Chase Deploying "Touchless" Credit Cards 373
Rick Zeman writes "As reported by Money Magazine, J.P. Morgan Chase, the US' 2nd largest bank, is rolling out 'contactless' credit cards, presumably using RFID technology. 'The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers' which leads me to wonder if the next crime wave of the future will be criminals walking through crowds with readers to grab customer info. Chase says, however, that 'new cards are embedded with encryption software to prevent duplication and data theft' but since RFID has been cracked before, and the criminals are usually more clever than the vendors...."
why not (Score:5, Insightful)
Re:why not (Score:2, Insightful)
Re:why not (Score:5, Funny)
Oh...you're talking about your credit cards. Sorry. Carry on.
Re:why not (Score:3, Interesting)
That assumes people are going to use a shielded sleeve. Precious few won't. And a thief could simply plant themselves somewhere busy like a food court and steal any id that goes past.
Of course any such system would require some other form of protection. The site says encryption, e.g. the card's credentionals are encrypted with a key known only to the clearing house. It still means the key could be vulnerable to a plaintext attack since the data is likely to be short but contain well formed data such as dates, names, credit card numbers. It also means that the card could be vulnerable to some kind of playback attack unless the card itself is capable of giving a different response depending on some challenge.
It seems to me that it would be cheaper and safe if they adopted the chip & PIN system already used by France and recently UK & Ireland. There is nothing to "sniff" and it's hardly less convenient to use or implement.
Re:why not (Score:5, Funny)
Yes. It's called a "wallet".
Re:why not (Score:2, Insightful)
Re:why not (Score:3, Funny)
Re:why not (Score:3, Funny)
No, but I keep it in my protective hat. Yes, the tinfoil one. Quit laughing, it works!
Re:why not (Score:2)
Yes, actually. I'm not just being facetious and suggesting the sleeve is my wallet either. I actually have each one of my cards in a sleeve inside my wallet.
No, I'm not paranoid; it just keeps the magnetic strips from being rubbed off (which used to happen to me all the time).
So for me, keeping the new cards in a some kind of sleeve wouldn't be any different than what I do now.
Re:why not (Score:2)
Re:why not (Score:2)
How's yer sciatica?
Re:why not (Score:5, Funny)
Uh, no. Even when they're in the sleeves, some of the strip still gets rubbed off. The friction just isn't as bad as when it's sleeveless, and they actually survive 3 or 4 years without having to be replaced.
Perhaps that's why the only people I see who have to laboriously pull their cards
Laboriously? It's not like you're trying to break into Fort Knox. You just pull the card out.
out of those stupid sleeves are old farts.
You really should talk to a counsellor regarding the hostility you feel towards inanimate objects and the elderly.
Re:why not (Score:3, Insightful)
They hardly kicked the crap out of the cards. All Mythbusters did was subject the cards to electric shocks.
I'm talking about friction rubbing off the magnetic material on the card. This makes the magnetic strip inoperative, because there is no magnetic strip left.
Take some sandpaper and sand the magnetic strip a bit. Then tell me if your card still works.
Why is this so difficult for people to understand?
Re:why not (Score:3, Informative)
I've had cards go bad in less than 9 months.
I got a handful of tyvek sheaths off of ebay and keep may cards in them now. It takes an extra second or two to get the card out (I'm not an old fart yet), and sometimes five or six seconds if I grab the wrong card. This is a fair trade off for my to keep my cards useable for the ever-extending valid period (three years on my most recent one).
Except that it's not (Score:3, Insightful)
1) Safely in a sleeve, where no one can read it
2) Out in the open, where everyone in a certain radius can read it
In other words, you can't spend it without exposing it. Joe Hacker can hang out next to the checkout line at your grocery store for 5 minutes and get a dozen credit card numbers.
I don't care how much you encrypt it: it'll be cracked, and sooner rather than later. The fact that they are compounding this with no regulation of requiring signitures is one of the worst security decisions I've ever heard of - far worse than anything Microsoft has ever put out, and that INCLUDES ActiveX. Because ActiveX breaches don't immediately and directly cause credit card numbers to get stolen en masse unless combined with social engineering.
Re:Except that it's not (Score:4, Insightful)
How come all we are talking about here are the communication of the something you have part, and everyone is ignoring the loss of the other 2 critical parts of the secure equation?
