit card.
Watch and work your money like a job...get proper coverage for inevitable loss and go with it!
If your really worried about being vunerable...get off the internet!!! (At least I can't get flamed by those paranoid people now)
-- Disclaimer: I can't really back up anything I post on
No! Because it is way too easy to compromise the system
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
So, How long until wallets start coming with built in shielding to discourage unauthorized RFID readout?
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
No. No, no no.
I call computer-illiteracy job security
I called chase for an rfid-less card. they said they would send one. They did not. they sent YA 'blink' card. I called again and was told that if I want one that is still a 'check card' I have to pay a fee. So basically, in order to get the same security I had before I have to *pay* for it, but for free I get a feature I don't want.
I have already written my senator.
A European guy asked me recently why American companies are using unproven RFID technology in their credit cards, when Smart Cards are not only proven, but more easily shown to be secure.
I think there are several reasons.
First, when Smart Card technology was first proposed some twenty years ago, the idea got earlier traction in Europe. One reason, if I recall correctly, was that at the time the cost of installing and using phones under many state telecom monopolies made the kind of system we use in the US less attractive.
This explains why Smart Cards were adopted in Europe and not initially the US. But why even consider new RFID technology when a proven technology already exists? I believe the answer comes from the culture of technology adoption. The RFID tag on these cards is not being used in a way that does anything fundamentally new. It's just a incremental improvement on the mag stripe. Smart Card technology would involve going to a two factor approach; familiar to ATM users, but it would change the way we process credit card transactions. So RFID is a "state of the art" technology, yet it looks like a non-disruptive drop in replacement for mag stripes on credit cards. These are both killer advantages from the CIO standpoint. Since most ATM cards are supposed to function as credit cards, they come along for the ride.
The final reason is that US companies favor RFID over Smart Cards is that they face fewer consequences from mishandling private data than EU companies. This is due to differing cultural perspectives on privacy and regulation.
The US politics is relatively more libertarian in its privacy outlook. Under US law, the government is generally restricted, but with specific exceptions to the restrictions; the private sector is generally permitted -- but with specific exceptions to the permissions. US laws only address a few of the most egregious of private sector abuses. Even then are typically drafted with extreme care to minimize business exposure to new regulation or private lawsuits, whichever seems to be the greatest threat to business.
Europeans have more of a human rights perspective, in which the right of privacy can be asserting against anyone. Consequently, EU directives do not make a fundamental and general distinction between government and private sector data privacy practices. This means that EU companies are less able to externalize the costs of sloppy data privacy practices, because they face both regulatory action and private lawsuits, because EU law imposes duties upon them which US companies do not have.
The US has a strong cultural bias against regulation and government enforced standardization. You can see this in our mobile phone systems, where we have several competing standards, each of which is arguably superior to GSM in some way, but the net result is that the overall phone system is not as good. We're seeing the same thing happen with the introduction of RFID credit cards (which is probably why ATM cards are starting to sport tags too). We're seeing a spate of non-standardized solutions, some of which may be reasonably secure, some of which rely totally upon the assumption that RFIDs cannot be read at more than a few millimeters.
As should be clear, I think that on the privacy issue at least, Europeans have it right, and we Americans have lost our way. The US attitude towards privacy is inconsistent and impractical, at least if you value privacy at all. It is our unwilligness to regulate the behavior of private industry towards individuals or to even let individual hold companies accountable makes the adoption of technologies like RFID inevitable. Private enterprise never has to worry whether the security costs outweigh the benfits, becuase they can impose the costs on the consumer.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
So, say I've got three RFID credit cards in my wallet when I go through a checkout. Is there some standard prtocol that all three cards are using to have me choose a card? Do all three cards get used?
If I still have to pull my card out of my wallet, I don't see any advantage to me.
Years ago I was tought the most important phrases to learn in any language. Two more beers. My friend is paying.
The second phrase becomes much harder to dispute if my friend has an RFID credit card.
