Are Contactless Payments Really Secure?

berberine writes to tell us Ars Technica has a closer look at whether the RFID technology behind many of the up and coming "contactless payment systems" is robust enough to prevent account fraud and the theft of personal information. "Concerns over the security of contactless systems were heightened last week by a Federal Reserve decision that will allow for even more casual, low-cost purchases to be made across the country. In recent years, credit card companies have waived their signature requirements for so-called "small ticket" items in order to get a slice of the action. Visa, for instance, doesn't require your signature for purchases at or below $25."

yeah yeah

[Colin+Smith]

Except that banks magic money into existence so they're not actually losing anything (maybe but a little profit) when someone commits fraud.

Re:yeah yeah

[UbuntuDupe]

Okay, whatever manipulation of the monetary system the Federal Reserve does, individual member banks aren't actually allowed to print money at will. They banks still have to pay interest on the borrowed money. I hope you were joking about that.

Anyway ... do contact-full transactions really add any security? I always hear "omg if someone steals ur card their sig will b diff so they know its not urs lol!" But really -- it doesn't prevent the transaction itself, since the cashier ignores the signature entirely. And it requires that I use an actual, unique signature (instead of just scribbling) when I really want to authroize the purchase -- which the CC company doesn't actually require you to do. So I can just scribble for all my signatures and if I want to dispute the charges at the Dog and Duck Pub, they don't have any real proof because my signature there is the same as elsewhere.

Re:yeah yeah

[Anakron]

http://www.ingrimayne.com/econ/Banking/Commodity.h tml
for those who don't get what the parent is talking about. Although banks don't quite "magic" money into existence.

Re:yeah yeah

[rnelsonee]

Right. The signature on the back of the card is not there for security - it's there to protect the merchant from having to pay a chargeback.

Basically, the signature is the signature to the Cardholder's Agreement you get with the card. Except that instead of the signature being on a piece of paper that no one wants to carry around, they let you sign the card itself. Once you sign it, the merchant knows that the card is valid, and they are now free to charge the card without fearing a complaint come back saying "I never authorized that!". As long as there's a signature, even if it doesn't match the person who's holding it, the merchant is not liable for fraudulent purchases.

Which is why writing "See ID" is frowned upon, and merchants will sometimes refuse to take a card with that writte on the back.

Re:yeah yeah

[ushering05401]

As of 1 1/2 years ago this is how fraudulent charges were handled.

If there is a disputed charge of any amount the credit agency sends a notice to the seller. The seller MUST provide signature evidence related to the transaction within a period of several days or the charge is automatically reversed (charge-back).

If the signatory proof is produced, but the signature does not match the one on file then depending on the amount one of two things will happen: the credit lender will request video footage and or supporting documents related to the sale, or the credit lender will eat the charge and the seller does not get charged-back.

In the event of a suspicious pattern of claims of fraudulent activity the credit lender reserves the right to investigate the card holder to the extent that they may request video or other documentary evidence related to purchases made by the card holder at any location that accepts the credit card as tender. It is up to the legal department of the seller whether to comply, but my experience is that they always do. All major retailers with which I am familiar have procedures set up for handling charge-back notifications in-store, without legal department approval providing the request for documents falls withing a predefined range of appropriate disclosure (usually does not include video which is a separate approval process).

Always sign your slips with a distinct signature, never try to screw with your card provider. These guys are serious and have entire departments dedicated to identifying patterns of fraud... you are not excluded even if your fraud pattern is only going to include small amounts.

Regards.

Re:yeah yeah

[Colin+Smith]

Okay, whatever manipulation of the monetary system the Federal Reserve does, individual member banks aren't actually allowed to print money at will. They banks still have to pay interest on the borrowed money. I hope you were joking about that. Yes they are, they really do get permission to magic money into existence. They don't have to borrow it from The Reserve, or pay interest on it. The limit they can magic is based on their reserve ratio (seems to be about 3% for most banks) and the amount of deposits they can acquire. I couldn't believe it either at first. I wish I'd understood this while I was at school, I'd be a banker now.

Money doesn't grow on trees, it's easier than that, it's magic'd into existence.

Back on topic. This does explain the bank and credit card companies extremely relaxed attitude to credit card fraud. They're not actually taking a loss when they money gets spent, and then queried, the money has been magic'd. They are simply not going to make as much profit as they might have.

Re:yeah yeah

[AndersOSU]

Merchants will do whatever the hell they want with a credit card, with no apparent rhyme or reason.

The one that really has become a pet peeve as of late is asking to see my ID when I have a signed card. Now I don't have a reference link handy, but somewhere I've read that the merchant's agreement with the CC company actually forbids them from asking for ID if a signed card is presented. I consider this a good thing, because frankly, I don't trust that cute checkout girl at the grocery store, and I don't want to have to show her my ID. (lets not even get into the one with the three teeth and the short line three registers down)

Not that I've ever been outraged enough to raise a stink (I carry the CCs for convenience after all,) but I've been considering sending the CC company an email every time someone asks for my ID, maybe they'd have a word with the merchant for me.

Re:yeah yeah

[Rakishi]

They don't create any money in this way at all, they simply move it about. When you put your money into a bank the whole point is that the bank is free to do whatever they want with the money. They never claim that they will hold it in their vault or some such. The great depression was partially caused by that very fact, everyone wanted their money out of the banks and the banks couldn't give it to them since they no longer had it.

Re:yeah yeah

[Blnky]

With respect to credit card signatures, I think most readers will find these very interesting...

• How crazy would I have to make my signature before someone would actually notice?
• How far could I go before they would check my credit card signature?
• Do credit card companies really care about identity theft fraud?

Re:yeah yeah

[eln]

So what about those stupid electronic signature collectors? Some of those things are so badly broken that all you can manage to produce is one line after signing your entire name. Even if they are working properly, they will often only produce a blocky straight-line approximation of your real signature. How can these be accepted as valid signatures by anyone?

Re:yeah yeah

[AuMatar]

You realise its the exact opposite- its far better to have them ask for id. The chance that someone steals a credit card and makes a matching fake id is low. It actually gives you and the merchant a measure of security. The only risk of showing id is the risk of the checkout person remembering enough information to do something with it 4 hours from now when they get off shift. I get pissy when a merchant *doesn't* ask for id.

Re:yeah yeah

[Colin+Smith]

They don't create any money in this way at all Eh, yes that's exactly what they do. As long as they hold 3% worth of deposits they can multiply it, in this case ultimately about 30 times as they loan it out.

How else do you explain the fact that the credit card companies aren't breaking down the doors of the fraudsters and auctioning off everything they own? It's because credit card fraud is no big deal.

In fact, in the UK the police aren't even told about credit card fraud.

http://www.fairinvestment.co.uk/financial-news-Ban ks-defend-new-credit-card-fraud-reporting-rules-18 188855.html

And that is because it's not real money. It's magic'd money.

Very few people understand this yet, which is why there's still outrage over the new rules.

http://news.bbc.co.uk/player/nol/newsid_6220000/ne wsid_6225000/6225020.stm?bw=bb&mp=wm#

Re:yeah yeah

[gurps_npc]

You have a serious lack of knowledge about this subject.

You are making several false beliefs.

1. People that take out loans generally do NOT deposit the full amount back into the bank. Usually they deposit a minutre fraction.

2. People default on loans is an immediate and DIRECT loss to the bank.

Here it works like this in real life.

I deposit 100 to the bank.

The bank loans out 900 to various people (using my 100 and a 10% reserve)

The bank really wishes those people would deposit it back to them, but they don't. Instead they spend it, where it eventually gets deposited into a DIFFERENT bank. Currently the bank is +100 real, -100 withdrawable, -900 loaned out, with 900 IOU to the bank.

A year goes by.

The bank has received about 70 in interest on the money they loaned out, but paid me 3. 167 real, -100 withdrawable, -900 loaned, 900 IOU

80 has been paid off by people that made their money and closed out their accounts, in real cash (likely from another bank's loan). 247 real, -100 withdawable, -820 loaned, 820 IOU

I withdrew 50 of my original money. 197 real, -50 withdawable, -820 loaned, 820 IOU

AND MOST IMPORTNATLY, they have 100 in defaults, that they sold off to a collection agency for 5. 203 real, -50 withdawable, -820 loaned, 720 IOU.

Now, they technically have a problem. They are not allowed to just keep -820 loaned on the books unless they have 820 IOU. So they do book keeping and in effect pay off their extra 100 loaned dollars with real money.

103 real, -50 withdrawable by me, -720 loaned, 720 IOU.

This ends the year. They have a net 53 real profit, and can loan out approximately 310 more dollars.

The loss was a real loss, cause they HAVE to pay off their own loan when it defaults.

Re:yeah yeah

[Rakishi]

Eh, yes that's exactly what they do. As long as they hold 3% worth of deposits they can multiply it, in this case ultimately about 30 times as they loan it out. They don't multiply anything. You're simply operating on the assumption that the money you have in the bank actually exists which it doesn't. As I said, if people tried to withdraw more money from a bank than there are reserves of the bank would be screwed (well not that much, thanks to federal insurance on deposits). If they actually made money then there would be no problems with this scenario. A bank is essentially an investment in essence. You give them your money so they can loan it out to other people, thats how it works.

How else do you explain the fact that the credit card companies aren't breaking down the doors of the fraudsters and auctioning off everything they own? It's because credit card fraud is no big deal.

And that is because it's not real money. It's magic'd money. Actually its because in many cases its the merchant not the bank that is liable for fraudulent transactions. So they literary lose nothing from fraud in monetary terms and possibly even make money from fraud.

Re:yeah yeah

I always just say no to the request for additional ID. I've never had anyone refuse to take the card because I didn't provide ID.

Re:yeah yeah

[Colin+Smith]

They don't multiply anything. You're simply operating on the assumption that the money you have in the bank actually exists which it doesn't. Well now you're getting philosophical.

You give them your money so they can loan it out to other people, thats how it works. uhuh. I give them 100 in cash. They take that cash and loan 95 out. Strangely, it comes back to them because that's what you do with money. They now have 195 on deposit. They get to loan out 185 of that, which comes back again as more deposits. Giving them deposits of 380 and loans worth 280, on an initial deposit of 100. Repeat until total money equals up to 2000 for a 5% ratio.

How is that not multiplication? They are multiplying the money and the debt.

Actually its because in many cases its the merchant not the bank that is liable for fraudulent transactions. So they literary lose nothing from fraud in monetary terms and possibly even make money from fraud. That's just icing. There's nothing for them to lose, maybe a bit of interest.

Re:yeah yeah

[allacds]

According to Visa's Rules for Visa Merchants: http://usa.visa.com/download/merchants/rules_for_v isa_merchants.pdf

Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures

So you can't *mandate* that someone provide ID in order to complete their transaction. But at least with Visa, merchants do have the right to ask (knowing that you don't have to give it to them).

Re:yeah yeah

[Actually,+I+do+RTFA]

How was parent modded Informative? Read the wikipedia article he references. The bank has a stack of IOUs (from borrowers to it) a stack of IOUs (from it to depositors) and a stack of singles. Notice how the IOUs from the borrowers plus the stack of singles always equals (in this example) the stack of IOUs that the bank owes? This is because their assets (IOUs from the creditors and I'm folding cash in as well) balance their liabilities.

They are forced to have a certain percentage of the money they owe in their pocket so to speak, that is, as a cash reserve. This percentage is the reserve ratio.

So in other words, the banks take money from me, and instead of just putting it in the vault and then giving me more money later, they loan it to someone else (and charge them interest). They do this for many many people. So while we cannot all get our money at the same time (the proverbial "run on the bank") we can get our money back.

If you watch "It's a Wonderful Life" they have this scene where a banker has to explain this to someone.

And now, in a shameless appeal to authority, I've got to put on my 21st hat and deal with my company's books.

Re:yeah yeah

Just sign it AND write "See ID'. Then you too can avoid being frowned upon by postal employees and not asked for ID anyways by everyone else.

Re:yeah yeah

[Firethorn]

Uh... it sounds like you're talking about profits. Which at a normal bank would be paid in a dividend to the investors.

Strangely, it comes back to them because that's what you do with money.

If you think that people just borrow money to put it into a bank, you're mistaken. I borrow money, it's for a car, house, whatever. Now yes, fractions of that are likely to end up in banks, but not to the extent you're talking about. In the case of a new home - it goes towards paying for all the building materials and salaries for the construction workers who put it together. Physical goods.

Even if stuff ends up in the bank - remember, they have assets in the form of loans - it's not as secure as cash - but it's pretty good. Otherwise interest rates wouldn't be so low.

Re:yeah yeah

Well merchants can refuse to sell you anything for (almost) any reason (not they have to give one). They're not obligated to have you as a customer.

Re:yeah yeah

[jack455]

Banks can loan many times their actual capital as I undertand it.

Re:yeah yeah

[Rakishi]

How is that not multiplication? They are multiplying the money and the debt. No, they're multiplying the debt only. The amount of money stays exactly the same. By your logic I can generate infinite money as well. All I need is say $1 and a friend. I lend him $1. He lends me $1 back. I lend it to him again. Repeat for however long we want. I now owe him $1 million and he owes me $1 million and a dollar. In the end there is still only a single dollar with which I can buy things.

That's just icing. There's nothing for them to lose, maybe a bit of interest. A bank is based on interests and profits. To a company losing either is no different from you losing money.

Re:yeah yeah

[glitch23]

How does this process (charge backs, preventing fraud, etc.) work when the purchases were made over the Internet using a credit card (and thus no physical signature)? Is it totally different or irrelevant?

Re:yeah yeah

[Dare+nMc]

Giving them deposits of 380 and loans worth 280

as you say, they are paying interest on $380, getting interest on $280, so they do have to pay that money back, and thus get it back.

Once you multiply it out to the $2000, thier is just $1 out in someones pocket to be spent of the original $95, granted from that original $95 the banks are paying interest on $2000, and getting paid interest on $1800 (granted some of that money is really low interest, IE you checking account may draw no interest, and their only paying you in paper work, and services for your money.)

That still leaves the bank needing to get back their credit card debt in order to pay their creditors, but since they are making the difference in interest rates on more than the original $95 it happens quicker than otherwise expected.

