Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Almighty Buck

Contactless Credit Cards 414

An anonymous reader writes "According to his article in EETimes, Visa and Philips are teaming up to introduce a so-called "contactless credit card". Basically it'll work like the proximity cards many of us use for access to our places of work or apartments. You won't need to physically swipe it, simply waving it over a reader is good enough."
This discussion has been archived. No new comments can be posted.

Contactless Credit Cards

Comments Filter:
  • by krray ( 605395 ) * on Wednesday May 28, 2003 @11:51PM (#6064982)
    I like the convenience idea of it. The magnetic strip in my credit cards are usually destroyed/useless before the card even expires. Between rubbing against other credit cards, contact with the leather, and/or body sweat highly used cards are usually replaced before they ?expire?.

    Where?s the security? I often wonder why the heck credit card purchases don?t require a PIN at the very least. Yeah, we?re all high tech and thumb prints and/or eye scans would be cool, but I?m all for having to know and enter a PIN on each and every purchase.

    I tend to go for EFT payment whenever possible as I do have to enter a PIN. Shoulder surfing or a corrupt security camera guy is always a problem. I?m smart enough to remember a purchase PIN and a ATM/Cash type transaction PIN too. I suppose insurance costs and ?shrink? just isn?t too expensive yet?

    I?d be impressed if there was a thumb reader built into each plastic card I waived around buying all my shit.

    Mobile gas anyone?
    • by the_bahua ( 411625 ) on Wednesday May 28, 2003 @11:55PM (#6065010) Homepage Journal
      I would be interested to know how they would be able to stop "contactless thieves" in this case. It seems to me that scanners would become available for people to walk around zapping people's funds away from them. One nice thing about the tried and true swipecards is that to charge them, it's very much a physical action.

      At the very least, the signature process should be retained.
      • by pirodude ( 54707 ) on Thursday May 29, 2003 @12:19AM (#6065168) Homepage
        It's fairly easy and a part of all smartcards on the market today. Not only is the reader able to verify the card, but the card is able to verify the reader.

        How I see it working would be, 1 central authority (CA like we know it for SSL certs) issuing certificates to all of the readers on the market (there still needs to be a way to expire the certs incase one gets stolen, put out of service). The cards will contain the corresponding certificate for the CA so it can properly validate any certificates the CA signs. When
        • by KrispyKringle ( 672903 ) on Thursday May 29, 2003 @01:42AM (#6065513)
          "Skimmers" are pretty common as is. If we had a more complex system to defeat them involving some sort of PKI you have two issues.

          First, this would be hardware based and it'd be fairly likely that someone out there would sell a legit signed reader to a theif or a theif would get one somehow. Unlike the CA analogy, where this only effects people if the fake store manages to steal the real store's private key as well and the weak point of trust is still a legitimate store, here, we are looking at a stolen card reader and suddenly the weak point in the chain is not just a shopkeeper or retailer, but any random theif who manages to walk by you on the street.

          Second, how would this infrastructure work in conjunction with CC# purchases where there is no physical transaction, i.e. online purchases? I suppose you could only implement it for proximity card purchases, some sort of built in smart-card feature as you said, but I don't even see it as providing that much security. As I said, one stolen reader and someone can charge you whatever they like.

          The best solution I can come up with, now that I think about it, is to have all the proximity-broadcast information encrypted with a public key for VISA or whoever, and only VISA can decrypt it. That way, even a stolen reader is useless, all someone can do is charge for purchases, and then the money paid from the CC company is traceable anyway. There is no way for the theif to actually gain the CC details. No need for any other sort of security; you could give this information out to everyone on the planet and have it still be totally secure.

      • by teknokracy ( 660401 ) <teknokracy@NosPAm.telus.net> on Thursday May 29, 2003 @12:30AM (#6065226)
        And then it comes down to the point where you have the fact that the card could just as easily be stolen. No amount of encryption would protect a card from that.
      • by RajivSLK ( 398494 ) on Thursday May 29, 2003 @01:12AM (#6065400)
        to charge them, it's very much a physical action.

        Physical, hardly.
        Have you ever purchased anything online?

        All I need is your number, name and expiry and I can charge your account all I want.

        Credit card accounts are inherently very insecure. Prosecution is the only thing stopping (even more) massive fraud.
        • by js7a ( 579872 ) * <james AT bovik DOT org> on Thursday May 29, 2003 @03:11AM (#6065789) Homepage Journal
          They should name these card after presidents Bush. You can run up a huge deficit [yahoo.com] without touching anything.
        • > Physical, hardly.
          > Have you ever purchased anything online?

          Yes, I seem to recall needing to physically see my card to do it and enter the numbers on a keyboard. The site did not simply sense the card in my wallet from a pop-up window and start charging things to it.

