Privacy Pitfalls in No-Swipe Credit Cards

Nrbelex writes to mention a New York Times article about the privacy pitfalls of 'no-swipe' credit cards. Despite assurances from the card companies, researchers Tom Heydt-Benjamin and Kevin Fu were able to easily retrieve data from the new cards ... data available without encryption and in plain text. From the article: "They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. 'Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?' Mr. Heydt-Benjamin, a graduate student, asked."
  • Hah. Screw it. (Score:5, Insightful)

    by Concern ( 819622 ) * on Monday October 23, 2006 @07:39AM (#16544606) Journal
    Let them do this. I think it's time these idiots suffered a really big catastrophe; it'd probably be the most (only?) effective way to really set the tone re. RFID.

    Meantime, don't carry these cards yourselves, and avoid banks that use them...
    • Re:Hah. Screw it. (Score:4, Insightful)

      by denebian devil ( 944045 ) on Monday October 23, 2006 @08:43AM (#16545128)
      Which assumes that if there were a huge privacy breach caused by the sort of device talked about in the article, it would be widely known how the breach occurred. It's possible that the only thing people--and even experts--would know is that somehow a massive number of credit card numbers were compromised. But considering there are so many other, low-tech ways of getting people's CC numbers, unless there were hard evidence that the method was through the swipeless reading method, Occam's razor would dictate that a simpler method of breach would be the most likely culprit.
      • by Concern ( 819622 ) *
        Issuers will be able to see rates of compromise across types of security measures. They watch this sort of thing diligently. It's practically the core of their business.

        If it's as bad as I think it could be, the news will get out. The media will probably love the story.
    • Re:Hah. Screw it. (Score:5, Insightful)

      by ac7xc ( 686042 ) on Monday October 23, 2006 @09:21AM (#16545462)
      When there is credit card fraud the merchants get stuck with the bill and you end up paying higher prices.
      • Re: (Score:3, Insightful)

        by rainman_bc ( 735332 )
        When there is credit card fraud the merchants get stuck with the bill and you end up paying higher prices.

        Isn't it still up to the merchant to verify the signature?

        As long as that safeguard exists, tough shit for the merchants if they don't check that signature.
        • Re:Hah. Screw it. (Score:4, Insightful)

          by AuMatar ( 183847 ) on Monday October 23, 2006 @01:01PM (#16548320)
          First off- what about the thousands of merchants who don't use signatures? Internet merchants, phone merchants, gas stations, etc.

          Secondly- most people never actually sign the damn things. I know I don't. And no, that doesn't mean they need to ask for id- I get asked for id once every 20 or 30 face to face transactions.

          Thirdly- you think cashiers actually know how to check a signature? You think the average mom and pop store owners do? Of course not. People who do this for courts get paid big bucks.

          Fourth- handwriting matching is a questionable security method. People's handwriting differs; you'd be hard pressed to look at any 2 copies of mine and say they're by the same man. Question 2 experts on whether a pair of signatures match and you'll frequently get different answers. Thinking of handwriting analysis as anything approaching accurate is laughable.
      • Actually, the person who pays the bill depends on the scenario. If it's face-to-face, then the issuing bank generally picks up the tab -- unless it's something easily preventable, like the customer signature not matching the one on the card.

        Interesting to note that dollar amounts from CC fraud have been steadily declining in recent years, as banks and merchants have gotten better at detection and prevention.

  • by Anonymous Coward on Monday October 23, 2006 @07:42AM (#16544618)
    In the old days, you used to actually have to stick your hand into someone's pocket or purse.

    In the new days, you apparently only have to sit next to them on the bus.

    • Re: (Score:2, Funny)

      by jbourj ( 954426 )
      Pickpocketing used to be a skilled profession---requiring years of practice [wikipedia.org] and subtle hands [wikipedia.org]. Where is the 'art' in scanning frequencies while sitting next to someone? I know, I'm old-fashioned: but I miss the good-old-times when you could feel them doing it.
    • by xplenumx ( 703804 ) on Monday October 23, 2006 @09:45AM (#16545730)
      I've been to Thailand three times in the past five years, and while I've never been pick-pocketed, after all three trips mysterious people tried to make fraudulent charges to the credit card that I used for that particular trip. I know two coworkers who have had people attempt to make fraudulent charges on their credit card (from inside the US in each case) even though neither credit card was physically stolen.

      These 'old days' you talk about ended long, long ago. These 'new days' you predict started decades ago. I'm far more worried about the minimum wage employee handling my credit card info or someone digging through improperly discarded credit card receipts than I am of a technophile taking the time and effort to build a mobile card reader. A stolen credit card is a stolen credit card, regardless of how it's done - and we already have measures to counter this. I fail to see how this 'new world' is any different than today's status quo.

      • by superflippy ( 442879 ) on Monday October 23, 2006 @11:37AM (#16547078) Homepage Journal
        I'm far more worried about the minimum wage employee handling my credit card info or someone digging through improperly discarded credit card receipts than I am of a technophile taking the time and effort to build a mobile card reader.

        While I agree that the first scenario is more likely than the second, OTBE, I'm always more wary of the smarter thief.
      • This is why I am always amazed that people carry the 'check cards'. It is so easy to commit credit card fraud that it is just silly. So, what do people do? They start carrying around a credit card that has access directly to their checking account. Of course the banks will try to tell you it is safe because if the money is stolen, they will return it in one business day. Of course that is one business day after you notify them, and the way you find out about it is that your mortgage/rent check bounces,
  • by narftrek ( 549077 ) on Monday October 23, 2006 @07:44AM (#16544626)
    FINALLY! Us geeks have something to be happy about. For once we can walk confidently sporting our tinfoil wallets and WE'LL be the ones laughing...all the way to the bank!
    • Re: (Score:2, Interesting)

      by Beltonius ( 960316 )
      I have one of those cards. I lined my wallet with foil as soon as my bank informed me that I would receive an RFID-equipped credit card at no extra charge!
      • Re:Geeks Rejoice! (Score:4, Insightful)

        by mikesmind ( 689651 ) on Monday October 23, 2006 @11:32AM (#16547020) Homepage
        I would send it back to the bank and say, "No thanks!" I would demand a traditional credit card and if I couldn't get it, I would go somewhere else. If a person is against this technology, and the potential for abuse, they need to make their opinion known. Vote with your wallet and your actions. Believe me, if there is a customer revolt, these corporations will change direction.
        • by db32 ( 862117 )
          Let me lift that rock up for you. If there is a customer revolt, these corporations will NOT change direction, they WILL change legislation. This pretty much applies in all things 'vote with your dollar'.
    • hmmmm... duct tape wallet here I come.
      and no, I won't be silly enough to use actual duct tape. Only the foil backed, NASHUA approved stuff for me!
      I mean c'mon, the basic duct tape isn't even recommended for use on ducts...
      Makes me wonder about Duck brand tape though...
      • by Firehed ( 942385 )
        Last I heard, tinfoil actually amplified RFID signals (or, at the very least, did absolutely nothing to block it). Surely you want the Faraday-cage duct tape wallet.
  • by SirMrStatic ( 1014461 ) <mrstatic@gmail.com> on Monday October 23, 2006 @07:45AM (#16544632)
    I thought they could not get even dumber then not having people sign their credit card slips or have the user swipe it themselves and sign so the cashier does not even look at them. Let who ever chooses this "easier" way to crash and burn
    • by CastrTroy ( 595695 ) on Monday October 23, 2006 @09:08AM (#16545340) Homepage
      Wouldn't it make more sense to leave all the information on the credit card encrypted, have the information left encrypted and sent to the credit card company, still encrypted, and only be able to decrypt the information at the credit card company? It seems to me that even if you need physical access to copy the number it's still not that secure. It would make much more sense to have a card that's blank and devoid of any identifying information than to have something that just about anybody can get the information off of.
      • by spectral ( 158121 ) on Monday October 23, 2006 @09:33AM (#16545586)
        Encryption isn't magic. All you've done is substitute one set of unique information for another set of unique information, the fact that the information means nothing to you doesn't change it. If I read "CastrTroy, 1234-5678-9012-3456, 12/09" from a credit card, stuck ", $1000" on the end and sent it to the credit card company, that's no different than being able to read "oinasdfomasdfpmweasdfhqervsad, $1000". The credit card company still associates that random crap with you. It's always the same, so it means nothing.

        There are ways around this, but maintaining the physical security of the card is one of the better ways. Not being able to shoot your wallet with radiation and get money back seems like a good first step.. having the data only available after physically plugging/sliding the card in to a reader AND be encrypted while still on the card (smart chip) using a public key granted to the store (so the store would be able to reproduce the data, but you wouldn't have any real information available to you to use on a different place, so all the stolen transactions are quite quickly tracked back) would be a good first start.

        There's probably flaws in that plan that I'm unaware of.. though the fact that my credit card has one of these chips and I didn't ask for it to and have no idea how to turn it off is one of the flaws, I'm suspecting. :P
        • by ZachPruckowski ( 918562 ) <zachary.pruckowski@gmail.com> on Monday October 23, 2006 @10:04AM (#16545932)
          "All you've done is substitute one set of unique information for another set of unique information, the fact that the information means nothing to you doesn't change it."

          Yes, but it's information that's harder to obtain. I mean, you can't read it off the card's front, you have to scan to get it, and once you get it, you can't use that series of encrypted info at the online stores, you have to find a credit card of a similar type and "flash" it to that encrypted series.
          • This is my point. You'd still have to protect against stores with faulty boxes on the network, sending requests for transactions with numbers that have just been obtained before, or people creating duplicate cards with the same information. However, that requires a little bit more savvy than buying a usb dongle for $500 off some shady website (they'd wanna make a profit), hook it up to your laptop, and start getting plaintext names, numbers and expiry dates that could be used for any website to buy other
            • You're not getting it.

              The encryption would happen on a smart card chip, every transaction gets a new key. There would have to be a unique identifier header, but without the rest of the data you'd not be able to use that header number effectively.
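The exchange above (spectral's point that a static "encrypted" blob is just another constant the issuer maps to you, and the reply that a smart card chip would instead produce something new every transaction) can be shown concretely. The following is an added example written for this page, not code from the article, the paper or any card issuer. It contrasts a static opaque credential with a per-transaction cryptogram loosely modelled on how chip cards authorize online (a MAC over a card counter, a terminal-supplied unpredictable number and the amount); the key, the card data and the message layout are constructed for the demonstration and are not real formats.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed per-card secret shared between the chip and the issuer (hypothetical value).
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# The plaintext the comment above reads off the card (constructed sample).
CARD_DATA = b"CastrTroy|1234-5678-9012-3456|12/09"


# --- Scheme A: "just store the data encrypted on the card" -------------------
# The ciphertext never changes, so to the issuer it is simply another constant
# credential. Whoever captures it once can present it forever.

def static_token() -> bytes:
    """A fixed, opaque credential standing in for 'the card data, encrypted'."""
    return hashlib.sha256(CARD_KEY + CARD_DATA).digest()


class StaticIssuer:
    def __init__(self) -> None:
        self.enrolled = static_token()

    def authorize(self, token: bytes, amount_cents: int) -> bool:
        # Nothing binds the token to this transaction; a replay looks identical.
        return hmac.compare_digest(token, self.enrolled)


# --- Scheme B: per-transaction cryptogram ------------------------------------
# The chip MACs a message containing its own transaction counter, the terminal's
# unpredictable number and the amount. The issuer recomputes the MAC and refuses
# any counter it has already accepted.

def _auth_message(atc: int, terminal_nonce: bytes, amount_cents: int) -> bytes:
    return atc.to_bytes(2, "big") + terminal_nonce + amount_cents.to_bytes(4, "big")


class DynamicCard:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.atc = 0  # application transaction counter, incremented on every tap

    def tap(self, terminal_nonce: bytes, amount_cents: int) -> Tuple[int, bytes]:
        self.atc += 1
        msg = _auth_message(self.atc, terminal_nonce, amount_cents)
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).digest()


class DynamicIssuer:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_atc = 0

    def authorize(self, atc: int, terminal_nonce: bytes, amount_cents: int, cryptogram: bytes) -> bool:
        if atc <= self.last_atc:  # replayed (or out-of-order) counter
            return False
        expected = hmac.new(self.key, _auth_message(atc, terminal_nonce, amount_cents), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key, or amount/nonce altered after capture
        self.last_atc = atc
        return True


def run_demo() -> Dict[str, bool]:
    """Skim one transaction under each scheme, then try to spend with the capture."""
    results: Dict[str, bool] = {}

    # Scheme A: the skimmer captures the token once and replays it for a bigger amount.
    static_issuer = StaticIssuer()
    captured = static_token()
    results["static_first_use"] = static_issuer.authorize(captured, 1_000)
    results["static_replay"] = static_issuer.authorize(captured, 100_000)

    # Scheme B: the skimmer captures (atc, nonce, amount, cryptogram) from one tap.
    card, issuer = DynamicCard(CARD_KEY), DynamicIssuer(CARD_KEY)
    nonce = secrets.token_bytes(4)
    atc, crypt = card.tap(nonce, 1_000)
    results["dynamic_first_use"] = issuer.authorize(atc, nonce, 1_000, crypt)
    results["dynamic_replay"] = issuer.authorize(atc, nonce, 1_000, crypt)            # same counter
    results["dynamic_amount_tamper"] = issuer.authorize(atc + 1, nonce, 100_000, crypt)  # MAC mismatch

    # A fresh tap from the genuine card is still accepted.
    nonce2 = secrets.token_bytes(4)
    atc2, crypt2 = card.tap(nonce2, 2_500)
    results["dynamic_next_tap"] = issuer.authorize(atc2, nonce2, 2_500, crypt2)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'APPROVED' if ok else 'DECLINED'}")
```

The static scheme approves the replay because the issuer has nothing to distinguish the second presentation from the first; the dynamic scheme declines both the replay (counter already used) and the altered amount (MAC no longer verifies), while the genuine card's next tap still goes through. Note that this only protects the authorization itself: the header the reply mentions (a card identifier sent in the clear so the issuer can look up the key) is still readable by anyone with a reader, so the privacy complaint in the article is not addressed by the cryptogram alone.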
        • by Jerf ( 17166 ) on Monday October 23, 2006 @10:56AM (#16546578) Journal
          I hear zapping chips in microwaves toasts them pretty quick; if you have a stripe to fall back then the card wouldn't be useless, but I don't know if it would survive.

          Does anybody know how magnetic stripes respond to being microwaved? Not much use if you toast that too. And how long do you have to zap a chip to burn it out? (Sub-second?)

          (Note the stripe only has to be significantly more robust than the chip, it doesn't have to be immune to microwaves. If there's a range where the chip dies but the stripe still works, it doesn't matter if the stripe would stop working in another ten seconds.)
          • by Alpha232 ( 922118 ) on Monday October 23, 2006 @02:00PM (#16549252)
            Working in the hotel business, I handle a large number of credit cards. The trend I have seen for people wanting to "disable" the RF portion is to use a hole punch through the chip. I've seen about ten or so this past month, all have the little radio icon on the back and a hole punched right through the card. Not a bad way to do it I must say.
        • by harks ( 534599 )
          I'm definitely not an expert at this, but I thought that swipeless transactions usually can't be used for amounts greater than $25 or so. If the information used for swipeless transactions was encrypted (or just a different credit card number) a person who stole that number would only be able to use it for amounts less than $25.
    • Re: (Score:3, Informative)

      by DrSkwid ( 118965 )
      A good way to look dumb is to use "then" rather than "than".
    • Totally agree with you: our credit security must be our primary concern.

      Might I suggest tattooing one's credit number on every person's forehead at birth. And nobody should be allowed to buy or sell without one (or the terrorists win).
  • by QuatermassX ( 808146 ) on Monday October 23, 2006 @07:49AM (#16544656) Homepage
    In London, TfL can track my movements for the past several years, but I do wonder how often people have their Oyster data swiped. Of course, what would the purpose be, really ... use and abuse that season ticket? Hmmm ...

    Of course, I found this interesting blog post from several years ago: http://www.spy.org.uk/spyblog/2004/02/foiling_the_oyster_card.html [spy.org.uk]

    I just wish TfL would get the bloody Silverlink / North London Line railways on the system rather than posting stormtrooper rent-a-cops at selected stations on random mornings. I actually do pay my fare, but I'm deeply distressed by the rudeness of some of the non-TfL staff. Treat customers not as potential fare-evaders but customers!

    • by CowboyBob500 ( 580695 ) on Monday October 23, 2006 @07:56AM (#16544720) Homepage
      Take anything on that Spy Blog with a very large sack of salt. They wrote about one of the projects I was involved in a few years back, and it was just about the most complete load of uninformed bollocks I've ever read.

    • by SenseiLeNoir ( 699164 ) on Monday October 23, 2006 @08:22AM (#16544918)
      Silverlink Metro will be coming under the new tfl "London Overground" system in 2007. And yes will be fully oysterised.

      I do know about the thugs who pose as ticket inspectors... I was once getting off the SilverLink County service from Euston to Harrow and Wealdstone, and the "thugs" were waiting on the stairs.. I showed my Oyster (travelcard, not pre pay) and he checked with the reader, then grunted in a few loud syllables that would make an orangutan proud "Not Valid". And pushed me aside.... (for once I was glad there was CCTV in the area).

      I piped up, louder "Of course its bloody valid!" and fished out my record card. It seems there was another chap also given the rough treatment...

      Mr Gorilla said "That record card must be fake!" with an obvious snicker.

      "Call your manager NOW, before I call the Police!"

      He was saying "You do that sonny," when his supervisor came to see what the commotion was about (The other guy next to me was making an equally loud commotion)..

      He checked my record card, and saw it was perfectly valid.. then checked the readers of the baboons, and found them set for zone 6.. WTF.

      With a lot of apologies, we were allowed to move on.

      My suggestions for anyone who has an issue with these blokes, write a letter to both TfL and Silverlink.

      I do understand they do need to check for tickets, they are losing millions of pounds a year thanks to fare evaders. And nothing annoys me more than watching people chance it.

      However, their behaviour is not on.
    • Easy solution is to put Oyster readers on every station regardless. Even better, make it nationwide. I'd love that.
  • by boyfaceddog ( 788041 ) on Monday October 23, 2006 @07:49AM (#16544658) Journal
    Okay, magnetic swipe cards are better than the old way of making a carbon from the raised info on the little plastic cards, but what is the advantage of an RFID credit card? I still need to get the RFID-thing out of my wallet or out of my pocket to use it. Is saving five seconds such a big deal that I wouldn't spend that five seconds in order to protect my identity?

    Upgrades for the sake of the "wow-factor" are stupid.
    • by aadvancedGIR ( 959466 ) on Monday October 23, 2006 @08:04AM (#16544774)
      I mostly agree with your point of view, but I would like to react on magnetic strip:
      -Yes, it is better than the good old carbon, but it is still easy to copy in a couple of sec with 50bucks of equipment. The PIN-protected chip is the only relatively safe part of the card.
      -As long as you can still buy stuff on the net or by phone with only the card number and validity date, the thief only needs a good visual memory or a camera to steal that from you when you are removing your card from your tinfoil wallet to pay for your grocery.
        by ajs318 ( 655362 ) on Monday October 23, 2006 @08:40AM (#16545094)
        The PIN protected chip is tantamount to useless, since no signature is required. It takes about an hour to learn to forge a signature convincingly. But a person can be persuaded to disclose a four-digit number in a matter of seconds, with suitable application of blade to throat. If there are two of you, one can hold the victim while the other carries out a transaction in a nearby store to verify that the PIN worked. Alternatively, you can obtain a PIN non-intrusively by watching a person entering it on a keypad -- they are still unlikely to twig that anyone else knows their PIN. (For obvious reasons, this is easiest in the Summer months.) Then you can lift their card subtly. You might even be able to replace the card before they suspect a thing.

        From the point of view of the banks, chip and PIN is excellent because it eliminates a human decision (is that signature correct?). If money went out of your account, it must have been because somebody used your PIN -- but as far as the bank are concerned, only you know your PIN, so it must have been you.
        • by badfish99 ( 826052 ) on Monday October 23, 2006 @08:52AM (#16545218)
          As far as the banks are concerned, a PIN chip completely eliminates fraud. If you've lost money from your account, it must be your fault (i.e. someone must have discovered your PIN). It's protection for the bank, NOT for the card holder.
            The reason that we have the credit card fraud protection that we do today is not just because the banks thought it was a good idea, but because federal law makes them liable for all fraudulent charges up to a certain amount. Regardless of what arguments they put forth about who is most at fault, it is the bank and not the consumer who is liable, period. The credit card companies can and do write conditions into its merchant contract that say they won't pay the merchant for fraudulent charges, especially if
        • I agree, that is the reason I used the word "relatively". However, since the PIN is only a way to use the card once you had physical access to it, it is far from being the easiest way to steal from someone else's account.
        • by BenjyD ( 316700 )
          The signature is next to useless for security. Most shop staff don't check it anyway and once you steal the card, you have all the information you need to make a transaction. And you have to be pretty slow typing your PIN for somebody else to see it - just use one hand to cover the pad while you type the PIN quickly using three or four fingers.
          • by ajs318 ( 655362 )
            Next time you're standing behind someone entering their PIN, don't watch the fingers -- watch the arm all the way up to the shoulder. It's the tendons you need to pick up on. If they're wearing short sleeves, it's very easy. Give it a go sometime. After enough attempts, the number will just scream out at you.

            Note that all this is only possible because the keypad is static. A keypad with displays in each button that could be randomly re-arranged for each user would combat this. Also, if the till soft
            • by BenjyD ( 316700 )
              How is that possible - if you can't see the hand, how do you tell which finger is on which key?
              • by ajs318 ( 655362 )
                You can usually see enough of a person's hand to see what they are doing -- either they will use one finger in a hunt-and-peck fashion, or dedicate a finger to each column. Stand and watch a few people. Most are unbelievably careless.
        • by Feyr ( 449684 ) on Monday October 23, 2006 @10:45AM (#16546450) Journal
          signatures are next to useless, they don't actually check that it matches one that they have on file, only that it's there.

          i'd know, my signature is always different and no one ever called me about it, removed a charge, or made any kind of inquiry about it. not on credit cards, not on checks, not even on loan applications.

          it's a social convention based on honor that was extended further than it was ever meant to go
        • by SuiteSisterMary ( 123932 ) <slebrun.gmail@com> on Monday October 23, 2006 @11:32AM (#16547022) Journal

          I've said it before, and I'll say it again: duress code. A PIN that works perfectly well, and gives no outward sign of being used, but flags the transaction(s) as being 'under duress', kicks in a high-resolution camera (say, in an ATM kiosk) and summons the police. Woe if you use it inappropriately....

          Also, an easy trick for the RFID cards would be for it to have two numbers; one which is transmitted when you swipe it, allowing for normal purchases, and a different number on the RFID side, which allows up to $50/transaction, or whatever, maybe a # of purchases/time constraint, and so on. That way, somebody waving an RFID reader over your wallet doesn't get your full purchasing power.

          • Re: (Score:3, Informative)

            by adavidw ( 31941 )

            I've said it before, and I'll say it again: duress code. A PIN that works perfectly well, and gives no outward sign of being used, but flags the transaction(s) as being 'under duress', kicks in a high-resolution camera (say, in an ATM kiosk) and summons the police.

            This was covered recently at snopes.com (http://www.snopes.com/business/bank/pinalert.asp) . In short, it's already implemented in a few places, but is a bad idea for several reasons, not the least of which being that the whole idea is und
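The two-number scheme proposed in SuiteSisterMary's comment above (a separate number for the RFID side, capped per transaction and per time window) is essentially an issuer-side authorization policy, and it is easy to see what it buys and what it does not. The following is an added example for this page, not code from any issuer or from the article. It assumes a hypothetical issuer that knows which of an account's two numbers is the contactless one and enforces a $50 cap plus a velocity rule; the additional rule that a number skimmed over the air is refused on any other channel is my own extension, marked as such. The PANs, limits and timestamps are constructed.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

CONTACTLESS_MAX_CENTS = 5_000        # $50 per tap, the figure used in the comment
CONTACTLESS_MAX_PER_WINDOW = 3       # hypothetical velocity rule: at most 3 taps...
CONTACTLESS_WINDOW_SECONDS = 3600    # ...per rolling hour

# Channel a transaction arrives on. "stripe" covers swipe and keyed-in/online
# use of the printed number; "contactless" is the number read over the air.
STRIPE, CONTACTLESS = "stripe", "contactless"


class Account:
    def __init__(self, stripe_pan: str, contactless_pan: str, credit_cents: int) -> None:
        self.stripe_pan = stripe_pan
        self.contactless_pan = contactless_pan
        self.available = credit_cents
        self.recent_taps: Deque[int] = deque()  # approval times of recent contactless taps


class Issuer:
    def __init__(self) -> None:
        # PAN -> (account, which kind of number this is)
        self.by_pan: Dict[str, Tuple[Account, str]] = {}

    def enroll(self, account: Account) -> None:
        self.by_pan[account.stripe_pan] = (account, STRIPE)
        self.by_pan[account.contactless_pan] = (account, CONTACTLESS)

    def authorize(self, pan: str, channel: str, amount_cents: int, now: int) -> str:
        entry = self.by_pan.get(pan)
        if entry is None:
            return "DECLINE_UNKNOWN_PAN"
        account, pan_kind = entry

        # Extension (assumption): a number only works on the channel it was issued for,
        # so a skimmed contactless number cannot be keyed into a web shop.
        if pan_kind != channel:
            return "DECLINE_CHANNEL"

        if pan_kind == CONTACTLESS:
            if amount_cents > CONTACTLESS_MAX_CENTS:
                return "DECLINE_LIMIT"
            taps = account.recent_taps
            while taps and now - taps[0] >= CONTACTLESS_WINDOW_SECONDS:
                taps.popleft()  # drop approvals that have aged out of the window
            if len(taps) >= CONTACTLESS_MAX_PER_WINDOW:
                return "DECLINE_VELOCITY"

        if amount_cents > account.available:
            return "DECLINE_FUNDS"
        account.available -= amount_cents
        if pan_kind == CONTACTLESS:
            account.recent_taps.append(now)
        return "APPROVED"


def run_demo() -> Tuple[List[str], int]:
    """Legitimate use on both numbers, then what a skimmer can do with the RFID one."""
    issuer = Issuer()
    acct = Account("4111111111111111", "4111111111119999", credit_cents=500_000)  # constructed
    issuer.enroll(acct)
    t = 1_000_000  # constructed epoch-style timestamp
    cl = acct.contactless_pan

    outcomes = [
        issuer.authorize(acct.stripe_pan, STRIPE, 150_000, t),   # $1500 swipe: normal purchase
        issuer.authorize(cl, CONTACTLESS, 150_000, t),           # $1500 over the air: capped
        issuer.authorize(cl, STRIPE, 2_000, t),                  # skimmed number keyed online
        issuer.authorize(cl, CONTACTLESS, 2_000, t + 1),         # $20 taps, three allowed...
        issuer.authorize(cl, CONTACTLESS, 2_000, t + 2),
        issuer.authorize(cl, CONTACTLESS, 2_000, t + 3),
        issuer.authorize(cl, CONTACTLESS, 2_000, t + 4),         # ...the fourth is refused
        issuer.authorize(cl, CONTACTLESS, 2_000, t + 3602),      # two taps aged out: allowed again
    ]
    return outcomes, acct.available


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

The point the comment makes holds: the skimmed number is worth at most a handful of small purchases per hour instead of the account's full limit. What the policy does not do is stop the skimmer from collecting the cardholder's name and number in the first place, which is the privacy problem the article is about; it only bounds the financial damage.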

    • by Aladrin ( 926209 ) on Monday October 23, 2006 @08:06AM (#16544792)
      Actually, part of the problem with these is that you DON'T need to take it out of your wallet. They can easily be read while it's still in your pocket, even.

      And yeah, that five seconds is the world to some people, apparently, never mind that you could combine that five seconds with the 5 minutes you stand there and watch them scan the items in the first place.

      The first time I saw an RFID credit card thingy, I nearly screamed out loud. Outrage mixed with panic, all at once. So amazingly stupid. I obviously won't be asking my bank for one. Those tinfoil wallets are looking better every day.
      • by barzok ( 26681 ) on Monday October 23, 2006 @08:53AM (#16545222)
        Asking your bank for one? I was given mine by my bank, no other option. "Here, you're taking this."

        While they were at it, they issued a new card # to my wife, for the same account - the old cards had the same number on both hers and mine.

        For the tinfoil crowd, the few times I've used it, I had to make physical contact between the card and the reader - I couldn't just wave it by. In fact, the first 2 times I used it, it took me several attempts to get a read. It's pretty weak, but I don't know if that's the card or the reader.
        • by Aladrin ( 926209 )
          Yeah, I realize that day will come. My card is pretty frayed as it is, so there's probably new card coming soon. Hopefully it's not a RFID one.

          I suspect it's the reader that's weak, as the summary/article talks about making a reader for $150 that can read it at a distance. Or maybe there's actually a touch-sensitive portion of the reader. You might try using something else to touch the reader with the card nearby some time.
        • Re: (Score:2, Interesting)

          by z4pp4 ( 923705 )
          Read EMV [wikipedia.org].
          The big credit card companies are well aware of the risks. After all, it's the main determinant of their income.
          What some people don't realise: It's not about the risk of theft, it's about the risk of liability.
          With the new EMV system, the credit card companies will firstly start to roll out smart card based credit cards, and to force credit card merchants to use the new machines, they will change contracts so that merchants are fully liable for chargebacks on magstripe transactions, and a lot les
  • by aadvancedGIR ( 959466 ) on Monday October 23, 2006 @07:50AM (#16544662)
    ...then you have nothing to hide, right? So why are you bothering hiding your credit card from the other law abiding citizens, are you a terrorist?
  • Lead-lined sleeves for credit cards, driver's licences, passports, and airport visitor tags. In an assortment of new colors for our autumn lineup!
  • by Anonymous Coward

    http://prisms.cs.umass.edu/~kevinfu/papers/RFID-CC-manuscript.pdf [umass.edu]

    gentlemen, start your soldering irons
  • You mean... (Score:4, Interesting)

    by Atheose ( 932144 ) on Monday October 23, 2006 @07:57AM (#16544726)
    ...swipe cards aren't secure? Hell, I'm still waiting for CREDIT cards to become secure.

    I've been waiting for 2 years for cashiers and salespeople to check my signature whenever I buy something with my credit card. Sometimes I'll sign "Mickey Mouse" or "Donald Trump", or even write a phrase like "Yankees suck!", and I still have yet to be asked even once. With the lack of security on older cards, it doesn't surprise me that these newer ones are no less safe.
    • Re: (Score:3, Interesting)

      by BenjyD ( 316700 )
      I think a lot of countries are adding security by requiring PINs for swipe credit/debit card transactions.
      • Re:You mean... (Score:4, Insightful)

        by magicchex ( 898936 ) <mdanielewicz.gmail@com> on Monday October 23, 2006 @08:45AM (#16545142)
        I've only ever had to use a PIN in a debit card transaction and never in a credit card transaction. Why? Because when they ask for your PIN, it's being processed as an ATM transaction and I assume you don't want to pay for your groceries or gas with a cash advance at 25%APR. The reason they try to get you to use your PIN when paying with debit is that it's significantly cheaper for the vendor to accept PIN debit than signed credit. On the other hand, you will most likely get charged by your bank for using "another banks'" ATM. They're pushing the cost of accepting plastic onto you.
        • Re: (Score:3, Informative)

          by BenjyD ( 316700 )
          Indeed, the system in the US does seem to be different from elsewhere. Here (UK) there's no difference really between a credit/debit card when you buy something, you just put the card in the reader and type your PIN, there'll never be any different charges AFAIK. I believe mainland Europe has had a similar system for a while.
    • Re:You mean... (Score:5, Insightful)

      by finkployd ( 12902 ) * on Monday October 23, 2006 @08:21AM (#16544912) Homepage
      You honestly think a minimum wage counter jockey at the 7/11 is going to perform a proper signature analysis on your credit card slip? Why would they check your signature? They are in no position to validate it against the one on the card anyway. The only reason you sign it is so that there is a record in case you contest the charge later. It gives the CC company a way to try to prove you DID buy something.

      • by swv3752 ( 187722 )
        Exactly. The signature on the back of your card is not there to validate your signature in the store, it is to show that you accept the credit card contract.
        • That's what I've had to try to explain to one of my ex, and current, girlfriends, both of whom wrote "SEE ID" on the back of the card and are gracious whenever someone checks even though what they should really be saying is "See where this card says not valid if not signed? This card isn't signed" Makes me wish, at least on that level that I still worked in retail (of course on every other level I wouldn't go back for anything)
        Which, in turn, is there for the store's protection, not the cardholder's. Seeing any signature on the back of a card is enough of a "good faith" effort on the store's part to ensure that the Cardholder's Agreement has been signed. Hence, if there's a chargeback, the store isn't liable for the loss. The purchaser is, and the credit card company is on the hook for getting that money back. That's why the store never cares if you sign it right in front of them.
    • Re:You mean... (Score:5, Interesting)

      by NightWhistler ( 542034 ) <alexNO@SPAMnightwhistler.net> on Monday October 23, 2006 @08:53AM (#16545224) Homepage
      Here in the Netherlands the overwhelming majority of payments is made with direct-debit cards, so credit cards are not used as much. Whenever you do want to pay with a credit card, they require some form of ID for any payment over 50 euros.

      My autograph is pretty small and ugly and worst of all I've never really gotten the hang of getting it consistent. I've been called on it a number of times when I wanted to pay with my credit card. One store actually went so far as to hand me a notepad and have me write down my signature a couple of times, to check the variations with my card and my driver's license.

      Now most stores aren't this paranoid, but credit cards are thoroughly checked around here...

    • the biggest problem is when someone rewrites the data on their card with data from a stolen card - the signature can then be perfect, 'cos it's their card! However, the printed receipt card number will NOT match the card presented. The droid at the checkout is supposed to verify that receipt and card match, and if they don't, report it... in theory they get a reward for doing so.
    • Re: (Score:3, Funny)

      by Sax Maniac ( 88550 )
      Keep on doing that, just as long as you don't buy a big-screen TV [zug.com].
    • If you haven't seen this [zug.com] credit card prank yet, you should get a kick out of it.
    • You do realize your signature both on the card and on a copy of the sales receipt has nothing to do with security, right...?

      On the back of the card it's only there to validate that you agree to the terms of the use of the card... That's its only purpose... Amazingly, even if you don't accept (either by signing with a phrase rather than your name or leaving it blank) they'll still take your card... Well, most will... A few places actually read the terms of use and understand that an incorrectly signed or unsig
  • by Zadaz ( 950521 ) on Monday October 23, 2006 @07:58AM (#16544732)
    When did we get too lazy to swipe credit cards?

    If you're too lazy to have any security, you won't have any.
    • by MikeBabcock ( 65886 ) <mtb-slashdot@mikebabcock.ca> on Monday October 23, 2006 @08:23AM (#16544928) Homepage Journal
      On a really cold winter's day up here in Canada, I'd quite like a system that didn't require removing the card from my wallet while wearing heavy gloves. That would require a keyfob that worked from several feet and had some form of passcode required of course, but it would be awful nice.
      • by g1zmo ( 315166 )
        Just get it implanted in your forehead and stick your face on the reader. Might have to remove that silly-looking tuque first, though. :)
    • by budgenator ( 254554 ) on Monday October 23, 2006 @09:37AM (#16545650) Journal
      It's a matter of cost/benefit ratios. When was the last time you went to a retailer and swiped the CC in the reader and nothing, clerk says something stupid like, "wrap the card in paper and try again", nothing, "hold it the other way and try again"? The problem is they've got a bad card reader; it's probably worn out after 6 months and needs replacing, and it's expensive, and it's not on corporate's budget for 6 more months. The bottom line is the retail corporation has judged the costs of using RFID credit cards and the increased charge-backs to be less than the costs of keeping the card-swipe readers working. The credit card companies are judging the cost of doing encryption processing to be more than the marginal savings from using ineffective security.

      The only way this will change is if the states figure out some way to keep them from deducting the sales tax back off the books for charge-backs; punish them for bad security.
  • by truthsearch ( 249536 ) on Monday October 23, 2006 @08:04AM (#16544770) Homepage Journal
    As a former employee of one of the credit card companies, I'd like to explain a little bit of how they think. Banks and credit card companies take fraud for granted. They have departments which analyze potential and reported fraud. They set certain thresholds which they consider acceptable. Since they know it's going to happen, they study it and figure out the best way to flag accounts. To the credit card companies it makes the most financial sense to not bother with the technological blocks and catch the fraud on the tail end. For example, with smaller purchases no longer requiring a signature, card use for small purchases has gone up. If a few percent of those purchases are fraud, the banks and credit card companies don't care because in the end they're making more money. People who notice fraudulent transactions on their statements will make calls and the banks will eat the cost of the purchases. Banks who suspect fraud has taken place simply block the accounts until the card holder calls. It all works out to the benefit of the banks and credit card companies.

    So even though the credit card companies should do more to protect the information from a logical and PR perspective, they've already decided that the small potential increase in the cost of fraud is outweighed by the increased use of these cards that some people consider more convenient.
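    The "set thresholds and flag accounts" approach this comment describes, shown as an added illustration (this is not the commenter's code, nor any bank's real rules): two simple detection rules run over a constructed set of transactions, a velocity rule for bursts of small no-signature purchases and an impossible-travel rule for consecutive purchases in different cities. The threshold values, the account names and the transactions are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions (not real data):
# (account, ISO timestamp, amount, merchant city)
SAMPLE_TRANSACTIONS = [
    ("acct-1", "2006-10-23T08:01:00", 4.50, "Boston"),
    ("acct-1", "2006-10-23T08:03:00", 6.25, "Boston"),
    ("acct-1", "2006-10-23T08:04:00", 3.10, "Boston"),
    ("acct-1", "2006-10-23T08:06:00", 9.99, "Boston"),
    ("acct-1", "2006-10-23T08:07:00", 2.75, "Boston"),
    ("acct-1", "2006-10-23T08:09:00", 7.40, "Boston"),
    ("acct-2", "2006-10-23T09:00:00", 12.00, "Boston"),
    ("acct-2", "2006-10-23T09:20:00", 15.00, "Denver"),  # different city 20 minutes later
    ("acct-3", "2006-10-23T10:00:00", 40.00, "Boston"),
    ("acct-3", "2006-10-23T18:00:00", 22.00, "Boston"),
]

# Assumed thresholds; a real issuer tunes these against its own loss data.
SMALL_PURCHASE_LIMIT = 25.00            # "no signature required" tier
VELOCITY_WINDOW = timedelta(minutes=10)  # sliding window for the burst rule
VELOCITY_THRESHOLD = 5                   # flag when MORE than this many small buys fall in the window
CITY_HOP_WINDOW = timedelta(hours=1)     # two cities within this gap is "impossible travel"


def _group_by_account(transactions):
    """Parse timestamps and return {account: [(time, amount, city), ...]} sorted by time."""
    by_account = defaultdict(list)
    for account, ts, amount, city in transactions:
        by_account[account].append((datetime.fromisoformat(ts), float(amount), city))
    for rows in by_account.values():
        rows.sort(key=lambda r: r[0])
    return by_account


def flag_accounts(transactions,
                  small_limit=SMALL_PURCHASE_LIMIT,
                  window=VELOCITY_WINDOW,
                  velocity_threshold=VELOCITY_THRESHOLD,
                  hop_window=CITY_HOP_WINDOW):
    """Return {account: [reason, ...]} for every account that trips a rule.

    Accounts that trip nothing are absent from the result, which is the
    "block until the card holder calls" list the comment talks about.
    """
    flagged = defaultdict(list)
    for account, rows in _group_by_account(transactions).items():
        # Rule 1: too many small (no-signature) purchases inside one sliding window.
        small_times = [t for t, amount, _ in rows if amount <= small_limit]
        start = 0
        for end in range(len(small_times)):
            while small_times[end] - small_times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 > velocity_threshold:
                flagged[account].append("velocity")
                break
        # Rule 2: consecutive purchases in different cities too close together in time.
        for (t1, _, city1), (t2, _, city2) in zip(rows, rows[1:]):
            if city1 != city2 and t2 - t1 <= hop_window:
                flagged[account].append("city_hop")
                break
    return dict(flagged)


if __name__ == "__main__":
    for account, reasons in sorted(flag_accounts(SAMPLE_TRANSACTIONS).items()):
        print(f"{account}: blocked pending card holder contact ({', '.join(reasons)})")
```

    The point of the two rules is the trade-off the comment describes: an issuer picks thresholds loose enough that ordinary customers rarely get blocked and tight enough that the fraud that slips through stays below the loss rate it has already decided to tolerate.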
    • Re: (Score:2, Insightful)

      by maxume ( 22995 )
      This is why there need to be laws making the credit card companies more liable for fraud. As long as it is profitable not to worry about it, they won't. I was also under the impression that they just charge contested transactions back to the merchant.

      The big problem is that somebody who has the misfortune of having a credit card company issue a card in their name/identity to someone who is not them still has to clean up the mess -- in a sane world, the company that issued the fraudulent card would at least
  • Aren't the credit card companies liable in the case that someone war-drives your credit card info? I mean, if it's not encrypted and it's effectively broadcasting the number, could there really be a bigger security risk? Maybe we should all just get stainless steel wallets [uncrate.com].
    • I'm pretty sure they are actually well aware of the risk. But how many are going to "steal" that info and abuse it, and how many people are going to jump on it 'cause it's so fancy?

      As long as it makes them more money than the fraud and abuse costs, they don't care.
  • Finally the tin foil hat brigade has something to teach us. To stop your RFID cards being read you simply need two sheets of tin foil (aka bacofoil) on either side of your wallet. I predict that such wallets will soon be on sale as will metalized pockets for coats.
  • by mgkimsal2 ( 200677 ) on Monday October 23, 2006 @09:10AM (#16545358) Homepage
    I probably sound like a paranoid nut, but banks are pushing this 'touchless' card technology because we buy more when we use it. By 'we' I mean consumers. And we buy more when using plastic than when using cash. In this USAToday article - http://www.usatoday.com/money/perfi/credit/2006-10-09-credit-cards-usat_x.htm [usatoday.com] - a great quote sums it up:

    Merchants, too, benefit from faster no-signature transactions, credit card companies say, because the stores can serve more customers -- resulting in higher overall sales. And "people will spend more if they come in with a card vs. cash," says Gareth Forsey of MasterCard Worldwide (MA).

    "People will spend more".

    So, if people already spend more by putting a card in a reader, it stands to reason that they'll spend even more when they don't even have to get the card out of the wallet - just wave it around in front of the reader. The speedpass technology is pretty much doing this already, and McDonald's adopted it a few years back. Obviously it was a pretty big expense for them to put the machines in, refit their networks to accommodate it, etc. Why would they do it unless it meant people were buying more? In fact, Visa's own website (http://merchants.visa.com/solutions/qsr.jsp) states that

    A recent Visa study of 100,000 QSR transactions showed that customers using payment cards spent an average of 30 percent more than those who paid with cash. Other industry studies suggest that the average spread may be even higher.

    So for everyone saying "when did we get so lazy?" and similar notions, it's not that we're lazy. We simply spend more the less psychologically painful it is to do so. If I lay down 5 $20s to do my grocery shopping, it's more painful than swiping a card, because the card isn't as real at that moment. When I view my statement later, yes, it all tallies up, but there's no difference between using plastic for groceries, clothes, the movies, or anything else, even if all the prices are wildly different.
    • by adolf ( 21054 )
      I know we hear it over and over again, but it must not have sunken in yet: Correlation != causation. But throw a wild assertion or two in there, and any statistic, no matter how benign or biased, can be molded to prove your point.

      I have friends in a wide variety of income brackets. The poorest of them buy everything with cash, because their credit is so fucked that nobody will give them a card with their name on it under -any- terms. They're obviously going to spend more of their money buying inexpensiv
  • by genegeek ( 548040 ) on Monday October 23, 2006 @09:19AM (#16545428)
    For years I had a Mobil speedpass. I found it incredibly convenient. Take out the keys, pass them near the pump, and go. For those rushed commutes when I wanted to get back to the road and back to my audiobook, getting out of the gas station was a priority and I thought it was great. And even when it was clear the system was hackable http://www.marketingshift.com/2005/1/exxon-mobile-speedpass-hack-via-rfid.cfm [marketingshift.com] I still used it. WTF? You get cheated, you call the credit card company and take care of it. How many websites already have my credit card information? How many bills do I pay online? There is a huge amount of trust that I put in these institutions. But I've decided that my time and convenience in the long run are more important than worrying about a few hundred dollars.
  • by zerofoo ( 262795 ) on Monday October 23, 2006 @09:40AM (#16545684)
    Really - if they did, don't you think they would at least REQUIRE A PIN? This is something that can easily be turned on with the flip of a switch - hell the infrastructure is already in place for ATM and Debit Card transactions.

    If they can't be bothered with PIN numbers, why would they be bothered with encryption and authentication?

  • by BrianRoach ( 614397 ) on Monday October 23, 2006 @10:49AM (#16546492)
    Everyone keeps saying, "Who cares, I'm not liable if someone takes my card and uses it", and that "The banks eat it".

    No, they don't. The merchants do. And the customers end up covering it in the end.

    I own an online retail business. If someone disputes a purchase and we lose the dispute, the credit card processor simply takes the money back from *us*. We're out the money. Nobody else.

    We go to great lengths to try and prevent this (AVS, CVV, etc), but you will get one every once in a while no matter what you do.

    So fraud rates are built into retail *pricing*. When we get a new product, we have a formula to decide our selling price. It's based on our business costs. Fraud is one of those costs - we know how much we incur per year, so we build it into the profit margin. Every business does this in one way or another.

    If fraud goes up, so do our prices. Therefore, it goes full-circle back to the consumer.

    Brian Roach
  • Where is the greater threat?

    1. Stealing information from card holders one-at-a-time with a soon to be illegal device?
    2. Card holder data at rest by the thousands in some DB somewhere?

    Where is the liability in each instance?

    There's no incentive for the banks to do this any differently.
