Slashdot Mirror


FTC to Scrutinize Contactless Payment Technology

coondoggie writes to tell us that the Federal Trade Commission (FTC) will be taking a look at contactless payment systems and the consumer protection issues surrounding them. "RFID technology provides obvious benefits, the FTC said. For example, the ability of producers using RFID to track exactly where in the supply chain their products are and by which retailer they were ultimately sold to a consumer has the potential to make product recalls more effective. However, there also may be costs regarding consumers' individual privacy rights associated with it."


  1. What I don't get... by tgd · · Score: 5, Insightful

    Is why we're once again bucking the trend and doing something different?

    A lot of the world is using chip+PIN, which while not perfect is still drastically better than what we've got, can't be sniffed from remote, is much more of a distinct action and has a huge install base.

    I'm not sure what this obsession with RFID payment methods is.

    1. Re:What I don't get... by JrOldPhart · · Score: 3, Insightful

      Chip+PIN... have you noticed all of the cameras? Like one over each register at my local Wal-Mart.
      I don't like entering the PIN where it can be seen.

      --
      Nothing is foolproof, fools are too ingenious. - Murphy
    2. Re:What I don't get... by Anonymous Coward · · Score: 3, Insightful

      That's why you have two hands. Cover your PIN with your other hand. Duh?

    3. Re:What I don't get... by moosesocks · · Score: 1, Insightful

      The PIN is useless without the Card(Chip) and vice versa.

      That's the whole point of the system. Unless you get mugged by the security guard watching the cameras, you shouldn't have too much to worry about.

      (And like the other poster said, it's pretty trivial to cover the number pad with your other hand)

      --
      -- If you try to fail and succeed, which have you done? - Uli's moose
    4. Re:What I don't get... by spectrokid · · Score: 4, Insightful

      Because safety is a non-issue? You see there are two possibilities. Either you develop a safe system, or you make all your customers pay a little extra to cover for the thieving. In a huge market like the US, and with no real push to go for safety, bankers will do what bankers do best: they will think in money, not in safety (read: engineering). RFID on the other hand, has the possibility to make payments easier. With the payment going faster, shops will need fewer cashiers, customers get the impression things are going faster, everybody wins!
      It is really social security all over again. Americans have to pay less taxes, because they don't spend so much on keeping the poor off the street. The money they spend on guns, alarm systems, private security is conveniently forgotten. I mean tax is like, well..tax. The fact that you pay for armed security every time you buy a tshirt in the mall, well that is not tax now is it?

      --

      10 ?"Hello World" life was simple then

    5. Re:What I don't get... by Firehed · · Score: 3, Insightful

      How is waving a closed wallet (holding a tagged card) over a sensor in any way whatsoever more secure or distinct than having to pull out that card and swipe it through the magnetic strip reader? Some more recent readers prompt me to punch in a ZIP code or some sort of PIN rather than scribble any random thing on a signature pad which I consider a vague improvement, but I don't find holding a card over a sensor any more convenient than swiping it through and do feel it less secure.

      --
      How are sites slashdotted when nobody reads TFAs?
    6. Re:What I don't get... by Firehed · · Score: 2, Insightful

      The payment is by far the fastest part of the checkout process. Put the RFID tags directly on the items (and not just the shipping crates for SCM tracking) and eliminate the actually time-consuming process of scanning dozens of bar codes. Remember that old IBM commercial with the shoplifter and the security guard handing him a receipt as he walks out the door with the "stolen" goods? Yeah, kind of like that.

      Right concept, wrong place. Considering the deployment cost of a POS terminal, an RFID-based, cashless system wouldn't be a large additional cost to implement provided that inventory on the shelf has the tags - and since passive tags are quite cheap when produced in sufficient bulk, it's just a matter of getting manufacturers to do it. The only thing that would go up in price as a result would be ramen noodles, from 16.6c/pack to 16.7c.

      --
      How are sites slashdotted when nobody reads TFAs?
    7. Re:What I don't get... by dgatwood · · Score: 3, Insightful

      The thing is, the credit card companies don't care at all about security, but they actually do "C"---make the vendors bear the cost of security. Your card gets stolen and used, they refund the money and reverse the charge and the vendor eats the cost of not verifying the identity of their customers. In the end, everyone pays for it through higher prices for goods and services, but the CC companies don't care about that because they aren't out anything and don't have to answer to cardholders when the price of food goes up a penny due to credit card theft. The costs are so small in the grand scheme of things that for the most part, the customer doesn't notice or care. (If theft increases by two or three orders of magnitude, that will likely change, of course.)

      If the credit card companies cared at all about security, they would have solved the problem completely by now; it is trivially solvable. Instead of using a static RFID chip with an identifier on it, they would use an active device. When you make a transaction, the reader would make the request to the CC company. The CC company would generate a large random number. The card would then encrypt that random number with a secret key and return the result along with a card number (which should NOT be the same as the number on the card to prevent people from using the data to make fake non-RFID cards). The CC company, knowing the private key, would then encrypt the number with the secret key, and if the values match, the card is the real card. At that point, only physical theft would matter, and the whole theft-by-wire would cease to be an issue.

      More to the point, such a system would also not be vulnerable to interception and replay attacks because the CC computers would send a different random number every time. In effect, if deployed universally, such a solution would eliminate all credit card theft except for that which occurs through physical assault or somebody leaving a card at a restaurant. Of course, for online purchases, this would mean that everyone would need some sort of home equivalent of the transaction device, but that could be as simple as a $10 USB dongle and some software.

      The fact that most (all?) cards still don't work this way is ample proof that the CC industry doesn't care. The whole design of the current system is to basically have the RFID data stream look almost exactly like a credit card magstripe so that they don't have to do any extra work and can pass the data through existing legacy systems without bringing them into the 21st century. As long as the primary focus of RFID-based credit cards is on minimizing the cost of upgrading the infrastructure, they will always represent a security hole the size of a planet.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
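
The challenge-response exchange described in the comment above, as an added example that is not part of the original post. It uses HMAC-SHA256 as the keyed function in place of "encrypt the random number with a secret key"; the `Card` and `Issuer` classes and the token ID are hypothetical names, and all values are constructed.

```python
import hashlib
import hmac
import secrets


class Card:
    """Active card: holds a secret key and a token ID that is not the printed card number."""

    def __init__(self, token_id, key):
        self.token_id = token_id
        self._key = key

    def respond(self, challenge):
        # Keyed MAC over the issuer's random challenge (stand-in for "encrypt").
        return self.token_id, hmac.new(self._key, challenge, hashlib.sha256).digest()


class Issuer:
    """Card company side: issues one-time challenges and checks responses."""

    def __init__(self):
        self._keys = {}        # token_id -> shared secret key
        self._pending = set()  # challenges issued but not yet consumed

    def enroll(self, token_id):
        key = secrets.token_bytes(32)
        self._keys[token_id] = key
        return Card(token_id, key)

    def new_challenge(self):
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge, token_id, response):
        if challenge not in self._pending:
            return False                    # unknown or already-used challenge
        self._pending.discard(challenge)    # each challenge is single-use
        key = self._keys.get(token_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    issuer = Issuer()
    card = issuer.enroll("TOKEN-0001")      # constructed token ID
    c1 = issuer.new_challenge()
    token_id, r1 = card.respond(c1)
    genuine = issuer.verify(c1, token_id, r1)
    # A captured (token_id, response) pair replayed against a fresh challenge:
    replay_fresh = issuer.verify(issuer.new_challenge(), token_id, r1)
    # The same pair replayed against the original, already-consumed challenge:
    replay_same = issuer.verify(c1, token_id, r1)
    return genuine, replay_fresh, replay_same
```

The genuine response verifies once; the sniffed response fails both against a new challenge and against the consumed one, which is the replay resistance the comment describes.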

  2. We are too lazy.. by Junta · · Score: 5, Insightful

    When doing anything that requires something to physically touch is considered too much work and we'd rather risk our financial info being wirelessly transmitted than have to swipe a card, we have serious issues.

    And all this about inventory tracking is kind of an orthogonal point to payment isn't it? I for one certainly don't mind them being able to wave rfid wands around a vague area and account for an entire big package without having to scan a unique barcode for every item. I wouldn't mind a checkout system where they didn't even need to find the upc (or for that matter, could scan the whole cart in one go instead of item by item). However, I don't see the big benefit of avoiding physical contact with my payment device (which I wish was more technically secure than my mag-stripe credit card).

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:We are too lazy.. by fahrbot-bot · · Score: 3, Insightful
      However, I don't see the big benefit of avoiding physical contact with my payment device.

      I think the (only real) benefit is the ability to get away from card-shaped items and allow key-fobs and the like. Technically, the RFID chip could be put in a ring, bracelet, or on a key chain, etc...

      I'm not saying all this is/would be better and I certainly don't have any problem yanking out and swiping my CC when I want to buy something.

      --
      It must have been something you assimilated. . . .
    2. Re:We are too lazy.. by dreamchaser · · Score: 3, Insightful

      Heck, I still use cash most of the time, mainly because I hate those damn Visa commercials that make it look like if you don't use your card you are just holding everyone else up. I was using my debit card all the time until those started, now I use cash just because I can and I'm an ornery bastard.

      I wouldn't mind contactless payment via RFID, as long as the chip in each item I bought is disabled as I check out and leave the store.

  3. Personally by esocid · · Score: 4, Insightful

    I won't use any contactless methods of payment. I know there are ways to capture info from a swiped card, but it's at least harder to get away with that than just sniffing for RFIDs in the area. I'd rather not have my financial info available no matter where I go, as opposed to it being available when I use my magnetic strip once per payment. Its selling point is ease and quickness of use, but I've never heard anything about security.
    And yes, I abhor the idea of RFIDs in passports too. I'll cover it in tin foil, along with my head.

    --
    Absolute power corrupts absolutely. indymedia
    1. Re:Personally by Talennor · · Score: 4, Insightful

      the danger of an RFID tag in your wallet being randomly sniffed is almost nothing. . . . [they] have an extremely limited range - a couple inches

      Actually, the range depends almost entirely on the antenna and power of the reader, not the card. You can do a lot more than a couple inches (though the reader will be directional and may need to be aimed).

      It's not until you start working with battery-powered active transmitters (highway EZ-Pass boxes for the fast toll lanes, etc) where there would be a realistic security risk

      Another example of what I just said, in Atlanta the toll passes are now just the inductive-powered cards, thin paper you stick on your windshield. No card-side power and it's read >70mph. Quite like how someone could read your credit card while you pass by on the interstate.
      --

      //TODO: signature
    2. Re:Personally by srollyson · · Score: 2, Insightful

      While I'm not big on the idea of wireless payment (in this form anyways), the danger of an RFID tag in your wallet being randomly sniffed is almost nothing.

      This is certainly true now, but there's also no incentive to go the extra mile for RFID tag reading. Don't you think that making credit card info available on the airwaves would encourage more sophisticated RFID readers?

      I've heard stories of thieves putting fake mag-stripe readers on top of ATMs, which leads me to think that RFID payment would be a criminal's dream come true.
  4. Re:Lower repair costs. by truthsearch · · Score: 2, Insightful

    We can send a man to the moon, but we can't make a reliable number pad? The failure rate of the 9 buttons should (hopefully) be extremely small.

  5. PRIVACY IS DEAD!! by StevenABallmer · · Score: 0, Insightful

    Admit it people! Privacy has been dead for years now and the latest technologies only bury it deeper! The only privacy you have is what's in your head and we are trying to get to that too! http://fakesteveballmer.blogspot.com/

  6. Octopus by demonbug · · Score: 4, Insightful

    While I have serious misgivings about the privacy and security issues surrounding RFID (or other) contactless payment systems, I have to say that they can be extremely convenient. On a recent trip to Hong Kong, my wife's aunt (resident of HK) gave us each an Octopus card pre-loaded with a few dollars when we arrived.
    Super convenient. My wife put hers in her purse, I put mine in my wallet. Going somewhere on the subway? Just pull out my wallet, slap it on the reader, and I'm through the gate. My wife could just wave her purse across the reader without even taking it off her arm (assuming the card was in her wallet near the bottom of the bag - it seemed to have a useful range of only 3-4 inches). No searching around for the right card, no worrying about losing the ride card between stops, just slap it down and it automatically calculates the fare and deducts from the amount on the card. When you need to increase or recharge the value on the card, you just take it to the recharge machine, pop it in, and put in a few dollars (or credit/atm card, whatever).
    In HK the cards are accepted on pretty much all forms of mass transit (trains, subway, buses) as well as at an increasing number of convenience (too many 7-Elevens) and other stores (and supposedly taxis are supposed to be accepting them soon).

    I think this is really the ideal use for contactless payment. Basically a replacement for carrying cash around, used to pay for the multitude of small-ticket items and services that you make use of during the day. We do it here in California with FasTrak for paying tolls, but there are a lot of other potential uses. It also makes particular sense for transit, where it not only works to make the actual payment but also replaces the need for a fare ticket, doing the journey tracking by itself. These types of uses also in many respects counter some of the privacy concerns - if you're worried about someone tracking what you are doing, you can always just use cash to increase your balance on your card, or even get a new card every time rather than recharge (though that seems wasteful). Requiring recharge, rather than tying it directly to a bank account, also means that you only ever have to worry about the amount you put on the card. Just like carrying cash around, but more convenient.

    On the other hand, I really don't see any reason to have an RFID-enabled credit card. If I could use a cash card for small purchases then I'd only be using a credit card for larger ones; the few times a week (or whatever) I'm doing this it really isn't a hardship to have to pull out a card.

    I think there are some awesome, efficient, all-around great reasons to introduce contactless payment systems for some purposes. However, due to privacy and security concerns (and the lack of any real advantage) I don't see why anyone would want something like an RFID-equipped credit card. Too much potential for abuse, with little or no real benefit (to the individual - no doubt businesses would find all sorts of fun uses for cards tied to individual people that they can remotely sniff).