Contactless Credit Cards 414
An anonymous reader writes "According to his article in EETimes, Visa and Philips are teaming up to introduce a so-called "contactless credit card". Basically it'll work like the proximity cards many of us use for access to our places of work or apartments. You won't need to physically swipe it, simply waving it over a reader is good enough."
Good and badGood and badGood and Bad (Score:5, Insightful)
Where?s the security? I often wonder why the heck credit card purchases don?t require a PIN at the very least. Yeah, we?re all high tech and thumb prints and/or eye scans would be cool, but I?m all for having to know and enter a PIN on each and every purchase.
I tend to go for EFT payment whenever possible as I do have to enter a PIN. Shoulder surfing or a corrupt security camera guy is always a problem. I?m smart enough to remember a purchase PIN and a ATM/Cash type transaction PIN too. I suppose insurance costs and ?shrink? just isn?t too expensive yet?
I?d be impressed if there was a thumb reader built into each plastic card I waived around buying all my shit.
Mobile gas anyone?
Re:Good and badGood and badGood and Bad (Score:5, Insightful)
At the very least, the signature process should be retained.
Re:Good and badGood and badGood and Bad (Score:4, Insightful)
How I see it working would be, 1 central authority (CA like we know it for SSL certs) issuing certificates to all of the readers on the market (there still needs to be a way to expire the certs incase one gets stolen, put out of service). The cards will contain the corresponding certificate for the CA so it can properly validate any certificates the CA signs. When
Re:Good and badGood and badGood and Bad (Score:4, Insightful)
First, this would be hardware based and it'd be fairly likely that someone out there would sell a legit signed reader to a theif or a theif would get one somehow. Unlike the CA analogy, where this only effects people if the fake store manages to steal the real store's private key as well and the weak point of trust is still a legitimate store, here, we are looking at a stolen card reader and suddenly the weak point in the chain is not just a shopkeeper or retailer, but any random theif who manages to walk by you on the street.
Second, how would this infrastructure work in conjunction with CC# purchases where there is no physical transaction, i.e. online purchases? I suppose you could only implement it for proximity card purchases, some sort of built in smart-card feature as you said, but I don't even see it as providing that much security. As I said, one stolen reader and someone can charge you whatever they like.
The best solution I can come up with, now that I think about it, is to have all the proximity-broadcast information encrypted with a public key for VISA or whoever, and only VISA can decrypt it. That way, even a stolen reader is useless, all someone can do is charge for purchases, and then the money paid from the CC company is traceable anyway. There is no way for the theif to actually gain the CC details. No need for any other sort of security; you could give this information out to everyone on the planet and have it still be totally secure.
Re:Good and badGood and badGood and Bad (Score:5, Insightful)
Re:Good and badGood and badGood and Bad (Score:5, Insightful)
Re:Good and badGood and badGood and Bad (Score:5, Interesting)
Physical, hardly.
Have you ever purchased anything online?
All I need is your number, name and expiry and I can charge your account all I want.
Credit card accounts are inherently very insecure. Prosecution is the only thing stopping (even more) massive fraud.
the Bush card (Score:4, Funny)
Re:the Bush card (Score:3, Insightful)
Democrats want to spend, so do Republicans. The Democrats are just more honest about it.
Re:Good and badGood and badGood and Bad (Score:3, Insightful)
> Have you ever purchased anything online?
Yes, I seem to recall needing to physically see my card to do it and enter the numbers on a keyboard. The site did not simply sense the card in my wallet from a pop-up window and start charging things to it.
> All I need is your number, name and expiry and I can charge
> your account all I want.
And how will you get those without seeing something with my card details on it (like my card)?
The argument here is that just walking past som
Re:Good and badGood and badGood and Bad (Score:4, Interesting)
That being said we may see this attitude change in the future as online credit card databases allow fraud on a much larger scale.
