"My point, which you stated more clearly, is that all of these cards implement EMV (with SDA) and use the t=cl protocol."
That was NOT my point. MY point was that the cards that Visa will deploy in the US, along with the cards that MasterCard and Amex will deploy in the US, do not implement EMV with T=CL or anything else. The Visa product deployed in Malaysia does.
Just checked this out on my Al 15 1.67 and it's so cool it superconducts.
This is the first piece of software that's had me drop my jaw for ages. Well done. I swear I will pay good money for the first "shake the machine and the window clears" etch-a-sketch plug-in for Pages or Keynote:)
"I'm objecting that I don't want people reading my credit cards remotely"
Then don't use them. Take your stripe card to the slow lane with the people still writing checks.
P.S. The range of these cards is about two inches absolute maximum. If you wanted to read them from a couple of yards away, you'd have to pump out enough RF to cook the victim. Wrong threat model, man.
"It is difficult to tell since you did not respond."
I apologise, I have a job.
But let's review the situation and you can be clearer on what it is you don't understand, thus trending the conversation toward education.
1. Visa have announced that they will (but haven't yet) deploy a contactless card in the US. This will be an ISO 14443 card, just as Amex and MasterCard have been piloting.
2. The only contactless card that Visa have deployed so far is not in the US but in Asia-Pacific. This is also an ISO 14443 card but it uses the EMV application over the 14443 interface. No contactless EMV standard has yet been released.
3. Although the Visa, MasterCard and Amex solutions transit more than a simple ID number (in fact they transmit the mag. stripe Track 2 data with a cryptogram appended) it is strictly speaking incorrect to call them RFID. But who are we against so many?
"Interesting that 2/3rds of the time you have posted to/. it has been in response to me."
"There is a difference between an RFID tag and a contactless smart card implementing EMV."
I know.
"Calling it RFID is inaccurate as it is not an an identification tag"
Yes, and inflammable means not flammable. So what? RFID is the generic term used in the industry for reader-powered microprocessors.
" Yes some RFID devices use ISO 14443"
Such as, for example, the Visa cards discussed in the original article (which are not "contactless EMV", nor could they be since such a standard has yet to be released). What's your point?.
"Does that make all ISO 14443 devices RFID tags?"
No. But you cannot negate a universal affirmative (as the old saying goes).
Hey! Quick someone better call Visa: I bet THEY NEVER THOUGHT OF THIS. That's why they're so poor, I guess, because they keep getting outwitted by evil geniuses like you.
Since your amazing plan does not depend on the deployment of contactless Visa card -- you could perpetrate your perfect fraud using the existing stripe cards -- what is it doing in this thread?
You are wrong. VisaWave (the only contactless product that Visa have deployed) is RFID: it uses ISO14443 proximity interface (as does Mastercard Paypass and American Express Expresspay). ISO15693 is for read-only vicinty tags.
"Because of security functionality you can't just sit down, write a Java applet to store your passwords, and load it to your Visa card. "
Why not? If Global Platform worked as advertised, and if the JVM really is as secure as Multos, then what woud the bank care if you had some game high score, web passwords or personal data applet on your Visa card? Surely it would be a good way to cut churn: you wouldn't want to switch Visa cards if you had to re-enter all of your web passwords.
Slashdot Mirror
I bet the lawyers are rubbing their hands about this already. And this time they've got itemised bills on their side!
That was NOT my point. MY point was that the cards that Visa will deploy in the US, along with the cards that MasterCard and Amex will deploy in the US, do not implement EMV with T=CL or anything else. The Visa product deployed in Malaysia does.
Because it's fast (you don't have to take the card out of your wallet -- I saw people in London using cards like these on the subway.
Because it doesn't need to be a card. These things can be keyrings, badges, buttons or whatever the marketing guys want.
Because it's cheaper. Over the long term, terminals with no slots and no contacts are more robust.
This is the first piece of software that's had me drop my jaw for ages. Well done. I swear I will pay good money for the first "shake the machine and the window clears" etch-a-sketch plug-in for Pages or Keynote :)
Then don't use them. Take your stripe card to the slow lane with the people still writing checks.
P.S. The range of these cards is about two inches absolute maximum. If you wanted to read them from a couple of yards away, you'd have to pump out enough RF to cook the victim. Wrong threat model, man.
I apologise, I have a job.
But let's review the situation and you can be clearer on what it is you don't understand, thus trending the conversation toward education.
1. Visa have announced that they will (but haven't yet) deploy a contactless card in the US. This will be an ISO 14443 card, just as Amex and MasterCard have been piloting.
2. The only contactless card that Visa have deployed so far is not in the US but in Asia-Pacific. This is also an ISO 14443 card but it uses the EMV application over the 14443 interface. No contactless EMV standard has yet been released.
3. Although the Visa, MasterCard and Amex solutions transit more than a simple ID number (in fact they transmit the mag. stripe Track 2 data with a cryptogram appended) it is strictly speaking incorrect to call them RFID. But who are we against so many?
"Interesting that 2/3rds of the time you have posted to /. it has been in response to me."
Well, I wouldn't go so far as to say interesting.
I know.
"Calling it RFID is inaccurate as it is not an an identification tag"
Yes, and inflammable means not flammable. So what? RFID is the generic term used in the industry for reader-powered microprocessors.
" Yes some RFID devices use ISO 14443"
Such as, for example, the Visa cards discussed in the original article (which are not "contactless EMV", nor could they be since such a standard has yet to be released). What's your point?.
"Does that make all ISO 14443 devices RFID tags?"
No. But you cannot negate a universal affirmative (as the old saying goes).
Since your amazing plan does not depend on the deployment of contactless Visa card -- you could perpetrate your perfect fraud using the existing stripe cards -- what is it doing in this thread?
You are wrong. VisaWave (the only contactless product that Visa have deployed) is RFID: it uses ISO14443 proximity interface (as does Mastercard Paypass and American Express Expresspay). ISO15693 is for read-only vicinty tags.
Why not? If Global Platform worked as advertised, and if the JVM really is as secure as Multos, then what woud the bank care if you had some game high score, web passwords or personal data applet on your Visa card? Surely it would be a good way to cut churn: you wouldn't want to switch Visa cards if you had to re-enter all of your web passwords.