Slashdot Mirror
Would You Trust RFID-Enabled ATM Cards?
race_k2 asks: "As a regular Slashdot reader I've followed the development and implementation of RFID devices in many ubiquitous areas such as clothing, passports and even people. Given that our environment is becoming increasingly tagged, often without our knowledge or consent, and can be monitored or hacked by anyone with the proper hardware, skills and motivation, I viewed the recent arrival of two new ATM cards containing RFID chips with skepticism. While this feature may bring the increased convenience of speedy checkouts, it is not something I am completely comfortable using and decided that the safety of my personal data was more important than the ability to buy things quickly. The vulnerable nature of RFID security coupled with recent, though unrelated, reports of a Possible Security Flaw In ATMs make me seriously question whether the marriage of wireless data transfer with personal finance is a wise application of technology." So race's question basically boils down to: How safe and secure are the RFID chips that are being embedded in debit and credit cards? To add another issue on to the fire: Would you trust RFID technology on your cards?
race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.
Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"
race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.
Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"
Just wrap the card in Tin foil. You can keep the magnetic strip (assuming it still has one) uncovered so that you can still check-out the old way. That's the only non-destructive way I'm aware of for disabling an RFID chip.
Not surprised about HSBC. In fact surprising about some sense from Chase.
HSBC recently forced me to subscribe to the Verified by Visa marketing pseudosecurity garbageshiteware gimmick (the only one of cards I have that actually forced me to do so). During the subscription process I found out that the idiotic subscription interface does not maintain state with most non-mainstream browsers. In fact if you use Konqueror (or play around with your browser a bit) you can cruise through it with flying colours without it asking for verification information, passwords and the like. I was seriously tempted to go all the way and register a few cards for entertainment purposes, but end of the day decided not to.
So I tried to get the wankers which run the "HSBC Goodness Gracious Me" call center to give me a security contact and a reference to report the bugs. Guess what - they neither understood the concept of "Your credit card interface has a major security flaw", not could provide a contact. Still better then Amex though. Under similar circumstances 4 years ago when I tried to contact the Amex security dept with a similar bug they subscribed me to a mandatory 60 days of phone marketing and email marketing for good measure.
Frankly - they have no clue. Banking security at its best. Understanding is not required, BS and ISO numbers are.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
No can do, I wouldn't trust RFID for anything that requires a password or requires any sort of security.
I'd use it for inventory management etc. like was the big hype when it first came out but I'd keep it out of ATM cards, passports... PEOPLE.
As a security expert who has done studies on RFID security, I would have to say absolutely not. I would switch banks.
The reality is that by forcing a "swipe" of a card through a reader, this enforces the act of choosing to provide the information. With RFID, you can read it from across the room given a good transmitter and a sensitive receiver. Why should we need to add a new layer when the old physical layer works just fine. The new RFID does NOT save time. You can't just wave your wallet or purse over the weak reader (which is far weaker than a hacker would be using) if you had multiple cards. How would it tell it apart. You still end up having to take the card out. The difference is Mag Stripe (physical contact.. almost), or RFID, Radio Broadcast. I'll take the Mag Stripe or the Smart Card chip (which required physical contact).
Not only no but hell no.
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
Sure, it would cut down on convenience, but only a little, and would more than make up for it in added safety.
-Charlie Tell you what, why not post your card details here (including the three digits on the reverse), but NOT THE PIN, and we'll see how many of us can buy something with it.
Willing to stand by your statement? Are you sure you still don't have a problem with other people having access to your card data?
biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
An RFID chip will fry in seconds in a microwave. It takes much longer than that to affect the plastic. And the magnetic stripe will not be affected at all, until the plastic starts to melt.
Putting the card in the microwave for 3-5 seconds should do the trick. The worst that can happen is you ruin your bank card, so just go to the bank and get another. They don't cost anything.
My answer would depend entirely on who pays if the remotely accessible card data is used to make transactions without my authorisation:
If I pay, then it is in my interests to worry about the security of the card, and I'll want a card that's unlikely to be used without my authorisation (a PIN I set required, mechanical action needed to start the process etc). I do not want to risk paying for fraudulent transactions, and I will do what I can to minimise that risk.
If the bank pays, then I can leave the security to the bank; if someone designs a remote reader and uses it to take $10 from every customer, that's the bank's problem, not mine. I therefore don't need to worry about the security of the card design (although I do need to keep authorisation secrets secret), as if RFID cards are as hackable as they appear, the bank will do something about it to avoid eating too large a loss.
I appear to have a blog. Odd.
No more than tatooing my credit card number on my forehead.
as fun and futuristic as it may seem - RFID gives you as much protection as a condom with a wee little hole in it.
Locksmith
What use is an RFID to a bank?
--
E
Well, they could install "on/off" switch right on the card. You then can turn on the card right before checkout, and card would turn itself off after 5 seconds (so you have just enough time to go through checkout scanner thing)
there is no issue with my network
My credit card company replaced my card last time with an RFID card. I'm not too worried about it though because I keep all of my cards in a metal cigarette case.
Instead of spending that money on putting RFID in, why not just release, oh, I dunno, SMART CARDS!!!
Oh, no, we're north american, we have to be different *cough* cdma *cough*, no way we can conform with the rest of the fucking world *cough* soccer *cough*...
Besides, RFID is not meant for privacy or security. It's meant to track inventory. The sooner these "experts" realize that the better. The sooner they realize that RFID readers are common place the even better.
Someday, I'll have a real sig.
Well lets take a current implementation..ie SpeedPass.. How many events of a speedpass stolen and used? Until we have the stats there is no use of debating ether..
Fred Grott(aka shareme) http://mobilebytes.wordpress.com
Roll up Roll up come on you lovely people.
& oe=UTF-8&scoring=pd&price1=&price2=225.00&lnk=prsu gg P ath=63&gclid=CJ7p383q_YgCFSJ4MAodJDDrAg s .htm
Buy your RFID Readers http://froogle.google.co.uk/froogle?q=RFID+reader
Buy your RFID Tag/Chips http://www.gaotek.com/index.php?main_page=index&c
Buy your blank credit sized cards http://www.smartcardsupply.com/Content/Cards/card
What was the question again "Would You Trust RFID Enabled ATM Cards" mmm let me ponder that, NOOOOO.