Re:yeah yeah

[fluffman86]

Amen to the parent. I ALWAYS write "CHECK ID" on the back of my card with a Sharpie (R), and I EXPECT the cashier to ask for it. They often apologize--"Sorry, but I have to check your ID. The card says so."--to which I reply with a big smile and a "No, *thank you* for protecting me from unauthorized purchases. I actually get kinda mad when people don't ask for my ID."

Re:yeah yeah

[Blkdeath]

The one that really has become a pet peeve as of late is asking to see my ID when I have a signed card. Now I don't have a reference link handy, but somewhere I've read that the merchant's agreement with the CC company actually forbids them from asking for ID if a signed card is presented. I consider this a good thing, because frankly, I don't trust that cute checkout girl at the grocery store, and I don't want to have to show her my ID.

Why, because she's going to memorize your driver's license number, address, birthdate, issue date and expiry date and create a fake ID from memory when she gets home? What's more likely, scenario #1 above or scenario #2 where somebody gets hold of forged credit card data (perhaps your own), makes a few fake cards and sells them for $100 apiece and you get stuck with the tab?

Re:yeah yeah

[Blkdeath]

If there is a disputed charge of any amount the credit agency sends a notice to the seller. The seller MUST provide signature evidence related to the transaction within a period of several days or the charge is automatically reversed (charge-back).

Close, but not quite. If/when there's a dispute, the credit card company reverses all disputed funds and then demands signatory proof. If there's no electronic swipe of the card on record, they also demand an imprint to go along with the signature.

When I was working for a pizza delivery restaurant (mom & pop shop) they had a customer who ordered about $40-50 worth of food about 3-4 nights a week. Pretty much the same stuff each time; fried foods, milk shakes, cans of pop, stuff like that. After about 12-15 orders, Visa reversed the funds for all of his orders and demanded proof; the customer had called 'fraud'. Due to different drivers at different times (and their respective attitudes towards being thorough) the store had let's say 12 receipts with only 9 imprints. A couple of the imprints were deemed illegible so only 7 of the 12 charges were allowed to go through.

The contention of the store, and it took a lot of fighting to get this point across, was that the orders came from the same phone number (verified with caller ID), followed the same pattern, came at the same time of day (late at night), went to the same address and obviously if the first 7 were correct then why not the other 5?!?

It was later discovered that this individual (a casual drug user who had a Sherrif's notice of eviction on his apartment door, incidentally) had recently been sent the card in one of those "You're Pre-Approved!" style mail-outs, activated it for however many thousand dollars they'd give him then started going wild ordering from several restaurants. Basically anybody who'd deliver to his crummy building. I'm not sure what happened to him in the end but for the pain he put the merchants through and the money he cost the Visa fraud team and the credit he blew through on that card I'd hope that he's atleast a guest of the Province for the next 5 years of his life, but hey, what can you do right?

Re:yeah yeah

[SimonBelmont]

You apparently lack knowledge on the subject too. If you desposit $100 in a bank with a reserve ratio of 10%, they can loan $90. Not $900. The way that (theoretically) that deposit creates $900 of "funny money" is that if they lend me $90, I buy something with it, and the seller then deposits that $90 in the same bank, they can then loan another $81. They can keep loaning progressively smaller amounts as long as the money comes back to them, up to a limit of $900. This is *not* the unbounded system you and so many other people seem to think, where the bank can loan more than it has and grow its IOUs exponentially. Every dollar loaned is a real paper dollar deposited by someone. The "inflation" comes from the fact that the bank doesn't actually keep enough in the vault to back all of its own IOUs. As long as people don't all rush the bank simultaneously to withdraw their money, this isn't a problem. It also doesn't matter a whole lot which bank the money goes to. They're all part of one reserve system. And if there's enough economic activity, then the loaned money *will* come back to the bank indirectly. If a bank is loaning out more than is coming back to it, that means they have a decreasing share of deposits, so if the market is stable, the money has to come back.

Re:yeah yeah

[SimonBelmont]

The signature on a credit card is NOT a form of ID. The cashier is NOT required (and should not) compare your signature on a receipt to the signature on the card. The signature indicates that you have accepted the cardholder agreement, thus making the card legitimate (otherwise you would not be liable for charges to the card). What the cashier is supposed to do is ask for a photo ID such as a driver's license, to compare with the name on the card. For a large enough purchase, they will always do this. The real reason you don't need to sign or show ID for small purchases is that the bank figures, at a certain incidence rate of fraudulent charges, and with the cost of investigating fraudulent charges and initiating proceedings to recover the money, for charges less than a certain amount it is cheaper for them to eat the loss from fraud than to try to prevent it. Really, you as the end consumer shouldn't really care one way or the other - as long as the bank says you are not liable for fraudulent charges (most do), and they are reasonable about handling fraud complaints (i.e. don't try too hard to screw you), then security is the bank's problem, not yours. And since banks are large businesses with lots of books to keep, they are probably pretty good at figuring out what it worth doing or not as far as preventing fraud.

Re:yeah yeah

[jabberw0k]

Wrong. According to Visa's Rules for Visa Merchants: http://usa.visa.com/download/merchants/rules_for_v isa_merchants.pdf

Page 28 directs the sales clerk, "The final step in the card acceptance process is to ensure the customer signs the sales receipt and to compare that signature with the signature on the back of the card..."

On page 29, note "Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures..."

(emphasis mine)

There is no requirement to possess, much less carry, much less produce on demand, any identification other than your signature.

Re:yeah yeah

"Top 5 companies who like shoving acceptance of homosexuality on TV: Ford, Toyota, ATT, Procter and Gamble, and Revlon."

God forbid we should promote tolerance - much better that bigotry is espoused as a national value.

Re:yeah yeah

[Bastardchyld]

This is true... However if they have already made a binding agreement (with say, i dunno, VISA) that they will not make ID a requirement for purchase then that takes precedence over there right to refusal of service, they did after all agree that away once the transaction has gotten to that point. Not to say they can't excercise that right at all, they just can't do it for that reason.

Re:yeah yeah

[AndersOSU]

I guess the way I see it is that I can protect myself from unauthorized CC transactions by not losing my card, or at least be aware if my card gets stolen or goes missing. (sure that doesn't protect me from a clerk writing down or memorizing the info on the card, but hey it's pretty easy to dispute a fraudulent CC purchase.

What I can't protect against, or foresee is someone getting the information from my ID and my CC and using that to impersonate me.

Re:yeah yeah

[oncebitter]

I always thought the signature provided the retailer with some degree of security.
Which made me very confused when I bought a $400 iPod at the Apple Store in San Francisco and they just swiped my card and sent me on my way. I asked the clerk what they'd do if I denied making the charge and he just looked at my blankly and confused, insisting the card-swipe was sufficient.

Re:yeah yeah

[tthomas48]

Which is more likely? #1. You'll only get stuck with about $50 worth of charges if you report it missing right away. The poor merchants on the other hand.

Re:yeah yeah

no, she'll have a camera, a card reader, etc at hand and promptly make the relevant copies. at least thats a rough idea of where i'd start if i was going to do it.

Re:yeah yeah

[glitch23]

God forbid we should promote tolerance - much better that bigotry is espoused as a national value.

I don't have to accept their lifestyle nor do I have to tolerate it. I don't see any other special interest group trying to get society to accept them so why do homosexuals need to do it? I don't tolerate murderers and rapists for the same reason I don't tolerate homosexuals: it is wrong. Nothing says that I have to accept any of those groups or their actions. Even a hate crime only comes into play if I invoke physical violence on a homosexual (although they are getting so much special treatment lately that a bill is trying to be passed where simply saying something that may hurt their feelings would be a hate crime). Promoting tolerance is the same as saying it is okay and it is not. Even Christians, who are always branded as pushing their beliefs onto others, do not have corporate backing like the homosexuals do. If corporations promoted tolerance of Christianity people like you would be up in arms saying "Don't push your beliefs onto others when it isn't invited" or something to that effect. I don't want homosexual beliefs pushed onto me because it isn't invited and millions of other people feel the same way. Care to explain that double standard? God forbid we should promote tolerance of Christians - much better that bigotry is espoused as a national value.

Re:yeah yeah

[pintpusher]

Why, because she's going to memorize your driver's license number, address, birthdate, issue date and expiry date and create a fake ID from memory when she gets home? I actually know two people who can do this and they've both worked as doormen at my bar. That means they could pick out any id-card from the stream coming through the door each night and use it to make a fake id whenever they wanted. Thankfully, they're both decent guys.

You should see how the cops react when they encounter that. We had a cop chatting with the doorman one night (there was some altercation on the street and they were yucking it up about drunk people). The doorman checked an id while continuing the conversation, and waved the girl in. The cop stopped her and asked for her id again and proceeded to quiz the doorman about it. He got every fact right. The cop was just shaking his head in disbelief.

So yeah, people can do it.

not saying its likely, but knowing two of them is pretty freaky.

Re:yeah yeah

[Blkdeath]

no, she'll have a camera, a card reader, etc at hand and promptly make the relevant copies. at least thats a rough idea of where i'd start if i was going to do it.

I'm so sure somebody can look at dozens of IDs all day and then pick one of them from memory and re-iterate a 15 character license number, full name, address, birthdate, issue date and expiry date, all the while recalling and re-creating the very same individual's credit card, getting the security digits from the back and making a reasonable likeness of their signature during a particular 15 second transaction.

... all without the slightest inkling of something awry by the cardholder.

Please, stand still so I can take a picture of you, your ID, and your credit card. Don't mind the second card reader sir; it's just procedure.

As to the doorman who can recite pieces of information after viewing an ID? Yeah, great party trick. I know people who can do that too. Now, show them about 200 drivers licenses over the course of an eight hour shift and then have them recall all the details about number 74. Uh-huh. Thought not.

Credit card companies warn against letting a server walk away with your card so that it will be swiped away from your presence. It is, however, much more difficult to accomplish all this while the customer is standing in front of you; especially if the customer is already aware enough that their ID is being checked.

For the record; I'm carded all the time at the beer store. Not related to the fact that I'm using my credit card to pay, but because I have a very young face so I've been ID'd constantly for the past ten years. My ID remains in my hand, the person behind the counter takes a quick visual scan then proceeds to ring in the transaction. It's not rocket science and I've never been worried about my identity being stolen.

You black helicopter folks can put down the X-Files DVDs and join us here in the real world where people don't scan your identity with their bionic eyes. You're more likely to have your credit card number stolen in a computer/database security breech than you are by being double-swiped in front of your eyes. (Reference the recent 'Winners' breech that netted theives several hundred thousands credit card numbers, etc.)

I dunno.....

maybe??

--
Jaap van Ballspoogen

ofcourse..

is contactless sex safe? ofcourse.. I rest my case, your honor..

Re:ofcourse..

[Idbar]

Typical /. user... showing off about their knowledge on "contact-less sex".

Re:ofcourse..

get a funny bone, oh wait, you are spineless

Cost of investigation

[nuggz]

It's simply not worth it for anyone to investigate and verify small charges. So why even bother paying to keep a paper trail nobody will ever use?

If it's a fraudulent charge report it.
It seems to me the usage based flagging works just fine anyway.

Are they insecure... Yes.

[Irvu]

Look, encrypted or not the RFID chips simply send out a unique signal. A signal that, once trapped, can be recoreded and reused. For the true "contactless" payment systems this contact is the only one. Unless the number changes in response to some handshake (something that isn't being done in the present generation of Contactless systems) then possession of the key is the only security and, in absence of a signature or indefinitely stored security cameras, the only record of the card's use.

Lacking the independent verification this is begging for an attack.

Re:Are they insecure... Yes.

[gurps_npc]

Not really. The chip can also include a simple clock. Then it changes per the time, not a handshake response. If the time says 5:43 and 12 seconds, but the RFID signal decrypts to 4:23, yesterday multiplied by the secret number, that is a lot different.

Re:Are they insecure... Yes.

[ad0gg]

RFID uses a challenge/response system which prevents replay attacks. The secret code is never sent over a non secured channel. If you manage to capture the transaction and replay the capture data, it won't work since the challenge will be different. The attack that you have to worry about is hacking the challenge response encryption.

Re:Are they insecure... Yes.

[bogado]

The real problem here is a "man in the middle" attack, the bad guy can be the fellow with a big bag beside you in a crowded train he would have a friend in a store that could be anywhere in the world that accept the wireless card, with his card he would start the negotiation, the friend would relay every bit sent to his card to your card and vice versa. Those communication are low speed and since the card need to charge up to reply I would guess that even with a reasonable lag this could still work.

Things could be badder, I don't know how close one must be to actually talk to a card, would a powerful transmitter be able to talk to a card from a far away distance?

Re:Are they insecure... Yes.

[swillden]

I don't know how close one must be to actually talk to a card

Nominal maximum range for an ISO 14443 device (a contactless smart card) is 4 cm. Under carefully controlled laboratory conditions, you can get 2-3 times as much range, with difficulty. In real-world conditions it's pretty rare to get even 2 cm. Normally it's less than 1 cm.

would a powerful transmitter be able to talk to a card from a far away distance?

Not really. A very powerful transmitter can power the chip from farther away, but the nature of the way the chip is powered by the transmitter's RF field means that power drops with the cube (not square) of distance. So to do it from very far you need a *lot* of power -- and be careful not to get this powerful transmitter too close and fry the chip. The bigger problem, though, is receiving the chip's replies. It doesn't matter how much power you feed in, the chip's transmissions are very weak. A high-gain, tightly-directional and precisely-aimed antenna in a low-noise environment can pick up the signal from a few meters, sometimes.

No, if you want to talk to a card at a distance, your "man in the middle" idea is the way to go. Put a battery powered smart card reader within a couple centimeters of the card, and have it communicate to a remote computer via a Wifi or some other long-range technology.