          > All I need is your number, name and expiry and I can charge
          > your account all I want.

          And how will you get those without seeing something with my card details on it (like my card)?

          The argument here is that just walking past som
          • by RajivSLK ( 398494 ) on Thursday May 29, 2003 @04:40AM (#6066036)
            My point is that the current credit card authentication system is so insecure that it doesn't really matter what the physical card is made of. The only thing that keeps massive fraud from occurring is the paper trail. It is easier to trace the money and prosecute that it is to secure the system. Securing the system would inconvenience the user and that is something that visa would never want. It is much easier to prosecute.

            That being said we may see this attitude change in the future as online credit card databases allow fraud on a much larger scale.

            For the record I can get a large number of credit cards (probably yours too) fairly easily:

            Receipts carelessly tossed in a garbage can outside of certain stores (yes, many of them do print your full name, card number and exp. Date)

            Hacking insecure online servers (many have 1000s of cards in plain text or weakly encrypted)

            Grab your mail

            Look in your recycling box

            Look at your card over your shoulder

            Hidden cameras, crooked cashiers/waiters etc

            Set up a fake online store selling a few products very cheaply.

            Set up a cheap porn site. (ala the Eros Island scam)

            etc
            • Receipts carelessly tossed in a garbage can outside of certain stores (yes, many of them do print your full name, card number and exp. Date)

              Shred receipts you don't need and keep secure those you do.

              Hacking insecure online servers (many have 1000s of cards in plain text or weakly encrypted)

              If you are going to purchase online via credit card, never allow the website to store the data "for your convenience" because then it is in their database. The site should have to ask for your cc# for each and ever
        • by jdreed1024 ( 443938 ) on Thursday May 29, 2003 @07:11AM (#6066437)
          All I need is your number, name and expiry and I can charge your account all I want.

          Actually, that's less and less the case. With the exception of the "big" vendors who have enough fraud insurance (amazon, etc), more and more vendors are instituting stiff requirements on your card purchases such as: a) shipping only to the credit card billing address (or another address listed on your credit card), b) requiring that you enter the CCV (the three digit number printed on the signature stripe of the card), c) requiring that you enter your credit card's customer service number so they can contact your bank.

          And almost all online vendors (except the really sketchy ones) require that you provide the credit card billing address when placing an order. If they don't match, the order won't go through. I have had several vendors call me when this happened because I typo'd the name of my street.

          On a related note, I wish more and more brick and mortar stores would check your signature. To prove a point, my friend and I were making a purchase at a large national chain store, and he signed "Homer J Simpson" to the credit card receipt, and the cashier didn't care.

          • by Zirnike ( 640152 ) on Thursday May 29, 2003 @12:01PM (#6068616) Journal
            "I wish more and more brick and mortar stores would check your signature"

            I used to work for Sears. I did this. One guy comes up, tried to buy something, I think a faucet, and gave me an unsigned credit card. I asked him for ID, he gave it to me, complaining, and I handed back the ID and the card, and asked him to sign it. He refused, started yelling, and walked out.

            Mind you, the card quite clearly states 'not valid until signed'. And this wasn't an isolated incident, either.

            That is why stores don't check signatures very well. Customers don't want the security it provides.

      • by b0r1s ( 170449 ) on Thursday May 29, 2003 @01:31AM (#6065472) Homepage

        I would be interested to know how they would be able to stop "contactless thieves" in this case. It seems to me that scanners would become available for people to walk around zapping people's funds away from them. One nice thing about the tried and true swipecards is that to charge them, it's very much a physical action.


        Not entirely true. One of the more common credit card scams here in Los Angeles is portable card scanners being carried by waiters in restaurants. As they take the card you've handed them back to scan it for the bill, they scan it in their personal scanner, which records the information for later use.

        There is no meaningful physical location tied to this because you've given your card (intentionally) to someone you have to trust. If you eat at multiple restaurants over the course of a week, there's no easy way to trace the theft back to an individual location.
    • by FatRatBastard ( 7583 ) on Thursday May 29, 2003 @12:02AM (#6065050) Homepage
      Hell, there's even a simpler problem: If I have more than one credit card which one will it "charge?" Or will it charge both?
      • ...Assuming you're a lazy ass like me and don't take it out of your wallet when you swipe it to get into your building.
      • Hell, there's even a simpler problem: If I have more than one credit card which one will it "charge?" Or will it charge both?

        I have two proximity cards on me at all times, for two different security systems. Whenever I swipe one card, and the other is too close, it will not work. There seems to be some interferance between the two cards. I assume that the reader machines would be able to tell if more than one card is detected, and the transaction would fail.

    • by djupedal ( 584558 ) on Thursday May 29, 2003 @12:08AM (#6065102)
      You say you are smart enough to remember a purchase PIN and a ATM/Cash type transaction PIN, yet you also claim to be buying shit?

