Chase Deploying "Touchless" Credit Cards
Rick Zeman writes "As reported by Money Magazine, J.P. Morgan Chase, the US' 2nd largest bank, is rolling out 'contactless' credit cards, presumably using RFID technology. 'The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers' which leads me to wonder if the next crime wave of the future will be criminals walking through crowds with readers to grab customer info. Chase says, however, that 'new cards are embedded with encryption software to prevent duplication and data theft' but since RFID has been cracked before, and the criminals are usually more clever than the vendors...."
Can't be all bad (Score:2, Interesting)
I kinda like the idea. Grocery shopping without having to deal with all that pesky human interaction. Qool.
Europe (Score:5, Interesting)
In Europe we have the chip & pin way of using credit and debit cards at Point of Sale. No signature required, but there's not really a time saving involved. When it comes to RFID credit cards though... well, the US can keep them IMO - there's no way I'd be willing to carry one of these, no matter how confident or assuring the bank tried to be.
Hmmm, I have a new business idea.. (Score:2, Interesting)
I certainly hope that someone will figure out how to crack this and then take the high road and show the consumers all of their credit card info so they can cut the damn things up.
Also, is there any feasibility to just sending the reply that rfid would be responsible for from your laptop and ignoring the tag altogether? I am sure I have done worse things.
Oh, by the way, am I the first post?
To be fair (Score:5, Interesting)
Re:Few Details (Score:3, Interesting)
it might not be rfid (Score:5, Interesting)
those are just as hard to crack as PGP emails. Not at all easy.
Familiar with Easypass? (Score:2, Interesting)
I'm sorry (Score:5, Interesting)
And I would sooner change my bank to get a normal credit card than I would buy a wallet with a faraday cage built in.
Why the paranoia? (Score:3, Interesting)
I would think that
I say "bring on the RFID credit cards". Simpler to use, and more secure than what's currently in my wallet.
gives new meaning to "double swipe" (Score:2, Interesting)
There'll be a whole new array of attack vectors and frauds built around this. The insurance companies will up the premium, the credit card companies will be able to differentiate and compete, retailers will install new readers and it'll give shape to a new industry.
Re:Problem is they use weak encryption (Score:3, Interesting)
transaction approval (Score:3, Interesting)
The only way I could see this being secure is if the card itself had a display with the dollar amount and recipient, and a yes/no button. Perhaps they have this, does anybody know?
What if you have multiple cards? (Score:5, Interesting)
I personally have 3 credit cards and 1 banking card. I'm curious what will happen if/when multiple companies pick up on this technology? If I wave my wallet near some type of scanner, which card will be selected?
A Question (Score:3, Interesting)
Don't assume RFID (Score:2, Interesting)
http://www.sony.net/Products/felica/contents04_02
Re:Europe (Score:5, Interesting)
Chip and Pin is destined to stay outside of the US, which is why US credit card companies are always trying to do something new that is entirely unnecessary.
Mastercard and Visa are competing with people using their debit cards on the debit system and not running the transaction over the MC/Visa system. When you use your debit card on the debit system, you have the card swiped, and then you enter in your pin number...and MC/Visa doesn't get its valuable merchant's fee.
In order to maintain their fees, MC/Visa has to make sure that people swipe and sign the receipts, avoiding the pin code altogether. The introduction of a pin based MC/Visa transaction in the US would confuse people toward using their debit cards off of the MC/Visa system.
There are those who find the signing the receipt thing a pain, and entering the pin easier. So MC/Visa will continue trying to eliminate the signature and get people to feel as comfortable as possible in as easy a transaction as possible. Merchants, who don't have to pay the merchant fee if you pay via debit, would prefer you to run the transaction on that system (though I believe they can't request that you do it via debit as part of their MC/Visa agreements). I can only presume that merchants who agree to install these new credit card readers (as featured in the article) are getting some very special deal on all their MC/Visa transactions.
I hope this goes some way to explain why credit card companies are so keen to reinvent the wheel.
Re:Few Details (Score:3, Interesting)
1. Is this an induction communications device, or an RF transceiver?
2. Does it actually use an encryption chip to secure transmissions?
3. If so, wouldn't it basically be the same thing as a contactless or RF smartcard?
Encryption is irrelevant (Score:4, Interesting)
Does all that talk about encryption make you feel warm and fuzzy? Don't let it. Encryption gives ZERO protection in this case, doesn't even need to be cracked. The criminal doesn't need to understand the information he is stealing, he just needs to route it to a card reader that does.
The difference here is that a person who keeps control of their swipeable credit card has the assurance that only businesses they trust have access to the card.
The odds that a traceable employee (with a job!) steals the card while in the backroom is much smaller than an anonymous person in the crowd at the mall.
Re:Few Details (Score:1, Interesting)
Re:Encryption is irrelevant (Score:2, Interesting)
Hacker #1 finds a mark he can get close enough to to read the card, maybe he's on the subway or something. Then radios his accomplice hacker #2 who is about to buy something from the store. Instead of having a card in his wallet, he has a radio repeater from hacker #1's reader that takes the information from the card and plays it to the store's card reader. Even if the card reader "challenged" the card with sophisticated encryption, the transaction would still go through because the reply from the challenge would always be correct, because it was read real-time from a real card.
Re:Europe (Score:3, Interesting)
If it was about 'security' they'd still require a signature+pin (+photo ID would be nice). As it is, all a thief has to do is to say 'I don't know my pin' or (my favourite) 'Don't bother.. this card doesn't work with pins' and they'll immediately put it through as a signature only transaction and *still* never check the signature.
When C&P first started none of my cards worked with it. Now they do, but I still use the excuses above... I have *never* been refused or asked to actually enter a pin.
Hmmmm, I see a new product niche opening up... (Score:1, Interesting)
It would really suck to park your car and walk past a criminal and the criminal scans you, cracks your info from your car keys, credit card and passport and just walks over, drives your car off while ordering thousands of dollars of stuff off the internet and selling your passport info to a fence.
Re:Except that it's not (Score:2, Interesting)
Re:Encryption is irrelevant (Score:5, Interesting)
The information supplied by the card is of ZERO value to any criminal. Copying the data sent over the air is completely useless. No secret is ever revealed. Everything transmitted is considered 'public' information, in the sense that it doesn't matter who sees it.
The message from the card in particular is useless, and doesn't even need to be encrypted. It can say "Alice has made a purchase of two pairs of woollen socks from the shop on the corner for £2.67. This is her third purchase on 20/05/2005", and the credit company can maintain a replay database to make sure that she only makes one third purchase on a given day.
Replaying that message to another device accomplishes nothing. It's not a purchase at this device, for this object or amount of money, or which will actually be accepted by the credit company.
We aren't really talking about 'contactless credit cards' here. We're talking about contactless smart cards, which are a well-developed technology. They are nothing like RFID.
Now, there's still plenty of room for the credit companies to screw up security on these cards, particularly since they don't actually care how secure they are. But genre attacks like you describe are not an issue.
Re:why not (Score:3, Interesting)
That assumes people are going to use a shielded sleeve. Precious few won't. And a thief could simply plant themselves somewhere busy like a food court and steal any id that goes past.
Of course any such system would require some other form of protection. The site says encryption, e.g. the card's credentials are encrypted with a key known only to the clearing house. It still means the key could be vulnerable to a plaintext attack since the data is likely to be short but contain well formed data such as dates, names, credit card numbers. It also means that the card could be vulnerable to some kind of playback attack unless the card itself is capable of giving a different response depending on some challenge.
It seems to me that it would be cheaper and safe if they adopted the chip & PIN system already used by France and recently UK & Ireland. There is nothing to "sniff" and it's hardly less convenient to use or implement.
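Added example (not part of any comment in this thread, and not Chase's or any card scheme's actual protocol): a sketch of the two replay defences raised above, a card response that depends on the terminal's challenge and an issuer-side replay database keyed on a per-card purchase counter. The HMAC shared key, the JSON message layout and the names `Card`, `Issuer` and `demo` are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os

class Card:
    """Contactless smart card; the secret key never leaves the chip."""
    def __init__(self, card_id, key):
        self.card_id, self._key, self._counter = card_id, key, 0

    def respond(self, challenge, merchant, amount_pence):
        self._counter += 1  # every purchase gets a fresh sequence number
        msg = json.dumps({"card": self.card_id, "merchant": merchant,
                          "amount": amount_pence, "counter": self._counter,
                          "challenge": challenge.hex()}, sort_keys=True).encode()
        # The message is readable by anyone; only the tag needs the key.
        return msg, hmac.new(self._key, msg, hashlib.sha256).digest()

class Issuer:
    """Credit company: verifies the tag and keeps the replay database."""
    def __init__(self, keys):
        self._keys = keys          # card_id -> shared key (assumed scheme)
        self._last_counter = {}    # replay database: card_id -> last counter

    def authorize(self, msg, tag, challenge, merchant, amount_pence):
        try:
            fields = json.loads(msg)
            key = self._keys[fields["card"]]
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed"
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        if (fields["merchant"], fields["amount"], fields["challenge"]) != (
                merchant, amount_pence, challenge.hex()):
            return "rejected: not this purchase"
        if fields["counter"] <= self._last_counter.get(fields["card"], 0):
            return "rejected: replay"
        self._last_counter[fields["card"]] = fields["counter"]
        return "approved"

def demo():
    key = os.urandom(32)  # constructed sample key and card id
    card, issuer = Card("alice-card", key), Issuer({"alice-card": key})
    c1 = os.urandom(16)   # the terminal's challenge for this purchase
    msg, tag = card.respond(c1, "corner-shop", 267)
    first = issuer.authorize(msg, tag, c1, "corner-shop", 267)
    same_again = issuer.authorize(msg, tag, c1, "corner-shop", 267)
    elsewhere = issuer.authorize(msg, tag, os.urandom(16), "other-shop", 9999)
    return first, same_again, elsewhere
```

Binding the response to the challenge, merchant and amount covers replay of a recorded message; it does not by itself address a live relay of the kind described earlier in the thread.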
Re:transaction approval (Score:3, Interesting)
You were saying?
I was saying that they're hard to get. Have you ever tried getting a merchant account? It's expensive, and a royal pain in the ass! Not to mention that it is really easy to lose your merchant account. Just because there are a variety of carriers (although not as many as it might seem at first) doesn't mean that such accounts are easy to get.
Because merchants are never verified by CC companies, right? And because merchant accounts don't cost $$$ to get set up, right? And because the CC company isn't going to lock out your account as soon as fraudulent transactions start coming through, right?
Geez, people. Pull your heads out.