Slashdot Mirror
FTC to Scrutinize Contactless Payment Technology
coondoggie writes to tell us that the Federal Trade Commission (FTC) will be taking a look at contactless payment systems and the consumer protection issue surrounding them. "RFID technology provides obvious benefits, the FTC said. For example, the ability of producers using RFID to track exactly where in the supply chain their products are and by which retailer they were ultimately sold to a consumer has the potential to make product recalls more effective. However, there also may be costs regarding consumers' individual privacy rights associated with it."
Is why we're once again bucking the trend and doing something different?
A lot of the world is using chip+PIN, which while not perfect is still drastically better than what we've got, can't be sniffed from remote, is much more of a distinct action and has a huge install base.
I'm not sure what this obsession with RFID payment methods is.
I'm guessing contact payment devices have the exact same issues with RFIDs as the new biometric passports.
Perhaps we should just all switch to carrying aluminum foil wallets and purses around...
When doing anything that requires something to physically touch is considered too much work and we'd rather risk our financial info being wirelessly transmitted than have to swipe a card, we have serious issues.
And all this about inventory tracking is kind of an orthogonal point to payment isn't it? I for one certainly don't mind them being able to wave rfid wands around a vague area and account for an entire big package without having to scan a unique barcode for every item. I wouldn't mind a checkout system where they didn't even need to find the upc (or for that matter, could scan the whole cart in one go instead of item by item). However, I don't see the big benefit of avoiding physical contact with my payment device (which I wish was more technically secure than my mag-stripe credit card).
XML is like violence. If it doesn't solve the problem, use more.
I won't use any contactless methods of payment. I know there are ways to capture info from a swiped card, but it's at least harder to get away with that just sniffing for RFIDs in the area. I'd rather not have my financial info available no matter where I go, as opposed to it being available when I use my magnetic strip once per payment. It's selling point is ease and quickness of use, but I've never heard anything about security.
And yes, I abhor the idea of RFIDs in passports too. I'll cover it in tin foil, along with my head.
Absolute power corrupts absolutely. indymedia
We can send a man to the moon, but we can't make a reliable number pad? The failure rate of the 9 buttons should (hopefully) be extremely small.
Developers: We can use your help.
What's wrong with "contact" payment technology?
The iButton looks like it can do pretty much everything RFID can, without the risk of sniffing.
Beauty is in the eye of the beerholder.
And it doesn't seem that anyone in decision making positions are getting that message.
So roll on RFID everywhere, let the crooks benefit, just like with DRM.
Seven Days with Ubuntu Unity
Its a proprietary protocol in a proprietary device made by a company that lives on it's proprietary products.
I do like their products for some things and they do promote them well with hobbyists. Their prices are painful though.
Actually, we're currently technically not capable of sending a man to the moon. Check back around 2020 though, then we can start saying that again.
I think you might have missed the intent of the parents post. Hey meant failure point as a way to protect the owner of the card. If I steal your card a failure point is me having to enter your pin number. It is extremely small if you know your pin, otherwise the possible failure rate should be extremely high as it is a guess of finding the one right combination out of 10,000 possible combinations.
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
Problem is that the cost of Credit card and Debit card fraud is incredibly small compared to the cost of even giving slightly improved security to the system we have now. The number pad could have dynamic numbers. the numbers on the pad change for every use, scrambled so a camera off axis cant see the numbers from the pattern. Even changing to the smart-card based cards is far more expensive than the amount lost to fraud.
Banks, contrary to what they advertise and tell you, do not give a rats ass if someone steals your money or identity. So they will do as little as possible to make sure information is secure. If it costs them money, they will do everything possible to not do it.
The RFID based card system has even died. Most banks did not offer the cards and almost every store and restaurant I saw that had the readers installed now have them removed, almost everyone is abandoning it. Glad to see the government researching a dead technology. I wonder when they will research if the 6809 processor is safe for use in space.
Do not look at laser with remaining good eye.
Or its possible I missed the point. I must be tired. I'm going home.
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
Doing something just because a commercial tells you not too.
I'm the same way..
Sean
"Hmm. I am to metaphor cheese as metaphor cheese is to transitive verb crackers!"
Sounds like these guy's product: http://www.emvelope.com/products/show/1 , a Faraday Cage for your wallet. Could be worse.
This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
While I have serious misgivings about the privacy and security issues surrounding RFID (or other) contactless payment systems, I have to say that they can be extremely convenient. On a recent trip to Hong Kong, my wife's aunt (resident of HK) gave us each an Octopus card pre-loaded with a few dollars when we arrived.
Super convenient. My wife put hers in her purse, I put mine in my wallet. Going somewhere on the subway? Just pull out my wallet, slap it on the reader, and I'm through the gate. My wife could just wave her purse across the reader without even taking it off her arm (assuming the card was in her wallet near the bottom of the bag - it seemed to have a useful range of only 3-4 inches). No searching around for the right card, no worrying about losing the ride card between stops, just slap it down and it automatically calculates the fare and deducts from the amount on the card. When you need to increase or recharge the value on the card, you just take it to the recharge machine, pop it in, and put in a few dollars (or credit/atm card, whatever).
In HK the cards are accepted on pretty much all forms of mass transit (trains, subway, buses) as well as at an increasing number of convenience (too many 7-Elevens) and other stores (and supposedly taxis are supposed to be accepting them soon).