Personally i have little hope or no, for are open/free society, mainly after talking to friends, people on the train anyone who understands RFID, and most people that i have talked/chatted to really do believe that rfid is a good thing, when questioned about some basic fact they just do not get it but follow on blind F^^KING FAITH.
RFID good for packages and tracking your stuff you ordered, useful for the company and client.
RFID good for making people belive that if a dick fits up your arse then it is compatible and you should adopt, even if it is not comfortable or useful, no questions just sit on it and smile.
Does anyone know if there are RFID Detection scanners available? I know there are remote readers, but I was thinking more along the lines of a scanner which simply lights up an LED, beeps or something along those lines when it comes in close proximity to RFID. It seems with all the hidden tagging of clothes, shopping carts, etc. that this might be something handy to have.
I only need the Preview button when I haven't used the Preview button.
With an RFID-enabled credit card, the credit card company is the first line of defense against fraudulent usage. The customer is only secondarily responsible, and in any event does not lose any cash or interest. So, you can be certain that the security system and the implementation will be sound.
With an RFID-enabled ATM card, all of that is reversed. A fraud will cause the customer to lose his or her cash and interest... and the customer must then fight with the bank to get them back. The bank has only secondarily responsibility, and therefore only secondary incentive, to get the plan right and to maintain the implementation. It's like a config.rc file with the wrong default value: loss-paid-by = customer.
It's a given that few people in any organization (banks or otherwise) actually understand security, encryption, or the very pertinent issue of "identification versus authentication". But even if Chase or whoever has done their research, the incentives for protecting customers from atm fraud are inherently perverse.
FATMOUSE + YOU = FATMOUSE
The same benefit any big company finds with technology
Step 1: Higher up finds he's got all this money, but it's tied up in the company and he wants to sneak it out into my own pocket.
Step 2: Contract out with a friend for a zany new technological upgrade that does nothing for the business or it's customers. Overspend like it's going out of style.
Step 3: Split profit
I can't wait for these new RFID chips... Because no one knows how to use them or what they mean anyway.
Note: I'm kidding.
Its one thing to present a choice between security and convenience and have a whole bunch of suckers take the easy way (aka personal responsibility, ignorance is no excuse), but its another thing when that right to choose is taken away (remember Sony DRM?).
Maybe you are still not being clear, because his point is valid. Maybe you meant 'cannot read ANY of the information remotely.' Your statement says that you don't mind if it can be read remotely, as long as some of the information is still not remote-readable.
Cannot read all = might read some. It's the contrapositive, see?
Cannot read any = can read none.
The GP was stating that if you are so uncaring about your details, you might as well post them here. It'd be just as safe as walking around the mall with your RFID card blaring for anyone with an RFID reader.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
No... he's saying that a pin in and of itself will not protect the rest of the info on your card. If every gas station, used tire store and cigarette depot can get access to the card scanners it is likely that "the bad guys" can get access to the card scanners and figure out a way to reverse engineer them into a remote reader. Entering the PIN is something that happens on the scanner, so your privacy is not ensured. At the very least the customer behind you in line could watch you enter it. What he was saying is that carrying an RFID card around is as stupid as posting all that info on a public internet forum.
(Yes, it is possible to dupe and make a fake credit card now, but RFID would simply make it easier to steal your money.
I'll never make that mistake again, reading the experts' opinions. - Feynman
For several years now, I've been carrying my personal card collection (credit, discount, ID, etc) in an Altoids tin. It's the perfect size for such cards, and it protects them from me. Also, it has the added benefit of being quite the faraday cage. Unlike foil, which can easily tear, an Altoids tin can take *quite* the beating without any significant damage.
:)
At work, we have RFID security badges. Mine is, obviously, in my Altoids tin. I can hold the tin against the sensor as long as I want; it won't scan. I pop it open (which is really easy to do one-handed once you get used to it), and it'll read from several inches away.
They also have several designer colors: red peppermint, aqua wintergreen, tan ginger, and my personal favorite -- black liquorice.
Most Americans have much better credit than that.
I'll never make that mistake again, reading the experts' opinions. - Feynman
Dear world,
While credit and debit cards may have their problems, the speed of checking out isn't one them. Come on, how much of hurry must someone be that they can't take on more 30 more minutes to press a few buttons on the keypad and sign? With every new article about RFID being release, it seem that RFID is solution to fewer and fewer problems. It will only create privacy and security issues for credit and debit cards, and I don't want the tech in mine.
Later,
-Slashdot Junky
.
Landfill Mining Co.
Managing the (Un)natural Resources of Tomorrow
The problem with RFID encoded is they can be viewed by anyone that has the right equipment. I work for a company that uses RFID encoded labels because of there ease of reading the data off the label. Since you don't have to be within close proximity of the RFID chip to get a good read, someone can point a RFID reader at your butt and read the card from thirty yards away. Also, some RFID chips are very fragile and can be altered given the right condition which are not that extreme. My vote is we go back to the day where ten cows would buy you a year supply of donuts and fig newtons.
These are non-powered RFID tags. There is no "on/off" for them. If you wanted powered RFID, you'd have to include a battery, making the new card larger and bulkier than the old cards.
Not a Twitter sockpuppet... but I wish I was.
Not really, no. For Debit cards, yes. But you can just use them as a "Credit" card, and all you have to do is sign your name. You can also make online purchases without a pin.
Not a Twitter sockpuppet... but I wish I was.
``Until we have the stats there is no use of debating ether..''
Not true. I don't want to use a system I know to be insecure, no matter if it has been exploited many times or never at all.
Please correct me if I got my facts wrong.
been made your problem by way of the 'identyty theft' myth. There's no such thing as identity theft. When someone gives your money or loas their money to the wrong person, thinking it's you, THEY ARE AT FAULT.
Effing brainwashed sheep have bought into the identity theft ruse hook, line, sinker, and hummer to the fisherman.
Alas, television has lied to me once again.
How we know is more important than what we know.