Researchers at the RFID CUSP (ConsortiUm for Security and Privacy) published an informative report in October. They show how to build skimmers, describe relay and replay attacks, and how the transaction counter can be used to invade privacy. They show in the current generation of RFID-enabled smart cards there is no mutual authentication between the reader and the card, so it is not difficult to build or buy a reader to scan cards. Track 1, which usually contains the card holder name, is transmitted in the clear. Track 2 is transmitted in the clear, with PAN (account number) in 3 of the 4 types of cards currently being issued. The nominal read distance is 10 cm, but only if the reader complies with the IS0 14443 spec. http://prisms.cs.umass.edu/~kevinfu/papers/RFID-CC -manuscript.pdf
what matters is can they prove it's trustworthy....then there is no question...
Donald Ray Moore Jr. (mindrape)
Suspected Terrorist
What about getting the kind of equipment used to work with these RFID tags, and clear it out so it no longer has any interesting info to steal? Is that possible, or are these things read-only? You could also try to microwave it. :)
It's the only way to be sure.
I saw it on Slashdot, it must be true!
Uh... no? If the credit card companies were the ones paying for the fraud done with credit cards, there would BE next to 0 fraud.
:/
As it is, they make the -merchant- pay for it! And not only do they make us cover the price of the fraudulent transaction, but they ALSO tag an extra $25 -per fraud transaction- !! Heck, at this rate they might actually be MAKING money from fraud!!
If one customer buys 3 times with same fraudulent cc over a few days (say, for $5 items!), we pay $75 in -addition- to the cc company taking back the $15!!!!!
With the hundreds of Billions they process every day, do you really think there would be so much fraud if the cc companies were the ones really paying for it??
Possibly, but is that Speedpass fraud as in "RFID read remotely and then the Speedpass device was duplicated", or is it Speedpass fraud as in "someone dropped their Speedpass in the parking lot, and then someone else used it"?
I wouldn't be surprised if it's the latter.
Next question.
[Insert pithy quote here]
ATM card or debit card, it doesn't matter. The bottom line is they both connect to your money, not the credit card company's money. And the law protecting your money via debit/ATM cards (Electronic Funds Transfer Act) is completely different than the law protecting the credit card company's money via credit/charge cards (Fair Credit Billing Act).
Why would someone knowingly want to place more risk on their own money? I'm ok with RFID tags on credit only cards, but when it comes to ATM and debit cards, do what I have done. Take a hole puncher and punch the chip it out of the card! You can protect your money better than the govt can...
When you have two or more RFID cards in your wallet, chances are neither of them will work on any given attempt to use them unless you take the card you want to use out of your wallet....
So what's the benefit?
While I carry around a Lead Lined wallet :)
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
Commuter Annual (July-June) $552.00
I could use a backup. Just post your name, cc number, and exp date. Thanks mate!
I have a merchant account, so I tested it to see the minimum amout of info needed to complete a transaction.
Account Number
Expiration Date
Amount to charge
That's it. No PIN, no 3 digit code from the back, no name, and no address required. It's a little frightening that you don't even need a name.
Contactless smartcards comply with ISO14443. Guess what... so do RFIDs. The ATM cards that people are talking about have the same information that is on the magnetic stripe encoded onto the chip. They use the EMV format that was defined for contact cards, with a different application identifier. The data includes the information that is on tracks 1 & 2 of the card. They do not include the CCV number that is printed on the back of the card.
The ONLY difference is that instead of swiping the card, you wave it in the proximity field of the RF reader.
The security PROBLEM with contactless credit/debit cards is that the card details can be read at a distance. It's the same as if someone used one of those pocket mag swipe readers to capture exactly the SAME details.
With a credit card, there is not as much of an issue as with a debit card. Credit cardholders are protected against fraud by legislation. If you contest the charge, it is up to the merchant and/or acquirer to prove the transaction to the issuer.
With a debit card, there is a greater risk. Normally a debit card requires a PIN or signature, but you are not as well protected against fraud, and the money comes out of your account first.
A bit of actual explanation of this from Visa/MC would make it easier to at least make an informed decision, but their marketing people are DUMB.
I work with this stuff every day, and Visa/MC still can't actually work out how to make all of this work, especially offline for low value transactions like transit.
Which, of course, defeats the purpose of speedpass, which was to avoid any interaction other than pumping the gas. I'm always amused when I got to Lowes and OfficeMAx, and after I swipe my card in the user terminal, the cashier is required to enter the last four digits of the card manually into the POS terminal. Wouldn't it have been faster for me to hand the cashier the card to begin with and have him/her swipe the card on the POS terminal, since they then don't have to key the digits?