No, but they're secure enough

[tbo]

It's obvious that contactless payments are vulnerable to at least one type of attack--a real-time relay. This usually would require two "attackers" working in tandem. The first carries a modified "contactless reader" in his pocket, and stands near somebody who is carrying a contactless card (perhaps on a bus or another crowded place where it won't be too obvious. The second attacker carries a device that can act as a contactless card "repeater", with a real-time data link to the first attacker's "reader". The second attacker walks up to the reader in a store, and waves his repeater at it (perhaps hidden in his wallet, in the same hand as a dummy card so as not to arouse suspicion). The store's reader sends a signal, which is picked up by the second attacker's repeater, transmitted to the first attacker's modified reader, then broadcast to the victim's card. It responds appropriately, and its response is relayed back to the reader in the store. It's not necessary to break any encryption to do this, and there's no real way to prevent such attacks except perhaps very tight timing tolerances.

I thought about all this when the bank sent me a contactless VISA, and I initially considered refusing the card. Then I realized that the bank will take the hit on any losses, and has presumably done the math to determine that the increase in risk of fraud is acceptable, at least for small purchases. In other words, it's secure enough.

Re:No, but they're secure enough

[Loether]

Great points about the vulnerabilities.

Although you are incorrect about who will take the hit from fraudulent activities. It's the businesses that will take the hit. As any business that accepts credit cards will tell you fraudulent charges comes straight out of the businesses pocket not the banks.

The merchant is generally liable for credit card charge backs, even when the bank has authorized the transaction. After a merchant is stung by a fraud, the credit card processors often hike their rates, citing increased risk. The merchant also risks losing their accounts with the card companies if their fraud rate gets too high.

http://www.wiscocomputing.com/articles/ccfraud.htm

Re:No, but they're secure enough

[Threni]

> Although you are incorrect about who will take the hit from fraudulent activities. It's the businesses that will take the hit. As
> any business that accepts credit cards will tell you fraudulent charges comes straight out of the businesses pocket not the banks.

Not in the UK with Chip and Pin cards. Read this:

http://en.wikipedia.org/wiki/Chip_and_PIN

Especially the section "Decreased liability for banks". Now you have to prove you didn't let anyone see you entering your pin number. Any idea how you can do that? Several people in the UK who've been ripped off and not compensated by the banks would love to know...

Re:No, but they're secure enough

[AnyoneEB]

There seems to be a trivial solution to this, although it does impact ease of use: the user has to press a button on their card to accept a transaction. Even better if there is a screen on the card showing the amount of the transaction. Then again, this would make the card more expensive and may not be considered worthwhile. Also, it would just narrow the window for the attack you described. It would still be possible, just more difficult.

Re:No, but they're secure enough

[RobertLTux]

of course "button" may just be a tiny area on the card that has a make/break zone (think a pair of traces that overlap but dont connect).
maybe even a momentary connect would be needed (so you hit the button and then release to trigger)

What?

[BobMcD]

This just doesn't track with me. The article fails to explain:

1) How Contactless is necessarily more or less secure than 'Magnetic Strip' cards. Both would require special technology to replicate. Both would store the same information. I'm assuming there's a threat vector of someone wanding your entire wallet, but that isn't in the article. Is it assumed?

2) Why do fewer 'small ticket' restrictions mean any more of a threat on Contactless than on Magnetic?

3) Why are 'small ticket' restrictions a threat at all? Isn't this just more of the same old credit card fraud?

Frankly if they'd just forbit the 'small ticket' waiver for not-in-person transactions, I'd be fine with it.

Who wants a Big Mac?

Re:What?

[p0tat03]

1 - For someone to copy the data on my magnetic strip card, they would have to physically swipe it. This has been done before (gas stations, anyone?). For RFID devices, however, this data is accessible to anyone in your near proximity with a reader (which is easy enough to hide). So basically, your data is only at risk when your magnetic card leaves your wallet (and sight!), but your contactless card is at risk of copying always.

So while contact cards are not exactly foolproof, they are much harder to thieves to get their hands on.

Contactless becomes much more secure (than even contact cards!) if you implement a challenge-response system. In this case since the signal sent is different for every transaction, it is impossible for someone to read the present value of your card and re-use said value later on a copied card.

Re:What?

[ScrewMaster]

In this case since the signal sent is different for every transaction, it is impossible for someone to read the present value of your card and re-use said value later on a copied card.

That's only true so long as details of the algorithm used to generate the codes stay secret. They won't forever, and eventually the bad guys will be able to duplicate the functionality of a legitimate reader. There's a lot of money in credit card fraud, and a lot of very bright people (at least as smart as the folks developing the technology itself) willing and able to crack any scheme. Honestly though, that really won't matter.

This is like any security system: can it be broken? Sure. Will raising the bar keep a lot of lower-level thieves from coming to the party? Absolutely. Take CSS ... there are tools out there to crack a commercial DVD in minutes, but CSS is still a perfectly good content protection system because only a small fraction of viewers have any idea how to find or use such programs. If you can make your system good enough that only the really smart ones can get around it, you've won the battle.

Re:What?

[lgw]

A good challenge-response system is much harder to crack than you seem to think. The goal is *not* to prevent someone who has an unlimited amount of time to work on a card from duplicating it (as is the case with CSS and its ilk). It's a much simpler problem: make it harder to duplicate a card than it currently is to duplicate a magstripe card. And that's quite doable. Merely recording an exchange (or 1000 exchanges) between the card and the reader gets you nothing.

Of course, that fact that the crypto exists to make is possible to produce hard-to-duplicate cards in no way means the banks will choose such a method. The threat is not that this is a hard problem to solve, but that the banks simply won't care enough to solve it.

Fraud Considerations

[VorpalRodent]

I've noticed this more and more as of late, and hadn't really considered what the rationale behind it was. However, I do wonder: what impact does it have for credit card fraud and related crimes? As it stands, no one near where I live checks the signature block on my card (except rarely). Now, they won't even have to.

The other concern I have is that the onus is being shifted more and more onto me to identify when I may be at risk. While I admit, I should be aware if I misplace my card and should get the card immediately canceled, it certainly doesn't help matters when the card can be used without even handing it to the cashier (and they just click through the prompt that tells them to verify the signature).

I suppose its the same as any of the trade-offs we make in this society - I like the convenience, when it benefits me, but you can bet I'll be complaining should that ever come back to bite me.

Signatureless, no change. Contactless, problem

[russotto]

Since almost nobody checks the signature anyway (other than occasionally to check if the card has a signature), eliminating the signature requirement doesn't change much. However, using contactless for credit card transactions has the same security issues as any other contactless system. One of which is that the system can be surreptitiously interrogated by a fraudster. Sit down with your fraud-o-matic for 15 minutes on a Saturday in any mall, and collect hundreds of card numbers as people walk by. (and yes, if you RTFA, you'll find that some of the systems really do transmit the number in the clear)

Signature is pointless

[Mr.+Underbridge]

Visa, for instance, doesn't require your signature for purchases at or below $25."

I think they've finally realized a simple truth: cashiers aren't handwriting analysts. Nor would they have sufficient sample (ie, 1, from the back of the card) to perform the analysis if one happened to be so trained.

The signature provides virtually no up-front protection. As far as I can see, the signature serves one purpose: to allow the card company/merchant to investigate, after the fact, whether purchases you are claiming are fraudulent were actually signed by you (and even that's tenuous). At best, it allows them to compare a signature in question to your past signatures to see if it matches. A signature might, at best, prevent cardholders from buying something, getting remorse, realizing they can't return it, and claiming fraud.

If I have a stolen card (and preferably a fake driver's license to accompany), and practice the signature on the back of the card 100 times, there is no way it'll get spotted at the counter.

Re:Signature is pointless

Well, your post is a bit disturbing because it shows that you either have never made a credit card purchase before or never read what you were signing. The purpose of the signature is to indicate your agreement to pay for the goods or services rendered to you and not decide to charge them back after you receive them and claim you did not purchase them.

Re:Signature is pointless

[Control+Group]

I think they've finally realized a simple truth: cashiers aren't handwriting analysts. Nor would they have sufficient sample (ie, 1, from the back of the card) to perform the analysis if one happened to be so trained

Beyond which, the security measures they put on the signature line on the back of the card conspire to mean the signature is virtually impossible to see (unless you sign with a Sharpie...in which case it doesn't fit), and even if you were able to read it, sliding the card in and out of readers (esp. gas pumps) smudges out whatever you wrote there.

I've been kind of surprised lately at the number of cashiers who have checked the back of my card against the paper slip, but I have no idea what they think they're looking at, since the signature on the card is barely visible - much less easily susceptible to accurate scrutiny.

Re:Signature is pointless

[c_sd_m]

Sign with a fine point Sharpie, let dry, and cover with scotch tape. Replace tape as necessary. If a cashier doesn't like it then peel off the tape.

Re:Signature is pointless

[Mr.+Underbridge]

Well, your post is a bit disturbing because it shows that you either have never made a credit card purchase before or never read what you were signing. The purpose of the signature is to indicate your agreement to pay for the goods or services rendered to you and not decide to charge them back after you receive them and claim you did not purchase them.

No shit Sherlock, my point is that the signature is pointless as an authentication device regarding that selfsame authorization. I'd thought that would have been obvious, but if you sign your posts I'll use smaller words and state the obvious in the future.

Main problem with RFID

[vlad_petric]

The existing, time-"proven" cryptographic methods are too expensive, from a power standpoint, to implement on cheap RFID systems. (between secure and cheap, cheap seems to always win). So manufacturers use proprietary hacks to allegedly achieve the same type of operations (e.g., authentication via challenge/response). However, these hacks are nothing more than security via obscurity.

Re:Main problem with RFID

[swillden]

The existing, time-"proven" cryptographic methods are too expensive, from a power standpoint, to implement on cheap RFID systems.

Depends on what you mean by "cheap". A $3 contactless smart card can perform AES, SHA-256 and RSA operations sufficient to execute a high-security transaction in < 500 ms. If you can eliminate the need for PK (which you can), then transactions of less than 200 ms are possible with cards that cost less than $1.

Re:Main problem with RFID

[vlad_petric]

Interesting!! Can you provide a link to a spec page?

Re:Main problem with RFID

[swillden]

Look at any of the current-generation, RSA-capable cards from the major manufacturers, which these days is pretty much down to G&D, Oberthur, Gemalto and NXP. For a while, JCOP was the only Javacard OS to get such fast transaction times, but that was a few years ago and they can all match it now (or close), at least with the symmetric crypto. Most of these chips even have hardware DES coprocessors that execute DES operations in microseconds. I worked with JCOP 40 on a Philips/NXP chip a couple years ago, and according to the manual each DES operation takes 10 microseconds -- in contact or contactless mode. I haven't seen any specific timing information on AES ops, but AES is significantly more efficient than DES. Of course, at present AES is mostly implemented in software, so 3DES on hardware is a little faster. But the times are still very, very fast I'm sure.

There's a good chart of timings floating around, but I can't find it right now. If you look at page 22 of this slideshow you can see some old timings of JCOP. These times were industry-leading a few years ago, but they're nothing special now. I keep mentioning JCOP because it's an IBM OS, and I work for IBM so it's what I'm most familiar with.

Note that to get the prices I mentioned, you have to buy tens of millions of units. The smaller the order the larger the unit price.

DMCA based security

[cromar]

The industry says it has collectively invested in a substantial backend solution designed to dynamically validate contactless payments on the fly using card verification numbers (CVCs) that are securely generated and transmitted along with account information. How this system works exactly is not known to the public, and that makes security researchers like Fu very nervous.

Translation: The industry will rely on the DMCA for security.

P.S. RFID is crap. Get a clue!

Re:DMCA based security

[Orange+Crush]

P.S. RFID is crap. Get a clue!

I think RFID is great! Much better than barcodes for inventory tracking. Maybe someday RFID readers will be common in cell phones and I can wave my phone by a product and find out if it's available at a lower price down the road. I mean, there are lots of really great uses for passive RFID tags.

Living in Orlando which has lots of toll roads, I'll even commend the RFID toll payment system--whiz through the fast lane and pay the toll without even slowing down. It's a battery powered device that sticks behind my rearview mirror and has reasonable security and accountability. There's a limited amount in that account, I must authorize re-fills, and if the balance recorded in the tag doesn't match DOT/Expressway Authority's records, the potential breach would be detected quickly.

That being said, I don't want one in my credit card. Ever. I'm even paranoid about RFID "keyless" entry and ignition systems appearing in cards. If RFID product tracking is compromised a cashier or stock clerk might have to key in a few UPC codes manually. If my E-pass is compromised, I stand to lose, at most $25.00. Credit limits and car values are much much higher. Call me old fashioned, but I prefer at least a *touch* of physical security for non-trivial amounts.

It's not a question of whether they're secure.

It's not a question of whether they're secure. It's a question of the fiscal sense that it makes to require or not require contact. It's very possible that the cost to require contact is greater than the cost to rectifiy fraud.

Re:Signatureless, no change. Contactless, problem

[Delta-9]

"Since almost nobody checks the signature anyway"

Its been my experience that about 10-20% of the people I had my credit card to actually look at and read the signature on my credit card. I have "PLEASE SEE ID" written in that box and it would be a stretch to say that more than 1 out of 5 purchases result in the person asking for my ID.

Often times the cashier will flip it over and look at it, but won't bother to ask for my ID. I partially do this to see if they will ask for my ID. I hope that if I ever lose my wallet and someone tries to use my credit card that they get that 1 out of 5 that actually asks for the ID.

I also make an effort to thank the people that actually do ask for my ID.