If you have halfway decent credit, you maximums can be way higher than that. In fact, I've repeatedly had limits raised automatically, without asking - sometimes by over $3000 at a time.
Also, for the Amex, "no pre-set limit" doesn't mean "no limit".
I've been researching this for one of my masters classes (I know, I'm a student, but hear me out) and I came across 2 ways of non-destructively stopping the tag. The first is simply blocking the tag with another tag, so that when the RFID reader goes to energize the tag, it gets a garbled response that even error-correcting software can't figure out. The second is to broadcast a kill-code to the tag. The kill code closes the circuit to a specified part of the chip, effectively overwriting the memory. This is the equivalent of removing the CMOS password on a motherboard, close the circuit, and when energized.... game over. The best thing to do would (yes) throw it in the microwave for 3-5 seconds [so as not to melt the plastic or the magnetic strip] and then go on using it with the RFID feature disabled. Personally, after all the research I've done on the security of RFID... I doubt the encryption is strong enough to block a dedicated reader. Hell, remember when they said WEP on 802.11b was unbreakable? I'll stick with my small-hometown bank, since they likely won't upgrade for some time.
First of all it probably isn't an RFID tag but a contactless smart card. Yes there is a meaningful distinction.
Second, do you know whether there is any security around it or not? Some implementations have no security at all, others do mutual authentication and create encrypted sessions. You are considerably more secure using the latter of these than your traditional mag stripe.
Get educated before sticking your head in the sand. Mag stripe is going to go away. Hopefully EMV will come to the US soon and put some security standards in place.
Lasers Controlled Games!
I work on security systems and I've proposed "security paranoia"
Fear isn't going to help grow technology. There are hundreds of social engineering, web based, technical equipment base, and good old scam based ways to get your info.
We can't fear new technologies...everything will have its bumps and flaws and with time they get worked out...if they are accepted by users.
Your not a whole lot more vunerable then you are now with a chip in your credit card.
Watch and work your money like a job...get proper coverage for inevitable loss and go with it!
If your really worried about being vunerable...get off the internet!!! (At least I can't get flamed by those paranoid people now)
-- Disclaimer: I can't really back up anything I post on
No! Because it is way too easy to compromise the system
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
So, How long until wallets start coming with built in shielding to discourage unauthorized RFID readout?
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
No. No, no no.
I call computer-illiteracy job security
I called chase for an rfid-less card. they said they would send one. They did not. they sent YA 'blink' card. I called again and was told that if I want one that is still a 'check card' I have to pay a fee. So basically, in order to get the same security I had before I have to *pay* for it, but for free I get a feature I don't want.
I have already written my senator.
My guess is that he, like I, does not live in the US and is only informed with your customs by the few times we've visited and the drivel we see on television.
But thanks for being a prick about it. Karma I suppose.
How we know is more important than what we know.
A European guy asked me recently why American companies are using unproven RFID technology in their credit cards, when Smart Cards are not only proven, but more easily shown to be secure.
I think there are several reasons.
First, when Smart Card technology was first proposed some twenty years ago, the idea got earlier traction in Europe. One reason, if I recall correctly, was that at the time the cost of installing and using phones under many state telecom monopolies made the kind of system we use in the US less attractive.
This explains why Smart Cards were adopted in Europe and not initially the US. But why even consider new RFID technology when a proven technology already exists? I believe the answer comes from the culture of technology adoption. The RFID tag on these cards is not being used in a way that does anything fundamentally new. It's just a incremental improvement on the mag stripe. Smart Card technology would involve going to a two factor approach; familiar to ATM users, but it would change the way we process credit card transactions. So RFID is a "state of the art" technology, yet it looks like a non-disruptive drop in replacement for mag stripes on credit cards. These are both killer advantages from the CIO standpoint. Since most ATM cards are supposed to function as credit cards, they come along for the ride.
The final reason is that US companies favor RFID over Smart Cards is that they face fewer consequences from mishandling private data than EU companies. This is due to differing cultural perspectives on privacy and regulation.
The US politics is relatively more libertarian in its privacy outlook. Under US law, the government is generally restricted, but with specific exceptions to the restrictions; the private sector is generally permitted -- but with specific exceptions to the permissions. US laws only address a few of the most egregious of private sector abuses. Even then are typically drafted with extreme care to minimize business exposure to new regulation or private lawsuits, whichever seems to be the greatest threat to business.
Europeans have more of a human rights perspective, in which the right of privacy can be asserting against anyone. Consequently, EU directives do not make a fundamental and general distinction between government and private sector data privacy practices. This means that EU companies are less able to externalize the costs of sloppy data privacy practices, because they face both regulatory action and private lawsuits, because EU law imposes duties upon them which US companies do not have.
The US has a strong cultural bias against regulation and government enforced standardization. You can see this in our mobile phone systems, where we have several competing standards, each of which is arguably superior to GSM in some way, but the net result is that the overall phone system is not as good. We're seeing the same thing happen with the introduction of RFID credit cards (which is probably why ATM cards are starting to sport tags too). We're seeing a spate of non-standardized solutions, some of which may be reasonably secure, some of which rely totally upon the assumption that RFIDs cannot be read at more than a few millimeters.
As should be clear, I think that on the privacy issue at least, Europeans have it right, and we Americans have lost our way. The US attitude towards privacy is inconsistent and impractical, at least if you value privacy at all. It is our unwilligness to regulate the behavior of private industry towards individuals or to even let individual hold companies accountable makes the adoption of technologies like RFID inevitable. Private enterprise never has to worry whether the security costs outweigh the benfits, becuase they can impose the costs on the consumer.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
So, say I've got three RFID credit cards in my wallet when I go through a checkout. Is there some standard prtocol that all three cards are using to have me choose a card? Do all three cards get used?
If I still have to pull my card out of my wallet, I don't see any advantage to me.
Years ago I was tought the most important phrases to learn in any language. Two more beers. My friend is paying.
The second phrase becomes much harder to dispute if my friend has an RFID credit card.