To me, this looks like these cards are totally disassociated from the card holder when used. That is most certainly NOT more secure than we have currently.
Am I missing something or is everybody else?
Few Details (Score:5, Informative)
Note that existing contactless technology is sufficient for this credit card, with a maximum range of up to 10cm. Such technology is supposedly already in use in Europe. (Europeans care to share your experiences?)
That's my guess anyway. I'm sure someone else can add a few details or make corrections.
Re:Few Details (Score:3, Interesting)
Re:Few Details (Score:2)
Re:Few Details (Score:3, Funny)
Re:Few Details (Score:5, Informative)
We used these cards to sign in and out of work as well as to pay for lunch at the cafeteria.
A number of phone manufacturers here are also putting this technology into their phones so you can swipe your phone to pay for things at stores. The main supplier of the actual chip is sony, under the namefelica [sony.net].
Now here, it is impossible to use your bank card to pay for anything. The service is just not avaliable as it is in North america or Europe.
As to the security of the smart cards, the only information on the card is your personal account number and how much money you have on the card. At the end of the day, on mobile fare collection systems anyways, the data is transfered at the depot to a server which updates the main account information. As to store systems, the data is retrieved immediately from the server and updated.
If your card is stolen or lost, it is like loosing cash at least until you call the card issuer and they freeze the account.
I am not sure about how this may affect the magnetic strip on most credit cards, but a magnetic field generates the electrical power required by the chip on card to 'transmit' the data to the reader.
transaction approval (Score:3, Interesting)
The only way I could see this being secure is if the card itself had a display with the dollar amount and recipient, and a yes/no button. Perhaps they have this, does anybody know?
Re:transaction approval (Score:2)
Presumably, the actual transaction still has to be sent to the server. The card identifies itself and/or cryptographically approves the transaction, then the results are sent to the CC server via a merchant account. Using your merchant account fraudulantly would not only get your account revoked, but would most likely result in legal charges from the CC company.
Re:transaction approval (Score:3, Informative)
Because they can't steal the card wirelessly. All they can do is attempt a transaction by placing a reader close to your behind. (Or wherever you keep your cards.)
And that transaction is useless unless they can submit it to the credit card company. You need a merchant account to do that. And a merchant account is not easy to get. Even if you do get one, the CC company will have all the info they need to track it back to you. Thus you'd have to use someone else's merchant account. But since the money from that account goes directly to the merchant (which will then be charged back by the CC company after the theft anyway), you'd have to steal from the merchant. Which means that it would have been easier to just steal the money in the first place.
Re:transaction approval (Score:3, Interesting)
You were saying?
I was saying that they're hard to get. Have you ever tried getting a merchant account? It's expensive, and a royal pain in the ass! Not to mention that it is really easy to lose your merchant account. Just because there are variety of carriers (although not as many as it might seem at first) doesn't mean that such accounts are easy to get.
Because merchants are never verified by CC companies, right? And because merchant accounts don't cost $$$ to get set up, right? And because the CC company isn't going to lock out your account as soon as fraudulent transactions start coming through, right?
Geez, people. Pull your heads out.
Re:transaction approval (Score:2)
Re:Few Details (Score:3, Informative)
I don't know about credit cards, but my Travel card [www.ytv.fi] for commuting uses some kind of induction tech.
It's in use in the Helsinki region, with at least half a million of users (probably more). Given that the card is 70 euros a month I would guess cracking whatever encryption it uses is quite hard, I've never heard of a sigle case of anyone being able to load travel time or value illicitly. The cards also work very reliably, including below the freezing point.
The working radius, as noted in another comment, is something like 10cm.
Re:Problem is they use weak encryption (Score:3, Interesting)
Re:Problem is they use weak encryption (Score:2)
If every bank card or credit card turned into one of these remotely readable cards, and that happened, we'd all be in a world of shit.
So why put ourselves in this situation? As a consumer, I don't want it. But I can easily see how any merchant would welcome the idea of making purchases so much faster and easier..
Re:Problem is they use weak encryption (Score:2)
If every bank card or credit card turned into one of these remotely readable cards, and that happened, we'd all be in a world of shit.
Doubtful. The credit card transaction has to be submitted somehow. Perhaps through a registered merchant account? Those aren't that easy to come by...
Re:Problem is they use weak encryption (Score:2)
I don't know, I have not audited the entire code base. In fact I have not yet seen evidence that the code is available for audit, so by default we need to assume it is insecure enough that they cannot make the source available.
