
Privacy Pitfalls in No-Swipe Credit Cards

Nrbelex writes to mention a New York Times article about the privacy pitfalls of 'no-swipe' credit cards. Despite assurances from the card companies, researchers Tom Heydt-Benjamin and Kevin Fu were able to easily retrieve data from the new cards ... data available without encryption and in plain text. From the article: "They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. 'Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?' Mr. Heydt-Benjamin, a graduate student, asked."

  • by Anonymous Coward on Monday October 23, 2006 @07:54AM (#16544698)

    http://prisms.cs.umass.edu/~kevinfu/papers/RFID-CC-manuscript.pdf [umass.edu]

    gentlemen, start your soldering irons
  • by CowboyBob500 ( 580695 ) on Monday October 23, 2006 @07:56AM (#16544720) Homepage
    Take anything on that Spy Blog with a very large sack of salt. They wrote about one of the projects I was involved in a few years back, and it was just about the most complete load of uninformed bollocks I've ever read.

    Bob
  • by truthsearch ( 249536 ) on Monday October 23, 2006 @08:04AM (#16544770) Homepage Journal
    As a former employee of one of the credit card companies, I'd like to explain a little bit of how they think. Banks and credit card companies take fraud for granted. They have departments which analyze potential and reported fraud. They set certain thresholds which they consider acceptable. Since they know it's going to happen they study it and figure out the best way to flag accounts. To the credit card companies it makes the most financial sense to not bother with the technological blocks and catch the fraud on the tail end. For example, with smaller purchases no longer requiring a signature, card use for small purchases has gone up. If a few percent of those purchases are fraud the banks and credit card companies don't care because in the end they're making more money. People who notice fraudulent transactions on their statements will make calls and the banks will eat the cost of the purchases. Banks who suspect fraud has taken place simply block the accounts until the card holder calls. It all works out to the benefit of the banks and credit card companies.

    So even though the credit card companies should do more to protect the information from a logical and PR perspective, they've already decided that the small potential increase in the cost of fraud is outweighed by the increased use of these cards that some people consider more convenient.
  • by SenseiLeNoir ( 699164 ) on Monday October 23, 2006 @08:22AM (#16544918)
    Silverlink Metro will be coming under the new TfL "London Overground" system in 2007. And yes will be fully oysterised.

    I do know about the thugs who pose as Ticket inspectors... I was once getting off the SilverLink County service from Euston to Harrow and Wealdstone, and the "thugs" were waiting on the stairs.. I showed my Oyster (travelcard, not pre pay) and he checked with the reader, then grunted in a few loud syllables that would make an orangutan proud "Not Valid". And pushed me aside.... (for once I was glad there was CCTV in the area).

    I piped up, louder "Of course it's bloody valid!" and fished out my record card. It seems there was another chap also given the rough treatment...

    Mr gorilla, said "That record card must be fake!" with obvious snicker.

    "Call your manager NOW, before I call the Police!"

    He was saying "You do that sonny," when his supervisor came to see what the commotion was about (The other guy next to me was making an equally loud commotion)..

    He checked my record card, and saw it was perfectly valid.. then checked the readers of the baboons, and found them set for zone 6.. WTF.

    With a lot of apologies, we were allowed to move on.

    My suggestions for anyone who has an issue with these blokes, write a letter to both TfL and Silverlink.

    I do understand they do need to check for tickets, they are losing millions of pounds a year thanks to fare evaders. And nothing annoys me more than watching people chance it.