Immuneid RFID

[ktija]

Present This Our new Venture, www.immuneid.com - Patented and ready to be a terrific oportunity to move on. Immune ID works in a very simple, safe and practical way. With Immune ID on documents, credit cards and credentials, the identification device on them will always remain deactivated unless the user activates them through physical touch. Without human contact, any reading and/or writing attempt will fail. Thus, your information is protected from harmful use. The user will also have a visual and/or audio confirmation included in the device*. Immune ID is an innovative protection system for all electronic documents using technologies such as RFID, Rubee, Smart Dots, EAS, etc.: passports, credit cards, driving licenses, access cards, etc. Some recent and important information regarding the Immune ID initiative. Hillary Clinton Initiative: http://www.washingtontechnology.com/online/1_1/298 88-1.html?topic=daily_news (following our communication) http://rfidlawblog.mckennalong.com/archives/federa l-legislation-senator-hillary-clinton-to-introduce -comprehensive-consumer-privacy-legislation .html US Passports Shield Demo Vulnerabilities http://www.youtube.com/watch?v=-XXaqraF7pI http://www.theregister.com/2007/03/06/daily_mail_p assport_clone/ http://www.infoworld.com/article/07/02/26/HNblackh atrfid_1.html http://www.infoworld.com/video/archives/2007/02/rs a_ioactive.html Translated article appearing in German site about Immune ID http://64.233.179.104/translate_c?hl=en&ie=UTF-8&o e=UTF-8&langpair=de%7Cen&u=http://www.gulli.com/ne ws/immuneid-den-angeblichen-2007-01-24/&prev=/lang uage_tools Sincerely, - Fernando Catania fernando@immuneid.com

A signature is completely insecure too

[Bert64]

Why the hell do people think having to sign something ever made anything even remotely secure?

a, it only has to match whats on the back of the card anyway
b, noone ever checks
c, even if they do, if you have the card you can copy it from the back
d, if you clone the card, you can sign it yourself in any which way you please

*ANYTHING* would be more secure than requiring the purchaser to make some arbitrary random mark on a piece of paper.

Re:A signature is completely insecure too

[feepness]

*ANYTHING* would be more secure than requiring the purchaser to make some arbitrary random mark on a piece of paper. I've been making little smiley faces, writing "HI!!", etc, etc... for years.

I haven't had the guts to write "STOLEN!" yet.

Re:A signature is completely insecure too

[Jherek+Carnelian]

The signature is not authentication, it is for proof validation after the fact. If a charge is disputed as fraudulent, but the charge slip contains your signature, then the bank is going to rule against you.

Thus the people who sign all kinds of funny stuff instead of their actual name would probably be able to dispute any of those charges and get away with it. At least once or twice until the bank started to realize that maybe they are really the ones signing as "princess leia."

Re:A signature is completely insecure too

[Solandri]

Why the hell do people think having to sign something ever made anything even remotely secure?

The banks and credit card companies have managed to offload all the financial risk associated with fraud onto the merchants. Merchants use signatures because when a charge is disputed, the first thing the credit card company asks for is a fax of the authorization slip with signature showing that their client did in fact authorize the charge. If the merchant can't provide that, they automatically lose the dispute and the charge is taken out of the merchant's account and refunded to the customer.

a, it only has to match whats on the back of the card anyway
b, noone ever checks
c, even if they do, if you have the card you can copy it from the back
d, if you clone the card, you can sign it yourself in any which way you please

Again, because the merchant bears all the risk associated with fraud, it is up to take responsibility for preventing it. If the merchant feels comfortable not getting or checking the signature, that's fine. It's up to them to determine who much risk they're willing to take for convenience. Where I work, the register clerks are taught to check the name and signature against the driver's license name, signature, and picture.

Re:A signature is completely insecure too

[JimBobJoe]

Where I work, the register clerks are taught to check the name and signature against the driver's license name, signature, and picture.

Is that happening in the US? Visa/MC merchant agreements forbid the checking of driver's licenses if the card is signed, in the US at least.

*looks at watch*

[overcaffein8d]

It's time for a RFID-blocking wallet!

Don't like RFID?

If you don't like the RFID on your card, you can always apply a hammer.

People may be able to clone your I-pass or EZ-pass

[Joe+The+Dragon]

but transactions are tracked and they can disable it and get the plate of the car that has a cloned tag you should be able to do the same thing with other contactless payment systems.

Signature?

[deaton]

Visa, for instance, doesn't require your signature for purchases at or below $25. You don't need a signature for purchases > $25 either, just buy something online.

Re:Signatureless, no change. Contactless, problem

[residieu]

More and more places are putting the card reader on the customer's side of the counter, so the cashier doesn't even have a chance to look at the signature on your card. Sometimes the card reader will ask you to show the card to the cashier, but I've never had to do it, and never even tried to give it to them.

Hmmm... Are Contactless Payments Really Secure?

[Shadow+Wrought]

Short answer: no.
Long answer: not so much.

Slashdot: you ask, we answer.

The Hustle is On

[mpapet]

This is a play by the banks to privatize the role of the Treasury as a no-cost micro-transactions service provider.

Consumers already assume all costs of payment card fraud and rewards programs. Most are stupid enough to let this go too.

I anxiously await the uninformed posts to follow.

Are cash payments really secure?

[mi]

As if nobody was ever robbed of their remaining cash soon after completing a cash transaction.

As if the correct change is always given.

As if a wrong bill (50 instead of 20, for example) has never changed hands.

As if counterfit money is not an ongoing problem for the last several centuries.

Keep it in perspective, people — a new technology does not need to be bulletproof to deserve a chance. It does not even have to beat an old one in all respects. Better in some respects and merely comparable in the others...

I should also mention...

[ushering05401]

Bad form to reply to my own post, but it occurs to me that this topic might get some people thnking about how to game the system.

For any youngsters out there getting ideas... card companies also work closely with major retailers to identify a reverse type of fraud.

One case I saw related to a woman who generated false receipts for small dollar amounts (box store multimedia retailer) and returned product that had been stolen for the purpose of reducing her credit card bills with the refunded amounts.

She was allowed to continue this activity for over a year after we were notified so that she would exceed a particular dollar amount at which time she was prosecuted and convicted at a higher level than would have been possible if she had been busted immediately.

Once again... these guys are serious. Always have refunded amounts put on the card with which you made the purchase or accept store credit instead (though one or two instances won't matter much any sort of pattern over time will). It really isn't worth getting a flag put on your account. You may never know of an investigation that takes place, but you may have a higher risk level associated with your account that can change balance increases or future offers.

Re:I should also mention...

[taustin]

Considering that most police agencies (including the FBI) flately refuse to even take a report over less than $50,000, color me a little skeptical about how "serious" these guys are.

(And yes, I've worked in retail management, and above, for all my adult life, and have been directly involved in retreiving those records. A couple of times. In 25 years. The local cops will occasionally have time for such fraud, but they're generally only interested in the shoplifting aspects of it, because it's a far lower amount to qualify for a felony charge that way.)

Re:I should also mention...

[harl]

s/most/some

Your anecdote differs from my life experience. When I was bartending I talked to detectives a few times about stolen credit cards. One was for a $15 tab. They didn't seem to care it was small time.

I never talked to any feds though.

Re:I should also mention...

[taustin]

Were they interested in the fact that it was a stolen credit card, or were they looking for a mugger or burglar?

In California, using a stolen credit card for a small amount is a misdemeanor, which means the police can't arrest you unless they personally see you commit the crime. But if you mug someone to get it, that's a felony robbery, and a violent one, to boot.

They really don't care about small-time economic crime. They don't have time to.

Re:I should also mention...

[lgw]

Note that "police can't arrest" != "police can't investigate, leading to charges being pressed". Of course, I've (more than once) had the police ignore it when I was openly assaulted on the street, so it's really up to what the police care about that day.

Re:I should also mention...

[Bastardchyld]

Considering that most police agencies (including the FBI) flately refuse to even take a report over less than $50,000, color me a little skeptical about how "serious" these guys are.

(And yes, I've worked in retail management, and above, for all my adult life, and have been directly involved in retreiving those records. A couple of times. In 25 years. The local cops will occasionally have time for such fraud, but they're generally only interested in the shoplifting aspects of it, because it's a far lower amount to qualify for a felony charge that way.)
The FBI is better suited for Counter-Terrorism, Bank Robberies, Crimes against Children, and monitoring of Foreign Intelligence Services on US soil. Here is a link to the FBI webpage which explains the agency's priorities: http://www.fbi.gov/hq.htm

I am sure that the FBI would make a fine addition to the credit card company's army of lackies. However that is not their purpose, the "serious guys" referred to by the above poster was not law enforcement it was the credit card companies. They actually have very large teams of people who will collect evidence and basically hand a District Attorney a case wrapped in ribbon. That way the DA has no real way out. Otherwise the DA could simply say that there is not enough evidence to pursue charges.

If you had that much money riding on some schmuck like me I think you would have your ducks in a row as well.

Missing The Point

[mpapet]

r. These guys are serious and have entire departments dedicated to identifying patterns of fraud.

Thanks for perpetuating the myth that banks care. The banks place an enormous burden of proof on the retailer. The bank is assuming no liability whatsoever.

Question: what the retailer does to cover his fraud costs?

Answer: Raise prices.

Funny, nowhere in there are the banks assuming any risks.

Re:Signatureless, no change. Contactless, problem

If the merchant has to verify that your signature matches the card, what should be on the signature box on the transaction slip?

Lots of transactions don't need signatures anymore

[z_gringo]

Gasoline hasn't needed a signature for years whether it is under $25 or not.

Most any online purchases don't need signatures. Some ask for the special 3 digit code, but many don't.

Put another way -- Money is created from Debt

[StringBlade]

Paul Grignon has created a video called Money as Debt which is recommended viewing to understand the Fractional Reserve system we have today.

What it comes down to is that our current monetary system directly related to how much debt we have. The more debt, the more money and vice versa. Lenders make money on the interest of funds promised to be paid back - those funds don't really exist (or at least most of those funds don't - a fractional portion does).

Let's say a bank has $1,000 in the vault. In a fractional reserve system with a fractional reserve ratio of 9:1, the bank is allowed to lend up to $9,000 based on the $1,000 it has and since the federal reserve system is a closed circuit of banks, the money lent from one bank will be necessarily deposited into another bank wherein that bank can lend out a fractional percentage of the deposit (which was imaginary money from the first bank). You can see after a few iterations of this, you've generated enormous amounts of fictional money from very little actual money all based on the promise of the borrow to repay the amount borrowed.

Because the system is so prevalent and there's so much support in the federal reserve system the only way to create a real run on the bank (which would likely cause the collapse of the system) is to have everyone, everywhere withdraw all their money at the same time -- clearly something that could not happen because the bank doesn't really have the money to back up the numbers in your accounts.

Likewise, if we were to eliminate all debt, the circulating money would cease to grow because there would be no debt on which to gain interest nor any need to pull new money into existence for a loan and they system would collapse because the value of the paper money is in reality not backed by anything of value.

Scary huh?

Re:Put another way -- Money is created from Debt

Or to put it in simpler terms:

"No, no, you're thinking of this place all wrong, as if I had the money back in a safe. The money's not here. Your money's in Joe's house, right next to yours. And in the Kennedy house, and Mrs. Macklin's house, and a hundred others Why, you're lending them the money to build, and then, they're going to pay it back to you as best they can. Now what are you going to do, foreclose on them?"

Re:Put another way -- Money is created from Debt

[Rakishi]

Because the system is so prevalent and there's so much support in the federal reserve system the only way to create a real run on the bank (which would likely cause the collapse of the system) is to have everyone, everywhere withdraw all their money at the same time -- clearly something that could not happen because the bank doesn't really have the money to back up the numbers in your accounts. Bank accounts are government insured up to $100k I think, great depression caused that one to come about if I remember correctly. Anyway, the worst that would happen is that the federal reserve pays out the loans and if needed prints enough money to cover it. Massive inflation but everyone would get their now much less valuable money back.

Re:Put another way -- Money is created from Debt

[lotusdriver]

Everyone, everywhere withdrawing all their money at the same time is *exactly* what happened in Argentina back in 2001.

Re:I paid $25

Money well spent, for you would have looked like a fucking retard if you got 2nd post.

Bad Assumptions

[mpapet]

Then I realized that the bank will take the hit on any losses

No. You and I absorb the costs of fraud because the retailer pays a penalty and loses the income from the fraudulent activity. The retailer raises the price of her goods and services to cover these costs.

You and I also pay the costs for rewards card programs and contactless cards. Nowhere in the process does the bank assume any liability.

Re:Bad Assumptions

I don't pay for it. The group pays for it. If I'm smart, on things like rewards cards, I pay much less, or even make money, compared to the average member of the group.

Re:Bad Assumptions

[swillden]

Nowhere in the process does the bank assume any liability.

This isn't true. There are plenty of circumstances in which one of the banks ends up holding part or all of the liability. In some rare cases even the clearinghouse that settles transactions between the merchant acquiring bank and the card issuing bank takes the liability. You're right that it generally falls on the merchant, but not always.

However, even if the liability is shared, the cost of that fraud obviously must eventually make its way into the pockets of the consumers, because we are ultimately the source of all of the funds in question. Does that mean then that your claim that it does cost us is correct?

Sort of, but not really.

Fraud is just another expense on the balance sheets of these businesses. As long as it's relatively small, they'll just eat it and pass it back to us in the form of slightly higher prices. As it grows, however, there becomes a point at which it is cheaper for them to pay for better technology or processes to reduce the fraud. Smart merchant acquiring and card issuing banks are looking for ways to save money so they can beat out their competitors, to extract a slightly greater short-term profit. What better way to boost profits than by cutting fraud? Of course, once some of them are doing it, others will have to, so that, ultimately, the amount of fraud consumers have to pay for has an upper limit.

Re:Bad Assumptions

[tbo]

No. You and I absorb the costs of fraud because the retailer pays a penalty and loses the income from the fraudulent activity.

That depends on the price elasticity of demand. Furthermore, retailers usually only pay a penalty if fraud exceeds a certain threshold. Since retailers have a choice (for now, at least) about installing contactless readers, they presumably won't do it unless it makes financial sense. If fraud is a major problem, retailers won't adopt the system.

Depends on the system

[billsf]

As a former engineer of DigiCash in Amsterdam, I know a little about smartcard technology. There are a number of problems and risks:

1) The technology used is very old and few improvements have been made over the last 20 years or so.

2) The latest technology can cost over $10 while the older chips are a few cents.

3) Banks and politics have done their best to stifle development and have mostly succeeded.

In a word: NO. Chances are you get some 'exportable' model that supports 40bit crypto if money is involved. Otherwise, say for transit use, it may be a simple account number that is (usually) broadcast at 13.1MHz. Just because the readers appear to work at only close range does not mean the information cannot be intercepted at a range of 10's of meters or more.

The very expensive units can support 128bit or better crypto. Apart from being costly, they may be 'export restricted' and there are a number of governments that only allow very weak security. 40bits will take about a half hour to crack on a 'high-end' desktop and only a handful of minutes on a halfway decent workstation. A shielded wallet may be a common item if these chips see widespread use. A card (or passport) carefully wrapped in aluminium foil will work (to prevent unauthorized use/interception) despite any propaganda that may be out there.