2048 bit RSA is good, but what about the rest of the process? RSA is normally used used for key exchange. Use the RSA only to exchange a 32 bit RC-4 key and the whole thing is insecure. Then there are obscure channels. Things like noting how long it takes to reject a key an indicate how close you are. Maybe the processor leaks information that a sensitive reader can use to detect what it is processing?
Maybe this is good, maybe it is not. I have not seen an analysis by anyone well known in the cryptography community, so I don't trust it.
Re:Problem is they use weak encryption (Score:2)
Nobody. But it's pretty standard for smartcards.
Re:Few Details (Score:3, Interesting)
1. Is this an induction communications device, or an RF transciever?
2. Does it actually use an encryption chip to secure transmissions?
3. If so, wouldn't it basically be the same thing as a contactless or RF smartcard?
Can't be all bad (Score:2, Interesting)
I kinda like the idea. Grovery shopping without having to deal with all that pesky human interaction. Qool.
Choices... (Score:2, Insightful)
vs.
Having my Credit Card details stolen and sold.
I think the choice is easy.
Re:Choices... (Score:5, Informative)
3. Being able to wave your credit card while simultaneously keeping your CC data more secure than ever.
Don't mind the story submitter, (s)he's just making wild claims. This is probably contactless smartcard technology, which is far more secure than RFID. How secure you ask? Well, the card is only supposed to return crytographically secure results. i.e. You submit information to the card, it returns signed results. No data that could be usefully stolen is transferred. At least, that's the theory, but at least it's had a few decades to mature.
Re:Choices... (Score:2)
Because all your money is stored on your credit card, right? Think about it.
Re:Choices... (Score:2)
Because the transaction has to be submitted through an authorized merchant account, which is carefully investigated before being handed out. Think about it.
Re:Choices... (Score:2)
Re:Choices... (Score:2)
Re:Choices... (Score:2)
First the encryption has to be broken. If public key encryption is used
Second your thief would then have to obtain a merchant ID somehow, and runa transaction request to the credit card company with the valid merchant ID, relvant data and your CC information
Then the authorization code comes back from the CC and then a compelted transaction request goes back to the CC containing the auth code and the ammount to be billed.
And you'll note nowhere in this transaction scheme is it possible to grab the money because the CC company deducts the money and gives it to the merchant, which means your theif needs to register his adress as a merchant.
The only possible worry is extracting your CC data for use in an online store, but your CC doesn't store your security code on the back of your card so that's a moot point, hinderd even further by use of public key encryption.
In all, your theif is no more likely to succeede under the new system than under the old.
Nope (Score:5, Informative)
The problem is that the information isn't encrypted in any way so all someone needs to do is copy it.
Not the case with a smart card. What happens with those is a challenge is sent out be the machine and the smart card computes a response. It's public key crypto. So the bank gives or withholds authorization off of the correctness of the response to the challenge. So finding the correct answer to a given challenge is worthless, since they are always different. You can't copy the data off the card, they don't allow that.
Poke around on Google a bit if you are interested in the technology but that's what makes people interested in it. You have to physically steal the card to be able to do anything with it. Also, it can even have data written to it. IF you use a GSM phone, you phone will have a smartchip in it. That chip contains your identity, so when a phone recieves it, the phone takes on your phone numebr and service. However that's not all, you can write phonebook entries to the smartchip as well, so those will come with you.
The only real security concern at this point is the technology is new. In cryptography, things aren't proven strong in a single test, they are proven not weak by years of failing to be broken. Since smart cards are new, one hesitates to call them truly secure.
Re:Choices... (Score:4, Insightful)
vs.
Getting sideswiped by a semi on the way to the door and getting killed.
Your comparison is a bad one. You need to add up all those 5 seconds you save and compare them to the time you'd spend fixing it if your information got stolen times the odds your information gets stolen.
Let's also keep in mind how easy it is to steal your credit card information as it is. The number is written RIGHT ON your card. Every cashier you ever give your credit card to has access to that number.
And when that cashier runs the card, what happens? It dials up to the central server and sends your personal information over the phone line. If you're confident with encrytpion to someplace perhaps thousands of miles away, why are you not comfortable with encryption to something 10 inches away?