Researchers at the RFID CUSP (ConsortiUm for Security and Privacy) published an informative report in October. They show how to build skimmers, describe relay and replay attacks, and how the transaction counter can be used to invade privacy. They show in the current generation of RFID-enabled smart cards there is no mutual authentication between the reader and the card, so it is not difficult to build or buy a reader to scan cards. Track 1, which usually contains the card holder name, is transmitted in the clear. Track 2 is transmitted in the clear, with PAN (account number) in 3 of the 4 types of cards currently being issued. The nominal read distance is 10 cm, but only if the reader complies with the IS0 14443 spec. http://prisms.cs.umass.edu/~kevinfu/papers/RFID-CC -manuscript.pdf
What about getting the kind of equipment used to work with these RFID tags, and clear it out so it no longer has any interesting info to steal? Is that possible, or are these things read-only? You could also try to microwave it. :)
It's the only way to be sure.
I saw it on Slashdot, it must be true!
Uh... no? If the credit card companies were the ones paying for the fraud done with credit cards, there would BE next to 0 fraud.
:/
As it is, they make the -merchant- pay for it! And not only do they make us cover the price of the fraudulent transaction, but they ALSO tag an extra $25 -per fraud transaction- !! Heck, at this rate they might actually be MAKING money from fraud!!
If one customer buys 3 times with same fraudulent cc over a few days (say, for $5 items!), we pay $75 in -addition- to the cc company taking back the $15!!!!!
With the hundreds of Billions they process every day, do you really think there would be so much fraud if the cc companies were the ones really paying for it??
Possibly, but is that Speedpass fraud as in "RFID read remotely and then the Speedpass device was duplicated", or is it Speedpass fraud as in "someone dropped their Speedpass in the parking lot, and then someone else used it"?
I wouldn't be surprised if it's the latter.
Next question.
[Insert pithy quote here]
When you have two or more RFID cards in your wallet, chances are neither of them will work on any given attempt to use them unless you take the card you want to use out of your wallet....
So what's the benefit?
While I carry around a Lead Lined wallet :)
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
I have a merchant account, so I tested it to see the minimum amout of info needed to complete a transaction.
Account Number
Expiration Date
Amount to charge
That's it. No PIN, no 3 digit code from the back, no name, and no address required. It's a little frightening that you don't even need a name.
Contactless smartcards comply with ISO14443. Guess what... so do RFIDs. The ATM cards that people are talking about have the same information that is on the magnetic stripe encoded onto the chip. They use the EMV format that was defined for contact cards, with a different application identifier. The data includes the information that is on tracks 1 & 2 of the card. They do not include the CCV number that is printed on the back of the card.
The ONLY difference is that instead of swiping the card, you wave it in the proximity field of the RF reader.
The security PROBLEM with contactless credit/debit cards is that the card details can be read at a distance. It's the same as if someone used one of those pocket mag swipe readers to capture exactly the SAME details.
With a credit card, there is not as much of an issue as with a debit card. Credit cardholders are protected against fraud by legislation. If you contest the charge, it is up to the merchant and/or acquirer to prove the transaction to the issuer.
With a debit card, there is a greater risk. Normally a debit card requires a PIN or signature, but you are not as well protected against fraud, and the money comes out of your account first.
A bit of actual explanation of this from Visa/MC would make it easier to at least make an informed decision, but their marketing people are DUMB.
I work with this stuff every day, and Visa/MC still can't actually work out how to make all of this work, especially offline for low value transactions like transit.
Which, of course, defeats the purpose of speedpass, which was to avoid any interaction other than pumping the gas. I'm always amused when I got to Lowes and OfficeMAx, and after I swipe my card in the user terminal, the cashier is required to enter the last four digits of the card manually into the POS terminal. Wouldn't it have been faster for me to hand the cashier the card to begin with and have him/her swipe the card on the POS terminal, since they then don't have to key the digits?
Is it just my observation, or are there way too many stupid people in the world?
Wholely crap NO!!! A question to you is, what the hell is wrong with you that you'd even need to ask this question?
There was a recent local news alert about a gang of thieves making their way across Canada. One of their scams was this:
Canada is very big on ATM debit payments. A gang member stands behind you in the cashier line-up to buy something miniscule, and watches while you pay with debit. Many Point-of-Sale machines have very poor privacy shields. They memorize your PIN number, and watch where you put the debit card afterward.
As you leave the store, another gang member does the classic "bump" pickpocket routine, or does a serious "collision and spill", and steals your card. Done well, you won't realize there's a problem until after the account is cleaned out. Smart would be to leave a hundred bucks or so, so that nothing bounces for a day or two, so you may forget where this happened.
With this new technology, they don't even have to steal your card - just be within a few feet when you pull your card out of the tin-foil. SO much easier!
RFID is meant to allow you to scan a pallet of goods - so should have a range of at least 4 to 6 feet. Anything with more than a 3-inch range sounds frightening. Direct contact would be preferrable - you should specifically have to do something active to allow payment. Anything without a "smart" challenge-response also sounds frightening - as others have mentioned, in that case you might as well post your details on the internet.
The other thing to think about. Cracks to supposedly "secure" systems (WEP? Garage door openers?) seem to rely on analysis of volume of transmissions. SO if a "Smart RFID" card needed to be cracked, perhaps someone could sit next to you on the train. During the ride into the city, his laptop could be running a continuous challenge and analyzing responses to figure out the necessary "key" for all the credit cards within 10 feet. Or, while everyone is standing around waiting for the train, he can do a 15-minute deep scan.
The scary part about "Smart" type cards is that they then make payment automatic (EZ-Pass?). You may not know or approve of every transaction. They had better be damned secure. IIRC, the Euro-cards have metal contacts and still require a physical connection, not a remote read.
I suspect that the reason EZ-pass hasn't been stolen yet is economic; what are you going to do with a fake EZ-Pass, except drive through gates where they're continuously taking pictures of you and your car? The system is not widespread enough to be publicly analyzed - no readers in small stores to be "stolen" and played with, not as easy to tap the computer lines from a reader to the central computer, etc. Compare that with a payment card system that every tiny store would have, and the incentive of easy money by the bucket-load...
My company's "wave and enter" ID cards are actually magnetic, only reach about a foot, and (so I'm told) have the added benefit of setting off some store anti-theft security monitors - as if we needed more hassles.