Is it just my observation, or are there way too many stupid people in the world?
Wholely crap NO!!! A question to you is, what the hell is wrong with you that you'd even need to ask this question?
There was a recent local news alert about a gang of thieves making their way across Canada. One of their scams was this:
Canada is very big on ATM debit payments. A gang member stands behind you in the cashier line-up to buy something miniscule, and watches while you pay with debit. Many Point-of-Sale machines have very poor privacy shields. They memorize your PIN number, and watch where you put the debit card afterward.
As you leave the store, another gang member does the classic "bump" pickpocket routine, or does a serious "collision and spill", and steals your card. Done well, you won't realize there's a problem until after the account is cleaned out. Smart would be to leave a hundred bucks or so, so that nothing bounces for a day or two, so you may forget where this happened.
With this new technology, they don't even have to steal your card - just be within a few feet when you pull your card out of the tin-foil. SO much easier!
RFID is meant to allow you to scan a pallet of goods - so should have a range of at least 4 to 6 feet. Anything with more than a 3-inch range sounds frightening. Direct contact would be preferrable - you should specifically have to do something active to allow payment. Anything without a "smart" challenge-response also sounds frightening - as others have mentioned, in that case you might as well post your details on the internet.
The other thing to think about. Cracks to supposedly "secure" systems (WEP? Garage door openers?) seem to rely on analysis of volume of transmissions. SO if a "Smart RFID" card needed to be cracked, perhaps someone could sit next to you on the train. During the ride into the city, his laptop could be running a continuous challenge and analyzing responses to figure out the necessary "key" for all the credit cards within 10 feet. Or, while everyone is standing around waiting for the train, he can do a 15-minute deep scan.
The scary part about "Smart" type cards is that they then make payment automatic (EZ-Pass?). You may not know or approve of every transaction. They had better be damned secure. IIRC, the Euro-cards have metal contacts and still require a physical connection, not a remote read.
I suspect that the reason EZ-pass hasn't been stolen yet is economic; what are you going to do with a fake EZ-Pass, except drive through gates where they're continuously taking pictures of you and your car? The system is not widespread enough to be publicly analyzed - no readers in small stores to be "stolen" and played with, not as easy to tap the computer lines from a reader to the central computer, etc. Compare that with a payment card system that every tiny store would have, and the incentive of easy money by the bucket-load...
My company's "wave and enter" ID cards are actually magnetic, only reach about a foot, and (so I'm told) have the added benefit of setting off some store anti-theft security monitors - as if we needed more hassles.
I'd say that no, it isn't ready yet for handling security-sensitive tasks like credit card or debit card transactions. It's happening anyways, but I don't think it's mature enough to trust our bank accounts to them.
Just for a tiny bit of reassurance, RFID tags and readers used in credit card/debit card applications (I know because I help make these readers, though I'm still new to the business) include cryptography features such as encrypted data transfer and authentication. In other words, if you don't have the correct crypto keys in the RFID tag and the RFID reader, they will refuse to speak to each other, and anyone trying to listen to the signals will get nothing but encrypted data.
That helps to ensure that random Joe Scumbag can't get himself a handheld reader, wave it a few feet from people's wallets and electronically pick pockets in the simple case. We're assuming that crypto keys are kept secure, so that only authorized card readers have the crypto keys required to authenticate themselves to the cards, and only authorized people have the keys required to encode the cards in such a way that they'll authenticate to the readers, and that the readers have secure connections to the credit card networks. Unfortunately, that's a big assumption to make.
Personally, the scenario of electronic pickpocketing does concern me. I've seen RFID tags read from 30 feet away (though you need a reader with a relatively powerful transceiver, which isn't as portable.) Handheld readers are more likely to have ranges between a few inches and a few feet, depending on the power level of the reader's signal, the type of tag, the phase of the moon, and the number of RF gremlins present. If the authentication can be circumvented, it probably will be, since there is significant money involved.
Meldroc, Waster of Electrons
The only credit card parent company that requires a CID for online purchases is American Express. Visa, MasterCard, and Discover do not enforce this policy.
Source: I work in e-Commerce for a catalog company.
Clones are people two.