The fact of the matter is, getting bent out of shape about contactless transmission is silly. Either the encryption method used is good, or it ain't. You don't need to worry about physical layer compramisesif your transaction layer protection is good.
Also, there are other savings here than just your time: Contactless transactions are chepaer to process than signed paper credit card transactions. Merchants can save a lot of money not having to pay cashiers to sit there and watch you sign the receipt, and credit card companies can save money not having to archive those pieces of paper.
Economic efficiency is good for everyone.
Re:Choices... (Score:3, Informative)
Wrong. A cashier has to print a copy of the receipt (with your card # on it. YOUR copy may not have that number but the vender copy most certainly does.), have YOU sign it, then it stays in the cash register. If that transaction is challeneged, they'll bring that receipt up to verify your signature.
At least that's the way it was when I worked in retail. It's funny what you learn from your boss when you neglect to do something.
-1 Wrong (Score:3, Informative)
I can memorize 16 digit numbers, at least long enough to write them down a few minutes later, without much trouble. Talent picked up when working in a restaurant and it being convenient to memorize the numbers on the manager cards.
Because I'm confident that any company engaging in credit card theft will promptly get caught, prosecuted, and sued the pants off of. The same may not hold true for an individual, and the fact that there are two dozen people standing within RFID range when most transactions are done greatly disturbs me.
You missed the point. I'm not talking about the company on the OTHER END of the line - I'm talking about the ability of parties to intercept your transmission between you and the company. If you use credit cards, you must accept that the encryption that keeps your data safe from when it leaves you and when it gets to the company is sufficient. If you're willing to accept that the encryption is sufficient, why does swapping hundreds of miles of phone line or fiber for 10 inches of air suddenly make you not trust the encryption?
Either the encryption is good enough, or it isn't. Whether it's a contact or contactless transmission doesn't matter.
And it ain't good enough. I can promise you it will be cracked sooner rather than later.
Are there people running around breaking the encryption used on web transactions? The encryption used to move money from bank to bank? The encryption used when the VERY SAME data you don't want to transmit wirelessly is transmitted over the phone or internet to process EVERY SINGLE OTHER CREDIT CARD TRANSACTION YOU MAKE?
I can accept that you are paranoid and don't trust encryption. But if you don't trust encryption, you shouldn't use a credit card at all. But if you do use a credit card, which it appears that you do, there is no logical reason not to use contactless credit cards. If the information can be stolen in contactless transmission, it can be stolen even more efficiently by tapping the data line on the way out of the store.
You haven't gone to fast food places lately, have you? McDonald's, Wendy's, and Panera (the 3 joints i frequent most) do not require a signature on credit cards if the transaction is small (less than $25 or so). So, there is next to no money saved on that point.
For those merchants, and that was a huge concession on the part of the credit card industry in order to be accepted into those merchants, who didn't want to slow down their lines to make people sign stuff. It won't be that easy for industries where credit cards are already an expected form of payment, so if contactless transmission will get the credit card companies to allow merchants to not require paper, that's a good thing.
Watch out! (Score:3, Funny)
without R'ingTFA, I'll finish the statement.. (Score:2, Funny)
Europe (Score:5, Interesting)
In Europe we have the chip & pin way of using credit and debit cards at Point of Sale. No signature required, but there's not really a time saving involved. When it comes to RFID credit cards though... well, the US can keep them IMO - there's no way i'd be willing to carry one of these, no matter how confident or assuring the bank tried to be.
Re:Europe (Score:5, Interesting)
Chip and Pin is destined to stay outside of the US, which is why US credit card companies are always trying to do something new that is entirely unnecessary.
Mastercard and Visa are competing with people using their debit cardson the debit system and not running the transaction over the MC/Visa system. When you use your debit card on the debit system, you have the card swiped, and then you enter in your pin number...and MC/Visa doesn't get its valuable merchant's fee.
In order to maintain their fees, MC/Visa has to make sure that people swipe and sign the receipts, avoiding the pin code alltogether. The introduction of a pin based MC/Visa transaction in the US would confuse people toward using their debit cards off of the MC/Visa system.
There are those who find the signing the receipt thing a pain, and entering the pin easier. So MC/Visa will continue trying to elminate the signature and get people to feel as comfortable as possible in as easy a transaction as possible. Merchants, who don't have to pay the merchant fee if you pay via debit, would prefer you to run the transaction on that system (though I believe they can't request that you do it via debit as part of their MC/Visa agreements) I can only presume that merchants who agree to install these new credit card readers (as featured in the article) are getting some very special deal on all their MC/Visa transactions.