I don't know if this is the case. Everyone seems to assume you can "intercept" the RFID information from many meters away. I guess I'm not sure which technology is used in credit cards, but if it's anything like ISO 14443 standard or even ISO 15693, the max distance is only going to be 1.5 meters or less.
In the end, it's always the path of least resistance. It's easier just to steal a credit card or dig up some old receipts or bank statements from the trash then to spend the hundreds of dollars to make a sophisticated reader device capable of reading and decoding these tags.
I'd say that no, it isn't ready yet for handling security-sensitive tasks like credit card or debit card transactions. It's happening anyways, but I don't think it's mature enough to trust our bank accounts to them.
Just for a tiny bit of reassurance, RFID tags and readers used in credit card/debit card applications (I know because I help make these readers, though I'm still new to the business) include cryptography features such as encrypted data transfer and authentication. In other words, if you don't have the correct crypto keys in the RFID tag and the RFID reader, they will refuse to speak to each other, and anyone trying to listen to the signals will get nothing but encrypted data.
That helps to ensure that random Joe Scumbag can't get himself a handheld reader, wave it a few feet from people's wallets and electronically pick pockets in the simple case. We're assuming that crypto keys are kept secure, so that only authorized card readers have the crypto keys required to authenticate themselves to the cards, and only authorized people have the keys required to encode the cards in such a way that they'll authenticate to the readers, and that the readers have secure connections to the credit card networks. Unfortunately, that's a big assumption to make.
Personally, the scenario of electronic pickpocketing does concern me. I've seen RFID tags read from 30 feet away (though you need a reader with a relatively powerful transceiver, which isn't as portable.) Handheld readers are more likely to have ranges between a few inches and a few feet, depending on the power level of the reader's signal, the type of tag, the phase of the moon, and the number of RF gremlins present. If the authentication can be circumvented, it probably will be, since there is significant money involved.
Meldroc, Waster of Electrons
They just need to put the check-out "beep" noise into the card itself -- make the reader charge up a capacitor with induction so the tag has enough power to sound off before it gives up the goods. Then if somebody reads it from 100ft away it still goes "beep" in your wallet and they can blame you for not reporting your RFID code as 'stolen' right away.
The only credit card parent company that requires a CID for online purchases is American Express. Visa, MasterCard, and Discover do not enforce this policy.
Source: I work in e-Commerce for a catalog company.
Clones are people two.
I tried this with my card (almost identical, but a different bank) and you can see the chip, just use a bright bright source. http://wvp.diablops.com/index.php?option=com_conte nt&task=view&id=37&Itemid=1/
The credit card offers you might see in the mail (you know, with $100-300 initial fees) often offer only $500 lines of credit. Getting credit through your bank, etc. often gives you thousands of dollars of credit.
Clones are people two.
No.
It's that simple. I absolutely would not trust RFID on any debit or credit card despite any assurances I received from my bank. No matter how secure you think the encryption is there is always someone that will attempt to break it and will probably succeed.
Let's say you carry a big luggage, and stop with it by the bank's door (shop's door, whatever). You wait a bit, drink a bit of water, and bank customers come and go. And their credit card RFID info with them, registered in the luggage. There will be plenty moving less than 1m from the luggage. Or you are with your wife, and she goes inside to do something, while you wait.
But when you go with the subway, you won't hear a beep from inside your wallet
Lets be clear what we are talking about here. The risk is that with special equipment someone might be able to read the same information that is printed on the card. RFID credit and debit cards have been around for awhile speedpass being an example. And while it is possible to read the information passed between the card and reader with enough effort, you probably hand your credit card to the waiter in a restaurant and don't even think about it. That person walks out of your sight and in some cases steals the information.
The solution is to watch the data and flag suspicious transaction. Most credit card companies now offer a zero liability identity theft policy.
This is a separate issue from the RFID passports raised by some of the other posters. The danger there is not really identity theft, although that's bound to happen as it does today with the paper form. The danger in a remote readable passport is that it can be used as a trigger for an explosive or to target persons of a certain nationality in a crowd. There's no reasonable defense for using RF over a contact coupling to read a passport. There's no added danger in a card that has to touch the reader to be read.
That's actually a fine solution for credit cards as well, although the risks are much less.
Disclaimer: I did write a book on RFID http://www.oreilly.com/catalog/rfid/, but other than that I don't have any vested interest in the technology.
[-- Trust the Monkey --]
RFID is getting to be like VoIP: there are a wide variety of applications which fit the acronym but are otherwise unrelated, and people lump them together. These bank cards and inventory tags in clothing have about as much similarity to each other as they have to 802.11. They use radio waves, and they use identification.
A well-designed smart bank card will use SASL to prove its identity to the bank without revealing information that would allow anybody else to use the identity. So it doesn't matter if people can snoop the transmission; they don't find out anything that they can use anyway. And it would use some mechanism (probably a capacitive contact sensor) to detect that somebody's touching it, and only authenticate then.
A particularly well-designed smart bank card would have a touch-sensor keypad, such that you type your PIN into the card to get it to authenticate you to the bank, and the ATM doesn't even find out the PIN. This wouldn't work with magnetic cards, because the card can't interact with both the user and the ATM at the same time, so RFID is needed for improved security of that sort.
Of course, the dumb, buzzword-compliant way to have RFID bank cards would be to just have them broadcast your card number to anyone who happens to ask. But that doesn't actually offer any advantage over magnetic stripes, aside from using a term that most people don't recognize, and those who do find scary. Of course, they could offer the advantage of not having to get out the card when you use it. But since you might have two different cards, you need to somehow tell the one you're not using to stop responding, or tell the one you are using to transmit. So you're holding the thing, and you might as well make physical contact between the card and the machine at that point, since you'll have to touch the machine yourself to type the PIN.
I wrote a short paper concerning RFID technology about a year ago, it mostly concerned the hardware and systems architecture. There was no shortage of reports and studies of RFID keys being cracked like the mobile speedpass http://www.jhu.edu/news_info/news/home05/jan05/rfi d.html.