      Most, if not all, of the smart people I know never, ever 'buy' shit....they seem to find a way where people continously give them shit, sometimes for no apparent reason. Now I know some would argue that this may well be a gift, but I've watched this happen, over and over, and I'm here to tell you, it seems like it doesn't matter what they do or what they say, someone will eventually give them shit. Really! I am not kidding! It's true!!

      If you are having to pay for shit, may I suggest a crash course in shit 'taking'...you can sign up for one online I believe..perhaps right here, if you ask nice.
    • by Jetson ( 176002 ) on Thursday May 29, 2003 @01:37AM (#6065495) Homepage
      The magnetic strip in my credit cards are usually destroyed/useless before the card even expires.

      My cards usually crack from curvature long before the stripe is demagnetized or worn away. I guess that's what comes from sitting on your wallet all the time.

      FWIW, Esso Canada (gas station chain) has been using keychain-dongles for rapid payment for about a year now. You just hold your keys in front of the coloured box on the pump for a few seconds and it prepares to make the sale exactly the way it would if you stuck your card in the stripe reader. They also put the same dongle-reader at each cash register so you can buy your morning coffee a few seconds faster....

    • by jdreed1024 ( 443938 ) on Thursday May 29, 2003 @07:20AM (#6066481)
      I like the convenience idea of it. The magnetic strip in my credit cards are usually destroyed/useless before the card even expires. Between rubbing against other credit cards, contact with the leather, and/or body sweat highly used cards are usually replaced before they ?expire?.

      The mag stripe isn't actually necessary for making the purchase. (If a store salesdroid tells you it is, demand to see the manager or take your business elsewhere). Only the card itself is required.

      Back in the day, credit cards didn't have mag stripes. They were called charger plates, and they were placed in a machine along with a carbon sales slip, and when a roller was moved back and forth across the paper, an imprint of the card was made on the sales slip. And you signed it to charge something to your MasterCharge or BankAmericard.

      The security was in actually having the card present at the checkout. That is still the case - you swipe it to prove that its there, or if the stripe doesn't work, they take an imprint of it (all places that take cards are supposed to have an imprint machine). That, combined with the signature, is in theory enough security. I'd wager a large portion of credit card fraud could be stopped if places would stop hiring illiterate 12 year olds at registers who can't even read, let alone compare signatures.

      • I'd wager a large portion of credit card fraud could be stopped if places would stop hiring illiterate 12 year olds at registers who can't even read, let alone compare signatures.

        Of course, hiring anyone but illiterate 12 year olds at registers would cost more than the credit card fraud they'd stop.

  • ... I thought it meant it didn't have any of my contact information. Oh well...
  • by Anonymous Coward on Wednesday May 28, 2003 @11:52PM (#6064987)
    They won't know where to send the bill!
  • by bgog ( 564818 ) * on Wednesday May 28, 2003 @11:52PM (#6064990) Journal
    Let's see. A crowded line at an amusement park... I'm sure I could pick up 100 credit card numbers an hour with my wiz-bang pocket card reader. "Excuse me sir... I didn't mean to bump into you..."
  • by Verteiron ( 224042 ) * on Wednesday May 28, 2003 @11:53PM (#6064993) Homepage
    ... on how long it takes before someone cracks/hacks whatever security these things have and begins making megabucks by planting remote cardreaders in places like mall store entrances?

    How long will it be? Say, to the nearest hour or so?
    • I would hope that it would require more than simply waving it around. At the least, I would like to see, say, a button on the card you have to press at the same time.

      Otherwise, as you say, someone will come up with something to read them for sufficent distance to go through clothing, your wallet, etc, without you knowing. Sure, the range (according to the article) is only 20 cms, but even that's too far for my peace of mind.
      • by cruppel ( 603595 ) * on Thursday May 29, 2003 @12:20AM (#6065174) Homepage
        ...I would like to see, say, a button on the card you have to press at the same time.

        I had the pleasure of seeing a prototype credit card that had that feature. It was geared toward online purchases and basically worked like this:

        1. You had to have a small signal receptor at the time...this was over three years ago and they were trying to get rid of that piece of equipment.
        2. When you enter your card info on a website, instead of typing it, you press an area on the card, and it emits a sonic signal that tells the receptor that
          1. You've actually got the card and
          2. It's you using it. The info (name, billing address, etc) is all in the card.
        3. To prevent someone from stealing your card and using it at their convenience you needed to enter a PIN once you pressed the button to make it work. In the end it auto-filled your forms for you, and I thought as a concept it looked promising.

        The button is an excellent idea because you save transmitter life, although I'm sure there's a power supply that can live the life of a credit card. It also controls when the info is sent out. I wouldn't mind throwing a PIN on there either. Hell, I don't even have a credit card, just a check card, so I'm fine with PINs

        Damn I like ordered lists!

  • Go for it (Score:5, Insightful)

    by TopShelf ( 92521 ) on Wednesday May 28, 2003 @11:54PM (#6065003) Homepage Journal
    The nice thing from a security standpoint is that the credit card companies have it in their own best interest to make sure people feel confident using these new technologies. While a single cardholder could be at risk to lose a few thousand dollars, these companies have billions riding on these transactions. When it comes to secure computing, this is one industry that actually keeps it on the front burner...
    • Re:Go for it (Score:5, Informative)

      by berzerke ( 319205 ) on Thursday May 29, 2003 @12:49AM (#6065298) Homepage

      ...When it comes to secure computing, this is one industry that actually keeps it on the front burner...



      I beg to differ. Credit card fraud runs in the billions of $ every year. One article [internet.com] claims the losses will be about (2002 figures) "$285 million over the holiday season in the United States." And that's just about 1 month's worth. Credit cards are anything but secure. Since consumers don't see the cost of the fraud directly, most are barely aware it exists. Of course, the cost is passed on in the form of higher fees and interest.



      Merchants (and their employees) don't help matters any either. On all my cards, in the signature block, I put "Please ask for ID". (I've checked with Discover and they have no problems with that, BTW). Rarely do I get asked for ID.



      Then there are merchants, such as the USPS, which won't accept the card without an actual signature. Don't need to show ID (I tested this), but it must have a signature or they won't accept it. It's an actual federal rule (I checked), so the clerk isn't doing anything wrong. Maybe it's just me, but I would trust a driver's license MORE than a signature with nothing to compare it too.

      • Re:Go for it (Score:3, Insightful)

        by Talez ( 468021 )
        Maybe it's just me, but I would trust a driver's license MORE than a signature with nothing to compare it too.

        You mean all this time I couldn't compare the signature on the receipt to the signature on the back of the card?

        Holy shit... I must be responsible for millions in credit card fraud alone.
  • http://www.paypass.com/ Currently beta testing in Florida...
  • Fantastic. Now your pocket can be picked just by someone carrying a bag, purse, or package and passing behind you. Who asked for this?
  • by Otterley ( 29945 ) on Wednesday May 28, 2003 @11:58PM (#6065023)
    This sounds an awful lot like SpeedPass [speedpass.com], which is at least 5 years old. Any idea what the difference is?
    • It's backed by Visa, the world's largest credit card company?

      That's a pretty substantive difference in and of itself.
    • Uhhh.. Visa is doing it. Which means if it actually happens, it'll be accepted at MANY more locations than speedpass. Additionally with a decent amount of storage and the high bit rates, you could use one card to buy stuff, get into your gym etc.
    • Yep - that's immediately what I thought, too. It's just the same technology as the Mobil SpeedPass, in a different physical format.

      That said, SpeedPass seems to work well, technically speaking. My big complaint about it is it seems a little redundant. "Just wave your speedpass" isn't really any easier than "Just stick your credit card in the slot on the pump".

      It's all going to get charged to a card anyway.

      SpeedPass would have been more sensible if it functioned as a unique credit card account, instead
  • Why (Score:3, Interesting)

    by I don't want to spen ( 638810 ) on Wednesday May 28, 2003 @11:58PM (#6065026) Journal
    Other than the magnetic strip not wearing out, what's the advantage? Unless its short-range enough that passers-by can't steal your money, you'll still have to present it to a reader (the article mentions 20cm) Or perhaps they mean it can't be swiped (as in stolen.) It could mean the end of shoplifting though, just use the security scanners to read the RF tags in what has been taken and then take the money straight off the card. (Actually, that could be a great way to shop: pick things off the shelf, walk out and pay without having any queues at the checkout. Where's my patent lawyer?)
    • Re:Why (Score:3, Funny)

      by mnewton32 ( 613590 )
      Actually, that could be a great way to shop: pick things off the shelf, walk out and pay without having any queues at the checkout. Where's my patent lawyer? You could try, but I'm sure Amazon would sue you. "Buying something? Don't we have a patent for that?"
    • Re:Why (Score:5, Interesting)

      by thirdrock ( 460992 ) on Thursday May 29, 2003 @01:14AM (#6065409)
      Other than the magnetic strip not wearing out, what's the advantage?

      When I lived in Hong Kong there was a smart card (not Credit Card) called Octopus. Basically, you buy the smart-card, you add cash funds to it, and then you can use it to ride the train system.

      It was incredibly convenient, not to have to buy tickets, and much greater throughput than ticket machines. You just walked through the gate and swiped your wallet over the reader.

      Anyways, it wasn't long before they figured out the advantage of converting the vending machines in the station over to Octopus. No cash to collect, just fill it up with product and collect the money from the Octopus administrators, less administrative fee.

      I can tell you from experience, it beats the hell out of coins, changing money, messing about with cash, fumbling about with change. Just swipe your card and get your product. Faster, easier and much more effecient.

      Best of all, the cards were anonymous, which means the govt couldn't track you via the card. Disadvantage of course is that if the card was lost or stolen, there was no recovery. I guess for that reason the maximum you could put on the card was HK$500.

      To me this was the first step towards an anonymous cashless society, which despite the Orwellian protests of the tin-foilers, is IMO, A Good Thing(tm). Money spreads disease, has an administrative cost, is vunerable to forgery. If we can have all the advantages of cash, including anonymity, then I say, let's get rid of cash.
  • by Julian Morrison ( 5575 ) on Wednesday May 28, 2003 @11:58PM (#6065028)
    so THAT's why the Jedi Hand Wave works.

    "These are not the droids you're looking for"
    (handwave, subtle ka-ching! sound)
    "These are not the droids I'm looking for.. move along..."
  • Doesn't the mobil speed pass already do this? nothing really all that new.

  • Mobil Speedpass (Score:5, Interesting)

    by tbdean ( 163865 ) on Wednesday May 28, 2003 @11:59PM (#6065034) Homepage
    That's how I pay for gas at Mobil, with their Speedpass [speedpass.com]. It's a small keychain thing that looks like a black magot:

    Well, that was how I paid for gas at Mobil. I cut my Speedpass open, took out the glass cylinder, and put it inside my Nextel i90 cell phone, it fit next to the battery. The Speedpass only lasted a few months before dieing. I haven't tried it again yet...

    It was cool when it worked though, I just held my cell phone up to the pump to pay for gas.
    • It's a small keychain thing that looks like a black
      magot
      Insect larvae that pay our bills? The future is truly here. Tiny ear-dwelling language-translating fish can't be that far behind.
  • by cperciva ( 102828 ) on Thursday May 29, 2003 @12:01AM (#6065041) Homepage
    I've been using a contactless credit card for years. I type the number into an HTML form, and my card never comes within the same city as the merchant I'm purchasing something from. For that matter, it sometimes isn't in the same city as I am when I'm making the purchase -- for a couple months last year it was on a different continent.

    In fact... let me see here... no, I still haven't gotten around to signing the back.
  • by HotNeedleOfInquiry ( 598897 ) on Thursday May 29, 2003 @12:04AM (#6065066)
    Read the article. Plenty of subtle reference to rights management and content control. Buy a DVD with this viper and have to wave it next to your DVD player to get it to play.
  • You won't need to physically swipe it, simply waving it over a reader is good enough.

    DON'T OVERWAVE
  • That's Philips [philips.com], with one L, not two. The Phillips with two LL in the middle is a petroleum company.
  • indeed... maybe metal wallets [zoovy.com] will become a popular deterrent.
  • My 2 yen (Score:4, Interesting)

    by DNS-and-BIND ( 461968 ) on Thursday May 29, 2003 @12:13AM (#6065135) Homepage
    Not to be a twit, but I heard about this sort of "keep it in your pocket" magnetic technology being deployed already. Around February of this year, one of my English students in Tokyo, who worked for Sony/Ericsson, told me his company's "secret" new cell phone in development would have this mag card tech built in. It would replace the "Suica Card" existing tech, which is just a card you mash against the reader while keeping it in your wallet. The phone was due to hit the shelves in 6 months, which would be this August. Only in Japan, of course, which means it should be out in America around August 2005.
  • Maybe good Maybe not (Score:2, Informative)

    by emerrill ( 110518 )
    The technology in general can be a great convience, I have used them before and it means you don't have to fish the card in and out of your wallet, but what happens when you have more then one of this type of card in your wallet (the reader will read them all properly, but which to use?) and theft is a real concern.

    Unless the also use a pin-number system, there is really nothing they can to to prevent theft. If you have a 'shielded wallet' or you have to press a button, then it defeats much of the point, a
  • That's 'Philips'...with one L.
  • by NeoPotato ( 444954 ) on Thursday May 29, 2003 @12:27AM (#6065213)
    It's not a new concept. We already practice it here at Slashdot - we don't even have to read the article, we just get near the story and start spouting off comments.
  • by djupedal ( 584558 ) on Thursday May 29, 2003 @12:31AM (#6065230)
    You know, back when you could still afford to go out for dinner (DQ doesn't count), how the waitperson would bring the bill on a little plastic tray and lay it on the table....and you'd simply drop your c'card onto the bill...and then someone would take the tray and bill and c'card and....oh, wait, I get it...

    Hello, I'm Dwayne, I'll be your card waver this evening.
  • by toybuilder ( 161045 ) on Thursday May 29, 2003 @12:32AM (#6065234)
    So, if Visa is the first mover, do they essentially "own" the wallet because the lazy consumer wouldn't want to bother pulling out a different card?

    And what happens if there are multiple cards that are contactless? Do I have to pick one out? What's the point of this, then?

    My building uses contactless badges. Ironically, we have a badge for the building and another for the garage. I can't keep both cards in the wallet because they interfere with each other.

    Finally, is Phillips proposing to make cars run off the card? Wow. Imagine starting your car just by sitting down...
    • Wow. Imagine starting your car just by sitting down...

      You already can. Mercedes Benz, Porsche, and even certain Volkswagen models (just to name a few, I'm sure there's others) have this feature. You leave the keys in your pocket. To unlock the car, touch the door handle. To start the car, touch a button on the dashboard. To lock the car back up, just touch the outside door handle on your way out. The keys stay in your pocket the whole time. It works by actively seeking out your remote commander ("t
  • by ebuck ( 585470 ) on Thursday May 29, 2003 @12:35AM (#6065246)
    These cards better have a small range (two feet max) or I don't see how you will manage to perserve the time-honored tradition of the grocery store line.

    "Did you swipe your card?"

    "Not yet."

    "That's funny, because your total has already been paid!"
  • Pick-pocketing (Score:5, Informative)

    by dachshund ( 300733 ) on Thursday May 29, 2003 @12:39AM (#6065261)
    My work ID badge can operate through my wallet. In fact, I can often just touch my hip or coat pocket to the reader and the door will open, depending on how lazy I'm feeling.

    My concern would be that unscrupulous individuals would use portable readers to get your card number. It would be a form of pick-pocketing that wouldn't actually require any contact or much risk of getting caught.

    Hopefully, the cards would use some sort of challenge/response system, rather than a fixed number that could be replayed to a terminal. Still, there are bound to be vulnerabilities, and we'll probably be reading about them in a couple of years.

  • The Swatch Access watch has been able to do this sort of stuff for ages. Here are my old pages [arcor.de] from way back.
  • by dzimmerm ( 131384 ) on Thursday May 29, 2003 @12:57AM (#6065335) Homepage Journal
    These kinds of cards do not usually have any kind of power source. They rely on a alternating current magnetic field that the reader gives off. This magnetic field energizes the coil that is built into the card. This coil supplies power to the circuitry on the card which causes the card to send its ID via some kind of rf signal. There are no "smarts in the card itself. The card just sends its ID and a computer behind the scenes uses that ID info to open the door or pay the bill.

    For those concerned about portable readers consider that a reader would have to send out a powering magnetic field and then capture the ID of the card. My guess is that all kinds of security could be built into these cards. The most obvious kind would be the use of an ID that contained a constantly changing code like the secure IDs many of us use to access various secured dialup and network devices. The only drawback is you would need some kind of contained power source in the card to power the secure ID ciruitry as it has to be constantly powered so it does not lose sychronization with the host system. My guess is the reader could still supply power for the RF signal while the secure ID part used a small lithium cell.

    That way the ID would not only have to be correct but the security code would only be good for about 3 minutes. That would make these things fairly secure, probably moreso than a card and a PIN as the PIN can be noted via cameras and the quicksighted.

    Physical theft of the card would be a problem but that would not be anything new to get used to.

    dzimmerm
  • Challenge/response? (Score:2, Interesting)

    by skraps ( 650379 )

    I didn't RTFA, but here's an idea to counter some people's fear that a technology like this would necessarily allow you to steal card numbers as you walk through a crowd.

    The card could use a challenge/response system with the merchant. Each card has a symmetric key pair - the public key is your account number used for billing. The private key is known only to the card, and is used to sign a challenge phrase from the merchant. Challenge phrases would be unique to each transaction (given out by the financ

  • So what happened to the idea of using crystals with air bubbles to create light patterns? That sounds like a much more secure and unique method than this. Really, I have the time to slide my damn card so lets go with security.
  • by kramer2718 ( 598033 ) on Thursday May 29, 2003 @01:03AM (#6065364) Homepage
    When I visited Hong Kong in 2001, I bought a subway pass with this technology.

    If you buy more than about $10 US of subway services, you have the option to get a smart card. My whole stay that card left my wallet only once (to return it for a refund). Othere than that when I used the subway, I would just set my wallet on top of the read. It was so conveneient.

    Even better, lots of vendors (such as convenience stores) let you pay using your subway credit.

    I guess there are more security concerns when using this with a real credit card, but it seems like it should have happened in this country sooner.

  • I live/work in Korea, and my company ID badge has a passive chip, where I only need to get it near a sensor. A Jedi swipe will do the trick, in most cases. This badge/card is also a Visa c'card, and it comes with the traditional swipe stripe. I keep it in my wallet, however. I can't seem to relax when hanging a cord around my neck that has a few thousand dollars attached to it. Why advertise.
  • by DannyiMac ( 216056 ) on Thursday May 29, 2003 @01:12AM (#6065398) Homepage
    I can see Amazon patenting 0-click technology with this...
  • by Lew Payne ( 592648 ) on Thursday May 29, 2003 @01:18AM (#6065423) Journal
    Leave it to those narrow-minded visionaries at VISA and Royal Phillips to come up with an even more insecure method of deploying consumer credit card information... via RF (wireless) technology.

    If you think credit card fraud is rampant now, wait until card thieves get hold of a portable RF reader and begin walking down crowded streets...

    Hey, that's fine with me. This gives me enough lead time to come out with a copper-lined wallet that prevents RF credit card theft. In fact, I'm racing to the patent office now!
  • Stopping fraud? (Score:5, Insightful)

    by chrome ( 3506 ) <[ten.suodneputs] [ta] [emorhc]> on Thursday May 29, 2003 @01:22AM (#6065443) Homepage Journal
    Reading some of the comments here about the security of these cards, and it makes me worry somewhat.

    I used to sysadmin for a shell account company, and we saw huge amounts of credit card fraud, mostly from kids looking to run bots on IRC, or just because they collected shell accounts.

    One thing I came away with from that experience was the definite feeling that Credit card companies don't seem to think it is in their interest to stop credit card fraud.

    After all, if the owner of a card is frauded, the bill goes on their card, and interest is accrued. If the owner of the card isn't diligent, its possible they might just automatically pay the card off, without even realise they have been a victim of card fraud.

    Certainly, the credit card companies don't seem to go after the fraudsters as much as they should. One of my friends on Dalnet used to regularly give the full details of people that she had discovered doing carding. One kid was so blatant, he put up a web page, with pictures of him holding up all the crap he had bought with stolen card numbers.

    He was 12, and his mother didn't care in the slightest he was stealing. And neither did the credit card companies. The police were interested though, but he didn't have much repercussions - just a couple of weeks in a counselling center for kids.

    Anyway, I digress.

    Proximity cards are a great ieda. It means I can just wave my wallet near the scanner to pay for an item.

    But, if this is not couple with some new form of identification currently not in use with credit cards (a pin number would suffice, or something biometric such as a thumb-print), then I fear that fraud will just increase.

    People will get a hold of the scanners, and set up their iPod to capture the card numbers of anyone in proximit to it, and just walk up behind people, snapping up numbers.

    Maybe I'm just getting paranoid.
    • One thing to add...

      Another reason credit card companies don't care? They are not the ones to foot the bills when a chargeback is initiated. It's the merchant who is out of the entire purchase, some insane chargeback fee, and the lost product.

      Credit card companies will never care as long as the monetary loss due to fraud is LESS than the actual cost of pursuing the criminals.
  • Octopus (Score:5, Informative)

    by ZarathustraThePolarB ( 646456 ) on Thursday May 29, 2003 @01:23AM (#6065444)
    In Hong Kong we've had a similar technology for several years now. It's called the Octopus card [octopus.com.hk] and virtually everyone in the city has one. It can be used for payment on nearly all public transport and in stores where people make small purchases.

    The EE Times article focuses on the technology is a bit light on details of what the card actually does, so I'm not sure if it is a stored-value card (like Octopus) or actually operates like a credit card. I would be surprised if it's the latter because of concerns about theft etc.

  • Security (Score:2, Interesting)

    by oreomitch ( 676943 )
    Wouldn't the PKI scheme be used? That is to say that the card and card-reader share some key. I suppose that this would be just another variation on chip-card technology (EMV, Proton etc).
  • For the naysayers... (Score:5, Informative)

    by SamMichaels ( 213605 ) on Thursday May 29, 2003 @01:39AM (#6065503)
    The place where I used to work had these key fobs which worked like that. I thought it'd be cool that we just had to walk next to the door and it'd open it.

    Not.

    Even when directly contacting the sensor with the key fob in my pocket it didn't activate it. It had to be held infront of the device, almost touching it.

    Whatever the range they say, I'm sure you're not going to be able to sniff out the RF signal by just sitting next to someone unless you have some expensive equipment.
  • by mrklin ( 608689 ) <ken,lin&gmail,com> on Thursday May 29, 2003 @01:41AM (#6065510)
    With my American Express black Centurion card if I don't take it out?

    I kid. I don't have one and you can't "apply" for one either. Read more about it here [time.com] and see it here [americanexpress.com].

  • (waves hand) "You will sell me these goods." :)
  • by gkanai ( 148625 ) on Thursday May 29, 2003 @02:09AM (#6065590) Homepage
    Japan has had contactless debit cards for quite some time, with technology developed by Sony. The Japan Railway East 'SUICA' cards are similar to the Octopus cards in Hong Kong.

    http://www.tcvb.or.jp/en/hot/sizzling/0112/sizzl in g_12c.html
    and
    http://edition.cnn.com/2003/WORLD /europe/02/18/biz .trav.smart.cards.ap/

    Also the EDY cards use similar technology and are embedded into credit cards so one card can be both a swipable credit card as well as a contact-less debit card.

    http://www.sony.net/Products/felica/contents04_0 1. html
  • Waves AmEx These aren't the droids you're looking for...

    Obiwan was a bribe merchant!

  • I think that's how SpeedPass [speedpass.com] works. It's really a faster way to buy things, but seems incredibly unsafe. If someone swipes that thing, you're done!
  • by JoseMonkey ( 64123 ) on Thursday May 29, 2003 @07:04AM (#6066416)
    All of these threads about security seem off-topic to me. I don't think anyone really intended proximity cards as a way to improve security at all. Considering how dismal cc security is, it probably won't make it worse, either.

    I think the point is that proximity scanning is (slightly) easier than swiping -- especially since swiping isn't always straight-forward in my experience. (i.e., Clerk swipes card. Pause. Clerk swipes card. Pause. Clerk swipes card. Pause. Clerk enters number manually.) It might be nice to have the reading of a card number not be dependent on 1) the supple wrist of the user, 2) the condition of the card, 3) the speed and direction of the swiping motion . . . the list goes on and on.

    Also, the wear and tear on the cards might actually be reduced enough to make them last more than a few months . . .

  • Pros & Cons (Score:3, Insightful)

    by Anonym1ty ( 534715 ) on Thursday May 29, 2003 @10:48AM (#6068055) Homepage Journal

    Pro: My card won't wear out before it expires 6 years from now

    Con: Now I can have my number stolen without comming into physical contact with the theif
    --This could be a pro if you consider it could make getting robbed a whole lot safer .

  • Did anyone RTFA? (Score:3, Insightful)

    by jhines0042 ( 184217 ) on Thursday May 29, 2003 @12:05PM (#6068656) Journal
    Looks to me like just a speedier way to suck money out of your bank account and charge you for the service to boot!

    I don't know about everyone else but I go running scared when I see things like (paraphrased) "...standard method of allowing consumers to purchase content in their home..."

    I can see it now.... "please wave your contactless credit card to watch this channel"....
  • by JWSmythe ( 446288 ) * <jwsmythe AT jwsmythe DOT com> on Thursday May 29, 2003 @03:22PM (#6070413) Homepage Journal
    I read a few articles on "stealing" proximity card data. It's aparently not very hard..

    One proximity card that I use requires almost physical contact to the reader, which is appropriate for a doorway.. But another card I use (same building, same card type) to open the garage gate reads the card within about a foot of the reader. I roll my car slowly by, casually holding the card out, and it reads with no contact.

    With the appropriate equipment, you can read data from just about anyone's card at a distance. How close do you have to be? People get kinda close in elevators, or you can just be polite, and be holding an outside door for them while they walk by your briefcase/laptop bag/purse. For that matter, I guess your reader could be in the brown paper bag that appears to hold your lunch.

    H2K2 had a lecture on it. Here's the lecture description. [h2k2.net] in July of 2002

    "Proximity Cards: How Secure Are They?

    Sunday, 6 pm
    Area "B"

    They're used everywhere but they could be making you even more vulnerable to privacy invasion. Delchi has been working with proximity based card systems for two years and has developed a method of casually extracting data from proximity cards in a public environment. Riding in an elevator, subway, or just walking down the hall, a person can bump into you, say "excuse me," and walk away with the decoded information from the proximity card in your pocket. It could then be possible to build a device that can capture and replay these snippets of information on demand or to even brute force a proximity card system. This talk will focus on the vulnerabilities of the systems and show a low power working prototype. Alternatives will be discussed, as well as other vulnerable aspects of proximity based building and computer access systems."

    I've read some design information on it also, but can't seem to find the links right now. I don't know what the options are for protection of proximity cards.. Keep them in a foil pouch?

  • First Sploit! (Score:3, Interesting)

    by blair1q ( 305137 ) on Thursday May 29, 2003 @04:52PM (#6071274) Journal
    So then I walked through the mall with my card scanner on and picked up about 15 valid numbers from people I passed.

    Wanna go shopping?

"No, no, I don't mind being called the smartest man in the world. I just wish it wasn't this one." -- Adrian Veidt/Ozymandias, WATCHMEN

Working...