For the record I can get a large number of credit cards (probably yours too) fairly easily:
Receipts carelessly tossed in a garbage can outside of certain stores (yes, many of them do print your full name, card number and exp. Date)
Hacking insecure online servers (many have 1000s of cards in plain text or weakly encrypted)
Grab your mail
Look in your recycling box
Look at your card over your shoulder
Hidden cameras, crooked cashiers/waiters etc
Set up a fake online store selling a few products very cheaply.
Set up a cheap porn site. (ala the Eros Island scam)
etc
Tips for Mitigating Credit Card Risks (Score:3, Informative)
Shred receipts you don't need and keep secure those you do.
Hacking insecure online servers (many have 1000s of cards in plain text or weakly encrypted)
If you are going to purchase online via credit card, never allow the website to store the data "for your convenience" because then it is in their database. The site should have to ask for your cc# for each and ever
Re:Good and badGood and badGood and Bad (Score:5, Informative)
Actually, that's less and less the case. With the exception of the "big" vendors who have enough fraud insurance (amazon, etc), more and more vendors are instituting stiff requirements on your card purchases such as: a) shipping only to the credit card billing address (or another address listed on your credit card), b) requiring that you enter the CCV (the three digit number printed on the signature stripe of the card), c) requiring that you enter your credit card's customer service number so they can contact your bank.
And almost all online vendors (except the really sketchy ones) require that you provide the credit card billing address when placing an order. If they don't match, the order won't go through. I have had several vendors call me when this happened because I typo'd the name of my street.
On a related note, I wish more and more brick and mortar stores would check your signature. To prove a point, my friend and I were making a purchase at a large national chain store, and he signed "Homer J Simpson" to the credit card receipt, and the cashier didn't care.
Re:Good and badGood and badGood and Bad (Score:5, Interesting)
I used to work for Sears. I did this. One guy comes up, tried to buy something, I think a faucet, and gave me an unsigned credit card. I asked him for ID, he gave it to me, complaining, and I handed back the ID and the card, and asked him to sign it. He refused, started yelling, and walked out.
Mind you, the card quite clearly states 'not valid until signed'. And this wasn't an isolated incident, either.
That is why stores don't check signatures very well. Customers don't want the security it provides.
Re:Good and badGood and badGood and Bad (Score:3, Informative)
Re:Good and badGood and badGood and Bad (Score:5, Informative)
I would be interested to know how they would be able to stop "contactless thieves" in this case. It seems to me that scanners would become available for people to walk around zapping people's funds away from them. One nice thing about the tried and true swipecards is that to charge them, it's very much a physical action.
Not entirely true. One of the more common credit card scams here in Los Angeles is portable card scanners being carried by waiters in restaurants. As they take the card you've handed them back to scan it for the bill, they scan it in their personal scanner, which records the information for later use.
There is no meaningful physical location tied to this because you've given your card (intentionally) to someone you have to trust. If you eat at multiple restaurants over the course of a week, there's no easy way to trace the theft back to an individual location.
Re:Good and badGood and badGood and Bad (Score:5, Interesting)
Re:Good and badGood and badGood and Bad (Score:2, Interesting)
Re:Good and badGood and badGood and Bad (Score:3, Informative)
I have two proximity cards on me at all times, for two different security systems. Whenever I swipe one card, and the other is too close, it will not work. There seems to be some interferance between the two cards. I assume that the reader machines would be able to tell if more than one card is detected, and the transaction would fail.
Let me get this straight... (Score:5, Funny)
Most, if not all, of the smart people I know never, ever 'buy' shit....they seem to find a way where people continously give them shit, sometimes for no apparent reason. Now I know some would argue that this may well be a gift, but I've watched this happen, over and over, and I'm here to tell you, it seems like it doesn't matter what they do or what they say, someone will eventually give them shit. Really! I am not kidding! It's true!!
If you are having to pay for shit, may I suggest a crash course in shit 'taking'...you can sign up for one online I believe..perhaps right here, if you ask nice.