    However, their behaviour is not on.
  • Re:Citi PayPass (Score:3, Informative)

    by Rob T Firefly ( 844560 ) on Monday October 23, 2006 @08:48AM (#16545174) Homepage Journal
    What happens one day when they're chasing some criminal and they connect your paypass up to his/her movements? The thing can be lost or cloned, and it'll probably be taken as gospel. New York's MTA in particular has been working hard the past decade or two to de-anonymize the use of public transit. They replaced the untraceable coin-type subway/bus tokens with Metrocards, which you either buy from vending machines or booths, both of which enable them to match up that particular card and its movements through the system to at the very least a very clear video image from the camera pointed up your nose, at most the credit card info from whoever bought it. Your Citipass is the next step, that thing's readable by just having you walk past stuff, and it's all quite traceable to you. The only legit way to anonymously take the subway anymore is to find one of those little newsstands that sell pre-packaged Metrocards. The non-legit ways now include cloning things like your Citipass.

    Meanwhile, out on the Long Island railroad (also run by the MTA,) you now pay a penalty of $5 or so when you buy a ticket for cash on the train. They want you to use the vending machines or the last few remaining human-staffed station booths instead, with the same resulting traceability. You even get all sorts of bonuses if you let them just mail your tickets to your home and charge your card.
  • Re:You mean... (Score:3, Informative)

    by BenjyD ( 316700 ) on Monday October 23, 2006 @09:00AM (#16545274)
    Indeed, the system in the US does seem to be different from elsewhere. Here (UK) there's no difference really between a credit/debit card when you buy something, you just put the card in the reader and type your PIN, there'll never be any different charges AFAIK. I believe mainland Europe has had a similar system for a while.
  • by DrSkwid ( 118965 ) on Monday October 23, 2006 @09:14AM (#16545388) Journal
    A good way to look dumb is to use "then" rather than "than".
  • by BrianRoach ( 614397 ) on Monday October 23, 2006 @10:49AM (#16546492)
    Everyone keeps saying, "Who cares, I'm not liable if someone takes my card and uses it", and that "The banks eat it".

    No, they don't. The merchants do. And the customers end up covering it in the end.

    I own an online retail business. If someone disputes a purchase and we lose the dispute, the credit card processor simply takes the money back from *us*. We're out the money. Nobody else.

    We go to great lengths to try and prevent this (AVS, CVV, etc), but you will get one every once in a while no matter what you do.

    So fraud rates are built into retail *pricing*. When we get a new product, we have a formula to decide our selling price. It's based on our business costs. Fraud is one of those costs - we know how much we incur per year, so we build it into the profit margin. Every business does this in one way or another.

    If fraud goes up, so do our prices. Therefore, it goes full-circle back to the consumer.

    Brian Roach
  • by FrostedChaos ( 231468 ) on Monday October 23, 2006 @02:35PM (#16549690) Homepage
    Frankly, I don't understand everybody's obsession with credit card number theft. Unless you are posting your credit card number on /. or wearing it on your T-shirt for everybody to see, you are NOT liable for any fraudulent charges. If the merchant cannot produce a receipt with your signature on it, or if the merchant cannot prove that you received their services, then it has no effect on you, except for you having to make a quick phone call to the credit card issuer.

    Credit card fraud ruins your credit rating. This happened to the parents of a friend of mine. With a crappy credit rating, his parents were unable to get favorable terms for his school loans, and so he ended up taking out a lot of 9% or higher interest rate loans for his college education.

    Also, when you report your credit card stolen, there is a period where you don't have a credit card at all because they cut you off for a while. So you had better have some cash on hand or another credit card to cover this situation. This is exactly why I have two credit cards rather than one.

    And no, my friend never got a cent from the credit card companies to compensate for his ruined credit rating, or for the other inconveniences he went through. There's no law requiring it.
  • by adavidw ( 31941 ) on Monday October 23, 2006 @07:28PM (#16553696)
    I've said it before, and I'll say it again: duress code. A pin number that works perfectly well, and gives no outward sign of being used, but flags the transaction(s) as being 'under duress', kicks in a high-resolution camera (say, in an ATM kiosk) and summons the police.

    This was covered recently at snopes.com (http://www.snopes.com/business/bank/pinalert.asp) . In short, it's already implemented in a few places, but is a bad idea for several reasons, not the least of which being that the whole idea is under patent.
