Slashdot Mirror
Are Contactless Payments Really Secure?
berberine writes to tell us Ars Technica has a closer look at whether the RFID technology behind many of the up and coming "contactless payment systems" is robust enough to prevent account fraud and the theft of personal information. "Concerns over the security of contactless systems were heightened last week by a Federal Reserve decision that will allow for even more casual, low-cost purchases to be made across the country. In recent years, credit card companies have waived their signature requirements for so-called "small ticket" items in order to get a slice of the action. Visa, for instance, doesn't require your signature for purchases at or below $25."
Okay, whatever manipulation of the monetary system the Federal Reserve does, individual member banks aren't actually allowed to print money at will. They banks still have to pay interest on the borrowed money. I hope you were joking about that.
... do contact-full transactions really add any security? I always hear "omg if someone steals ur card their sig will b diff so they know its not urs lol!" But really -- it doesn't prevent the transaction itself, since the cashier ignores the signature entirely. And it requires that I use an actual, unique signature (instead of just scribbling) when I really want to authroize the purchase -- which the CC company doesn't actually require you to do. So I can just scribble for all my signatures and if I want to dispute the charges at the Dog and Duck Pub, they don't have any real proof because my signature there is the same as elsewhere.
Anyway
Apology to Ubuntu forum.
It's obvious that contactless payments are vulnerable to at least one type of attack--a real-time relay. This usually would require two "attackers" working in tandem. The first carries a modified "contactless reader" in his pocket, and stands near somebody who is carrying a contactless card (perhaps on a bus or another crowded place where it won't be too obvious. The second attacker carries a device that can act as a contactless card "repeater", with a real-time data link to the first attacker's "reader". The second attacker walks up to the reader in a store, and waves his repeater at it (perhaps hidden in his wallet, in the same hand as a dummy card so as not to arouse suspicion). The store's reader sends a signal, which is picked up by the second attacker's repeater, transmitted to the first attacker's modified reader, then broadcast to the victim's card. It responds appropriately, and its response is relayed back to the reader in the store. It's not necessary to break any encryption to do this, and there's no real way to prevent such attacks except perhaps very tight timing tolerances.
I thought about all this when the bank sent me a contactless VISA, and I initially considered refusing the card. Then I realized that the bank will take the hit on any losses, and has presumably done the math to determine that the increase in risk of fraud is acceptable, at least for small purchases. In other words, it's secure enough.
Why the hell do people think having to sign something ever made anything even remotely secure?
a, it only has to match whats on the back of the card anyway
b, noone ever checks
c, even if they do, if you have the card you can copy it from the back
d, if you clone the card, you can sign it yourself in any which way you please
*ANYTHING* would be more secure than requiring the purchaser to make some arbitrary random mark on a piece of paper.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
As if nobody was ever robbed of their remaining cash soon after completing a cash transaction.
As if the correct change is always given.
As if a wrong bill (50 instead of 20, for example) has never changed hands.
As if counterfit money is not an ongoing problem for the last several centuries.
Keep it in perspective, people — a new technology does not need to be bulletproof to deserve a chance. It does not even have to beat an old one in all respects. Better in some respects and merely comparable in the others...
In Soviet Washington the swamp drains you.
There have been many descriptions of challenge/response protocols to prevent a reader being conned by a recorded message.
Ultimately any transaction comes down to trust at some point. The trick is to reduce the number of parties that you need to trust in the process.
Engineering is the art of compromise.
So what about those stupid electronic signature collectors? Some of those things are so badly broken that all you can manage to produce is one line after signing your entire name. Even if they are working properly, they will often only produce a blocky straight-line approximation of your real signature. How can these be accepted as valid signatures by anyone?
And that is because it's not real money. It's magic'd money. Actually its because in many cases its the merchant not the bank that is liable for fraudulent transactions. So they literary lose nothing from fraud in monetary terms and possibly even make money from fraud.
1 - For someone to copy the data on my magnetic strip card, they would have to physically swipe it. This has been done before (gas stations, anyone?). For RFID devices, however, this data is accessible to anyone in your near proximity with a reader (which is easy enough to hide). So basically, your data is only at risk when your magnetic card leaves your wallet (and sight!), but your contactless card is at risk of copying always.
So while contact cards are not exactly foolproof, they are much harder to thieves to get their hands on.
Contactless becomes much more secure (than even contact cards!) if you implement a challenge-response system. In this case since the signal sent is different for every transaction, it is impossible for someone to read the present value of your card and re-use said value later on a copied card.
You're right if you look at most of the contactless payment mechanisms that have been deployed in the US. They are what I would call RFID, not contactless smart cards, and they're dumb, and replayable.
You're wrong if you look at what has been deployed in other places, and if you look at the standards that have been defined for contactless payment. Contactless smart cards are full-blown microprocessor cards, with secure storage, key management capabilities and support for strong encryption, both symmetric and asymmetric. One of those cards plus secure EMV transactions (I say "secure" because EMV defines several levels of security, and the lowest aren't very good) and a card-verified PIN is very secure indeed. Vastly better than magstripe. And, believe it or not, it is completely possible to perform a strong mutual authentication and a secured transaction in < 200 ms, which is as long as it takes to tap the card on the reader.
With respect to contact vs. contactless, the difference is irrelevant from a security point of view. The key to making either secure is (a) using an adequately "smart" and tamper-resistant chip, and (b) using well-designed transaction protocols that make appropriate use of cryptographic operations.
The current trend in the US financial industry is, unfortunately, focused on low cost of chips and maximum convenience. Note, however, that the low level of security doesn't affect the cardholder that much, because as it is now the cardholder is not liable for fraudulent transactions. It's the banks and merchants that absorb those costs, and if they'd rather save money up front on secure hardware and pay for it later in fraud, that's their business.
What may reverse that trend, even here, is the possible upcoming shift to NFC devices for payment, rather than contactless smart card or RFID. NFC is basically the idea of putting a smart card RF transceiver in your cellphone, plus one or more secure processing units (which look a lot like smart card chips). Given the fact that the difference between using a powerful, high-security secure processor and a cheap, low-security one is a couple of dollars, it makes a lot less sense to go the cheap route when you're embedding it in a $100 phone. When you're looking at a plastic card, a price increase of $2 means tripling the price of the card.
Time will tell if we actually do go that way, but consumers, banks, merchants and mobile phone service operators all like it, so the odds are good.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
(Incidently, for various reasons, I think an insulin price index would be the best measure, since demand and supply are stable and you can't debase the product in response to inflation, but I can't find one.)
There are many brands and types of Insulin, fast release, slow release, human, synthetic, animal. Heck, they're working on permanent cures for diabetes. So insulin futures could crash in the next 30 years.
As for wage stagnation, I think that it's a side effect of globalization. We were on the high end of wages for over a century. With China and India industrializing, their low wages are pushing down our high wages(outsourcing). Now, we're still doing pretty good(4.5% inflation), but I don't think that we're going to see huge improvements in our effective wages until their wages catch up somewhere near were ours are. This is happening, but it's going to take time. I only hope that technology gains manage to keep up with wage stagnation to the point that we don't backslide(on average) until then.
I don't read AC A human right
Why, because she's going to memorize your driver's license number, address, birthdate, issue date and expiry date and create a fake ID from memory when she gets home? What's more likely, scenario #1 above or scenario #2 where somebody gets hold of forged credit card data (perhaps your own), makes a few fake cards and sells them for $100 apiece and you get stuck with the tab?
BD Phone Home!
Shameless plug. Like you weren't expecting it.