Re:Good and badGood and badGood and Bad (Score:5, Informative)
My cards usually crack from curvature long before the stripe is demagnetized or worn away. I guess that's what comes from sitting on your wallet all the time.
FWIW, Esso Canada (gas station chain) has been using keychain-dongles for rapid payment for about a year now. You just hold your keys in front of the coloured box on the pump for a few seconds and it prepares to make the sale exactly the way it would if you stuck your card in the stripe reader. They also put the same dongle-reader at each cash register so you can buy your morning coffee a few seconds faster....
Re:Good and badGood and badGood and Bad (Score:5, Informative)
The mag stripe isn't actually necessary for making the purchase. (If a store salesdroid tells you it is, demand to see the manager or take your business elsewhere). Only the card itself is required.
Back in the day, credit cards didn't have mag stripes. They were called charger plates, and they were placed in a machine along with a carbon sales slip, and when a roller was moved back and forth across the paper, an imprint of the card was made on the sales slip. And you signed it to charge something to your MasterCharge or BankAmericard.
The security was in actually having the card present at the checkout. That is still the case - you swipe it to prove that its there, or if the stripe doesn't work, they take an imprint of it (all places that take cards are supposed to have an imprint machine). That, combined with the signature, is in theory enough security. I'd wager a large portion of credit card fraud could be stopped if places would stop hiring illiterate 12 year olds at registers who can't even read, let alone compare signatures.
Re:Good and badGood and badGood and Bad (Score:3, Informative)
I'd wager a large portion of credit card fraud could be stopped if places would stop hiring illiterate 12 year olds at registers who can't even read, let alone compare signatures.
Of course, hiring anyone but illiterate 12 year olds at registers would cost more than the credit card fraud they'd stop.
oh, too bad... (Score:2)
Re:oh, too bad... [agreed] (Score:2)
Contactless? Great! (Score:5, Funny)
Pickpocket from a distance... (Score:5, Interesting)
Perfect business opportunity (Score:5, Funny)
Re:Perfect business opportunity (Score:5, Funny)
Re:Perfect business opportunity (Score:2)
Re:Perfect business opportunity (Score:5, Funny)
Re:Perfect business opportunity (Score:3, Funny)
Just do what I do, and destroy the RFID tag by microwaving all your tinfoil first.
(whooop whooop whooop)
Ooops, gotta run -- damned microwave's set off the fire alarm again...
Re:Perfect business opportunity (Score:3, Funny)
How much protection do you need from tinfoil bombs?
Anyone taking bets... (Score:3, Insightful)
How long will it be? Say, to the nearest hour or so?
Re:Anyone taking bets... (Score:3, Insightful)
Otherwise, as you say, someone will come up with something to read them for sufficent distance to go through clothing, your wallet, etc, without you knowing. Sure, the range (according to the article) is only 20 cms, but even that's too far for my peace of mind.
Re:Anyone taking bets... (Score:5, Informative)
I had the pleasure of seeing a prototype credit card that had that feature. It was geared toward online purchases and basically worked like this:
The button is an excellent idea because you save transmitter life, although I'm sure there's a power supply that can live the life of a credit card. It also controls when the info is sent out. I wouldn't mind throwing a PIN on there either. Hell, I don't even have a credit card, just a check card, so I'm fine with PINs
Damn I like ordered lists!
Re:Anyone taking bets... (Score:5, Informative)
Still , a button would be nice. Even just a 'squeeze point' (eg squeeze the card whilst waving over reader) would be handy.
Then we could also have the obligatory "Squeeze the last cent out of my card jokes"
Go for it (Score:5, Insightful)
Re:Go for it (Score:5, Informative)
I beg to differ. Credit card fraud runs in the billions of $ every year. One article [internet.com] claims the losses will be about (2002 figures) "$285 million over the holiday season in the United States." And that's just about 1 month's worth. Credit cards are anything but secure. Since consumers don't see the cost of the fraud directly, most are barely aware it exists. Of course, the cost is passed on in the form of higher fees and interest.