As long as the 'value' is very low and you can accept losing it, there is really nothing wrong with using them. Keep in mind the chips can be destroyed accidently a number of ways and easy verification and recovery of funds is doubtful. Banknotes are still better and their use for 'small ticket' purchases is not likely to go away anytime soon.

Re:Depends on the system

[swillden]

Your information is dated.

Cards that support 3DES and AES-128 can be purchased in volume for ~$1 each. Cards with RSA coprocessors cost a little more, and contactless costs a little more, but cards with 64KB EEPROM, RSA, ISO-14440 contactless are around $5.

Export restrictions aren't really a problem, and haven't been for a long time, partly because the US relaxed its restrictions and partly because most of the cards are manufactured in Europe.

Let's take those in reverse order

[Control+Group]

Consumers already assume all costs of payment card fraud and rewards programs. Most are stupid enough to let this go too.

Uh...yes, they do. And who else should assume those costs?

No, not even should, who else can assume those costs? The credit card company? If the CC company doesn't pass on the costs of fraud to the consumer, the CC company goes out of business (note: using their profits to cover the cost doesn't work - if they still have profits left over, they can be accused of building the cost of fraud into their interest rates and fee schedules, which is passing the costs on to the consumer. The only way to satisfy not passing the costs to the consumer is to operate at zero or negative net gain).

If the government absorbs the costs of fraud, it takes that money from the taxpayer. Taxpayers fall into pretty much two groups: consumers and businesses. If the government passes the cost of fraud onto consumers, we haven't gained anything. If the government passes the cost onto business, then we're back to the business has to operate at zero or negative net gain, otherwise they can be accused of passing the cost onto consumers.

Perhaps the CC companies could outsource the risk to insurers - but then you just shift the profit problem up to the insurers, and you haven't gained anything (the CC company will pass the cost of the premiums onto the consumer, and assuming the premiums are such that the insurer makes money, the consumer is paying for more than the cost of fraud).

You could make a case for rewards programs just being scams, insofar as any consumer who benefits (net) from one is costing another consumer who isn't. I don't know that I buy into this, but I accept that there's a rational point of view there.

Complaining that consumers bear the cost of fraud is just silly, though. Of course they do, and there isn't another way to do it.

This is a play by the banks to privatize the role of the Treasury as a no-cost micro-transactions service provider.

I don't even know what this means. I admit, my intial reaction is that you sound like you're about to bust out a conspiracy theory starting with fiat money and ending with Roswell by way of fringed flags in courtrooms, the Kennedy assassination, and the Time Cube Truth...but I'd be more than happy to entertain your idea if you'd care to explain further.

Re:Let's take those in reverse order

[mpapet]

Complaining that consumers bear the cost of fraud is just silly, though. Of course they do, and there isn't another way to do it.

You completely fail to acknowledge that are lower-cost alternatives. Which suggest you have no experience, much less given the topic any thought.

'd be more than happy to entertain your idea
Poke fun at the joker who's talking about you know nothing about. It's easy right? Most of all it's fun. Please examine micro-payments and currency implementations and get back to me when you have some experience in the industry.

The currency system costs less than letting private industry do it. There. No buzz words and totally accurate.

Re:Let's take those in reverse order

[Control+Group]

You completely fail to acknowledge that are lower-cost alternatives. Which suggest you have no experience, much less given the topic any thought.

Irrelevant. Unless you can propose a no cost alternative, consumers will bear the cost. Which is what you started complaining about.

Poke fun at the joker who's talking about you know nothing about. It's easy right? Most of all it's fun.

More like poke fun at the joker who makes a bold claim with no explanation of what he means, much less a justification for why it's pertinent or applicable. Which he still hasn't done.

This is also an interesting high horse for the guy who was awaiting all the "ignorant" posts to make.

Please examine micro-payments and currency implementations and get back to me when you have some experience in the industry.

In light of your previous comment, I should point out you know nothing about what I do or don't know about currency. Even assuming you're right, and I either know nothing about it or know all the wrong things, making obscure statements that only those with an intimate knowledge of the industry can understand is inherently pointless: questioning your statement indicates the reader doesn't understand the industry. The corollary to which is that anyone who understands the industry agrees with your statement.

So, since it can't be understood by anyone who doesn't already agree, why bother?

The currency system costs less than letting private industry do it. There. No buzz words and totally accurate.

That's another fascinating, and completely unsubstantiated, assertion. Being the private industry fan that I am, it's even a statement I'm predilected towards agreeing with. But you still haven't provided any argument - much less evidence - for such an assertion. In the spirit of the thing, then, I counter your assertion:

The currency system guarantees wealth for all participants. There. No buzz words and totally accurate.

Or, alternatively, I counter it thus:

Nuh-uh .

Though that might be a buzzword.

Mod Parent Informative

[mpapet]

This is what you all should have learned in high school.

Except. I don't agree with the outcome of eliminating all debt.
1. There will always be *some* need for credit. It's just human behavior.
2. People will always find something shiny and new to pay more than they paid last year for something a little less shiny.

Re:Mod Parent Informative

[Colin+Smith]

I agree actually, credit is useful. My problem is that money itself is made out of it. It isn't necessary, or particularly healthy.

Re:Mod Parent Informative

[Control+Group]

The difference between his post and yours that I responded to is that he provided explanation and backing for his claims - which weren't bold indictments of the entire banking industry to begin with.

Re:Mod Parent Informative

[lgw]

For all its flaws, the current system works better than anything else that's ever been tried. Economic stability requires a system that allows the central bank to control a country's money supply, even when the government itself is spending borrowed money like there's no tomorrow. "Hard" currency simply doesn't allow this, and since of course the consquences don't in any way cause the government to spend less, the result is economic catastrophy.

So it has proven healthier than any alternative, and is in fact necessary given current financial technology.

Don't you guys in the new world...

[itsdapead]

Don't you guys in the new world have chip and pin yet?

Its a million miles from perfect, but it certainly speeds up small payments and means that a crook has to clone the card *and* shoulder-surf for the PIN. Not sure any system can be high security *and* not hack off customers. OK, we use it for big payments too (perhaps they should limit the amount to 10% of the PIN!)

Alternatively, instead of setting a per-transaction limit, have a system where the *user* 'loads' the card with cash and when that is exhausted they have to provide extra verification. Otherwise, crooks just go from shop to shop notching up small purchases. I've noticed some stores limiting how many packets of cigarettes they'll sell on a card, presumably for that reason.

Re:Don't you guys in the new world...

[JamesRose]

Surely thats basically a debit card....

Re:Don't you guys in the new world...

[itsdapead]

Surely thats basically a debit card....

Nope - a debit card will, usually, happily let you (or Mr Bad Hat) drain your bank account and possibly max out your agreed overdraft. If it has a cap, its usually quite high. I'm talking about a "virtual cash" system that lets you load up your card with (say) $100-$200, so if it gets "lifted" its no worse than losing a wallet with some cash (I'm pretty sure such "virtual cash" systems exist, and its not unlike a pay-as-you-go phone). Of course, part of the attraction of cards is that you *can* make big purchases - so how about a card that worked like "virtual cash" without authentication for micropayments, needed a PIN for payments over X and PIN + second form of ID for payments over Y?

Re:Don't you guys in the new world...

[Slackcity]

Don't you guys in the new world have chip and pin yet?

Its a million miles from perfect, but it certainly speeds up small payments and means that a crook has to clone the card *and* shoulder-surf for the PIN. Actually, the more likely attack vector is to subvert the card reader such that the card number is read from the magnetic strip and the PIN from the keypad. The genuine hardware in the reader has no idea that other hardware has been added. It's happened to me twice but the bank repaid the money (they believed me when I said I wasn't in Dubai *and* London simultaneously).

I worked as a developer for a company making tills and back-office retail systems when chip and pin was introduced in the UK. The above attack was the first we thought of and the first that we demonstrated to horrified management who'd swallowed the 'chip and pin is secure' BS.

Codes are not unique.

[EmbeddedJanitor]

It depends on the RFID chips. These don't always just send out a unique code... there would be little point to that.

There have been many descriptions of challenge/response protocols to prevent a reader being conned by a recorded message.

Ultimately any transaction comes down to trust at some point. The trick is to reduce the number of parties that you need to trust in the process.

Signatures.....

[iknownuttin]

The only thing that gets transmitted to the CC clearing houses is the CC number and expiration date.

Once, when a duplicate charge showed up on my statement, I chewed out my bank for not checking the signature or time stamp. That's when they clued me in what data they really do receive. Then I had the opportunity to talk to a guy who writes code for CC machines (I worked with him). You know, the ones by the register. He confirmed it.

Don't believe me? Next CC purchase, I don't care where - including online - sign your name Heywood Jablowme, Dick Hertz, Mike Hunt or Whatever. Your charge will go through and nobody will ever contact you about it.

I've doing this for years with the same bank. Credit Card transactions were never safe - they're made safe by the CC companies taking the risk of BS charges.

Re:Signatures.....

[Dunbal]

they're made safe by the CC companies taking the risk of BS charges.

And so they should - at 5% or whatever it is they charge in commission - the risk should ALL be theirs. The technology has been paid for by now and so has the infrastructure. That's a lot of profit, and the huge profits banks have seen in the past few years has reflected that (ok they're in trouble now, but sub-prime is a whole different ballgame).

Re:Signatures.....

> they're made safe by the CC companies taking the risk of BS charges.

That has never been true. No CC company assumes liability for their actions. It's the merchant that has to pay for the CC company's mistakes. The CC company will do a chargeback and take the money out of the merchant's merchant account. Fraud costs the CC companies nothing. They just pass the buck. Because they have no incentive to fix the system, they haven't.

This is one reason retail has to have such a large mark-up. For example where I worked as an IT director, at Best Buy in some stores some days we would have more in money taken by the CC companies than we did in profit. Someone would buy a $1k laptop then do a chargeback and cost us $1k. You have to sell several $1k laptops to make-up for the CC fraud so we had to charge more for the laptop to make-up for the CC company's problem. It really costs consumers. It costs the banks nothing.

To you and Colin Smith

[UbuntuDupe]

Let me preface this by saying I don't like government control of the money supply for the same reason I don't like government control of anything. However, that's no reason to permit flawed arguments against either, which is why I feel the need to address these points (I'd do the same for someone too gung-ho about the Federal Reserve):

What it comes down to is that our current monetary system directly related to how much debt we have. The more debt, the more money and vice versa. Lenders make money on the interest of funds promised to be paid back - those funds don't really exist (or at least most of those funds don't - a fractional portion does).

I don't understand this: they are being paid in some medium that can purchase real goods. That's all it needs to be real money.

Let's say a bank has $1,000 in the vault. In a fractional reserve system with a fractional reserve ratio of 9:1, the bank is allowed to lend up to $9,000 based on the $1,000 it has and since the federal reserve system is a closed circuit of banks, the money lent from one bank will be necessarily deposited into another bank wherein that bank can lend out a fractional percentage of the deposit (which was imaginary money from the first bank). You can see after a few iterations of this, you've generated enormous amounts of fictional money from very little actual money all based on the promise of the borrow to repay the amount borrowed.

First of all, the bank is lending $9000 out of $10,000 that was deposited in it. Instead of having $10,000 in the vault, it has $1,000 and $9000 worth of bonds (loans). All of the money it lent is backed.

Because the system is so prevalent and there's so much support in the federal reserve system the only way to create a real run on the bank (which would likely cause the collapse of the system) is to have everyone, everywhere withdraw all their money at the same time -- clearly something that could not happen because the bank doesn't really have the money to back up the numbers in your accounts.

If that happened, the Federal Reserve would, as lender of last resort, buy the banks' loans at par value. (Part of its goal is to maintain liquidity in the loan market so you can get the "full price" of a loan you sell, when you'd otherwise have to wait for someone to be available.) If this sudden desire to hoard caused the banks' debtors not to be able to repay their loans, the Federal Reserve would eat the loss.

Likewise, if we were to eliminate all debt, the circulating money would cease to grow because there would be no debt on which to gain interest nor any need to pull new money into existence for a loan and they system would collapse because the value of the paper money is in reality not backed by anything of value.

Even if no one, at any positive interest rate, ever borrowed money, you could still grow your money by buying shares of businesses. All that's necessary for the money to grow is that people not save all of their money.

why not use a reprogrammable RFID

the chip sends a identifier and a security number. It then performs some mathemagical calculations based on the card identifier and the security number. It then processes the charge, and flashes the chip with the newly created security number as a seed for the next security number, then reads the security number to make sure it worked....You can even have a system that sends an email to a specific address whenever it is used.

Its just like the keyfobs that change every few minutes, the security code changes every time you use it, only the CC processing house and your card know the currently valid security code. If your codes are ever intercepted, the next time the theif uses it, their card gets the new code. Your card would not get the new security code, so the next time you tried to use it, its refused and you know you've been fraudulently charged... This does not allow for charges over the phone, or internet, unless you create a personal card swipe to be used for this purpose, but it allows the RFID signal to be used for convenience while minimizing risk.

Mod Parent Informative

[mpapet]

The other person on /. who knows something about the payment card industry.

Read the post carefully. It's 100% right.

No Virgil...

[mpapet]

it's probably not an average american debit card.

Some systems store currency value on the card. No complex or burdensome network necessary. Most authentication is handled between the chip and the terminal. Secure. Simple. Efficient. Much cheaper than letting American banks handle micro-transactions.

how about an opt-out?

[amigabill]

OK, so let people who for whatever reason desire this no-swipe charge method, but also let people who don't trust it to keep a swipe-only method or ability to disable the RFID in their credit cards if we so choose.

Re:how about an opt-out?

[SimonBelmont]

You do have an opt-out. Nobody is forcing you to get an RFID credit card. And if they do, there's always a microwave. :)

The easy way.

[SCPaPaJoe]

Check your accounts online every day. Report any suspicious activity to the CC company. I saved myself twice by doing this. One time the number was used in the same town as a recent e-purchase, and the other turned out to be a bartender using my number to buy *free* rounds for his friends.