1 0-05.shtml. Some of these passive rfid tags have no access control whatsoever. Meaning one take a small RFID programmer into their favorite store and start changing prices, or worse, write a virus to the RFID tag so the next time it's polled it'll get injected into their SQL DB. Possibly compromising their entire POS system. Ironically, this sort of stunt if done well enough could result in a jackpot of creditcard numbers so it wouldn't matter if you used an RFID enabled card or not at that point :).
d _security_a.html3 9/2/129/a sp?ArtNum=20s _articles/RFID/Link_budgets.html
6 0208D-9ECF-4F0B-B964-4DD779BFF905
i ty/story/0,10801,100459p2,00.html
http://www.ti.com/rfid/shtml/news-releases-rel02-
Some random RFID links.
http://www.schneier.com/blog/archives/2005/03/rfi
http://www.rfidgazette.org/2004/06/rfid_101.html
http://www.rfidjournal.com/article/articleview/13
http://www.technovelgy.com/ct/Technology-Article.
http://www.enigmatic-consulting.com/Communication
A nice article on RFID virus attack
http://www.cbronline.com/article_news.asp?guid=B9
http://www.computerworld.com/securitytopics/secur
From which comes a nice quote, this is from 2005.
"The TI technology is vulnerable to attack because it uses a decade-old, 40-bit cryptographic key to encrypt communications between the RFID DST tags and readers, the researchers found. TI also used an unknown and proprietary encryption algorithm on its DST devices. But Rubin's team reverse-engineered the secret algorithm by observing how DST tags responded to specially crafted challenges. Once they guessed the algorithm, researchers created a software program that could be used in so-called brute-force attacks on DST devices to recover the secret cryptographic keys, Rubin said."
The site, http://rfidanalysis.org/ that hosted these findings no longer exists but you could probably find it cached on the net somewhere, wayback machine maybe.
Remember that RFID represents a system and not one piece of technology. The implementation of the system is dependent on the deployment plan. I could make an "RFID system" with 2 933Mhz radios and a pair of 8-bit microcontrollers from digikey for around $150. Sure, you could pull my data out of the air, but technically speaking I'm using RFID. I could also build my own RFID key system with 2048-bit encryption to act as the keys to my car. It's not that difficult to develop, really just assembling existing technologies. RFID can be done "right" and it is a promising technology. I wouldn't shun it for alot of commercial applications but for personal applications, well ask yourself the question. Is this thing a necessary part of your life?
Peter
www.alphalinux.org
And what happens when someone doesn't follow the standard? When they put more juice into the card and use a stronger antenna?
A standard dictates how something should work but has nothing to do with how it does work. It is entirely possible to follow the standard to the letter and still have the card readable at over 1.5 m.
Shit we buried an ethernet cable to the building next door for a project. Yes that was the easiest way at the time. The run was much longer than the standard dictated. The cable worked.
I find being offended by me offensive.
Yes! Bring it on, baby. What with all these old ladies doing pilates and such, it's getting too dangerous to snatch purses anymore.
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
A common garage door opener has more security than these RFID ATM cards. At LEAST a garage door opener has a table of codes that gets rotated through, it could take literally thousands of uses before the same code shows up twice. Yet what does an RFID ATM have to protect from cloning? Sad.
Cwm, fjord-bank glyphs vext quiz
The thing is, it really isn't a time saver; although it will be advertised as such. You will still have to take the card out of your wallet (at least if you have more than one with RFID) and still bring it near the reader. Then you will still have to walk through any prompts and either sign or enter your pin. The only time saved is the 1 second (tops) that it takes for you to swipe the card. The keychain RFIDs for Mobil's SpeedPass system was a valid time saver, since you generally have your keys already if you are getting out of your car, but this is not.
As far as using biometrics, I will make no judgement about the tracking implications, but as far as security it would be a major improvement over PINs that can be sholder-surfed or signatures that the store associates don't even look at.
Clones are people two.
See Alien technology for examples of UHF tags.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
Anyone stating "max distance" for RF is creating limits where none exist. With a correctly-sized transmitter, a sensitive enough receiver, and a large enough antenna, there's nothing preventing reading over much greater distances.
The "hacker" world distance record for reading RFID tags (not necessarily the same technology that's in these credit cards) was set at Defcon in August 2005. It was 69 feet, or over 21 meters. You can see the Make Photo Blog pictures of the gear used. While the kit may look bulky, 69 feet would allow you to have it in a van parked outside a store shooting in through the windows.
Regarding the correctly sized antenna, the WiFi shootout that year scored a record 125 miles for an unamplified 802.11 link. 125 miles from a pair of hundred-milliwatt transceivers chatting at 11 mbps.
And don't assume it's not worth the trouble, either. You don't know what dollar values may be transacted via RFID, nor what thefts may be possible with the intercepted data.
That's not to say that encryption isn't capable of rendering the data useless to an eavesdropper. We don't know if it is or isn't good encryption, but that's immaterial. Don't rely on distance alone to protect you. It won't.
John
Why can't people be satisfied with a very good system. It's not like a new faster checkout method gives anyone a competitive advantage for very long, because everyone will adapt the same technology pretty quickly. Why can't they get it through their heads that a contactless data transfer with no external control (PIN) is just flat out not going to be as secure?
Keep passing the open windows...
You know, like on everything else?
If you aren't pressing the button/leaving the circuit open, zapping the RFID device does nothing.
If you are pressing the button/closing teh circuit, the RFIC device will read?
Why the FSCK am i the only person alive that seems to see RFID as not a problem if you put a power button on it?
guns kill people like spoons make Rosie O'Donnell fat.
I just got a new RFID enabled credit card from Chase, and I asked if they still had a non-rfid enabled card. They were extremely nice and said I would have it in a few days.
I pop it open (which is really easy to do one-handed once you get used to it)
One-handed manipulation of electronic devices shouldn't pose much of a problem to the majority of the /. readers...