Merchants (and their employees) don't help matters any either. On all my cards, in the signature block, I put "Please ask for ID". (I've checked with Discover and they have no problems with that, BTW). Rarely do I get asked for ID.
Then there are merchants, such as the USPS, which won't accept the card without an actual signature. Don't need to show ID (I tested this), but it must have a signature or they won't accept it. It's an actual federal rule (I checked), so the clerk isn't doing anything wrong. Maybe it's just me, but I would trust a driver's license MORE than a signature with nothing to compare it too.
Re:Go for it (Score:3, Insightful)
You mean all this time I couldn't compare the signature on the receipt to the signature on the back of the card?
Holy shit... I must be responsible for millions in credit card fraud alone.
Re:Go for it (Score:3, Interesting)
True. However, if fake ID's (such as driver's license) were sooo easy to get, they would be worthless as ID's. Yet, they are accepted as such almost everywhere. Strange. Hmmm...
Now, how many people are handwriting experts and would be able to make a meaningful comparison (assuming they even tried)? In any case, a handwriting sample is available to compare to (the "Please ask for ID" - ask me to write that if you want the same
Mastercard beat them to it (Score:2, Informative)
Billy, can you say "fraud"? (Score:2)
Sounds an awful lot like SpeedPass (Score:5, Insightful)
Re:Sounds an awful lot like SpeedPass (Score:2)
That's a pretty substantive difference in and of itself.
Re:Sounds an awful lot like SpeedPass (Score:3, Informative)
Re:Sounds an awful lot like SpeedPass (Score:2)
That said, SpeedPass seems to work well, technically speaking. My big complaint about it is it seems a little redundant. "Just wave your speedpass" isn't really any easier than "Just stick your credit card in the slot on the pump".
It's all going to get charged to a card anyway.
SpeedPass would have been more sensible if it functioned as a unique credit card account, instead
Why (Score:3, Interesting)
Re:Why (Score:3, Funny)
Re:Why (Score:5, Interesting)
When I lived in Hong Kong there was a smart card (not Credit Card) called Octopus. Basically, you buy the smart-card, you add cash funds to it, and then you can use it to ride the train system.
It was incredibly convenient, not to have to buy tickets, and much greater throughput than ticket machines. You just walked through the gate and swiped your wallet over the reader.
Anyways, it wasn't long before they figured out the advantage of converting the vending machines in the station over to Octopus. No cash to collect, just fill it up with product and collect the money from the Octopus administrators, less administrative fee.
I can tell you from experience, it beats the hell out of coins, changing money, messing about with cash, fumbling about with change. Just swipe your card and get your product. Faster, easier and much more effecient.
Best of all, the cards were anonymous, which means the govt couldn't track you via the card. Disadvantage of course is that if the card was lost or stolen, there was no recovery. I guess for that reason the maximum you could put on the card was HK$500.
To me this was the first step towards an anonymous cashless society, which despite the Orwellian protests of the tin-foilers, is IMO, A Good Thing(tm). Money spreads disease, has an administrative cost, is vunerable to forgery. If we can have all the advantages of cash, including anonymity, then I say, let's get rid of cash.
Re:Why (Score:3, Informative)
Yanno what I'm thinking... (Score:5, Funny)
"These are not the droids you're looking for"
(handwave, subtle ka-ching! sound)
"These are not the droids I'm looking for.. move along..."
Re:Yanno what I'm thinking... (Score:4, Funny)
Mobil Speed Pass? (Score:2)
Mobil Speedpass (Score:5, Interesting)
Well, that was how I paid for gas at Mobil. I cut my Speedpass open, took out the glass cylinder, and put it inside my Nextel i90 cell phone, it fit next to the battery. The Speedpass only lasted a few months before dieing. I haven't tried it again yet...
It was cool when it worked though, I just held my cell phone up to the pump to pay for gas.
