Are Contactless Payments Really Secure?
berberine writes to tell us Ars Technica has a closer look at whether the RFID technology behind many of the up and coming "contactless payment systems" is robust enough to prevent account fraud and the theft of personal information. "Concerns over the security of contactless systems were heightened last week by a Federal Reserve decision that will allow for even more casual, low-cost purchases to be made across the country. In recent years, credit card companies have waived their signature requirements for so-called "small ticket" items in order to get a slice of the action. Visa, for instance, doesn't require your signature for purchases at or below $25."
maybe??
--
Jaap van Ballspoogen
Okay, whatever manipulation of the monetary system the Federal Reserve does, individual member banks aren't actually allowed to print money at will. The banks still have to pay interest on the borrowed money. I hope you were joking about that.
... do contact-full transactions really add any security? I always hear "omg if someone steals ur card their sig will b diff so they know its not urs lol!" But really -- it doesn't prevent the transaction itself, since the cashier ignores the signature entirely. And it requires that I use an actual, unique signature (instead of just scribbling) when I really want to authorize the purchase -- which the CC company doesn't actually require you to do. So I can just scribble for all my signatures and if I want to dispute the charges at the Dog and Duck Pub, they don't have any real proof because my signature there is the same as elsewhere.
Anyway
Apology to Ubuntu forum.
http://www.ingrimayne.com/econ/Banking/Commodity.html
for those who don't get what the parent is talking about. Although banks don't quite "magic" money into existence.
There are 11 types of people. Those who understand binary, those who don't and those who are sick of this lame joke.
Look, encrypted or not the RFID chips simply send out a unique signal. A signal that, once trapped, can be recorded and reused. For the true "contactless" payment systems this contact is the only one. Unless the number changes in response to some handshake (something that isn't being done in the present generation of Contactless systems) then possession of the key is the only security and, in absence of a signature or indefinitely stored security cameras, the only record of the card's use.
Lacking the independent verification this is begging for an attack.
It's obvious that contactless payments are vulnerable to at least one type of attack--a real-time relay. This usually would require two "attackers" working in tandem. The first carries a modified "contactless reader" in his pocket, and stands near somebody who is carrying a contactless card (perhaps on a bus or another crowded place where it won't be too obvious). The second attacker carries a device that can act as a contactless card "repeater", with a real-time data link to the first attacker's "reader". The second attacker walks up to the reader in a store, and waves his repeater at it (perhaps hidden in his wallet, in the same hand as a dummy card so as not to arouse suspicion). The store's reader sends a signal, which is picked up by the second attacker's repeater, transmitted to the first attacker's modified reader, then broadcast to the victim's card. It responds appropriately, and its response is relayed back to the reader in the store. It's not necessary to break any encryption to do this, and there's no real way to prevent such attacks except perhaps very tight timing tolerances.
I thought about all this when the bank sent me a contactless VISA, and I initially considered refusing the card. Then I realized that the bank will take the hit on any losses, and has presumably done the math to determine that the increase in risk of fraud is acceptable, at least for small purchases. In other words, it's secure enough.
This just doesn't track with me. The article fails to explain:
1) How Contactless is necessarily more or less secure than 'Magnetic Strip' cards. Both would require special technology to replicate. Both would store the same information. I'm assuming there's a threat vector of someone wanding your entire wallet, but that isn't in the article. Is it assumed?
2) Why do fewer 'small ticket' restrictions mean any more of a threat on Contactless than on Magnetic?
3) Why are 'small ticket' restrictions a threat at all? Isn't this just more of the same old credit card fraud?
Frankly if they'd just forbid the 'small ticket' waiver for not-in-person transactions, I'd be fine with it.
Who wants a Big Mac?
Basically, the signature is the signature to the Cardholder's Agreement you get with the card. Except that instead of the signature being on a piece of paper that no one wants to carry around, they let you sign the card itself. Once you sign it, the merchant knows that the card is valid, and they are now free to charge the card without fearing a complaint come back saying "I never authorized that!". As long as there's a signature, even if it doesn't match the person who's holding it, the merchant is not liable for fraudulent purchases.
Which is why writing "See ID" is frowned upon, and merchants will sometimes refuse to take a card with that written on the back.
The existing, time-"proven" cryptographic methods are too expensive, from a power standpoint, to implement on cheap RFID systems. (between secure and cheap, cheap seems to always win). So manufacturers use proprietary hacks to allegedly achieve the same type of operations (e.g., authentication via challenge/response). However, these hacks are nothing more than security via obscurity.
The Raven
Why the hell do people think having to sign something ever made anything even remotely secure?
a, it only has to match what's on the back of the card anyway
b, no one ever checks
c, even if they do, if you have the card you can copy it from the back
d, if you clone the card, you can sign it yourself in any which way you please
*ANYTHING* would be more secure than requiring the purchaser to make some arbitrary random mark on a piece of paper.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
It's time for a RFID-blocking wallet!
Those of us who think they know everything annoy those of us who do.
As of 1 1/2 years ago this is how fraudulent charges were handled.
If there is a disputed charge of any amount the credit agency sends a notice to the seller. The seller MUST provide signature evidence related to the transaction within a period of several days or the charge is automatically reversed (charge-back).
If the signatory proof is produced, but the signature does not match the one on file then depending on the amount one of two things will happen: the credit lender will request video footage and/or supporting documents related to the sale, or the credit lender will eat the charge and the seller does not get charged-back.
In the event of a suspicious pattern of claims of fraudulent activity the credit lender reserves the right to investigate the card holder to the extent that they may request video or other documentary evidence related to purchases made by the card holder at any location that accepts the credit card as tender. It is up to the legal department of the seller whether to comply, but my experience is that they always do. All major retailers with which I am familiar have procedures set up for handling charge-back notifications in-store, without legal department approval providing the request for documents falls within a predefined range of appropriate disclosure (usually does not include video which is a separate approval process).
Always sign your slips with a distinct signature, never try to screw with your card provider. These guys are serious and have entire departments dedicated to identifying patterns of fraud... you are not excluded even if your fraud pattern is only going to include small amounts.
Regards.
Money doesn't grow on trees, it's easier than that, it's magic'd into existence.
Back on topic. This does explain the bank and credit card companies' extremely relaxed attitude to credit card fraud. They're not actually taking a loss when the money gets spent, and then queried, the money has been magic'd. They are simply not going to make as much profit as they might have.
Deleted
As if nobody was ever robbed of their remaining cash soon after completing a cash transaction.
As if the correct change is always given.
As if a wrong bill (50 instead of 20, for example) has never changed hands.
As if counterfeit money is not an ongoing problem for the last several centuries.
Keep it in perspective, people — a new technology does not need to be bulletproof to deserve a chance. It does not even have to beat an old one in all respects. Better in some respects and merely comparable in the others...
In Soviet Washington the swamp drains you.
Bad form to reply to my own post, but it occurs to me that this topic might get some people thinking about how to game the system.
For any youngsters out there getting ideas... card companies also work closely with major retailers to identify a reverse type of fraud.
One case I saw related to a woman who generated false receipts for small dollar amounts (box store multimedia retailer) and returned product that had been stolen for the purpose of reducing her credit card bills with the refunded amounts.
She was allowed to continue this activity for over a year after we were notified so that she would exceed a particular dollar amount at which time she was prosecuted and convicted at a higher level than would have been possible if she had been busted immediately.
Once again... these guys are serious. Always have refunded amounts put on the card with which you made the purchase or accept store credit instead (though one or two instances won't matter much any sort of pattern over time will). It really isn't worth getting a flag put on your account. You may never know of an investigation that takes place, but you may have a higher risk level associated with your account that can change balance increases or future offers.
Typical /. user... showing off about their knowledge on "contact-less sex".
Then I realized that the bank will take the hit on any losses
No. You and I absorb the costs of fraud because the retailer pays a penalty and loses the income from the fraudulent activity. The retailer raises the price of her goods and services to cover these costs.
You and I also pay the costs for rewards card programs and contactless cards. Nowhere in the process does the bank assume any liability.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
As a former engineer of DigiCash in Amsterdam, I know a little about smartcard technology. There are a number of problems and risks:
1) The technology used is very old and few improvements have been made over the last 20 years or so.
2) The latest technology can cost over $10 while the older chips are a few cents.
3) Banks and politics have done their best to stifle development and have mostly succeeded.
In a word: NO. Chances are you get some 'exportable' model that supports 40bit crypto if money is involved. Otherwise, say for transit use, it may be a simple account number that is (usually) broadcast at 13.1MHz. Just because the readers appear to work at only close range does not mean the information cannot be intercepted at a range of 10's of meters or more.
The very expensive units can support 128bit or better crypto. Apart from being costly, they may be 'export restricted' and there are a number of governments that only allow very weak security. 40bits will take about a half hour to crack on a 'high-end' desktop and only a handful of minutes on a halfway decent workstation. A shielded wallet may be a common item if these chips see widespread use. A card (or passport) carefully wrapped in aluminium foil will work (to prevent unauthorized use/interception) despite any propaganda that may be out there.
As long as the 'value' is very low and you can accept losing it, there is really nothing wrong with using them. Keep in mind the chips can be destroyed accidentally a number of ways and easy verification and recovery of funds is doubtful. Banknotes are still better and their use for 'small ticket' purchases is not likely to go away anytime soon.
There have been many descriptions of challenge/response protocols to prevent a reader being conned by a recorded message.
Ultimately any transaction comes down to trust at some point. The trick is to reduce the number of parties that you need to trust in the process.
Engineering is the art of compromise.
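As an added illustration of the replay and relay points raised in the comments above (this is not part of any poster's comment and not any card scheme's real protocol), the sketch below models a reader that accepts a static identifier, one that uses challenge/response, and one that also enforces a timing tolerance. The `Reader` class, `card_response`, the HMAC-SHA256 construction, the key, the identifier and the 5 ms limit are all assumptions made up for the example.

```python
import hashlib
import hmac
import secrets

# All values below are constructed for illustration.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # secret shared by card and issuer
STATIC_ID = b"ACCT-0000-CONSTRUCTED"                          # what a "dumb" tag broadcasts
MAX_RTT_MS = 5.0                                              # hypothetical timing tolerance


def card_response(key: bytes, challenge: bytes) -> bytes:
    """Card side: prove knowledge of the key for this one challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Reader:
    """Store-side reader (hypothetical model)."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None  # challenge awaiting a response

    def accept_static(self, token: bytes) -> bool:
        # Possession of the broadcast value is the only check.
        return hmac.compare_digest(token, STATIC_ID)

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def accept_response(self, response: bytes, rtt_ms: float,
                        enforce_timing: bool = True) -> bool:
        challenge, self._pending = self._pending, None  # each challenge is single-use
        if challenge is None:
            return False
        if enforce_timing and rtt_ms > MAX_RTT_MS:
            return False  # answer took too long: the card may not be at the reader
        expected = card_response(self._key, challenge)
        return hmac.compare_digest(response, expected)


def run_demo() -> dict:
    reader = Reader(CARD_KEY)
    results = {}

    # 1. Static tag: a value captured once is accepted again later.
    captured = STATIC_ID
    results["static_replay_accepted"] = reader.accept_static(captured)

    # 2. Challenge/response with the genuine card present.
    c1 = reader.new_challenge()
    r1 = card_response(CARD_KEY, c1)
    results["genuine_accepted"] = reader.accept_response(r1, rtt_ms=1.0)

    # 3. Replaying the recorded r1 against a fresh challenge fails.
    reader.new_challenge()
    results["replay_accepted"] = reader.accept_response(r1, rtt_ms=1.0)

    # 4. Relay: the genuine card answers the live challenge, so the
    #    cryptography verifies; only the added round-trip delay differs.
    c3 = reader.new_challenge()
    relayed = card_response(CARD_KEY, c3)
    results["relay_accepted_no_timing"] = reader.accept_response(
        relayed, rtt_ms=40.0, enforce_timing=False)
    c4 = reader.new_challenge()
    relayed = card_response(CARD_KEY, c4)
    results["relay_accepted_with_timing"] = reader.accept_response(
        relayed, rtt_ms=40.0)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The fresh challenge is what stops the recorded response from working a second time; it does nothing against a relay, which is why the timing check is a separate control.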
So what about those stupid electronic signature collectors? Some of those things are so badly broken that all you can manage to produce is one line after signing your entire name. Even if they are working properly, they will often only produce a blocky straight-line approximation of your real signature. How can these be accepted as valid signatures by anyone?
You realise it's the exact opposite - it's far better to have them ask for id. The chance that someone steals a credit card and makes a matching fake id is low. It actually gives you and the merchant a measure of security. The only risk of showing id is the risk of the checkout person remembering enough information to do something with it 4 hours from now when they get off shift. I get pissy when a merchant *doesn't* ask for id.
I still have more fans than freaks. WTF is wrong with you people?
Let me preface this by saying I don't like government control of the money supply for the same reason I don't like government control of anything. However, that's no reason to permit flawed arguments against either, which is why I feel the need to address these points (I'd do the same for someone too gung-ho about the Federal Reserve):
What it comes down to is that our current monetary system directly related to how much debt we have. The more debt, the more money and vice versa. Lenders make money on the interest of funds promised to be paid back - those funds don't really exist (or at least most of those funds don't - a fractional portion does).
I don't understand this: they are being paid in some medium that can purchase real goods. That's all it needs to be real money.
Let's say a bank has $1,000 in the vault. In a fractional reserve system with a fractional reserve ratio of 9:1, the bank is allowed to lend up to $9,000 based on the $1,000 it has and since the federal reserve system is a closed circuit of banks, the money lent from one bank will be necessarily deposited into another bank wherein that bank can lend out a fractional percentage of the deposit (which was imaginary money from the first bank). You can see after a few iterations of this, you've generated enormous amounts of fictional money from very little actual money all based on the promise of the borrower to repay the amount borrowed.
First of all, the bank is lending $9000 out of $10,000 that was deposited in it. Instead of having $10,000 in the vault, it has $1,000 and $9000 worth of bonds (loans). All of the money it lent is backed.
Because the system is so prevalent and there's so much support in the federal reserve system the only way to create a real run on the bank (which would likely cause the collapse of the system) is to have everyone, everywhere withdraw all their money at the same time -- clearly something that could not happen because the bank doesn't really have the money to back up the numbers in your accounts.
If that happened, the Federal Reserve would, as lender of last resort, buy the banks' loans at par value. (Part of its goal is to maintain liquidity in the loan market so you can get the "full price" of a loan you sell, when you'd otherwise have to wait for someone to be available.) If this sudden desire to hoard caused the banks' debtors not to be able to repay their loans, the Federal Reserve would eat the loss.
Likewise, if we were to eliminate all debt, the circulating money would cease to grow because there would be no debt on which to gain interest nor any need to pull new money into existence for a loan and the system would collapse because the value of the paper money is in reality not backed by anything of value.
Even if no one, at any positive interest rate, ever borrowed money, you could still grow your money by buying shares of businesses. All that's necessary for the money to grow is that people not save all of their money.
Apology to Ubuntu forum.
And that is because it's not real money. It's magic'd money. Actually it's because in many cases it's the merchant not the bank that is liable for fraudulent transactions. So they literally lose nothing from fraud in monetary terms and possibly even make money from fraud.
According to Visa's Rules for Visa Merchants: http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf
Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures
So you can't *mandate* that someone provide ID in order to complete their transaction. But at least with Visa, merchants do have the right to ask (knowing that you don't have to give it to them).
You're right if you look at most of the contactless payment mechanisms that have been deployed in the US. They are what I would call RFID, not contactless smart cards, and they're dumb, and replayable.
You're wrong if you look at what has been deployed in other places, and if you look at the standards that have been defined for contactless payment. Contactless smart cards are full-blown microprocessor cards, with secure storage, key management capabilities and support for strong encryption, both symmetric and asymmetric. One of those cards plus secure EMV transactions (I say "secure" because EMV defines several levels of security, and the lowest aren't very good) and a card-verified PIN is very secure indeed. Vastly better than magstripe. And, believe it or not, it is completely possible to perform a strong mutual authentication and a secured transaction in < 200 ms, which is as long as it takes to tap the card on the reader.
With respect to contact vs. contactless, the difference is irrelevant from a security point of view. The key to making either secure is (a) using an adequately "smart" and tamper-resistant chip, and (b) using well-designed transaction protocols that make appropriate use of cryptographic operations.
The current trend in the US financial industry is, unfortunately, focused on low cost of chips and maximum convenience. Note, however, that the low level of security doesn't affect the cardholder that much, because as it is now the cardholder is not liable for fraudulent transactions. It's the banks and merchants that absorb those costs, and if they'd rather save money up front on secure hardware and pay for it later in fraud, that's their business.
What may reverse that trend, even here, is the possible upcoming shift to NFC devices for payment, rather than contactless smart card or RFID. NFC is basically the idea of putting a smart card RF transceiver in your cellphone, plus one or more secure processing units (which look a lot like smart card chips). Given the fact that the difference between using a powerful, high-security secure processor and a cheap, low-security one is a couple of dollars, it makes a lot less sense to go the cheap route when you're embedding it in a $100 phone. When you're looking at a plastic card, a price increase of $2 means tripling the price of the card.
Time will tell if we actually do go that way, but consumers, banks, merchants and mobile phone service operators all like it, so the odds are good.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
(Incidentally, for various reasons, I think an insulin price index would be the best measure, since demand and supply are stable and you can't debase the product in response to inflation, but I can't find one.)
There are many brands and types of Insulin, fast release, slow release, human, synthetic, animal. Heck, they're working on permanent cures for diabetes. So insulin futures could crash in the next 30 years.
As for wage stagnation, I think that it's a side effect of globalization. We were on the high end of wages for over a century. With China and India industrializing, their low wages are pushing down our high wages(outsourcing). Now, we're still doing pretty good(4.5% inflation), but I don't think that we're going to see huge improvements in our effective wages until their wages catch up somewhere near where ours are. This is happening, but it's going to take time. I only hope that technology gains manage to keep up with wage stagnation to the point that we don't backslide(on average) until then.
I don't read AC A human right
Why, because she's going to memorize your driver's license number, address, birthdate, issue date and expiry date and create a fake ID from memory when she gets home? What's more likely, scenario #1 above or scenario #2 where somebody gets hold of forged credit card data (perhaps your own), makes a few fake cards and sells them for $100 apiece and you get stuck with the tab?
BD Phone Home!
Shameless plug. Like you weren't expecting it.
Close, but not quite. If/when there's a dispute, the credit card company reverses all disputed funds and then demands signatory proof. If there's no electronic swipe of the card on record, they also demand an imprint to go along with the signature.
When I was working for a pizza delivery restaurant (mom & pop shop) they had a customer who ordered about $40-50 worth of food about 3-4 nights a week. Pretty much the same stuff each time; fried foods, milk shakes, cans of pop, stuff like that. After about 12-15 orders, Visa reversed the funds for all of his orders and demanded proof; the customer had called 'fraud'. Due to different drivers at different times (and their respective attitudes towards being thorough) the store had let's say 12 receipts with only 9 imprints. A couple of the imprints were deemed illegible so only 7 of the 12 charges were allowed to go through.
The contention of the store, and it took a lot of fighting to get this point across, was that the orders came from the same phone number (verified with caller ID), followed the same pattern, came at the same time of day (late at night), went to the same address and obviously if the first 7 were correct then why not the other 5?!?
It was later discovered that this individual (a casual drug user who had a Sheriff's notice of eviction on his apartment door, incidentally) had recently been sent the card in one of those "You're Pre-Approved!" style mail-outs, activated it for however many thousand dollars they'd give him then started going wild ordering from several restaurants. Basically anybody who'd deliver to his crummy building. I'm not sure what happened to him in the end but for the pain he put the merchants through and the money he cost the Visa fraud team and the credit he blew through on that card I'd hope that he's at least a guest of the Province for the next 5 years of his life, but hey, what can you do right?
BD Phone Home!
Shameless plug. Like you weren't expecting it.
Wrong. According to Visa's Rules for Visa Merchants: http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf
Page 28 directs the sales clerk, "The final step in the card acceptance process is to ensure the customer signs the sales receipt and to compare that signature with the signature on the back of the card..."
On page 29, note "Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures..."
(emphasis mine)
There is no requirement to possess, much less carry, much less produce on demand, any identification other than your signature.