I tried this with my card (almost identical, but a different bank) and you can see the chip, just use a bright bright source. http://wvp.diablops.com/index.php?option=com_conte nt&task=view&id=37&Itemid=1/
Not NO but Heck NO
Take Care
Sue
When it's time
It's time
And it may be sooner then you think
No.
It's that simple. I absolutely would not trust RFID on any debit or credit card despite any assurances I received from my bank. No matter how secure you think the encryption is there is always someone that will attempt to break it and will probably succeed.
I may be missing the point here, but it's not the card that's the problem per say. The card (whatever the technology) carries the critical information. Wouldn't the problem be solved if the card carried only an ID and then the balance of the info was in a secure location that would have to be hacked to get the goods? This would be the same level of security as any bank system (as good as or as bad as, but not worse).
JJW
Lets be clear what we are talking about here. The risk is that with special equipment someone might be able to read the same information that is printed on the card. RFID credit and debit cards have been around for awhile speedpass being an example. And while it is possible to read the information passed between the card and reader with enough effort, you probably hand your credit card to the waiter in a restaurant and don't even think about it. That person walks out of your sight and in some cases steals the information.
The solution is to watch the data and flag suspicious transaction. Most credit card companies now offer a zero liability identity theft policy.
This is a separate issue from the RFID passports raised by some of the other posters. The danger there is not really identity theft, although that's bound to happen as it does today with the paper form. The danger in a remote readable passport is that it can be used as a trigger for an explosive or to target persons of a certain nationality in a crowd. There's no reasonable defense for using RF over a contact coupling to read a passport. There's no added danger in a card that has to touch the reader to be read.
That's actually a fine solution for credit cards as well, although the risks are much less.
Disclaimer: I did write a book on RFID http://www.oreilly.com/catalog/rfid/, but other than that I don't have any vested interest in the technology.
[-- Trust the Monkey --]
RFID is getting to be like VoIP: there are a wide variety of applications which fit the acronym but are otherwise unrelated, and people lump them together. These bank cards and inventory tags in clothing have about as much similarity to each other as they have to 802.11. They use radio waves, and they use identification.
A well-designed smart bank card will use SASL to prove its identity to the bank without revealing information that would allow anybody else to use the identity. So it doesn't matter if people can snoop the transmission; they don't find out anything that they can use anyway. And it would use some mechanism (probably a capacitive contact sensor) to detect that somebody's touching it, and only authenticate then.
A particularly well-designed smart bank card would have a touch-sensor keypad, such that you type your PIN into the card to get it to authenticate you to the bank, and the ATM doesn't even find out the PIN. This wouldn't work with magnetic cards, because the card can't interact with both the user and the ATM at the same time, so RFID is needed for improved security of that sort.
Of course, the dumb, buzzword-compliant way to have RFID bank cards would be to just have them broadcast your card number to anyone who happens to ask. But that doesn't actually offer any advantage over magnetic stripes, aside from using a term that most people don't recognize, and those who do find scary. Of course, they could offer the advantage of not having to get out the card when you use it. But since you might have two different cards, you need to somehow tell the one you're not using to stop responding, or tell the one you are using to transmit. So you're holding the thing, and you might as well make physical contact between the card and the machine at that point, since you'll have to touch the machine yourself to type the PIN.
I wrote a short paper concerning RFID technology about a year ago, it mostly concerned the hardware and systems architecture. There was no shortage of reports and studies of RFID keys being cracked like the mobile speedpass http://www.jhu.edu/news_info/news/home05/jan05/rfi d.html.
1 0-05.shtml. Some of these passive rfid tags have no access control whatsoever. Meaning one take a small RFID programmer into their favorite store and start changing prices, or worse, write a virus to the RFID tag so the next time it's polled it'll get injected into their SQL DB. Possibly compromising their entire POS system. Ironically, this sort of stunt if done well enough could result in a jackpot of creditcard numbers so it wouldn't matter if you used an RFID enabled card or not at that point :).
d _security_a.html3 9/2/129/a sp?ArtNum=20s _articles/RFID/Link_budgets.html
6 0208D-9ECF-4F0B-B964-4DD779BFF905
i ty/story/0,10801,100459p2,00.html
http://www.ti.com/rfid/shtml/news-releases-rel02-
Some random RFID links.
http://www.schneier.com/blog/archives/2005/03/rfi
http://www.rfidgazette.org/2004/06/rfid_101.html
http://www.rfidjournal.com/article/articleview/13
http://www.technovelgy.com/ct/Technology-Article.
http://www.enigmatic-consulting.com/Communication
A nice article on RFID virus attack
http://www.cbronline.com/article_news.asp?guid=B9
http://www.computerworld.com/securitytopics/secur
From which comes a nice quote, this is from 2005.