Re:Mobil Speedpass (Score:2)
Contactless credit cards? (Score:5, Funny)
In fact... let me see here... no, I still haven't gotten around to signing the back.
Absolute Fascist Control (Score:5, Insightful)
Warning (Score:2)
DON'T OVERWAVE
One L (Score:2)
"You won't need to physically swipe it" (Score:2)
My 2 yen (Score:4, Interesting)
Maybe good Maybe not (Score:2, Informative)
Unless the also use a pin-number system, there is really nothing they can to to prevent theft. If you have a 'shielded wallet' or you have to press a button, then it defeats much of the point, a
Ummm...branding error, me thinks... (Score:2)
Comments by proxy (Score:5, Funny)
How you gonna.... (Score:5, Funny)
Hello, I'm Dwayne, I'll be your card waver this evening.
First movers advantage and contentions? (Score:3, Insightful)
And what happens if there are multiple cards that are contactless? Do I have to pick one out? What's the point of this, then?
My building uses contactless badges. Ironically, we have a badge for the building and another for the garage. I can't keep both cards in the wallet because they interfere with each other.
Finally, is Phillips proposing to make cars run off the card? Wow. Imagine starting your car just by sitting down...
Re:First movers advantage and contentions? (Score:3, Informative)
You already can. Mercedes Benz, Porsche, and even certain Volkswagen models (just to name a few, I'm sure there's others) have this feature. You leave the keys in your pocket. To unlock the car, touch the door handle. To start the car, touch a button on the dashboard. To lock the car back up, just touch the outside door handle on your way out. The keys stay in your pocket the whole time. It works by actively seeking out your remote commander ("t
These better have a small range (Score:5, Funny)
"Did you swipe your card?"
"Not yet."
"That's funny, because your total has already been paid!"
Pick-pocketing (Score:5, Informative)
My concern would be that unscrupulous individuals would use portable readers to get your card number. It would be a form of pick-pocketing that wouldn't actually require any contact or much risk of getting caught.
Hopefully, the cards would use some sort of challenge/response system, rather than a fixed number that could be replayed to a terminal. Still, there are bound to be vulnerabilities, and we'll probably be reading about them in a couple of years.
Re:Pick-pocketing (Score:2)
Swatch Access (Score:2)
Probably how they work (Score:4, Interesting)
For those concerned about portable readers consider that a reader would have to send out a powering magnetic field and then capture the ID of the card. My guess is that all kinds of security could be built into these cards. The most obvious kind would be the use of an ID that contained a constantly changing code like the secure IDs many of us use to access various secured dialup and network devices. The only drawback is you would need some kind of contained power source in the card to power the secure ID ciruitry as it has to be constantly powered so it does not lose sychronization with the host system. My guess is the reader could still supply power for the RF signal while the secure ID part used a small lithium cell.
That way the ID would not only have to be correct but the security code would only be good for about 3 minutes. That would make these things fairly secure, probably moreso than a card and a PIN as the PIN can be noted via cameras and the quicksighted.
Physical theft of the card would be a problem but that would not be anything new to get used to.
dzimmerm
Challenge/response? (Score:2, Interesting)
I didn't RTFA, but here's an idea to counter some people's fear that a technology like this would necessarily allow you to steal card numbers as you walk through a crowd.
The card could use a challenge/response system with the merchant. Each card has a symmetric key pair - the public key is your account number used for billing. The private key is known only to the card, and is used to sign a challenge phrase from the merchant. Challenge phrases would be unique to each transaction (given out by the financ
Bubble Crystals (Score:2)
Hong Kong has had this for a while (Score:4, Interesting)
If you buy more than about $10 US of subway services, you have the option to get a smart card. My whole stay that card left my wallet only once (to return it for a refund). Othere than that when I used the subway, I would just set my wallet on top of the read. It was so conveneient.
Even better, lots of vendors (such as convenience stores) let you pay using your subway credit.
