
Comment Re: Turn it off (Score 1) 385

You misunderstand the threat. It is not that an attacker uses MITM to relay the data, though that has been demonstrated. The threat is due to the cardholder data (name, account number and expiration date) being readable in plaintext from hundreds of meters away using readily available and inexpensive equipment. This data can then be used to perform offline transactions or other identity fraud ("what are the last four digits of your credit card number..." sort of "verification" questions.)

Even just knowing the name of a cardholder passing by could be a security risk (ask in nearby hotel for the room of Jane Doe, etc.)

Comment Re:Shielding, jamming (Score 4, Interesting) 385

But consider what happened to me last year on the first day of a two-week international vacation. I got a notice from my primary card bank (Chase) that my card had been compromised and that they would cancel it and send a new one. The problem was that I was depending on this card (which has no foreign transaction fees) and I would be moving around every two days, meaning that it would be difficult to get a new card to me quickly. They did offer a compromise - disable any card-not-present transactions and have me list which countries I would be in, until I could return home. I had several online purchases outstanding so I had to scramble to fix those, and even then I missed one of the countries I would be in and had my card declined twice before I figured out the problem.

I am sure this case was a leak from a merchant that stored card data insecurely, or maybe a skimmer somewhere. That card did not have RFID. We really do need to move quicker to a tokenized system. Even so, it was more than a minor annoyance to me.

Comment Re:Shielding, jamming (Score 3, Insightful) 385

Do you really think that the banks would have added a feature that makes fraud as easy as pointing an antenna at people walking past? Where are the crime waves of people draining accounts with concealed card readers?

Why yes, I do. It has been demonstrated numerous times, and is easy to reproduce on your own with inexpensive equipment. The specs are public (have you read them? I have.) Even EMV chips send your card information in plaintext - any encryption needs to be added by the terminal. You may not have read much about it as RFID cards are still uncommon in the US, but that is changing. The specs for this and EMV are more than a decade old and were designed for the banks' convenience, not your protection.

US banks have shown a singular unwillingness to invest in technology that helps their customers. In the US they fall back on "zero liability" terms that mostly shield customers from direct financial losses but then pass on the cost of billions of dollars of fraud to all consumers and merchants.

Comment Re:Hole punch (Score 1) 385

PayWave is awesome. You just tap the card on the terminal (or near it) to pay, no pin, no signature.

That it is - I have used it once so far, at a Walgreens, and it was very speedy. Not too surprising as it's effectively the same as swiping - there's no challenge-response sequence as there is with a chip-based transaction. Indeed, Visa's specs for PayWave require a response in half a second.

That said, I very much prefer tokenization systems such as Apple Pay and I find that is almost as fast as PayWave. (PayWave is Visa's brand name for RFID transactions - other card issuers use different names, but the underlying technology is the same.)

Comment Re:Hole punch (Score 4, Interesting) 385

Snipping out the RFID chip shouldn't affect the smart card chip in any way, since they should be totally unrelated mechanisms. I could be wrong though - I haven't seen an RFID included in a modern chip card yet.

You are mistaken - the RFID chip is connected to the EMV chip - may even be the same chip nowadays. This wasn't always the case, but is now. The RFID data includes an EMV-derived authentication code like the CVV.

This had all been theoretical for me until Costco replaced my Amex card with a Visa that had PayWave (RFID). I did a LOT of reading then!

Comment Shielding, jamming (Score 4, Interesting) 385

Currently I use an envelope that claims to be RFID shielding. No idea if it works or not.

I have backed on Kickstarter an interesting "jamming" solution, Vaultcard, which looks promising.

The current RFID cards - Visa PayWave is one brand - provide the "Track 2" data plus an authentication code from the EMV chip. Quite usable for fraud.

Comment osCommerce and its derivatives susceptible to this (Score 2) 372

I run two e-commerce stores based on osCommerce and had this exact issue with a customer whose last name was Null. There is a common function in osCommerce (tep_not_null) trying to see if the argument is empty. One of the things it looks for is the string "null". When I discovered this, I removed that part of the test (which never made sense to me.)
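
The failure described in the comment above, as an added example that is not part of the original comment and is not osCommerce's own code: an emptiness check that also rejects the literal string "null", beside a version without that test. The function names `not_null_legacy` and `not_null_fixed` and the sample inputs are constructed for illustration.

```php
<?php
// Added illustration; hypothetical function names, not osCommerce's own code.

// Check as the comment describes it: besides real emptiness, the literal
// string "null" (in any letter case) is also treated as "no value".
function not_null_legacy($value): bool
{
    if (is_array($value)) {
        return count($value) > 0;
    }
    $s = (string) $value;
    return $s !== '' && strtolower($s) !== 'null' && strlen(trim($s)) > 0;
}

// Same check with the string comparison removed: only a real null, an empty
// array, or an empty / whitespace-only string counts as empty.
function not_null_fixed($value): bool
{
    if ($value === null) {
        return false;
    }
    if (is_array($value)) {
        return count($value) > 0;
    }
    return strlen(trim((string) $value)) > 0;
}

// Constructed sample inputs: ordinary surname, the surname from the comment,
// case and whitespace variants, and genuinely empty values.
$samples = ['Smith', 'Null', 'NULL', ' null ', '', '   ', null, [], ['x'], '0'];

foreach ($samples as $v) {
    printf(
        "%-10s legacy=%-5s fixed=%s\n",
        json_encode($v),
        var_export(not_null_legacy($v), true),
        var_export(not_null_fixed($v), true)
    );
}
```

The two functions disagree only on the inputs `'Null'` and `'NULL'`, which is the customer-surname case; a form validator built on the legacy check would reject that name as a missing field.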

Comment GaN Transistors are the future (Score 4, Informative) 245

Gallium Nitride transistors have a lot of nice characteristics, but low yields and high costs have slowed their introduction. Two tiny laptop chargers, the FinSix Dart and Avogy Zolt, were said to use GaN transistors. The Dart still hasn't shipped, a year past its claimed release date. The Zolt has but is apparently using older Silicon Carbide-substrate transistors instead (Also see here.) (I received my Zolt recently and it is working well.)

It won't be a surprise to anyone following this technology that it can make inverters more efficient - that's what FinSix and Avogy have been claiming/demonstrating for two years at least.

Comment I have one, but teething pains (Score 3, Informative) 85

I have had one of these for a month or so now. The range is fantastic (even with 5GHz) as is the throughput, though the Ethernet bonding feature isn't useful to me.

However, I, like many other X8 users complaining in Netgear's support forum, have an ongoing issue with the WiFi in that devices still show they're connected but no data flows. And if you have a device that tries to connect to the access point, the router rejects it. Rebooting the router fixes it for a while. Netgear support has been very responsive and they've given me beta firmware, but the problem persists. It's especially aggravating for my DVR which goes back to an "unconnected" state each time this happens, meaning I have to go through its configuration again.

Netgear is sending me a replacement router to see if that helps. I hope it does, as otherwise I love this thing. I was able to disconnect a repeater I had running on the other side of the house as I didn't need it anymore.