"The TI technology is vulnerable to attack because it uses a decade-old, 40-bit cryptographic key to encrypt communications between the RFID DST tags and readers, the researchers found. TI also used an unknown and proprietary encryption algorithm on its DST devices. But Rubin's team reverse-engineered the secret algorithm by observing how DST tags responded to specially crafted challenges. Once they guessed the algorithm, researchers created a software program that could be used in so-called brute-force attacks on DST devices to recover the secret cryptographic keys, Rubin said."
The site, http://rfidanalysis.org/ that hosted these findings no longer exists but you could probably find it cached on the net somewhere, wayback machine maybe.
Remember that RFID represents a system and not one piece of technology. The implementation of the system is dependent on the deployment plan. I could make an "RFID system" with 2 933Mhz radios and a pair of 8-bit microcontrollers from digikey for around $150. Sure, you could pull my data out of the air, but technically speaking I'm using RFID. I could also build my own RFID key system with 2048-bit encryption to act as the keys to my car. It's not that difficult to develop, really just assembling existing technologies. RFID can be done "right" and it is a promising technology. I wouldn't shun it for alot of commercial applications but for personal applications, well ask yourself the question. Is this thing a necessary part of your life?
Peter
www.alphalinux.org
Yes! Bring it on, baby. What with all these old ladies doing pilates and such, it's getting too dangerous to snatch purses anymore.
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
A common garage door opener has more security than these RFID ATM cards. At LEAST a garage door opener has a table of codes that gets rotated through, it could take literally thousands of uses before the same code shows up twice. Yet what does an RFID ATM have to protect from cloning? Sad.
Cwm, fjord-bank glyphs vext quiz
Why can't people be satisfied with a very good system. It's not like a new faster checkout method gives anyone a competitive advantage for very long, because everyone will adapt the same technology pretty quickly. Why can't they get it through their heads that a contactless data transfer with no external control (PIN) is just flat out not going to be as secure?
Keep passing the open windows...
You know, like on everything else?
If you aren't pressing the button/leaving the circuit open, zapping the RFID device does nothing.
If you are pressing the button/closing teh circuit, the RFIC device will read?
Why the FSCK am i the only person alive that seems to see RFID as not a problem if you put a power button on it?
guns kill people like spoons make Rosie O'Donnell fat.
I just got a new RFID enabled credit card from Chase, and I asked if they still had a non-rfid enabled card. They were extremely nice and said I would have it in a few days.
I pop it open (which is really easy to do one-handed once you get used to it)
One-handed manipulation of electronic devices shouldn't pose much of a problem to the majority of the /. readers...
I have a US bank issued, not an AMEX credit card (I lived worked in the US on a TN visa for four years) with a US$10,000 limit and a Canadian one with a limit of over $11,000. I don't earn anywhere near the salary I'd need to support something like this but the banks simply keep upping the limit as I keep being a good customer over th years. Where'd you get the $750 figure?
Well given the comment by brunes69 that ATM cards are easily replaced for free I went ahead and nuked my HSBC debit card with 'pay pass'. The results were interesting and the odor acrid. Card was microwaved on high setting for 3 seconds. First it should be noted that microwaving a debit/credit/ATM card will have a similar effect on the hologram as it would a CD or DVD disc. Unfortunately I had placed the card face down so I didn't get to see the light show. On the other hand, the burn through from the metallic components in the card was also directed face down so that may have saved the magnetic strip from damage. The chip itself, located just above the 2nd number on the left side of the card made a nice big spark and melted some of the plastic on the front. Curiosity, and the desire to have a smooth flat surface, prompted me to remove the burnt chip as well as the 1 cm^2 or so of plastic covering it. Other cards may locate their chip in a different area. It was easy to find the chip by examining the back of the card in reflected light by the presence of a dimple or indent on the back of the card. The most surprising, though in hindsight obvious, part of this experiment was the fact that the antenna connected to the RFID chip is routed around the entire perimeter of the card, including a region above the entire length of the magnetic strip. Thus, it was fortunate that the metal burned through the face of the card rather than the reverse. There is a fair amount of burnt carbon residue on the short side edges as well as melted line around the perimeter where the antenna had once been. Nonetheless, the card worded just fine at the local branch's ATM machine as well as the counter-top swipe reader that the supermarket.