I guess there are more security concerns when using this with a real credit card, but it seems like it should have happened in this country sooner.
Re:Hong Kong has had this for a while (Score:2)
Not new ~ BTDT for almost a year now. (Score:2)
I can see a new Amazon patent (Score:5, Funny)
War Driving For Credit Card Numbers !! (Score:3, Interesting)
If you think credit card fraud is rampant now, wait until card thieves get hold of a portable RF reader and begin walking down crowded streets...
Hey, that's fine with me. This gives me enough lead time to come out with a copper-lined wallet that prevents RF credit card theft. In fact, I'm racing to the patent office now!
Stopping fraud? (Score:5, Insightful)
I used to sysadmin for a shell account company, and we saw huge amounts of credit card fraud, mostly from kids looking to run bots on IRC, or just because they collected shell accounts.
One thing I came away with from that experience was the definite feeling that Credit card companies don't seem to think it is in their interest to stop credit card fraud.
After all, if the owner of a card is frauded, the bill goes on their card, and interest is accrued. If the owner of the card isn't diligent, its possible they might just automatically pay the card off, without even realise they have been a victim of card fraud.
Certainly, the credit card companies don't seem to go after the fraudsters as much as they should. One of my friends on Dalnet used to regularly give the full details of people that she had discovered doing carding. One kid was so blatant, he put up a web page, with pictures of him holding up all the crap he had bought with stolen card numbers.
He was 12, and his mother didn't care in the slightest he was stealing. And neither did the credit card companies. The police were interested though, but he didn't have much repercussions - just a couple of weeks in a counselling center for kids.
Anyway, I digress.
Proximity cards are a great ieda. It means I can just wave my wallet near the scanner to pay for an item.
But, if this is not couple with some new form of identification currently not in use with credit cards (a pin number would suffice, or something biometric such as a thumb-print), then I fear that fraud will just increase.
People will get a hold of the scanners, and set up their iPod to capture the card numbers of anyone in proximit to it, and just walk up behind people, snapping up numbers.
Maybe I'm just getting paranoid.
Re:Stopping fraud? (Score:3, Informative)
Another reason credit card companies don't care? They are not the ones to foot the bills when a chargeback is initiated. It's the merchant who is out of the entire purchase, some insane chargeback fee, and the lost product.
Credit card companies will never care as long as the monetary loss due to fraud is LESS than the actual cost of pursuing the criminals.
Octopus (Score:5, Informative)
The EE Times article focuses on the technology is a bit light on details of what the card actually does, so I'm not sure if it is a stored-value card (like Octopus) or actually operates like a credit card. I would be surprised if it's the latter because of concerns about theft etc.
Security (Score:2, Interesting)
For the naysayers... (Score:5, Informative)
Not.
Even when directly contacting the sensor with the key fob in my pocket it didn't activate it. It had to be held infront of the device, almost touching it.
Whatever the range they say, I'm sure you're not going to be able to sniff out the RF signal by just sitting next to someone unless you have some expensive equipment.
How am I suppose to impress people then? (Score:3, Interesting)
I kid. I don't have one and you can't "apply" for one either. Read more about it here [time.com] and see it here [americanexpress.com].
Jedi credit card trick. (Score:2, Funny)
Japan has contactless credit cards already (Score:3, Informative)
http://www.tcvb.or.jp/en/hot/sizzling/0112/sizz
and
http://edition.cnn.com/2003/WORL
Also the EDY cards use similar technology and are embedded into credit cards so one card can be both a swipable credit card as well as a contact-less debit card.
http://www.sony.net/Products/felica/contents04_
One use that springs immediately to mind.... (Score:5, Funny)
Waves AmEx These aren't the droids you're looking for...
Obiwan was a bribe merchant!