Well given the comment by brunes69 that ATM cards are easily replaced for free I went ahead and nuked my HSBC debit card with 'pay pass'. The results were interesting and the odor acrid. Card was microwaved on high setting for 3 seconds. First it should be noted that microwaving a debit/credit/ATM card will have a similar effect on the hologram as it would a CD or DVD disc. Unfortunately I had placed the card face down so I didn't get to see the light show. On the other hand, the burn through from the metallic components in the card was also directed face down so that may have saved the magnetic strip from damage. The chip itself, located just above the 2nd number on the left side of the card made a nice big spark and melted some of the plastic on the front. Curiosity, and the desire to have a smooth flat surface, prompted me to remove the burnt chip as well as the 1 cm^2 or so of plastic covering it. Other cards may locate their chip in a different area. It was easy to find the chip by examining the back of the card in reflected light by the presence of a dimple or indent on the back of the card. The most surprising, though in hindsight obvious, part of this experiment was the fact that the antenna connected to the RFID chip is routed around the entire perimeter of the card, including a region above the entire length of the magnetic strip. Thus, it was fortunate that the metal burned through the face of the card rather than the reverse. There is a fair amount of burnt carbon residue on the short side edges as well as melted line around the perimeter where the antenna had once been. Nonetheless, the card worded just fine at the local branch's ATM machine as well as the counter-top swipe reader that the supermarket.
So as long as the RFID tag isn't under the magnetic strip or another vital part of the card I could just cut it out. Of course looking at it now it seems to be right under the magnetic strip.
Aside from the security issue, I don't think most people would care if their ATM card was RFID vs swipe.
It doesn't save anyone any time, really. At an ATM, I've got my wallet open anyway, to put the cash in. In the grocery checkout, I've got plenty of time to reach briefly into my pocket or purse, while waiting for the checker.
It's a solution in search of a problem.
Right now, I'm in the Netherlands where they have Maestro debit cards that are embedded with a chip, (they call it ChipKnip) that you can load up to 500 euros with to pay quickly (although I usually never load that much on it for security reasons). I love this because it is accepted more places than credit (including, but not limited to: coffee, soda and snack machines, pay-for-parking, and even buses!) and is easy to add money to as ChipKnip refilling machines are always right next to ATMs. I actually wish they would have the chip in the US where I'll be going back to in a few weeks as this chip system is a wonderful idea IMHO.
Here's one scenario. You get an RFID enabled credit card. It's probably not encrypted. Even if it is, it doesn't matter, because the encrypted data never changes. You walk into a store, an RFID reader mounted on the door reads your card. From then on, they know how often you enter the store, how long you stay and if the items you buy are tagged, they know what you buy, and even who you are if you make a purchase because they can compare the data they read off your card when you walked in with the data off your card when you made the purchase. You make a purchase but the clerk doesn't scan one of your items, you walk out of the store with something you didn't pay for, but they know who you are, and your credit card company knows where you live. The police show up the next day.
Here's another scenario. You're at a coffee shop. Some crazy creep with an RFID reader reads your card from a few seats away. He installs an RFID reader somewhere in the store and checks on the data every day. He knows how often you come into that coffee shop. He installs more RFID readers in places you might frequent. He knows your every move.
Read my short stories - You won't regret it.
I went into a store the other day and was told that you either had to pay with check or cash. They did not accept credit cards anymore, because of repeated problems with fraudulent use.
I wouldn't be suprised if I didn't start seeing more of this.
I would rather go someplace where I could get something for a cheaper price than have to pay more because the store accepted credit cards.
He who said 1,000,000 monkeys on 1,000,000 typewriters would eventually type the great novel, never saw an AOL chat room
You're quite right. I've been through a PCI audit - the requirements are both unreasonable, non-helpful, wildly unclear, and leave gaping holes in security if you comply with all of it. The requirements document sounds like a college intern went through an event log and came up with requirements based on single vectors from prior events.
But, all that aside, the real problem is that merchants need to store credit card numbers. This is entirely bogus.
As a real simple first blush at a solution, you take the credit card data from the customer, send it straight to visa, signed with your key, and get back a value that you store and then authorize against. It's tied to your key so only you can use it, and it probably expires soon. It probably also allows you to do credits for a longer period of time than you can do debits to handle returns. And you never write the credit card number to disk.
A Web 2.0 thing would probably have the client retrieving the key straight from Visa with a request signed by the merchant so the merchant doesn't see the credit card data ever.
But, like you said, they have no incentive to make this kind of thing happen.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
If you could print your credit card information in X-ray ink, bold face, on the back of your jacket, such that only people with special x-ray spec could read them, would you? We don't do that now, why would we suddenly want to change?
Of course "we use encryption". So the info on your jacket is encrypted. But we didn't use encryption before, even though we should have been (depending on how good it was).
By using RFID, companies are trying to trade off the very intuitive insecurities of radio broadcasting with the not-so-intuitive insecurities of unencrypted mag stripes.
The real reason this change is being made would seem to be that much easier to strand customers in ignorance and pull the wool over their eyes when it comes time to actually investigate and point the finger at whose fault particular fraud cases are. Neither customers nor merchants can tell whose in their parking lot snarfing and cracking transmissions - but they can sure as hell tell you who's had access to their card.
I completely agree about the UHF technology. I work directly with UHF and Alien is one vendor who I've done an implementation or two with. I doubt that UHF is going to be used in any credit card implementation.
Depends on the bank. Some actually demand a matching name and delivery address. (e.g. MBNA and American Express). I've had merchants have to contact me because AmEx denied a transaction because they didn't recognize the address.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
The average American has $8,000 in credit card debt. OK, yes, that's spread over multiple cards, but still...
I've only had credit in the USA for 9 years. I currently have a card with a credit limit that was over $16,000 last time I looked. I didn't at any stage ask for it to be increased, either.
Pay off your bills for a few months and banks will throw credit at you, to try and tempt you.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
My assumption in this case is that the RFID technology will be of some standard similar to those stated in my parent post (ISO 15693, 14443 or other HF standards). In this case, the tags are inductively coupled with the reader antenna primarily through the Magnetic field produced by the current through the antenna wire. This field loses strength very quickly as you move from the source which means a VERY limited read range. The technologies mentioned (UHF and WiFi) interact with the Electromagnetic field which propagates nicely through the air and thus gives longer range. (we can, of course, try to discuss all the lovely physics if needed, but this is my attempt at simplification)
Basically, my point is that while I concede it is possible to hack into RFID credit cards, it is NOT as easy as many like to believe, and I don't feel nearly as threatened as some would suggest I should feel. Also, RFID is NOT one technology. It is a mishmash of all kinds of different standards comprising multiple frequencies and technologies and so should not be lumped together as the one evil tech it is commonly identified as.