I think this is really the ideal use for contactless payment. Basically a replacement for carrying cash around, used to pay for the multitude of small-ticket items and services that you make use of during the day. We do it here in California with FasTrak for paying tolls, but there are a lot of other potential uses. It also makes particular sense for transit, where it not only works to make the actual payment but also replaces the need for a fare ticket, doing the journey tracking by itself. These types of uses also in many respects counter some of the privacy concerns - if you're worried about someone tracking what you are doing, you can always just use cash to increase your balance on your card, or even get a new card every time rather than recharge (though that seems wasteful). Requiring recharge, rather than tying it directly to a bank account, also means that you only ever have to worry about the amount you put on the card. Just like carrying cash around, but more convenient.
On the other hand, I really don't see any reason to have an RFID-enabled credit card. If I could use a cash card for small purchases then I'd only be using a credit card for larger ones; the few times a week (or whatever) I'm doing this it really isn't a hardship to have to pull out a card.
I think there are some awesome, efficient, all-around great reasons to introduce contactless payment systems for some purposes. However, due to privacy and security concerns (and the lack of any real advantage) I don't see why anyone would want something like an RFID-equipped credit card. Too much potential for abuse, with little or no real benefit (to the individual - no doubt businesses would find all sorts of fun uses for cards tied to individual people that they can remotely sniff).
That's not quite accurate. Both MasterCard and Visa have fraud departments. Both monitor fraud and require their member banks to remain below a certain threshold, otherwise their fees increase or contracts get withdrawn. Fraud is a large expense (customer service, closed accounts, etc.) and is considered harmful to their brand image.
Developers: We can use your help.
I'm wondering how long until some company comes out with (or some government mandates) a contactless cash card with half-assed security measures, to the point where all it takes to pick a hundred thousand pockets becomes a receiver in a suitcase and a few hours in Grand Central Terminal.
I'm a big fan of new technology, the higher the better, but let's just hope that if implemented, it's implemented by those with the most to lose (e.g. banks) rather than those with the most to gain (e.g. legislators).
Oh, you have nothing to worry about. The cameras at every store you've ever been to is not there to watch the customer. It's to watch the person at the register, either as they get shot in a robbery or to accuse them of stealing. Ever watch security camera video from a bank or gas station robbery? You can barely see the perp, but there's a great over-the-shoulder shot of the register and the smokes.
I think FTC scrutiny is absurd in this case. There are most certainly no privacy or banking regulations to be concerned about this technology.
I renewed a Slashdot subscription this morning by sticking the card in front of my computer. I have a USB based reader connected to my computer to make secure transactions. At no point does it transmit the information in plain-text. I'll do it right now to show how useful this is. Here is the actual output:
Card Holder Name:
John Doe
Credit Card Number:
1234 5678 9123 4567
Expiry date:
01/2080
See, what is wrong with that? I think this is a great technology. FTC, Buzz off!
There is a qualitative difference there. Gold -> paper and cash -> credit both significantly increase the amount of money (or access to money) you can reasonably carry on your person. The only difference with an RFID vs mag-stripe is whether you have to swipe or wave vaguely in the general direction of the reader.
Dan Aris
Fun. Free. Online. RPG. BattleMaster.
I've been looking into getting one of these, just because I am sick of my magnetic strip getting screwed up a month after I get the card and then having to request another one.
I've heard that at least some of the touch-and-pay systems aren't just passive RFID, but use a challenge-response system which would actually more be secure than a credit card, since the merchant / snooper never sees your card number. If I can verify this then I definitely will be getting one.
So sure, maybe theoretically someone could sit next to me on the bus, and gather enough CR samples to recover the key. But considering all the places that I have used my CC number online, and who knows how many of the merchants store that info, I think that a brute-force cryptanalysis of my keyfob is the least of my concerns.
And besides, since it is a real credit card (not a debit card) the CC company will pay for any fraud anyway, so making sure the system is secure is their problem not mine.
So, if I swing my key chain containing my RFID credit card fobs in the vicinity of the checkout reader... how do I make it scan my American Express(r) card fob instead of my Visa(r) card fob instead of my... ???!!!?
It's not uncommon to see someone open their wallet to reveal a dozen or more credit cards. Besides the majors (Amex, Visa, MC, Discover) there were several more store credit cards and/or gas cards, etc. So what is such a customer going to do... remove the fob they want to use from their key ring, swing THAT fob near the reader, and then reattach it to their key ring? And THAT is supposed to speed things up how? Or, more likely, they'll try and make the desired fob stick out from the others and try and wave that one at the reader... OOPS! It scanned the wrong card. Can you ring that up again, please?
Or, attempting to be helpful, the pin pad displays "We noticed you are carrying the following credit cards; please click on the one you want to use for this transaction." Privacy advocates would just LOVE that one. :/
So, please tell me again what the advantage of having an RFID chip in my credit card(s) is? Given the choice, I'd much prefer sliding my mag stripe through the slot.
http://en.wikipedia.org/wiki/Octopus_card
- I stole your sig.
Except, of course, that the cost of card fraud is borne by the card issuer, not the cardholder. VISA and MC both lose a lot of money each year due to fraud, and you can bet your buttons they're doing something about it.
We've had a form of contactless payments for years.
Put the cash in an unmarked paper bag and we'll call back with instructions on where to drop it.
Have gnu, will travel.
Except, of course, that the cost of card fraud is borne by the merchant, not the card issuer.
Fixed.
Yeah because its ever so more secure having the customer standing and slowly punching the keypad in plain view because the numbers have moved around.
and bind them into debt. (Oblig LOTR ref)
Don't try to out wierd me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr