Privacy Pitfalls in No-Swipe Credit Cards
Nrbelex writes to mention a New York Times article about the privacy pitfalls of 'no-swipe' credit cards. Despite assurances from the card companies, researchers Tom Heydt-Benjamin and Kevin Fu were able to easily retrieve data from the new cards ... data available without encryption and in plain text. From the article: "They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. 'Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?' Mr. Heydt-Benjamin, a graduate student, asked."
Oyster Cards on the London Underground (Score:5, Interesting)
Of course, I found this interesting blog post from several years ago: http://www.spy.org.uk/spyblog/2004/02/foiling_the_oyster_card.html [spy.org.uk]
I just wish TfL would get the bloody Silverlink / North London Line railways on the system rather than posting stormtrooper rent-a-cops at selected stations on random mornings. I actually do pay my fare, but I'm deeply distressed by the rudeness of some of the non-TfL staff. Treat customers not as potential fare-evaders but customers!
Why are we upgrading again? (Score:5, Interesting)
Upgrades for the sake of the "wow-factor" are stupid.
You mean... (Score:4, Interesting)
I've been waiting for 2 years for cashiers and salespeople to check my signature whenever I buy something with my credit card. Sometimes I'll sign "Mickey Mouse" or "Donald Trump", or even write a phrase like "Yankees suck!", and I still have yet to be asked even once. With the lack of security on older cards, it doesn't surprise me that these newer ones are no less safe.
Re:You mean... (Score:3, Interesting)
Re:When did this happen (Score:4, Interesting)
Re:How they think about fraud (Score:1, Interesting)
Re:Why are we upgrading again? (Score:4, Interesting)
While they were at it, they issued a new card # to my wife, for the same account - the old cards had the same number on both hers and mine.
For the tinfoil crowd, the few times I've used it, I had to make physical contact between the card and the reader - I couldn't just wave it by. In fact, the first 2 times I used it, it took me several attempts to get a read. It's pretty weak, but I don't know if that's the card or the reader.
Re:You mean... (Score:5, Interesting)
My autograph is pretty small and ugly and worst of all I've never really gotten the hang of getting it consistent. I've been called on it a number of times when I wanted to pay with my credit card. One store actually went so far as to hand me a notepad and have me write down my signature a couple of times, to check the variations with my card and my driver's license.
Now most stores aren't this paranoid, but credit cards are thoroughly checked around here...
This is stupid (Score:1, Interesting)
Aren't there any rules regarding the handling of sensitive customer information? No laws? Is it enough to just say: "Don't worry. Your data is safe with our technology." when it is actually not?
Re:Dumber than not signing (Score:5, Interesting)
Re:Hah. Screw it. (Score:1, Interesting)
Re:Geeks Rejoice! (Score:2, Interesting)
Pickpocketing at the same old level (Score:5, Interesting)
These 'old days' you talk about ended long, long ago. These 'new days' you predict started decades ago. I'm far more worried about the minimum wage employee handling my credit card info or someone digging through improperly discarded credit card receipts than I am of a technophile taking the time and effort to build a mobile card reader. A stolen credit card is a stolen credit card, regardless how it's done - and we already have measures to counter this. I fail to see how this 'new world' is any different than today's status quo.
Re:Dumber than not signing (Score:4, Interesting)
Yes, but it's information that's harder to obtain. I mean, you can't read it off the card's front, you have to scan to get it, and once you get it, you can't use that series of encrypted info at the online stores, you have to find a credit card of a similar type and "flash" it to that encrypted series.
Re:Why are we upgrading again? (Score:2, Interesting)
The big credit card companies are well aware of the risks. After all, it's the main determinant of their income.
What some people don't realise: It's not about the risk of theft, it's about the risk of liability.
With the new EMV system, the credit card companies will firstly start to roll out Smart card based credit cards, and to force credit card merchants to use the new machines, they will change contracts so that merchants are fully liable for chargebacks on magstripe transactions, and a lot less liable for smart card / card-present transactions.
Note that the paranoia mongering of Smart cards versus Magstripe is pointless: Smart cards are a lot better than magstripe to begin with. If the company that controls the information is up to scratch, I'd rather go for smart cards.
Remember: Magstripe credit cards do not provide full 3 factor authentication. At best, it provides 2. Smart cards on the other hand can provide full 3 factor authentication.
As for the whole RFID thing: I call BS. If the information is encrypted and the PKI is implemented, it does not matter how far the information travels, it is still safe. The private key on the smart card cannot be compromised, unless you have a very expensive piece of machinery with micro probes to detect the internal chip state.
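The point the comment above makes about encryption and a private key that stays on the card is really a point about challenge-response: a card that answers every reader with the same record can be copied by anyone who hears it once, while a card that must answer a fresh nonce with a key it never reveals cannot. The following is an added example, not code from the thread or from any card vendor, written in Python with only the standard library. HMAC-SHA256 is used as a stand-in for the asymmetric signature a PKI-based card would compute (the issuer therefore holds a shared key here rather than a public key); the card names, number and expiry are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample card data for the demonstration (not a real account).
SAMPLE_NAME = "JANE DOE"
SAMPLE_PAN = "4000000000000001"
SAMPLE_EXPIRY = "12/09"


class StaticCard:
    """Models the card in the article: every reader receives the same plaintext record."""

    def __init__(self, name, pan, expiry):
        self.pan = pan
        self.record = f"{name}|{pan}|{expiry}".encode()

    def respond(self, challenge):
        # The challenge is ignored, so the reply never depends on who is asking.
        return self.record


class ChallengeResponseCard:
    """Card that proves possession of a key by answering a fresh challenge.

    HMAC-SHA256 stands in for the asymmetric signature a PKI-based card would
    compute; the replay property demonstrated below is the same either way.
    """

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key  # stays inside the card; only responses leave it

    def respond(self, challenge):
        return hmac.new(self._key, challenge + self.pan.encode(), hashlib.sha256).digest()


class Issuer:
    """Back end that knows which numbers it issued and, for the stand-in, the card keys."""

    def __init__(self):
        self._static_pans = set()
        self._keys = {}  # pan -> shared key (a real PKI issuer would hold public keys)

    def issue_static_card(self, name, pan, expiry):
        self._static_pans.add(pan)
        return StaticCard(name, pan, expiry)

    def issue_challenge_card(self, pan):
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        return ChallengeResponseCard(pan, key)

    def verify_static(self, pan, challenge, response):
        # Nothing ties the record to this transaction: any intact copy is accepted.
        try:
            _name, record_pan, _expiry = response.decode().split("|")
        except ValueError:
            return False
        return record_pan == pan and pan in self._static_pans

    def verify_dynamic(self, pan, challenge, response):
        key = self._keys.get(pan)
        if key is None:
            return False
        expected = hmac.new(key, challenge + pan.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def transaction(card, verify):
    """One legitimate tap: the terminal draws a fresh nonce and the issuer checks the reply."""
    challenge = secrets.token_bytes(16)
    return verify(card.pan, challenge, card.respond(challenge))


def captured_response_reusable(card, verify):
    """Exposure check: is a reply recorded at one terminal accepted by a different one?"""
    recorded = card.respond(secrets.token_bytes(16))
    later_challenge = secrets.token_bytes(16)
    return verify(card.pan, later_challenge, recorded)


if __name__ == "__main__":
    issuer = Issuer()
    static = issuer.issue_static_card(SAMPLE_NAME, SAMPLE_PAN, SAMPLE_EXPIRY)
    dynamic = issuer.issue_challenge_card(SAMPLE_PAN)
    print("static card, normal tap:", transaction(static, issuer.verify_static))
    print("static card, recorded reply reused:",
          captured_response_reusable(static, issuer.verify_static))
    print("challenge-response card, normal tap:", transaction(dynamic, issuer.verify_dynamic))
    print("challenge-response card, recorded reply reused:",
          captured_response_reusable(dynamic, issuer.verify_dynamic))
```

The reusability check is the property to look for in any contactless scheme: the static card passes it (a recorded reply is as good as the card), the challenge-response card fails it because the recorded reply was computed over a nonce the second terminal never issued. Whether the card's key can be pulled out by micro-probing, as the comment notes, is a separate question that this model does not address.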
Re:Dumber than not signing (Score:5, Interesting)
Does anybody know how magnetic stripes respond to being microwaved? Not much use if you toast that too. And how long do you have to zap a chip to burn it out? (Sub-second?)
(Note the stripe only has to be significantly more robust than the chip, it doesn't have to be immune to microwaves. If there's a range where the chip dies but the stripe still works, it doesn't matter if the stripe would stop working in another ten seconds.)
Re:Why are we upgrading again? (Score:5, Interesting)
I've said it before, and I'll say it again: duress code. A PIN number that works perfectly well, and gives no outward sign of being used, but flags the transaction(s) as being 'under duress', kicks in a high-resolution camera (say, in an ATM kiosk) and summons the police. Woe if you use it inappropriately....
Also, an easy trick for the RFID cards would be for it to have two numbers; one which is transmitted when you swipe it, allowing for normal purchases, and a different number on the RFID side, which allows up to $50/transaction, or whatever, maybe a # of purchases/time constraint, and so on. That way, somebody waving an RFID reader over your wallet doesn't get your full purchasing power.
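Both ideas in the comment above are issuer-side policy, so they can be shown as one authorization model. The following is an added example, not code from the thread or from any card issuer, in Python with only the standard library. It assumes the two-number design exactly as described (the swipe number is never emitted over radio, the contactless number carries a per-transaction cap and a sliding-window purchase count) and adds the duress PIN as a second PIN whose acceptance looks identical at the terminal. Card numbers, PINs and the $50 / 3-per-hour policy are constructed sample values.

```python
import hmac
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ContactlessPolicy:
    """Limits applied only to the number the card emits over radio (assumed values)."""
    max_amount: float      # cap per transaction, e.g. the $50 the comment suggests
    max_count: int         # purchases allowed within one window
    window_seconds: float  # length of the sliding window


class Account:
    """Issuer-side view of one account: a swipe number, a contactless number and two PINs."""

    def __init__(self, swipe_pan, contactless_pan, policy, pin, duress_pin):
        self.swipe_pan = swipe_pan
        self.contactless_pan = contactless_pan
        self.policy = policy
        self._pin = pin.encode()
        self._duress_pin = duress_pin.encode()
        self._recent = deque()  # timestamps of approved contactless purchases

    def check_pin(self, entered):
        """Return (accepted, silent_alert). Both PINs are accepted and the terminal
        sees the same answer; only the back-end flag differs."""
        entered = entered.encode()
        if hmac.compare_digest(entered, self._pin):
            return True, False
        if hmac.compare_digest(entered, self._duress_pin):
            return True, True
        return False, False

    def authorize(self, pan, amount, channel, now):
        """Return (approved, reason). channel is 'swipe', 'contactless' or 'online';
        now is a timestamp in seconds, passed in so the policy is testable."""
        if pan == self.swipe_pan:
            if channel == "contactless":
                # The card never emits the full number over radio, so seeing it on
                # this channel means some other device is presenting it.
                return False, "full number presented over the contactless channel"
            return True, "approved"
        if pan != self.contactless_pan:
            return False, "unknown number"
        if channel != "contactless":
            return False, "contactless number is not valid for swipe or online use"
        if amount > self.policy.max_amount:
            return False, f"exceeds contactless cap of {self.policy.max_amount:.2f}"
        # Drop approvals that have aged out of the sliding window, then count the rest.
        while self._recent and now - self._recent[0] >= self.policy.window_seconds:
            self._recent.popleft()
        if len(self._recent) >= self.policy.max_count:
            return False, "contactless purchase count reached for this window"
        self._recent.append(now)
        return True, "approved"


def worst_case_skim_loss(policy, horizon_seconds):
    """Upper bound on what a copied contactless number can spend over a horizon:
    each window of the horizon admits at most max_count purchases of max_amount."""
    windows = -(-horizon_seconds // policy.window_seconds)  # ceiling division
    return policy.max_amount * policy.max_count * windows


if __name__ == "__main__":
    policy = ContactlessPolicy(max_amount=50.0, max_count=3, window_seconds=3600)
    acct = Account("4000000000000001", "4000000000000019", policy, "1234", "4321")
    print(acct.check_pin("1234"), acct.check_pin("4321"), acct.check_pin("0000"))
    print(acct.authorize("4000000000000019", 20.0, "contactless", now=0))
    print(acct.authorize("4000000000000019", 80.0, "contactless", now=5))
    print(acct.authorize("4000000000000019", 20.0, "online", now=5))
    print("worst case over a day:", worst_case_skim_loss(policy, 86400))
```

The bound from `worst_case_skim_loss` is what the cap and count buy: a skimmer who copies the radio-side number gets at most the policy's per-window allowance, repeated per window, instead of the account's full purchasing power, and the issuer sees every such purchase on a channel it can monitor separately.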
Re:Hah. Screw it. (Score:2, Interesting)
Re:Dumber than not signing (Score:5, Interesting)