Would You Trust RFID-Enabled ATM Cards?

race_k2 asks: "As a regular Slashdot reader I've followed the development and implementation of RFID devices in many ubiquitous areas such as clothing, passports and even people. Given that our environment is becoming increasingly tagged, often without our knowledge or consent, and can be monitored or hacked by anyone with the proper hardware, skills and motivation, I viewed the recent arrival of two new ATM cards containing RFID chips with skepticism. While this feature may bring the increased convenience of speedy checkouts, it is not something I am completely comfortable using and decided that the safety of my personal data was more important than the ability to buy things quickly. The vulnerable nature of RFID security coupled with recent, though unrelated, reports of a Possible Security Flaw In ATMs make me seriously question whether the marriage of wireless data transfer with personal finance is a wise application of technology." So race's question basically boils down to: How safe and secure are the RFID chips that are being embedded in debit and credit cards? To add another issue on to the fire: Would you trust RFID technology on your cards?

race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.

Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"

Re:Yes but.....

[tttonyyy]

I would, but everyone seems to forget that you can have RFID and a PIN or other second form of ID. I would have no problem as long as there was an OPTION for a second method of authentication to be applied.

Sure, it would cut down on convenience, but only a little, and would more than make up for it in added safety.

-Charlie Tell you what, why not post your card details here (including the three digits on the reverse), but NOT THE PIN, and we'll see how many of us can buy something with it.

Willing to stand by your statement? Are you sure you still don't have a problem with other people having access to your card data?

Nuke it

[brunes69]

An RFID chip will fry in seconds in a microwave. It takes much longer than that to affect the plastic. And the magnetic stripe will not be affected at all, until the plastic starts to melt.

Putting the card in the microwave for 3-5 seconds should do the trick. The worst that can happen is you ruin your bank card, so just go to the bank and get another. They don't cost anything.

Re:Not suprised about HSBC

[Bazman]

Talk to a financial journalist. Not only will they have contacts at the bank, but the bank will fear them more than they fear you...

Re:Liability for unauthorised transactions?

[bhima]

Do you honestly think that banks don't pass every single expense they incur along to the customer?

No matter who pays at first, in the end we all pay more because of shitty security.

why should they care abotu security, it's...

been made your problem by way of the 'identyty theft' myth. There's no such thing as identity theft. When someone gives your money or loas their money to the wrong person, thinking it's you, THEY ARE AT FAULT.

Effing brainwashed sheep have bought into the identity theft ruse hook, line, sinker, and hummer to the fisherman.

Re:why should they care abotu security, it's...

[multisync]

When someone gives your money or loas their money to the wrong person, thinking it's you, THEY ARE AT FAULT.

They may be at fault, but you are the one who is screwed.

Re: Check the incentive

[Erick+Lionheart]

Uh... no? If the credit card companies were the ones paying for the fraud done with credit cards, there would BE next to 0 fraud.

As it is, they make the -merchant- pay for it! And not only do they make us cover the price of the fraudulent transaction, but they ALSO tag an extra $25 -per fraud transaction- !! Heck, at this rate they might actually be MAKING money from fraud!!

If one customer buys 3 times with same fraudulent cc over a few days (say, for $5 items!), we pay $75 in -addition- to the cc company taking back the $15!!!!!

With the hundreds of Billions they process every day, do you really think there would be so much fraud if the cc companies were the ones really paying for it?? :/

Re:Disable the RFID

[race_k2]

Ha, and a tinfoil hat for me to wear in the checkout line as an accessory. I seriously doubt that wrapping a card in foil is a 'practical', not to mention durable, day to day solution to this issue. I can imagine the skeptical look of cashiers everywhere when they see my foil wrapped card. I wonder how long it would take before someone was accused of possible identity theft or similar mis-deeds using this method

Re:Absolutely not

[jambarama]

Would You Trust RFID-Enabled ATM Cards?

Sure why the heck not? We've got rfid passports and government IDs, rfid in our cars (toll passes), and rfid boarding passes just on the horizon. I mean, we've even got rfid in our TIRES making is possible to TRACK OUR CARS!!

Would /. trust rfid atm cards? No. Will the general public? If it is either pushed on them (see the rfid tires) or if it adds some kind of convenience (see the toll passes) you bet they'll trust it and they'll love it.

I don't think this is a good idea, but it sure isn't as bad as some of the rfid implementations we ALREADY have. We should loudly oppose this implentation, but we should fight the existing ones.

Re:Absolutely not

[nasor]

If your bank really wants to make it easy for people to rip them off, it's not really your problem is it? I've never understood why people care so much about credit card security. If someone steals your credit card number and uses it to buy something, you just report the charge as fraudulent. No credit card company charges customers from fraudulent charges made on there account.

Using a credit card seems much safer than cash. If someone steals my cash, I'm out of luck. If someone steals my credit card or uses my account number without my authorization, I don't lose anything except the 10 minutes or so that I have to spend on the phone with the credit card company.

Re:Disable the RFID

[gsfprez]

how about a read button?

If you are pressing the button, the circuit closes and your card will enable a reader.

If you are not pressing the button, the circuit is open, and disables the RFID on the chip?

I mean, even my MacBook has a power button.

Re:Yes but.....

[gsfprez]

Yes, they are powered. They are powered by RF.

If you put a power switch on them, they wouldn't send back a signal even if you were getting RF energy.

That would pretty much end the ability for someone to sniff out your RFID tags in your credit cards and passports until you pressed the button - closing the circuit between the antenna recieving the RF power signal and the part that generates and broadcasts the signal back.

how it would work in the real world is - you'd pull our your credit card at the store, squeeze the pressure button, and wave the card over the reader. If you waved the card over the reader without squeezing the button, nothing would happen.

Don't worry, no one else seems to understand how insanely simple this is.