Promises promises promises.

[Colin+Smith]

All of the money it lent is backed. LOL. Yes of course... What's it backed by?

A promise.

Really that's it. The monetary system is backed by trillions of promises. No problems there then, and, credit card debt is unsecured (even if that wasn't a farce).

Even if no one, at any positive interest rate, ever borrowed money, you could still grow your money by buying shares of businesses. All that's necessary for the money to grow is that people not save all of their money. Most of the growth on the stock market is simply inflation. Increased supply of money making it's way into the the investment markets. It just isn't called inflation. Sure some companies increase efficiency and profitability, but most of it's just soaked up liquidity.

So anyway. Back on topic. There's really no need to worry about credit card fraud, the credit card companies don't care so why should anyone else? Just check the statement with a fine toothed comb and make sure they take any fraud hit and not you. I've already explained they aren't actually taking a loss, just a slight reduction in profitability.

Hell, I wouldn't even worry all that much about declaring bankruptcy. It used to mean virtually the theft of gold, hence the rather nasty punishments. These days all it means is a little bit more inflation.

Re:Promises promises promises.

[UbuntuDupe]

LOL. Yes of course... What's it backed by? A promise. Really that's it. The monetary system is backed by trillions of promises. No problems there then, and, credit card debt is unsecured (even if that wasn't a farce).

It's hard to see how any multi-stage financial transaction could ever be acceptable to you. A mortgage is backed by a PROMISE to cede the house on non-payment. A share of stock is backed by the PROMISE to acknowledge your voting rights in that busines and to pay you proportional dividends. A checking account is backed by the PROMISE to redeem checks written against it for dollars. Even on a gold standard, dollars are only backed by the PROMISE to actually redeem them at the predefined rate.

So, what's exactly wrong with backing something with a promise?

Most of the growth on the stock market is simply inflation. Increased supply of money making it's way into the the investment markets. It just isn't called inflation. Sure some companies increase efficiency and profitability, but most of it's just soaked up liquidity.

Not true. Stock market nominal (not-inflation-adjusted) returns have been ~11% since 1927, while inflation (CPI) has averaged ~3.5%, tops. Google it if you don't believe me, but that's pretty well-accepted. And before you object to the inflation calculation methodology, let me again sympathize. It certainly seems like inflation is understated. And maybe wages don't keep up. But if you want to convince me that inflation's ravaging of the value of invested money is bigger, name the basket of commodity futures I can buy that predictably appreciates faster than the official inflation rate. If inflation is really higher than official CPI, there should be corresponding commodity derivatives reflecting these real prices, and I would like to invest and get these high risk-adjusted returns.

(Incidently, for various reasons, I think an insulin price index would be the best measure, since demand and supply are stable and you can't debase the product in response to inflation, but I can't find one.)

Re:Promises promises promises.

[homer_s]

So, what's exactly wrong with backing something with a promise?
Imagine this scenario :
You join a poker game. You give $100 to Mr.A to buy some chips. Mr. A puts the $100 in a box along with the other dollars others have given him for the chips and Mr. A gives you 100 chips.
At the end of the game, *everyone* in the game will give their chips to Mr. A and get back real money. Hopefully, everyone will tip Mr. A for services provided.

Now, the next day you join the game and you notice there is a new player, Mr. Fed.
Mr. Fed gives Mr A $10, but instead of getting 10 chips, he gets 100 chips. Now, you forsee a problem at the end of the game and you ask Mr. A how he plans to honor his obligation.
Mr. A replies "I promise to pay you the $1 for all your chips. What's exactly wrong with backing something with a promise?"

Mr. A is betting on the fact that not all players leave the game at once. Many players play for years and never redeem their chips. Also, players exchange the chips among themselves for other debts unrelated to the poker game. But the fact is Mr. A does not have the $$$ to match the chips in circulation.

So, what's exactly wrong with backing something with a promise?
A promise, just like a contract, must be made in good faith. I can promise my client that I can build a rocket to Mars in 2 weeks and get a payment - but it is not made in good faith. Now, my client is a fool for believing this and should lose his money, but in the scenario with the Fed, there is the threat of violence involved. And that is what many people object to.

And btw, this is the definition of inflation. The players in the fictional game, realizing that 1 chip < $1, start charging more and more chips for other services. Roman emperors reduced the % of gold in coins, the Fed just reduces the amount of wealth each dollar represents.

If you peel the layers of this onion, you will find that this is a giant Ponzi scheme except that the Fed prints its own money and you get thrown in jail if you try to leave the game.

Re:Promises promises promises.

[Colin+Smith]

A mortgage is backed by a PROMISE to cede the house on non-payment. uhuh. Can you define the value of the house? Yesterday, it was worth 100,000. Today, when it's auctioned, it's worth 50,000. That's now 50,000 worth of non backed cash. What's a new car worth once it's been driven off the lot?

So, what's exactly wrong with backing something with a promise? Not everyone is as trustworthy or as responsible as you or I. And I don't have a problem with credit at all. It's credit backed currency I have a problem with, for various reasons.

Not true. Stock market nominal (not-inflation-adjusted) returns have been ~11% since 1927, while inflation (CPI) has averaged ~3.5%, tops I think you missed my point. If the money supply to the economy is increasing at 10% per year, the 3% which hits the high street and increases commodity prices is called inflation. The 7% stock market increases are called growth. In reality it's mostly the same phenomenon in different places. Whether the liquidity goes into the stock market, high street inflation, bonds or whatever is frankly culture, psychology etc.

Re:Promises promises promises.

[Firethorn]

(Incidently, for various reasons, I think an insulin price index would be the best measure, since demand and supply are stable and you can't debase the product in response to inflation, but I can't find one.)

There are many brands and types of Insulin, fast release, slow release, human, synthetic, animal. Heck, they're working on permanent cures for diabetes. So insulin futures could crash in the next 30 years.

As for wage stagnation, I think that it's a side effect of globalization. We were on the high end of wages for over a century. With China and India industrializing, their low wages are pushing down our high wages(outsourcing). Now, we're still doing pretty good(4.5% inflation), but I don't think that we're going to see huge improvements in our effective wages until their wages catch up somewhere near were ours are. This is happening, but it's going to take time. I only hope that technology gains manage to keep up with wage stagnation to the point that we don't backslide(on average) until then.

Re:Promises promises promises.

[Firethorn]

Wrong analogy, I'd think. It'd be like Mr. A taking a portion of the money in the box and using it to supply the bar. The bar is supposed to pay Mr. A back(it's not a free bar) at the end of the night, more money than what went in with the chips. Mr. A is required to keep 20% of the money in the box in case somebody wants or needs to cash in early.

Keep in mind that when you go to banks, you're talking about amounts of money and depositors that make this more a function of mathematics than luck, much like how a casino can predict it's nightly profits to within a few dollars despite having a profit scheme dependent upon small skews in odds for games of chance.

While it might seem precarous, it's actually far better than a no-credit world. Imagine having to pay rent on a house until you could afford to buy it outright - most would never be able to own their own home.

Re:Promises promises promises.

[feepness]

While it might seem precarous, it's actually far better than a no-credit world. Imagine having to pay rent on a house until you could afford to buy it outright - most would never be able to own their own home.

You're looking at it the wrong way. Think how CHEAP houses would be if people couldn't borrow 10x their income to pay for them.

Re:Promises promises promises.

[Planesdragon]

The monetary system is backed by trillions of promises. the most basic of which being "I will give you food for that shiney bauble."

Money itself is a fiat. If it weren't, we wouldn't call it money. The fact that this fiat is based on interconnected promissory notes shouldn't surprise you.

Re:Promises promises promises.

[StringBlade]

Or if you simply paid for your house over a period of years without interest. People would be able to afford their homes without actually having to pay 2-3 times the price of the house after interest.

Re:Promises promises promises.

[UbuntuDupe]

[poker story]

Okay, I agree -- in that instance, the claim is fraudulent and the chip issuer has screwed the players. No argument there.

But the problem with extending that example to the present world is that the chip issuer -- and the Fed -- can only do that once. Every point thereafter, people *know* what's going on with the chips. They know what the fed/chip issuer is doing to the currency and, for all future bets (in the poker game), they know to mentally account the chips as 1/10 of their face value (or whatever) for purposes of estimating losses. Likewise, people trade dollars at a discount, knowing the currency will be inflated. That is why future dollars (in the form of bonds) trade at a discount -- to adjust for the inflation the market predicts the Fed will induce. They may underestimate inflation -- buy they can also overestimate inflation.

So yes, the Fed screwed over people before, but now its inflation is priced into the currency, and interest rates compensate for its future devaluation.

A promise, just like a contract, must be made in good faith. I can promise my client that I can build a rocket to Mars in 2 weeks and get a payment - but it is not made in good faith. Now, my client is a fool for believing this and should lose his money, but in the scenario with the Fed, there is the threat of violence involved. And that is what many people object to.

If you peel the layers of this onion, you will find that this is a giant Ponzi scheme except that the Fed prints its own money and you get thrown in jail if you try to leave the game.

What violence? You're not personally required to accept USDs, and even if you do, you can instantly convert them to your preferred store of value if you think it will do better.

Look, I don't like defending the Fed, but over time, I've found that I can't quite buy that the Fed can cause the damage some people claim it does. All off its powers brush up against the so-called "rational expectations" so that markets "price around" and kind of goofiness it wants to inject into the economy.

Oh, and put me back on your friends list, you vindictive knave.

Re:Promises promises promises.

[Firethorn]

Question, how are you going to convince me to lend you money, delaying my own gratification, without any pay for it? Worse yet, the chance that you'll default on the payments, leaving me without my money?

Interest is the whole reason why people lend money in the first place.

Re:Promises promises promises.

[Firethorn]

A house still involves a substantial amount of labor and resources. Without the ability to get high enough prices for a home, you're not going to see anywhere as many being built, nor as large or good of quality*.

What happens then? People with capital build the homes and everybody poor rents from the rich, because they can't afford to buy. Yay.

*Yes, I know about sucky poorly built McMansions

Re:Promises promises promises.

[StringBlade]

It's called collateral. You don't pay me back, I take your house/car/wife/whatever you put down as collateral on the loan.

Granted this doesn't address the issue of motivation to lend, but then perhaps the lending should be done by a central government bank that does not earn interest. It's simply there to provide a public service (namely interest-free loans), not to make money as the for-profit banks do.

Re:Promises promises promises.

[feepness]

I realize when I say "couldn't" that's a bit excessive. I wouldn't want to prevent people from doing so if they really wanted to.

On the other hand, the cost of labor and resources does not remotely account for the doubling (or tripling!) of home prices in the last ten years. Crazy financing does.

Re:Promises promises promises.

[feepness]

It's simply there to provide a public service (namely interest-free loans), not to make money as the for-profit banks do.

The problem is that humans are sometimes not very good at assessing the price of things. Especially really really expensive purchase made a few times in one's lifetime. It's happen all the time even though the for-profit banks really hate losing money. If this were a government agency, this cost would be passed onto the government reducing the budget for other more vital activities.

Also Fannie Mae and Freddie Mac ARE government sponsored agencies designed to do just that. They are not part of the government but supposed to be monitored by the OFHEO. And oh look, they are the ones sponsoring the current boom!

Re:Promises promises promises.

[Firethorn]

Yes, crazy financing has certainly had a hand in it. Still, look at the response - home building went on a huge boom as well. Now the crazy financing isn't quite as available, many new homes have been built, and prices are coming down a bit.

Still, I tend to value a home like a car - it's only worth what it would cost to build a replacement, with modifiers for the fact that a new replacement home will, on average, be nicer and safer(built to newer codes). In order to maintain value it needs to be kept up. Antique homes - like antique cars, will have additional value based on their historical value. It all ends up being very complicated.

What significantly increases in value is the land the home is on - and don't forget things like utility hookups, impact fees, etc... The population of the USA is increasing and urbanizing - a home on cheap land that was originally out on the edge of town can now be effectivly in the center of a major city. It seems that everybody* wants to live in California or Florida, in/near a major city. No wonder prices spike there! Demand far outstrips supply, especially when cities dig in their heels and restrict homebuilding. This creates bidding wars, which guarentees pain on the part of buyers - as only the richest/most willing to accept pain win.

As real estate agents say - location, location, location. There are areas where an extra 15 minutes of commute can literally halve the price of equivalent housing.

*Yes, I know, exceptions...

Re:Promises promises promises.

[Firethorn]

It's called collateral. You don't pay me back, I take your house/car/wife/whatever you put down as collateral on the loan.

Collateral often doesn't cut it. That's the major reason why people with poor credit scores end up paying more interest than people with good scores, even with secured loans such as for cars and houses.

As for interest free loans - how to you make sure people only get them as necessary? We have enough people going hog-wild with 20+% interest loans.

Fact is, as long as we have inflation it would be in my best interest in such an enviroment to borrow as much money as possible under your scheme(government provided 0% interest loans), and pay it back as slowly as possible. Money represents goods and resources, the only way to cover said regime would be massive amounts of inflation - which would only drive more loans.

If you think that the government could responsibly handle this - you have more faith in it than I do.

Re:Promises promises promises.

[feepness]

And most of the homebuilding corporations are getting slaughtered with inventory. It was a speculative boom caused by easy credit, nothing more.

I live in downtown San Diego so I know what you are talking about. Hell, I own two houses here so I've made out like a bandit. But it did not get three times more desirable here in the last eight years. Incomes did not triple over the last eight years. The only thing that has changed has been financing. In fact, people have been LEAVING San Diego for other states since prices go too high.

Again, I'm not saying we need to get rid of banks or anything, I'm simply saying that lending has temporarily distorted prices. They will come back in line.

Re:Promises promises promises.

[UbuntuDupe]

uhuh. Can you define the value of the house? ...

Irrelevant. Lengthen your attention span. The point I was making was that that (multi-stage) financial transaction involves a promise. Whether the bank can recoup its loan's value on default is irrelevant to the question of whether the transaction's value hinges on a promise (to cede the house on non-payment, whether or not it covers the principle). Certainly, a mortgage on the same terms except without the right to foreclose on the debtor, is worth less. So try again to explain your objection to financial transactions that hinge on a promise.