I hope this goes some way to explain why credit card companies are so keen to reinvent the wheel.
Re:Europe (Score:3, Interesting)
If it was about 'security' they'd still require a signature+pin (+photo ID would be nice). As it is, all a theif has to do is to say 'I don't know my pin' or (my favourite) 'Don't bother.. this card doesn't work with pins' and they'll immediately put it through as a signature only transaction and *still* never check the signature.
When C&P first started none of my cards worked with it. Now they do, but I still use the excuses above... I have *never* been refused or asked to actually enter a pin.
Re:Europe (Score:3, Informative)
Actually, pin # verification for Visa / MC is *already* in the US. They're called Verified by Visa and Mastercard Secure, respectively, and any cardholder is free to attach a pin # to their card.
They're a huge benefit to merchants, as verified transactions are subject to far fewer chargeback reasons.
Re:Europe (Score:2)
And who do you think end up paying for that? All of us. So the higher level of fraud associated with the more convenient system is costing us money in higher transaction fees from the credit card companies. They have to make a profit after all...
Hmmm, I have a new business idea.. (Score:2, Interesting)
I certainly hope that someone will figure out how to crack this and then takke the high road and show the consumers all of thier credit card info so they can cut the damn things up.
Also, is there any feasibility to just sending the reply that rfid would be responsible for from your laptop and ignoring the tag altogether. I am sure I havce done worse things.
Oh, by the way, am I the first post?
To be fair (Score:5, Interesting)
Re:To be fair (Score:3, Funny)
What are you talking about? Extremities that cause deformities? Is this when your ass is so fat it deforms the credit card in your wallet?
Re:To be fair (Score:2)
While the switch would be a point of failure for the card, it seems to worse than using the magnetic strip in readers with dirty heads (i.e. most or all of them.)
Comment removed (Score:2)
Armchair cryptographers; Slashdot AP wire (Score:2)
Gentlemen, start your armchairs!
but since RFID has been cracked before, and the criminals are usually more clever than the vendors...."
...and we have Ignition!
Seriously, until we know the specifics, much of what anyone says in this story will be silly posturing and armchair engineering. It's also pretty hilarious to see a slashdot reader questioning the qualifications of a bank's security- do you honestly think they'd put their reputation (critical to a bank) and money on the line, without having the whole thing rather thoroughly evaluated by security consult firms? I'm not saying they're perfectly qualified, but I am saying they're a tad more qualified than the general slashdot readership, myself included.
It would have been nice if Slashdot had, say, gotten the inside scoop on some more details- instead of being about 12 hours behind the AP wire (I read about it this morning. And to think one of the reasons on the Slashdot FAQ for "not notifying people they're about to get slashdotted" is "we don't want you to have to wait an hour"). I used to read Slashdot for stories that have more detail/insight than AP stories, or beat them to the punch.
Now it does neither.
Re:Armchair cryptographers; Slashdot AP wire (Score:3, Funny)
Re:Armchair cryptographers; Slashdot AP wire (Score:3, Funny)
Re:Armchair cryptographers; Slashdot AP wire (Score:2)
I'll bet you're semi-horizontal [slashdot.org] while you do that.
Re:Armchair cryptographers; Slashdot AP wire (Score:2)
Man, all these people questioning security specialits just ruin it for the rest of us. Just think, everyone's American passports would have been perfectly secure because nobody would know that the new RFID design would not use encryption at all. If everyone had simply assumed that the homeland security office actually understood what security means, and had never questioned them about it.
but do they really care? (Score:2)
As far as I can tell, it seems like credit card companies currently don't care too much about who is using the card. My signature is checked against my card maybe 10% of the time I'm making a transaction. It's probably much easier for them to run through their database with a "fraudulent buying pattern" detection algorithm then crack down on the way the card is physically used, be it by signature or embedded RFID.
The fact that credit cards are often used online further nullifies the point of efforts for making credit cards more physically secure.
But then again, I've never been the victim of fraud.
whatever (Score:2)
Re:whatever (Score:2)
New way to get ripped-off (Score:2)
Re:New way to get ripped-off (Score:2)
It's harder to swipe through the card reader.
it might not be rfid (Score:5, Interesting)
those are just as hard to crack as PGP emails. Not at all easy.
