Are Contactless Payments Really Secure?
berberine writes to tell us Ars Technica has a closer look at whether the RFID technology behind many of the up and coming "contactless payment systems" is robust enough to prevent account fraud and the theft of personal information. "Concerns over the security of contactless systems were heightened last week by a Federal Reserve decision that will allow for even more casual, low-cost purchases to be made across the country. In recent years, credit card companies have waived their signature requirements for so-called "small ticket" items in order to get a slice of the action. Visa, for instance, doesn't require your signature for purchases at or below $25."
Look, encrypted or not, the RFID chips simply send out a unique signal. A signal that, once trapped, can be recorded and reused. For the true "contactless" payment systems this contact is the only one. Unless the number changes in response to some handshake (something that isn't being done in the present generation of Contactless systems) then possession of the key is the only security and, in absence of a signature or indefinitely stored security cameras, the only record of the card's use.
Lacking the independent verification this is begging for an attack.
This just doesn't track with me. The article fails to explain:
1) How Contactless is necessarily more or less secure than 'Magnetic Strip' cards. Both would require special technology to replicate. Both would store the same information. I'm assuming there's a threat vector of someone wanding your entire wallet, but that isn't in the article. Is it assumed?
2) Why do fewer 'small ticket' restrictions mean any more of a threat on Contactless than on Magnetic?
3) Why are 'small ticket' restrictions a threat at all? Isn't this just more of the same old credit card fraud?
Frankly, if they'd just forbid the 'small ticket' waiver for not-in-person transactions, I'd be fine with it.
Who wants a Big Mac?
Bad form to reply to my own post, but it occurs to me that this topic might get some people thinking about how to game the system.
For any youngsters out there getting ideas... card companies also work closely with major retailers to identify a reverse type of fraud.
One case I saw related to a woman who generated false receipts for small dollar amounts (box store multimedia retailer) and returned product that had been stolen for the purpose of reducing her credit card bills with the refunded amounts.
She was allowed to continue this activity for over a year after we were notified so that she would exceed a particular dollar amount at which time she was prosecuted and convicted at a higher level than would have been possible if she had been busted immediately.
Once again... these guys are serious. Always have refunded amounts put on the card with which you made the purchase, or accept store credit instead (though one or two instances won't matter much, any sort of pattern over time will). It really isn't worth getting a flag put on your account. You may never know of an investigation that takes place, but you may have a higher risk level associated with your account that can change balance increases or future offers.
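The pattern the poster above describes (refunds credited to a tender other than the one that made the purchase, or against receipts that never matched a sale, accumulating over time) is the kind of thing a retailer's loss-prevention feed can flag mechanically. The following is an added example, not code from the original thread or from any card company; the ledger records, field names and thresholds are constructed for illustration.

```python
"""Added example (not from the original thread): flag refunds that are not
credited back to the tender that made the purchase, or that reference a receipt
with no matching sale, and surface customers whose mismatch pattern grows over
time.  Records, field names and thresholds are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    customer: str
    kind: str      # "sale" or "refund"
    receipt: str   # receipt number a refund references
    tender: str    # masked card identifier or "store_credit"
    cents: int


# Constructed sample ledger.  Alice returns one item to the card she paid with;
# Bob repeatedly refunds to a different card, once against a receipt that never
# existed as a sale (a forged receipt).
SAMPLE_LEDGER = [
    Txn("alice", "sale",   "R1", "card_1111", 4999),
    Txn("alice", "refund", "R1", "card_1111", 4999),
    Txn("bob",   "sale",   "R2", "card_2222", 2999),
    Txn("bob",   "refund", "R2", "card_9999", 2999),
    Txn("bob",   "sale",   "R3", "card_2222", 1999),
    Txn("bob",   "refund", "R3", "card_9999", 1999),
    Txn("bob",   "refund", "R4", "card_9999", 3499),  # no sale R4 on file
]


def mismatched_refunds(ledger):
    """Return refunds whose tender differs from the original sale's tender,
    or whose receipt has no sale on record at all."""
    sales = {t.receipt: t for t in ledger if t.kind == "sale"}
    flagged = []
    for t in ledger:
        if t.kind != "refund":
            continue
        sale = sales.get(t.receipt)
        if sale is None or sale.tender != t.tender:
            flagged.append(t)
    return flagged


def flagged_customers(ledger, min_count=2, min_cents=0):
    """Aggregate mismatched refunds per customer and return those whose count
    and total exceed the (assumed) thresholds, as {customer: (count, cents)}."""
    totals = defaultdict(lambda: [0, 0])
    for t in mismatched_refunds(ledger):
        totals[t.customer][0] += 1
        totals[t.customer][1] += t.cents
    return {
        c: (n, cents)
        for c, (n, cents) in totals.items()
        if n >= min_count and cents >= min_cents
    }


if __name__ == "__main__":
    for t in mismatched_refunds(SAMPLE_LEDGER):
        print("mismatch:", t)
    print("flagged:", flagged_customers(SAMPLE_LEDGER))
```

The single-instance case is deliberately below the default threshold, matching the poster's remark that one or two refunds won't matter but a pattern will; raising `min_cents` models waiting until the total crosses a prosecution threshold.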
You realise it's the exact opposite: it's far better to have them ask for ID. The chance that someone steals a credit card and makes a matching fake ID is low. It actually gives you and the merchant a measure of security. The only risk of showing ID is the risk of the checkout person remembering enough information to do something with it 4 hours from now when they get off shift. I get pissy when a merchant *doesn't* ask for ID.
I still have more fans than freaks. WTF is wrong with you people?
Let me preface this by saying I don't like government control of the money supply for the same reason I don't like government control of anything. However, that's no reason to permit flawed arguments against either, which is why I feel the need to address these points (I'd do the same for someone too gung-ho about the Federal Reserve):
What it comes down to is that our current monetary system is directly related to how much debt we have. The more debt, the more money, and vice versa. Lenders make money on the interest of funds promised to be paid back; those funds don't really exist (or at least most of those funds don't; a fractional portion does).
I don't understand this: they are being paid in some medium that can purchase real goods. That's all it needs to be real money.
Let's say a bank has $1,000 in the vault. In a fractional reserve system with a fractional reserve ratio of 9:1, the bank is allowed to lend up to $9,000 based on the $1,000 it has, and since the federal reserve system is a closed circuit of banks, the money lent from one bank will necessarily be deposited into another bank, wherein that bank can lend out a fractional percentage of the deposit (which was imaginary money from the first bank). You can see that after a few iterations of this, you've generated enormous amounts of fictional money from very little actual money, all based on the promise of the borrower to repay the amount borrowed.
First of all, the bank is lending $9000 out of $10,000 that was deposited in it. Instead of having $10,000 in the vault, it has $1,000 and $9000 worth of bonds (loans). All of the money it lent is backed.
Because the system is so prevalent and there's so much support in the federal reserve system the only way to create a real run on the bank (which would likely cause the collapse of the system) is to have everyone, everywhere withdraw all their money at the same time -- clearly something that could not happen because the bank doesn't really have the money to back up the numbers in your accounts.
If that happened, the Federal Reserve would, as lender of last resort, buy the banks' loans at par value. (Part of its goal is to maintain liquidity in the loan market so you can get the "full price" of a loan you sell, when you'd otherwise have to wait for someone to be available.) If this sudden desire to hoard caused the banks' debtors not to be able to repay their loans, the Federal Reserve would eat the loss.
Likewise, if we were to eliminate all debt, the circulating money would cease to grow because there would be no debt on which to gain interest nor any need to pull new money into existence for a loan, and the system would collapse because the value of the paper money is in reality not backed by anything of value.
Even if no one, at any positive interest rate, ever borrowed money, you could still grow your money by buying shares of businesses. All that's necessary for the money to grow is that people not save all of their money.
Apology to Ubuntu forum.
According to Visa's Rules for Visa Merchants: http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf
Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures.
So you can't *mandate* that someone provide ID in order to complete their transaction. But at least with Visa, merchants do have the right to ask (knowing that you don't have to give it to them).
Depends on what you mean by "cheap". A $3 contactless smart card can perform AES, SHA-256 and RSA operations sufficient to execute a high-security transaction in < 500 ms. If you can eliminate the need for PK (which you can), then transactions of less than 200 ms are possible with cards that cost less than $1.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
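Two posts above make a pair of claims that a small simulation can make concrete: the earlier one, that a card emitting a fixed signal can be "trapped, recorded and reused" unless the number changes in response to a handshake, and this one, that the handshake does not need public-key operations. The following is an added example, not code from the original thread or from any card scheme; the message layout, nonce and counter sizes, the per-card HMAC key and the reader-side key store are assumptions for illustration only.

```python
"""Added example (not from the original thread): a static identifier can be
captured and replayed; a challenge-response MAC over a reader nonce, a card
counter and the amount cannot.  Symmetric keys only (no public-key operations),
as the post on cheap cards suggests.  Protocol layout, field sizes and the
reader holding the per-card keys are assumptions for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class StaticCard:
    """Card that answers every tap with the same account data."""
    pan: str

    def tap(self) -> bytes:
        return self.pan.encode()


class StaticReader:
    def __init__(self, known_pans):
        self.known = set(known_pans)

    def authorize(self, response: bytes) -> bool:
        return response.decode() in self.known


@dataclass
class MacCard:
    """Card holding a per-card symmetric key (assumed); it answers a reader
    nonce with an HMAC over nonce, its own counter and the amount."""
    pan: str
    key: bytes
    counter: int = 0

    def tap(self, nonce: bytes, amount_cents: int):
        self.counter += 1
        msg = nonce + self.counter.to_bytes(4, "big") + amount_cents.to_bytes(4, "big")
        return self.pan, self.counter, hmac.new(self.key, msg, hashlib.sha256).digest()


class MacReader:
    def __init__(self, keys):
        self.keys = dict(keys)      # assumed issuer-side key store, indexed by PAN
        self.last_counter = {}      # highest counter accepted per card

    def challenge(self) -> bytes:
        return os.urandom(8)        # fresh nonce per transaction

    def authorize(self, nonce: bytes, amount_cents: int, response) -> bool:
        pan, counter, tag = response
        key = self.keys.get(pan)
        if key is None:
            return False
        msg = nonce + counter.to_bytes(4, "big") + amount_cents.to_bytes(4, "big")
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        # Constant-time compare binds the tag to this nonce and this amount.
        if not hmac.compare_digest(tag, expected):
            return False
        # Monotonic counter rejects a second use even with an identical nonce.
        if counter <= self.last_counter.get(pan, 0):
            return False
        self.last_counter[pan] = counter
        return True


def replay_against_static():
    """Eavesdropper records one emission and reuses it: both taps authorize."""
    card = StaticCard("4111111111111111")
    reader = StaticReader([card.pan])
    captured = card.tap()
    return reader.authorize(card.tap()), reader.authorize(captured)


def replay_against_mac():
    """Same attacker against the challenge-response card.  Returns
    (genuine tap, replay under a fresh nonce, replay under the same nonce,
    captured tag with the amount changed, a later genuine tap)."""
    key = os.urandom(16)
    card = MacCard("4111111111111111", key)
    reader = MacReader({card.pan: key})
    n1 = reader.challenge()
    r1 = card.tap(n1, 1999)
    live = reader.authorize(n1, 1999, r1)
    replay_fresh = reader.authorize(reader.challenge(), 1999, r1)
    replay_same = reader.authorize(n1, 1999, r1)
    tampered = reader.authorize(n1, 1, r1)
    n2 = reader.challenge()
    later = reader.authorize(n2, 500, card.tap(n2, 500))
    return live, replay_fresh, replay_same, tampered, later


if __name__ == "__main__":
    print("static card  (live, replay):", replay_against_static())
    print("MAC card (live, replay fresh nonce, replay same nonce, tampered, later):",
          replay_against_mac())
```

The static reader has nothing but possession of the emitted number to go on, which is exactly the earlier poster's point; the MAC reader rejects the captured response because the tag no longer matches the new nonce, and rejects it even under the old nonce because the card counter has already been consumed. Nothing here needs RSA or any other public-key primitive, only a shared key and a hash.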
Close, but not quite. If/when there's a dispute, the credit card company reverses all disputed funds and then demands signatory proof. If there's no electronic swipe of the card on record, they also demand an imprint to go along with the signature.
When I was working for a pizza delivery restaurant (mom & pop shop) they had a customer who ordered about $40-50 worth of food about 3-4 nights a week. Pretty much the same stuff each time; fried foods, milk shakes, cans of pop, stuff like that. After about 12-15 orders, Visa reversed the funds for all of his orders and demanded proof; the customer had called 'fraud'. Due to different drivers at different times (and their respective attitudes towards being thorough) the store had let's say 12 receipts with only 9 imprints. A couple of the imprints were deemed illegible so only 7 of the 12 charges were allowed to go through.
The contention of the store, and it took a lot of fighting to get this point across, was that the orders came from the same phone number (verified with caller ID), followed the same pattern, came at the same time of day (late at night), went to the same address and obviously if the first 7 were correct then why not the other 5?!?
It was later discovered that this individual (a casual drug user who had a Sheriff's notice of eviction on his apartment door, incidentally) had recently been sent the card in one of those "You're Pre-Approved!" style mail-outs, activated it for however many thousand dollars they'd give him, then started going wild ordering from several restaurants. Basically anybody who'd deliver to his crummy building. I'm not sure what happened to him in the end, but for the pain he put the merchants through and the money he cost the Visa fraud team and the credit he blew through on that card I'd hope that he's at least a guest of the Province for the next 5 years of his life, but hey, what can you do, right?
BD Phone Home!
Shameless plug. Like you weren't expecting it.