So as long as the RFID tag isn't under the magnetic strip or another vital part of the card I could just cut it out. Of course looking at it now it seems to be right under the magnetic strip.
Being a former Chase employee who worked with such projects in the operations dept, I'd stay far away from anything they do. While I worked there, all these type of products are Time-to-market products and are rushed through with security mostly ignored. Mainly because their product marketing group sells the idea to the industry and says publicly, "we'll have technology x in 3 months." This is said without having any contact with the architects and technology groups.
:) ) like and is done in a patch release format.. or they'll get around to it later. The Audit/Security group for Chase has no power and authority to stop them (and mostly they are clueless any of these projects are going on). I knew a Project Manager who was scolded for having the Audit/Security team involved on one of these time-to-market projects.
Security is seen as a after thought and is more Microsoft (I should get karma points for that if I had an account
so I have closed all accounts related to Chase needless to say...
Aside from the security issue, I don't think most people would care if their ATM card was RFID vs swipe.
It doesn't save anyone any time, really. At an ATM, I've got my wallet open anyway, to put the cash in. In the grocery checkout, I've got plenty of time to reach briefly into my pocket or purse, while waiting for the checker.
It's a solution in search of a problem.
Right now, I'm in the Netherlands where they have Maestro debit cards that are embedded with a chip, (they call it ChipKnip) that you can load up to 500 euros with to pay quickly (although I usually never load that much on it for security reasons). I love this because it is accepted more places than credit (including, but not limited to: coffee, soda and snack machines, pay-for-parking, and even buses!) and is easy to add money to as ChipKnip refilling machines are always right next to ATMs. I actually wish they would have the chip in the US where I'll be going back to in a few weeks as this chip system is a wonderful idea IMHO.
Here's one scenario. You get an RFID enabled credit card. It's probably not encrypted. Even if it is, it doesn't matter, because the encrypted data never changes. You walk into a store, an RFID reader mounted on the door reads your card. From then on, they know how often you enter the store, how long you stay and if the items you buy are tagged, they know what you buy, and even who you are if you make a purchase because they can compare the data they read off your card when you walked in with the data off your card when you made the purchase. You make a purchase but the clerk doesn't scan one of your items, you walk out of the store with something you didn't pay for, but they know who you are, and your credit card company knows where you live. The police show up the next day.
Here's another scenario. You're at a coffee shop. Some crazy creep with an RFID reader reads your card from a few seats away. He installs an RFID reader somewhere in the store and checks on the data every day. He knows how often you come into that coffee shop. He installs more RFID readers in places you might frequent. He knows your every move.
Read my short stories - You won't regret it.
I went into a store the other day and was told that you either had to pay with check or cash. They did not accept credit cards anymore, because of repeated problems with fraudulent use.
I wouldn't be suprised if I didn't start seeing more of this.
I would rather go someplace where I could get something for a cheaper price than have to pay more because the store accepted credit cards.
He who said 1,000,000 monkeys on 1,000,000 typewriters would eventually type the great novel, never saw an AOL chat room
You're quite right. I've been through a PCI audit - the requirements are both unreasonable, non-helpful, wildly unclear, and leave gaping holes in security if you comply with all of it. The requirements document sounds like a college intern went through an event log and came up with requirements based on single vectors from prior events.
But, all that aside, the real problem is that merchants need to store credit card numbers. This is entirely bogus.
As a real simple first blush at a solution, you take the credit card data from the customer, send it straight to visa, signed with your key, and get back a value that you store and then authorize against. It's tied to your key so only you can use it, and it probably expires soon. It probably also allows you to do credits for a longer period of time than you can do debits to handle returns. And you never write the credit card number to disk.
A Web 2.0 thing would probably have the client retrieving the key straight from Visa with a request signed by the merchant so the merchant doesn't see the credit card data ever.
But, like you said, they have no incentive to make this kind of thing happen.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
If you could print your credit card information in X-ray ink, bold face, on the back of your jacket, such that only people with special x-ray spec could read them, would you? We don't do that now, why would we suddenly want to change?