Re:it might not be rfid (Score:2)
if what i've worked on is similar to what is going into these contact-less cards, they will be as vulnerable to man-in-the-middle attacks as PGP is. (not at all)
Re:it might not be rfid (Score:2)
This is true. Encryption is designed around the idea that the blackhat can see the entire transaction... ssl, pgp, etc. all make that assumption.
It doesn't matter if you plug it into a 1000W transmitter and broadcast the transaction to half a state - the encryption is designed not to be broken, and unless someone has some seriously good hardware attacking it, won't be.
Familiar with Easypass? (Score:2, Interesting)
Get Outside the US People (Score:2)
In Europe organized crime is a big deal. In particular in the east. So much that the credit card companies have mandated EVERY merchant switch credit card terminals. If they don't switch terminals, they won't cover certain types of Credit Card fraud anymore.
Re:Get Outside the US People (Score:2)
I'd wager that there's a whole bunch more than that caused by Organized Crime across the pond.
Good point. (Score:2)
You have to touch the speedpass reader for it to work, that's the keypad one without a battery. The window one can be read at about 2' but all you're going to get is a number that Mobil matches up with an account. Nothing sensitive.
Re:Good point. (Score:2)
I'm sorry (Score:5, Interesting)
And I would sooner change my bank to get a normal credit card than I would buy a wallet with a faraday cage built in.
Low tech answer... (Score:2)
Hong Kong's Octopus (Score:5, Insightful)
Why the paranoia? (Score:3, Interesting)
I would think that
I say "bring on the RFID credit cards". Simpler to use, and more secure than what's currently in my wallet.
gives new meaning to "double swipe" (Score:2, Interesting)
There'll be a whole new array of attack vectors and frauds built around this. The insurance companies will up the premium, the credit card companies will be able to differentiate and compete, retailers will install new readers and a it'll give shape to a new industry.
The other name for this (Score:2)
No Point (Score:2)
Further, this will make it a nightmare for law enforcement. Most credit card rings go through a retail location (i.e., a waiter jacks everyone's info, and someone else does the fraud). However, if you could just steal credit card info from people who you just brush up against, there'd be very little for authorities to go on.
Here's how it might work (Score:3, Insightful)
In any case, I can imagine it working like this:
1. Terminal sends some string of random bytes, p.
2. Card processes it using some one way function f(p,q) and returns the value s where q is some secret info.
3. Terminal takes the results and sends p and s to the bank to verify. Bank runs f(p, q) and see if it matches s. If so, return true.
That's just a simple scheme I hatched up where you don't have to reveal your secret info to verify yourself. I'm sure there are much better ways.
Phish-pocketing (Score:3, Funny)
In the near future, all that a pick pocket has to do is bump into you and he's got your entire wallet.
I dub this "Phishpocketing".
Contactless Tech, Old news? (Score:5, Informative)
As much as the
Now its understandable that people are getting all finicky about something like this, but I say first try it out before you make a comments on about it. Its a lot better then walking around with a wad of cash and it sure as hell beats having to stand in line trying to by a ticket for anything from airlines to trains.
What if you have multiple cards? (Score:5, Interesting)
I personally have 3 credit cards and 1 banking card. I'm curious what will happen if/when multiple companies pick up on this technology? If I wave my wallet near some type of scanner, which card will be selected?
Re:What if you have multiple cards? (Score:2)
Re:What if you have multiple cards? (Score:3, Informative)
If I wave my wallet near some type of scanner, which card will be selected?
I have two different contactless readers on my desk, and a few dozen cards of different types, so I think I can answer this.
Which one will be selected? None. In my experiments, the reader is unable to communicate with any card if there are multiple cards in range. The technology doesn't have any anti-collision technology, and no way of addressing a specific card, so when multiple cards are powered by the field, they step all over each other.
If you have two cards and one is deep into the field while the other is just at the edge, just barely into the region where it would normally work, the nearer card seems to block the transmissions from the further card and the reader can communicate with the nearer card.
A Question (Score:3, Interesting)
Cleverness irrelevant (Score:2)
Don't assume RFID (Score:2, Interesting)
http://www.sony.net/Products/felica/contents04_02
Encryption is irrelevant (Score:4, Interesting)
Does all that talk about encryption make you feel warm and fuzzy? Don't let it. Encryption gives ZERO protection in this case, doesn't even need to be cracked. The criminal doesn't need to understand the information he is stealing, he just needs to route it to a card reader that does.