Isn't that how the SpeedPass works? (Score:3, Insightful)
Who's talking about security? (Score:3, Interesting)
I think the point is that proximity scanning is (slightly) easier than swiping -- especially since swiping isn't always straight-forward in my experience. (i.e., Clerk swipes card. Pause. Clerk swipes card. Pause. Clerk swipes card. Pause. Clerk enters number manually.) It might be nice to have the reading of a card number not be dependent on 1) the supple wrist of the user, 2) the condition of the card, 3) the speed and direction of the swiping motion . . . the list goes on and on.
Also, the wear and tear on the cards might actually be reduced enough to make them last more than a few months . . .
Pros & Cons (Score:3, Insightful)
Pro: My card won't wear out before it expires 6 years from now
Con: Now I can have my number stolen without comming into physical contact with the theif .
--This could be a pro if you consider it could make getting robbed a whole lot safer
Did anyone RTFA? (Score:3, Insightful)
I don't know about everyone else but I go running scared when I see things like (paraphrased) "...standard method of allowing consumers to purchase content in their home..."
I can see it now.... "please wave your contactless credit card to watch this channel"....
Stealing Proximity Cards (Score:3, Informative)
One proximity card that I use requires almost physical contact to the reader, which is appropriate for a doorway.. But another card I use (same building, same card type) to open the garage gate reads the card within about a foot of the reader. I roll my car slowly by, casually holding the card out, and it reads with no contact.
With the appropriate equipment, you can read data from just about anyone's card at a distance. How close do you have to be? People get kinda close in elevators, or you can just be polite, and be holding an outside door for them while they walk by your briefcase/laptop bag/purse. For that matter, I guess your reader could be in the brown paper bag that appears to hold your lunch.
H2K2 had a lecture on it. Here's the lecture description. [h2k2.net] in July of 2002
"Proximity Cards: How Secure Are They?
Sunday, 6 pm
Area "B"
They're used everywhere but they could be making you even more vulnerable to privacy invasion. Delchi has been working with proximity based card systems for two years and has developed a method of casually extracting data from proximity cards in a public environment. Riding in an elevator, subway, or just walking down the hall, a person can bump into you, say "excuse me," and walk away with the decoded information from the proximity card in your pocket. It could then be possible to build a device that can capture and replay these snippets of information on demand or to even brute force a proximity card system. This talk will focus on the vulnerabilities of the systems and show a low power working prototype. Alternatives will be discussed, as well as other vulnerable aspects of proximity based building and computer access systems."
I've read some design information on it also, but can't seem to find the links right now. I don't know what the options are for protection of proximity cards.. Keep them in a foil pouch?
First Sploit! (Score:3, Interesting)
Wanna go shopping?
Re:BAD IDEA (Score:3, Funny)
Re:too long range (maybe) (Score:2, Informative)
This is something that I have seen with proximity cards for two seperate systems. When the two are together then when system A tries to contact Card A, Card B is also activated and the system cannot make any sense out of what it has received. Therefore no access.
In this case you have to seperate the two cards, in order to read them.
There has been talk about contactless smartcards for the past 10 years.
Re:How easy would it be to steal info from these? (Score:3)
You can set files on the card (it has a tiny file system) such that they can only be written to. I have a Cryptoflex 8k card here
Re:How easy would it be to steal info from these? (Score:5, Informative)
From their site:
High-speed contactless operations are completed in less than 100 milliseconds and at distances of up to 10 cm from the reader. Security between different applications is ensured by two 48-bit diversified keys and specific access conditions per sector. Security is further reinforced by replay attack protection and a three-pass handshake, which manages the mutual authentication between the card and the reader. In addition, the Easyflex FastOS 2.0 fast anticollision algorithm allows more than one card to be processed by the reader at the same time.
Easyflex FastOS 2.0 communicates on the 13.56 MHz carrier frequency in compliance with the current ISO 14443-Type A standard and implements the standard Mifare protocol, allowing it to be used with the vast majority of contactless card systems.
Re:NOT A GOOD IDEA (Score:2)
An Electro Magnetic Field in a mall is entirely plausable.