And what with most ATM machines being run by a versions of Windows anyway you could guarantee they are running as Wireless Access Points. :o)
It was rather disconcerting the first time I used a BNP ATM here in France and heard a distinctive Windows "chime" being emitted from the machine. I don't know what version of Windows it's running, but I'm at a loss to understand why anything more than a simple embedded OS is necessary. Unless it's to drive that pretty ATM GUI with all those colorful flags so that (illiterate?) foreigners can select their language preference.
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Yes, they are powered. They are powered by RF.
If you put a power switch on them, they wouldn't send back a signal even if you were getting RF energy.
That would pretty much end the ability for someone to sniff out your RFID tags in your credit cards and passports until you pressed the button - closing the circuit between the antenna recieving the RF power signal and the part that generates and broadcasts the signal back.
how it would work in the real world is - you'd pull our your credit card at the store, squeeze the pressure button, and wave the card over the reader. If you waved the card over the reader without squeezing the button, nothing would happen.
Don't worry, no one else seems to understand how insanely simple this is.
guns kill people like spoons make Rosie O'Donnell fat.
As far as the crypto goes, there's no reason they couldn't employ the same sort of challenge-response that satellite decryption cards use. Even with a lab setup and full access to the electrical exchange between the cards and the receivers (including the ability to interfere with the data), it took a remarkable amount of effort to break the encryption on a single card. An unreliable RF snooping wouldn't stand a chance if the cryptography were of equivalent design.
However, there are still drawbacks to RF ID cards. While you may not be able to read them, you might be able to detect them, and possibly even identify their nature. The example I frequently use with RFID tags is to picture such an antenna set up at the entrance to the Bada Bing! club from the Sopranos. In this case, imagine a reader mounted in the seat of a barstool. If a reader could determine "what's in your wallet?" without your knowing, what else could a bad guy find out? They be fronting a "man-in-the-middle scam" where a radio-connected henchman is exchanging signals, charging expensive jewelery in a store located in another city? Many things are possible if the exchange can take place without the user's involvement, even without breaking the encryption. And too many people want to steam-roller RFID forward while ignoring legitimate questions about security.
Physical contact readers are the only sure way ordinary people have to prevent surreptitious communications. While the advantages of RF are numerous (convenience, sanitation, no moving parts, no contacts to get dirty, no problems with static electricity) the removal of control from the user is a huge weakness that opens many avenues of exploitation.
John
Most of the Visa/MC credit contactless cards do not encrypt the data. The main reason is that it's a) impossible to distribute hardware SAMs to all of the readers that could contain keys for all of the possible different card issuers, and b) the assumption is/was that the data is the same as what is on the mag stripe, so why encrypt it?
The actual comms between card and reader are encrypted for any writes to the card, but the majority of these transactions do not write to the card, just read the public read-only areas.
The details of how this works are publicly available here.
Shouldnt even trust the ATM.. Aside from adding RFID, your spending habits ( at least the $ ) and general location of your travels are too easily tracked.
Cash only.
---- Booth was a patriot ----
Yeah, because that's so much better than swiping it through a magnetic reader..
Aren't we supposed to be improving things, instead of just changing the time wasting from swiping to pressing and waving?
Not a Twitter sockpuppet... but I wish I was.
and you're both right and wrong.
You're wrong in because smart cards -- including contactless smart cards -- *are* perfectly capable of doing this sort of thing securely. We have the technology, we know how to do it and make it very tight.
You're right because although these banks are issuing smart cards (ISO 14443, T=CL), and they could make the system secure, they've chosen not to do it. In fact, most of them are using stripped down microprocessors that don't have the crypto coprocessors needed to make it secure.
On a credit card, I don't really care all that much, because the worst case for me is inconvenience -- my liability for any fraud is limited to $50 by law and $0 by the policy of any credit card I'd have. Debit cards are scarier, unless the issuer also agrees to take on all of the liability not only for the fraud, but also for any incidental results of the fraud -- late fees and damage to my credit rating caused by bounced checks, etc.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
With all their features and programmatic convenience they offered, I figured that this would be something that could be a real selling point for them, (and a convenience for me.)
While the guy I spoke with (programming support guy) thought it would be a useful feature, I was told that it just wasn't something that was really in demand, and they didn't have any plans for something like this.
(!)
(Well, if someone offered it, I can't see why it wouldn't be in demand, and a gateway processor would be able to offer this as a feature whether visa/mc/amex/dc/... did or not. As long as you *could* get the data back with human intervention, ie, no vendor lock-in, it would be a definite win for customers with any sense of security issues.)
So I was amazed that this wasn't something that had been out there from day one and amazed that folks weren't simply clamoring for left and right. I'm even more amazed that this service is *still* as far as I know, not offered by any gateway provider. (I would have bet money that it would be a standard feature by now.)
And the worst part is that all the while visa has continued their poorly thought-out campaign of requirements that if followed to the letter effectively forces merchants to open security holes in their systems.
Where I live, a disturbing number of ATM machines now bear the Diebold logo. They used to say IBM. Now, I dont belive that IBM are some godlike power of flowing goodness, but damnit, IBM have some semblance of professional attitude. What im trying to say is, I don't bloody trust the ATM system at all right now. Especially with muppets like Diebold in the mix.
I like your idea of handling this as a competitive advantage of the payment gateway.
;)
I was told that it just wasn't something that was really in demand, and they didn't have any plans for something like this.
The single merchant I was working with would be in for a $400,000 bill to be compliant with PCI, according to the letter of the 'law'. With the Web 2.0 version of this, the merchant never handles any credit card information, and thus doesn't need to comply with PCI.
I bet they didn't put it to their customers like that!
Mark, it sounds like you and I should get into the payment gateway business.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)