The difference here is that a person who keeps control of their swipeable credit card has the assurance that only businesses they trust has access to the card.
The odds that a traceable employee (with a job!) steals the card while in the backroom is much smaller than an anonymous person in the crowd at the mall.
Re:Encryption is irrelevant (Score:2, Interesting)
hacker #1 finds a mark he can get close enough to to read the card, maybe he's on the subway or something. Then radios his accomplish hacker #2 who is about to buy something from the store. Instead of having a card in his wallet, he has a radio repeater from a hacker #1's reader that takes the information from the card and plays it to the store's card reader. Even if the card reader "challenged" the card with sophisticated encryption, the transaction would still go through because the reply from the challenge would always be correct, because it was read real-time from a real card.
Re:Encryption is irrelevant (Score:5, Interesting)
The information supplied by the card is of ZERO value to any criminal. Copying the data sent over the air is completely useless. No secret is ever revealed. Everything transmitted is considered 'public' information, in the sense that it doesn't matter who sees it.
The message from the card in particular is useless, and doesn't even need to be encrypted. It can say "Alice has made a purchase of two pairs of woollen socks from the shop on the corner for £2.67. This is her third purchase on 20/05/2005", and the credit company can maintain a replay database to make sure that she only makes one third purchase on a given day.
Replaying that message to another device accomplishes nothing. It's not a purchase at this device, for this object or amount of money, or which will actually be accepted by the credit company.
We aren't really talking about 'contactless credit cards' here. We're talking about contactless smart cards, which are a well-developed technology. They are nothing like RFID.
Now, there's still plenty of room for the credit companies to screw up security on these cards, particularly since they don't actually care how secure they are. But genre attacks like you describe are not an issue.
Signing takes that long? (Score:2)
I didn't think that signing a charge receipt took that long, but maybe I'm wrong.
From the CNN article referenced [cnn.com]:
But MasterCard said the feedback for its system was more positive. The company has been testing its cards in Orlando and Dallas and plans to roll the new cards this summer in other cities but declined to elaborate on the details.
"We're looking at places where the cards can replace cash," said Art Kranzley, MasterCard's chief ebusiness officer, citing McDonald's, Starbucks, Loews movie theaters and Chevron gas stations, among other destinations, as examples. Citibank, J.P. Morgan Chase and MBNA -- some of the nation's biggest card issuers -- took part in the trials.
How does the current use of the cards not perform the same function?
Call me old-fashioned, but the idea of my signature on the receipt being checked against the card (stop laughing, some merchants actually still do this) at least provides a little bit of protection against credit card theft/fraud.
THIS IS NOT RFID (Score:5, Informative)
THIS IS NOT RFID.
RFID is a term used to describe a number of standards.
Chase is deploying "contactless smartcards" (ISO 14443). Contactless smartcards, like regular smartcards, use public-key encrpytion technology. Being able to activate / read the card does zero good, because the secret is stored in the card and never revealed.
ISO 14443 is also far more secure than magstripe cards, which have no encryption whatsoever.
Screw the card, put it in my watch (Score:2)
OMG, my old Swatch Access site [arcor.de] (now hosted by someone else) is the 5th hit on a Google search for "Swatch Access".
Real geeks spend cash (Score:3, Insightful)
I dress like a slob, so I am not a mugging target, and I don't spend what I don't have, so I don't have any credit card debt.
When the clerk asks for personal info, even if it is just "Can I have your zip code, sir?", I say "No".
Sure, I could get a couple of percent on "the float", but just not hassling with big bills is worth it. Paying for a meal you excreted a month ago sucks.
Pay as you go. Be happy.
RTFS (Score:2)
Read The Fucking Summary
Re:Major clarifications (Score:5, Informative)
As a matter of fact, yes.
Especially considering that American banks are WAY behind the rest of the world in areas like using one-time pads or multi-factor authentication. Heck, Bank of America actually only requires use of your 4-digit PIN number from your ATM account.
In my experience, you are actually more likely to get intelligent solutions to identity theft from smaller institutions. If something "funny" goes on with my account, THEY CALL ME personally FROM THE BRANCH, with a friendly voice I recognize. They also by default have passwords set up on accounts (and discourage the use of common passwords like maiden names).