Of course "we use encryption". So the info on your jacket is encrypted. But we didn't use encryption before, even though we should have been (depending on how good it was).
By using RFID, companies are trying to trade off the very intuitive insecurities of radio broadcasting with the not-so-intuitive insecurities of unencrypted mag stripes.
The real reason this change is being made would seem to be that much easier to strand customers in ignorance and pull the wool over their eyes when it comes time to actually investigate and point the finger at whose fault particular fraud cases are. Neither customers nor merchants can tell whose in their parking lot snarfing and cracking transmissions - but they can sure as hell tell you who's had access to their card.
Depends on the bank. Some actually demand a matching name and delivery address. (e.g. MBNA and American Express). I've had merchants have to contact me because AmEx denied a transaction because they didn't recognize the address.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
NO.
T.F. Hat
Most of the Visa/MC credit contactless cards do not encrypt the data. The main reason is that it's a) impossible to distribute hardware SAMs to all of the readers that could contain keys for all of the possible different card issuers, and b) the assumption is/was that the data is the same as what is on the mag stripe, so why encrypt it?
The actual comms between card and reader are encrypted for any writes to the card, but the majority of these transactions do not write to the card, just read the public read-only areas.
The details of how this works are publicly available here.
Shouldnt even trust the ATM.. Aside from adding RFID, your spending habits ( at least the $ ) and general location of your travels are too easily tracked.
Cash only.
---- Booth was a patriot ----
Their was a post a couple of weeks ago on Bruce Schneier's blog about getting data off a "secure" RFID credit card:m ming_rfid_c.html
http://www.schneier.com/blog/archives/2006/11/ski
and you're both right and wrong.
You're wrong in because smart cards -- including contactless smart cards -- *are* perfectly capable of doing this sort of thing securely. We have the technology, we know how to do it and make it very tight.
You're right because although these banks are issuing smart cards (ISO 14443, T=CL), and they could make the system secure, they've chosen not to do it. In fact, most of them are using stripped down microprocessors that don't have the crypto coprocessors needed to make it secure.
On a credit card, I don't really care all that much, because the worst case for me is inconvenience -- my liability for any fraud is limited to $50 by law and $0 by the policy of any credit card I'd have. Debit cards are scarier, unless the issuer also agrees to take on all of the liability not only for the fraud, but also for any incidental results of the fraud -- late fees and damage to my credit rating caused by bounced checks, etc.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
With all their features and programmatic convenience they offered, I figured that this would be something that could be a real selling point for them, (and a convenience for me.)
While the guy I spoke with (programming support guy) thought it would be a useful feature, I was told that it just wasn't something that was really in demand, and they didn't have any plans for something like this.
(!)
(Well, if someone offered it, I can't see why it wouldn't be in demand, and a gateway processor would be able to offer this as a feature whether visa/mc/amex/dc/... did or not. As long as you *could* get the data back with human intervention, ie, no vendor lock-in, it would be a definite win for customers with any sense of security issues.)
So I was amazed that this wasn't something that had been out there from day one and amazed that folks weren't simply clamoring for left and right. I'm even more amazed that this service is *still* as far as I know, not offered by any gateway provider. (I would have bet money that it would be a standard feature by now.)
And the worst part is that all the while visa has continued their poorly thought-out campaign of requirements that if followed to the letter effectively forces merchants to open security holes in their systems.
Where I live, a disturbing number of ATM machines now bear the Diebold logo. They used to say IBM. Now, I dont belive that IBM are some godlike power of flowing goodness, but damnit, IBM have some semblance of professional attitude. What im trying to say is, I don't bloody trust the ATM system at all right now. Especially with muppets like Diebold in the mix.
I like your idea of handling this as a competitive advantage of the payment gateway.
;)
I was told that it just wasn't something that was really in demand, and they didn't have any plans for something like this.
The single merchant I was working with would be in for a $400,000 bill to be compliant with PCI, according to the letter of the 'law'. With the Web 2.0 version of this, the merchant never handles any credit card information, and thus doesn't need to comply with PCI.
I bet they didn't put it to their customers like that!
Mark, it sounds like you and I should get into the payment gateway business.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
That's *quite* the post!