Not everyone is as trustworthy or as responsible as you or I.

Uh huh -- and that's why loans have a risk premium. A riskier loan *that promises the same payments at the same times* will be worth *less* if you sell the loan to someone. (In other words, it charges a higher interest rate.) It is not necessarily worth *zero*. The credit industry already does a decent (though with a small fraction of outliers) job of gauging risk.

And I don't have a problem with credit at all. It's credit backed currency I have a problem with, for various reasons.

The reasons you've given don't seem to make sense. A loan can have a current market value and be sold, just like gold. And transactions involving gold also involve promises. Yet you seem to believe that ownership of a loan (i.e. right to the income promised under the loan) isn't "real backing". Yet it is not much different from owning gold. I can sell gold for money now. I can sell a loan (i.e. the right to the future payments from the loan) for money now.

I think you missed my point. If the money supply to the economy is increasing at 10% per year, the 3% which hits the high street and increases commodity prices is called inflation. The 7% stock market increases are called growth. In reality it's mostly the same phenomenon in different places. Whether the liquidity goes into the stock market, high street inflation, bonds or whatever is frankly culture, psychology etc.

But under this theory, how can money inflate goods' prices without inflating, by the same amount, the value of the companies selling them. It seems the inflation-induced gain to both would have to be equal, since higher final-goods prices must feed directly into their sellers' market values (i.e. their stock).

Re:Promises promises promises.

[homer_s]

and using it to supply the bar.

This implies that Mr.A is running a business on the side to generate wealth. Nothing wrong with that (well, as long as he lets everyone know that they cannot get their money on demand if they all do it at once).

The problem is that that is not what the Fed does. The Fed does not take a portion of wealth deposited into its system and invest it into a profitable entity. And it certainly does not tell its depositors that they cannot get their money on demand under certain conditions.

What it does is like what I described - it creates more chips than it has dollars and gives these new chips to its friends. There is no investing and wealth generation going on here.

Re:Promises promises promises.

[homer_s]

But the problem with extending that example to the present world is that the chip issuer -- and the Fed -- can only do that once. Every point thereafter, people *know* what's going on with the chips.

Well, I'm not totally clear on what you mean by "they can only do that once". They do that 24x7x365.

Likewise, people trade dollars at a discount, knowing the currency will be inflated. That is why future dollars (in the form of bonds) trade at a discount -- to adjust for the inflation the market predicts the Fed will induce. They may underestimate inflation -- buy they can also overestimate inflation.

What you are saying is like "I know I'm on a treadmill, so I'll just run a little bit faster". Don't you think you'll be further ahead if you aren't forced to be on this treadmill? What about poor folk who do not have the financial savvy to invest in bond markets?

And you are also ignoring the fact that Mr. A (or the Fed) is stealing from you. You are ignoring the fact that the real wealth your chips (or dollar bills) are supposed to represent is declining every day. And just because everyone knows about this and adjusts their prices (and they do in any market), does not mean that your wealth is not being transferred to someone else.

The inflation created by the Fed is in principle the same as that of the inflation created by the Roman emperors. This is not necessary.

What violence? You're not personally required to accept USD

Well, I was under the impression that you have to accept dollar bills for debts and you cannot refuse them. And just because I can transfer them to another form does not justify the original threat of violence.

I've found that I can't quite buy that the Fed can cause the damage some people claim it does. All off its powers brush up against the so-called "rational expectations" so that markets "price around" and kind of goofiness it wants to inject into the economy.

Well, if the market "prices around" the Fed's shenanigans, why is it that I can buy less goods for $100 in 2007 than I could in 1950? I should not have to go to any extra effort to maintain the value of the $100 I had in 1950. Because of higher productivity, I should be able to buy *more* stuff in 2007 than in 1950, not less (I'm talking average price of all goods, if such a thing can be calc). If this is not proof, I do not know what is.

Oh, and put me back on your friends list, you vindictive knave.

Not until you renounce your heathen Fed-loving ways and return to the TRUE WAY.

Re:Promises promises promises.

[UbuntuDupe]

Well, I'm not totally clear on what you mean by "they can only do that once". They do that 24x7x365.

By "that" I mean "expropriate your wealth". In other words, the FIRST time they deny 1:1 convertibility, they have transfered real wealth (actually a claim thereto, but same diff here) from you, but every point thereafter, market prices accurately reflect this capriciousness and any time you are paid, you get the full value, because the person paying you must pay more since the dollars are worth less, and interest rates advance to capture the inflation, preserving your cash value if you keep it in a bank (see below).

What you are saying is like "I know I'm on a treadmill, so I'll just run a little bit faster". Don't you think you'll be further ahead if you aren't forced to be on this treadmill? What about poor folk who do not have the financial savvy to invest in bond markets? ...

You don't have to invest in bond markets, you just have to put your money in a bank. Your claim amounts to "The Fed is doing a horrible injustice to everyone and ruining the economy because people have to put their money in banks to preserve its value." I accept that this inconvenience is an injustice (though a minor one). It's just ... come on. Is it REALLY that bad that you have to put your money in a bank (or perhaps buy gold) to preserve its value over long periods of time?

Well, I was under the impression that you have to accept dollar bills for debts and you cannot refuse them.

You cannot refuse them as payment for debts specified in US Dollars. You're still free not to accept USDs as payment altogether. For that, you can blame your customers (and clients and employers which are types of customers).

This isn't an unjust requirement, merely an implication of the wrongness of fraud. It did, of course, screw over people before say 1900, who specified debts in USDs thinking they would get gold ... but that obviously doesn't apply to today's traders.

And just because I can transfer them to another form does not justify the original threat of violence.

I don't think the Fed today has any powers that a private company doesn't have, other than the historical inertia advantage. Printers of Magic cards have the right to print all the cards they want, since they don't claim convertibility, and neither does the Fed. The Fed has a monopoly on printing its "official" notes, just as anyone else with a copyright or trademark would. (Correct me if I'm wrong here.)

Well, if the market "prices around" the Fed's shenanigans, why is it that I can buy less goods for $100 in 2007 than I could in 1950? I should not have to go to any extra effort to maintain the value of the $100 I had in 1950. Because of higher productivity, I should be able to buy *more* stuff in 2007 than in 1950, not less (I'm talking average price of all goods, if such a thing can be calc). If this is not proof, I do not know what is.

See above -- your $100 in 1950 will buy equally-good goods today if you had kept it in a bank.

Not until you renounce your heathen Fed-loving ways and return to the TRUE WAY.

LOL! How many times do I have to say it? I don't love the Fed. You and I are in many respects on the same page. I just can't accept that the harms of it are that big a deal. The worst thing you can come up with is "they make me suffer the injustice of using banks".

Re:Promises promises promises.

[Firethorn]

This implies that Mr.A is running a business on the side to generate wealth. Nothing wrong with that (well, as long as he lets everyone know that they cannot get their money on demand if they all do it at once).

He isn't running the business; Mr. A is lending the money to the bartender to buy the stuff, because for some reason the bartender's broke and can't afford to stock for the night.

The feds control the printing presses; they can guarentee the money to the banks. It's essentially a big insurance program. By assuring people that they can get their money out*, you actually reduce the chance of a run on the banks.

What it does is like what I described - it creates more chips than it has dollars and gives these new chips to its friends. There is no investing and wealth generation going on here.

Actually, yes there is. It enables business startups, normal people to buy large cost goods that enable them to make more money(car, for example**). It allows a great number of things.

*Unless they have huge amounts of it in there.
**Yes, I know about mass transit and all that.

Re:Promises promises promises.

[Firethorn]

There's plenty of swings in markets - For home prices credit availability does have a large effect. Still, market forces to bear - home prices go skyhigh, construction companies and speculators get houses built to take advantage of it, overbuild, causing home prices to fall. Though rarely to the point that they don't make a profit on their buildings, just not quite what they hoped for. Since not so much profit is available, they slow/stop building houses.

Classic economics.

Re:Promises promises promises.

[homer_s]

You don't have to invest in bond markets, you just have to put your money in a bank. Your claim amounts to "The Fed is doing a horrible injustice to everyone and ruining the economy because people have to put their money in banks to preserve its value." I accept that this inconvenience is an injustice (though a minor one). It's just ... come on. Is it REALLY that bad that you have to put your money in a bank (or perhaps buy gold) to preserve its value over long periods of time?.

Say inflation is at 5%. Say the bank pays be an interest of 5%. So it looks like you are correct - my money does not lose value and it is a wash. But, without inflation, would I have not come out ahead? This is what I meant by the treadmill. This holds true even if inflation is 1% and my investment fetches me 1001% - without inflation I would've made 1001% instead of the 1000% I make with it.

If your point (that ppl and markets can easily work around inflation) is valid, then it should be true for 2% inflation or 5000% inflation. But why does higher inflation cause such devastation (see Brazil and Yugoslavia(?)) when a lower one does not?

Think about it this way - the guy who gets the free chips from Mr. A got some real wealth for nothing. Where did that wealth come from? According to your logic, that wealth came from thin air (you do not accept that ppl lose wealth due to inflation; if no one lost wealth and someone gained wealth without producing, then that must have come from thin air).

Obviously, that wealth he obtained did not come from thin air - it was taken (or will be taken) from the pockets of other players. The players might realise this and adjust. But that does not mean that real wealth was not transferred from the players to Mr. A's friend.

The point you are missing is that inflation is a drain on the economy. It takes wealth (or chips) from people who are productive and create wealth and moves it to people with connections. When this is manageable (2-5%), people can just run a little bit quicker to make up for it. When it is >10%, people cannot run hard enough.

And we are still looking at it at a micro level. I haven't even mentioned how inflation distorts the market and causes misallocation of resources which is an even bigger problem.

Pricing does not reflect cost

[jeko]

Businesses love to trot this argument out -- Fraud raises prices -- but unfortunately, it's just not true. Say it with me -- Prices are already as high as they can be, and the cost of materials doesn't enter into it. Prices reflect demand, not costs.

Most people assume, and it used to be this way when the catholic Church ruled Europe, that prices are set by adding material cost, plus labor, plus reasonable profit. For instance, I sell chairs. I paid 10 bucks for the wood, I had to pay the carpenter 10 bucks to cut and assemble the wood, and I want to make 10 bucks profit so I'll sell the chair for 30 dollars.

This is not the way prices are set. Chairs are priced at What the Market Will Bear. I ask as much as I can get away with for my chairs, and I can even plot a curve between price and sales. There's a point on that curve where I maximize my profit, and that's where prices are set.

What, you think I'm only going to ask $30 when the market would pay $100 just because I'm such a great guy? No business ever, anywhere, at any time, has ever really "passed the savings on to you." Sorry, Crazy Eddie at the Furniture Store is lying to you on late night TV.

My costs don't enter into it. If the price of wood is higher than the market will bear, I don't raise the price of my chairs -- I stop making chairs.

Now, there is one case where increased costs do result in increased prices, and this is when true scarcity enters the picture, because scarcity alters the supply/demand ratio. Crop failure results in increased prices for lettuce because supply falls below demand and thus prices rise.

But costs that aren't tied to scarcity, don't alter the price. This is why when Sams began frisking you on the way out, prices didn't fall, and why when banks began requiring fingerprints to cash checks, fees didn't fall.

Businesses aren't going to leave money on the table. Prices are already as high as they can get away with.

Re:Pricing does not reflect cost

[qbwiz]

Prices are as high as they can get away with, true, but even in a monopolistic competition system, there is competition between sellers for your money. If you'll go to where it's cheapest, they'll continually have to lower prices (unless they attempt to cooperate explicitly or implicitly, but one of those is illegal and the other is unlikely among enough sellers). At some point they can lower their prices no more: when the price equals their (economic) cost.

signatures..

[uolamer]

I have 3 cards, only one is signed on the back. Merchants never check or seem to care. I often sign "best buy sucks" or "wal-mart sucks" and it doesnt seem to matter, even when they can see it on their screen.. Or just draw a smiley face or whatever on that touch/pen pad thing... seems a bit pointless and for a few years now signing that way has never ever caused me any problems.

Re:signatures..

[eihab]

Accurate signature is not a prerequisite for processing payments.
No one really cares until you dispute the charges and say it wasn't you.

At that point handwriting specialists come into play.

Re:signatures..

[uolamer]

Does it still count when i write VOID instead of my name? Or something more legal to that effect? done that a few times.. but i've never disputed a charge claiming it wasn't me, maybe disputed 2 charges in my life..

Re:signatures..

[eihab]

I honestly don't know. I got my information from a few store/coffee shop owners that I usually talk to (and joke about signing someone else's name).

I do know that there's a time limit for you to dispute charges, I'm not sure how long exactly but I believe after that you cannot do anything about it.

I could be wrong.

horray!

ar..err what?
finally i can read u crap articals.
how u survive this long. accepting.
anonyomous browser(whts that bwosers?) coonnections?
how friendly.
anyway what the f##$ck u think is an enemy now?
a "highly" connected stated with only (how can they
afford it anyway?) 6 million people state?
or some random selfmade (where are/ who are we)
people on still so cooool
dial-up?
get lost already.
see the signs. the REAL ones. no poins, sorry (>>)

Free version

http://www.rpi-polymath.com/ducttape/RFIDWallet.ph p

You're wrong. And right.

[swillden]

Look, encrypted or not the RFID chips simply send out a unique signal. A signal that, once trapped, can be recoreded and reused.

You're right if you look at most of the contactless payment mechanisms that have been deployed in the US. They are what I would call RFID, not contactless smart cards, and they're dumb, and replayable.

You're wrong if you look at what has been deployed in other places, and if you look at the standards that have been defined for contactless payment. Contactless smart cards are full-blown microprocessor cards, with secure storage, key management capabilities and support for strong encryption, both symmetric and asymmetric. One of those cards plus secure EMV transactions (I say "secure" because EMV defines several levels of security, and the lowest aren't very good) and a card-verified PIN is very secure indeed. Vastly better than magstripe. And, believe it or not, it is completely possible to perform a strong mutual authentication and a secured transaction in < 200 ms, which is as long as it takes to tap the card on the reader.

With respect to contact vs. contactless, the difference is irrelevant from a security point of view. The key to making either secure is (a) using an adequately "smart" and tamper-resistant chip, and (b) using well-designed transaction protocols that make appropriate use of cryptographic operations.

The current trend in the US financial industry is, unfortunately, focused on low cost of chips and maximum convenience. Note, however, that the low level of security doesn't affect the cardholder that much, because as it is now the cardholder is not liable for fraudulent transactions. It's the banks and merchants that absorb those costs, and if they'd rather save money up front on secure hardware and pay for it later in fraud, that's their business.

What may reverse that trend, even here, is the possible upcoming shift to NFC devices for payment, rather than contactless smart card or RFID. NFC is basically the idea of putting a smart card RF transceiver in your cellphone, plus one or more secure processing units (which look a lot like smart card chips). Given the fact that the difference between using a powerful, high-security secure processor and a cheap, low-security one is a couple of dollars, it makes a lot less sense to go the cheap route when you're embedding it in a $100 phone. When you're looking at a plastic card, a price increase of $2 means tripling the price of the card.

Time will tell if we actually do go that way, but consumers, banks, merchants and mobile phone service operators all like it, so the odds are good.

Contactless Payments

The whole point of this shit is moot because many places still want to see the card and ID, and that takes almost as much time ( if not more ) than a regular debit purchase.

It's not like there isn't someone to ask.

[Zadaz]

Why don't we ask any of the dozens of countries who have been using these systems for billions of transactions the past decade?

No.

[Nephroth]

No, not really. In fact most financial transactions are pretty insecure.

You're forgetting supply

[Solandri]

Businesses love to trot this argument out -- Fraud raises prices -- but unfortunately, it's just not true. Say it with me -- Prices are already as high as they can be, and the cost of materials doesn't enter into it. Prices reflect demand, not costs.

Read the first sentence of the Wikipedia entry on supply curves. It tells you right there that the primary reason for a shift in the supply curve is a change in cost. So yes prices reflect cost. Increased cost means less supply means higher prices.

This is not the way prices are set. Chairs are priced at What the Market Will Bear. I ask as much as I can get away with for my chairs, and I can even plot a curve between price and sales. There's a point on that curve where I maximize my profit, and that's where prices are set.

Right, except the supply / demand curve doesn't tell you where you maximize profit. It tells you where you maximize revenue. Profit is revenue minus cost. If the optimal price point is lower than the business' per-unit cost, they're just not going to sell the item because they'd be losing money with each sale. That'll reduce the supply, allowing the stores remaining in the market to raise their prices.

If the price of wood is higher than the market will bear, I don't raise the price of my chairs -- I stop making chairs.

Exactly, so now the supply of chairs has dropped, causing the supply curve to shift closer to zero, moving the intersection further up the demand curve, causing an increase in price. Once enough people like you stop making chairs, chairs have become so scarce that their price now exceeds the cost of wood. So the remaining chair makers are able to sell their chairs at the higher price, one that exceeds their cost of the wood.

Wrong Question

[gweihir]

The right one is "Are they secure enough". Personally I think they are. One thing however is who pays, in practice, pays if there is a security breach. The customer or the card company? Legally it is the card company and at least I have never had any issue. Just ignore their statement when you report a fraudulent use and tell them to cancel that. Once they sent me a nice letter stating that if I ever had bought anything over the Internet, I was not eligible to dispute charges. Complete nonsense, of course. I just requested the "original reciept", which the vendor has to provide (or some other hard proof) and they reversed the booking without further comment.

So, customers need to know their rights. On the security angle, if it turns out there is too much fraud, this payment option will just be removed again. The risk is however quite manageable.

Most obvious way to skim funds out of felica cards

[Koutarou]

Felica terminals that are not directly tied to the register. You ring up the correct value, it pops up on the register display. The cashier enters a higher value debit into the felica terminal. You plop your card down and are distracted by the cashier and miss the deduction which only shows up on the tiny terminal display for about a second.

I caught a cashier in Japan doing this to me.

Re:I paid $25

Instead, you and I do for replying...

It can be more than secure if you want it to be

NIST Special Pub 800-73-1 outlines the security methods for what's called the Personal Identity Verification or PIV spec. In a contactless smart card application (not really RFID other than that it works with the same near-field principles to power it), you can use 283-bit binary field elliptic curve for PK and DS and AES-128 CBC for the symmetric cryptography (if needed). That's equivalent cryptographic security to US government secret information and is more than overkill given the potential payoff of cracking a credit card. Fast near-field smart card design is not only possible, it's being done today without the need for exotic hardware. NXP's smart card designs also happen to use asynchronous logic design for additional power savings as opposed to synchronous logic design, but both are more than capable even if you revert to good old RSA1024. Whether a scheme like this has been implemented is a different issue, but you can easily do it.

LIke the dude in my story

There was only one young black male in the airport terminal bearing enough of a resemblance to Cassik, but that was enough. The man was waiting in the ticket line just a few paces away, purchasing a ticket on Freedarian Airways. Just close enough... for a swipe.

Cassik slipped his hand into his pockets as he stepped up to the counter. He fondled the tiny homemade device in search of the activation switch. Finding it, he flipped it, and it began to vibrate in the tale-tale pattern he designed. It was searching, scanning for accessible DynaCred account cards, the universal standard currency that the World Union Bank had recently implemented. The machine seemed to take forever to normalize it's vibrations onto the signal. Cassik was trying to smooth-talk the airline agent while she looked over his forged identity card.

"Yeah, those things never look anything like you," he remarked as she suspiciously scanned the embedded chip on the I.D. card. He followed the slyly-spoken words with an equally flattering grin.

Flattery, however, took the backstage in Cassik's carnival of trickery. After-all, he had been up for two days perfecting his burn, the stolen identity embedded on his counterfeit I.D. card, and the device in his pocket. He also hadn't bathed, shaved, slept, or even rested, in any of those 48 hours,. The agent wasn't very beautiful, but she could clearly fetch someone better looking than a wrung-out Cassick, so his attempts at flattery served only as embellishment to the vastly more intricate plan he was executing.

The device was finally done searching and it made it's noisy succession of beeps. Cassik had designed the device from a cell phone; to look sound and operate like a cell phone. He raised a finger to the agent, pretending that the fraudulent call was an urgent one. It was actually a text message.

"Just a text message," He said with another hopelessly charming smile. As he said so, however, he handed over his DynaCred account card, making sure to pass it over the infra-red transmitter on his fake cell phone. The DynaCred card was also a forgery, of course. A good one. Cassik had been making similar forgeries since he was in high school and had only been caught once in the eight subsequent years. Now, his burn passed and the lifted DynaCreds successfully ghost-linked into his account, everything was now in place and Cassik smiled even more graciously than before. She smiled back this time, taking the card into her hand.

Cassik sighed a sigh of relief as this part of his plan went into it's final stages. If the lift was good, then there shouldn't be any problems, but if one digit was miscalculated, then disaster would ensue. The DynaCred authentication system was designed to silently notify first the authorities, then to display an error to the agent's terminal. Then, after the agent swipes the card a second time as instructed by the terminal, the system would re-authenticate the card, this time paying special attention to each code-bank in the passkey and if that fails the terminal is locked, and an audible alarm is sounded to alert any near-by security agents. In a high security place as an airport, the guards that were originally alerted via silent alarm would already have arrived before the second swipe had finished authenticating. That won't happen today, Cassik thought as he smiled back at the pretty airport ticket agent.
...

RFID is perfect for 'busses.

[chris_sawtell]

Goodness only knows if RFID cards are secure, but for small transactions like a 'bus fare they are really convenient. The whole bus system in Christchurch NZ, my home city runs like clockwork almost all the time. As you can see from the metrocard page you can check the balance in your card over the Web at any time.

I use it every day.

[wvmarle]

Contact-less payments that is. In Hong Kong we have the "Octopus" payment card - particularly for small payments, such as bus fares (typically HK$3-15, or US$0.38-1.92), vending machines, parking fees, small purchases supermarkets and convenience stores, etc. etc. This is a pre-charged card, and mostly anonymous (as in: the card has a serial number, records of payments are being kept, but they are not registered to your name or anything unless you specifically ask for that). Charge-up is done at many points, such as 7-11 stores.
These cards are secure from the vendor point of view: payments are guaranteed made, and no cash needed. Nothing can be stolen from the shop (well the machine can be stolen but no value in that for a thief). From the customer's point of view, they are as secure as cash. Hence the maximum stored value of $500 (abt US$64), can't lose more than that amount.
And if the card breaks down, I've had that once over the last five years that I'm using them, you return the card, get a receipt and a new card, and a week or two later you can come back for a full refund of the remaining value of that card. So even then no money lost!
This system, Japanese developed and introduced some 10, 12 years ago, works really great and fast. Card is in my wallet, just swipe my wallet near the reader (few cm distance), and it's done. In a fraction of a second. At the MTR (metro) you see people swipe complete hand bags, or sometimes just their wrist as there are watches with an Octopus chip built in.
Of course no way secure enough to use as credit card, but that's not the purpose of the system. This is for small payments, anything under say $50. For bigger payments there is the (secure - "somthing you have and something you know") ATM card with PIN authorisation, or the insecure ("something you have" only) credit card. Or plain old cash of course.

Wouter.

Re:You're wrong. And right.

"With respect to contact vs. contactless, the difference is irrelevant from a security point of view. "

Not so. Proxies are much easier to implement for wireless. E.g., if you have a credit card in your pocket, and PIN is not needed, I would be able to use your credit card for transactions. How? One antenna around your pocket, and one at the payment terminal. The data can easily be digitized and send to the other side of the world, if necessary. It's just an advanced way to make the antenna work over *very* long distances, it's not even a man-in-the-middle attack.

This has been demonstrated a few times, once even at the (really big) Cards show in France. This is not an idle thread, and implementing wireless credit cards without PIN is a *really* bad idea.

Re:You're wrong. And right.

[swillden]

Not so. Proxies are much easier to implement for wireless.

Easier, slightly, but certainly possible for wired or wireless. Even for contact cards, secure application designers always have to assume that man-in-the-middle attacks are possible.

Tinfoil wallets

[blueZ3]

come into their own!

Never Secure Enough

[SnailNobra]

Firstly, security is black and white. There is no gray.

That being said, why would anyone want to copy your card in the first place? There are so many easier ways of beating the system. It would be possible to get a merchant account using fraudulent information, obtain a card reader, spend a day on the subway or walking the streets of Manhattan and charge $25 to every card you could read durring the day. The ideal amount to charge is the maximum that doesn't require a paper trail. The next step would be to withdrawl the money, cancel your merchant account, and lay low. Honestly, it's as simple as walking next to someone and all you need is a card reader, PDA and internet access.

And if you've ever tried to dispute fraudulent charges, it's not a fun time.

It's secure

[angus_rg]

as an escaped mental patient.

wow

[encoderer]

wow, if I were you I'd be begging for a "Delete Post" function to be "magic'd" into existence. You show a complete lack of understanding about the way the banking system actually works. I mean, it's so bad that one could easily assume you posted these things just for the amusement of your fellow slashdotters, as there's no way a "nerd" could be this retarded about such things.

As somebody else said, NOTHING IS MAGIC.

1. The money that you claim they "created" actually comes from the promissory notes from the loans they give out. Loans are usually secured in some way, either by collateral or real property. Even with credit cards: many of the things you buy can and will be repo'd if the bank needs to. This is why negative equity is such a bad thing in our economy. If you have a $500k mortgage on a home that is now only worth $400k, the bank just has to HOPE that you pay it back (Well, not really, they just have to hope that EVERYONE doesn't stop paying, because they could easily foreclose your home and hold on to it until the market is better. The real problem would be if this happened enough to harm the liquidity of the bank)

2. Your little scenario assumes that there is basically only one bank, where everyone in the world banks, and that every dollar they lend out goes back into the bank as a deposit into someone elses account. Needless to say, this is not exactly how things work.

Re:wow

[encoderer]

Sorry to reply to my own post, but i just have to ask one more question:

Didn't you even read the Wiki article you linked to? The table at the top of the page showing the fractional banking scenario explains it pretty clearly. The last line of the table reads:

Action | Assets | Liabilites | Reserves
Customer C deposits 49 paper dollars | IOUs worth $119 | $219 in interest-bearing deposits | 100 paper dollars

You see that? $219 in interest bearing deposits. That's how much was deposited as REAL MONEY into the bank.

Now, look at assets. If your "magic'd" theory was correct, assets would be > than deposits. They're not. The banks assets are $119 in IOUs and $100 in reserves. $219.

How is this not mind numbingly simple for you?

Yes, some of the "deposits" came from, for example, Customer-C who was loaned the money, technically speaking, from the deposit from Customer-A. But THAT DOESN'T MATTER because the ASSET that covers that $49 is the value of the IOU from Customer-C. Your problem just occured to me: You don't, for whatever reason, count promissory notes as assets. Well, they are. Now go run the math again and you'll be a lot more comfortable that voodoo magic isn't being performed at the local Bank of America...

Re:You're wrong. And right.

[rjstegbauer]

I'd like to make a single clarification to an excellent posting.

It's the banks and merchants that absorb those costs, and if they'd rather save money up front on secure hardware and pay for it later in fraud, that's their business. It's my understanding that the banks (or credit card companies) usually make the merchant eat the cost of the fraud. The banks want the cards to be as cheap and simple as possible. They also want every transaction to be authorized since that is one way that they get paid. They have no financial interest in preventing the fraud.

-- Sorry...no clever sig.
Randy.

Re:You're wrong. And right.

[swillden]

I'd like to make a single clarification to an excellent posting.

It's the banks and merchants that absorb those costs, and if they'd rather save money up front on secure hardware and pay for it later in fraud, that's their business. It's my understanding that the banks (or credit card companies) usually make the merchant eat the cost of the fraud. The banks want the cards to be as cheap and simple as possible. They also want every transaction to be authorized since that is one way that they get paid. They have no financial interest in preventing the fraud.

They do try to leave the merchants with as much of the fraud as they can, but banks do eat part of it, and depending on the circumstances they sometimes have to eat all of it. They care about preventing fraud when it gets excessive. I'm a consultant in this industry who works with banks, merchants and technology vendors, so I see all sides of it.