Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
The Almighty Buck Technology

RFID MasterCard 257

starburst writes "MasterCard introduces a RFID MasterCard called PayPass in Orlando Florida. They tout the convenience of no more swiping or giving your card to cashiers. They claim the card has to be within an inch of the reader to be read -- how long till criminals are walking the malls, or next to you in line with portable readers getting your card information?"
This discussion has been archived. No new comments can be posted.

RFID MasterCard

Comments Filter:
  • How long? (Score:5, Funny)

    by Mononoke ( 88668 ) on Saturday May 08, 2004 @07:06AM (#9092583) Homepage Journal
    How long until I can buy a wallet with a woven copper grid liner?
    • Re:How long? (Score:5, Informative)

      by Beautyon ( 214567 ) on Saturday May 08, 2004 @07:20AM (#9092632) Homepage
      How about right now? [66.102.11.104]

      CARD-SAFE(TM) WALLET

      "Protects Credit Cards And Other Valuables From EMF Damage"

      The magnetic strip on your credit card can be damaged, even erased by exposure to strong magnetic fields. Ordinary magnets will do it, but so can less obvious sources such as anti-theft scanners in department stores or libraries, small electric motors, even speaker magnets (someone told us that electromagnetic harassment can be used to erase credit cards too)! This handsome black leather wallet is discretely lined with both RF and magnetic field shielding materials and offers excellent protection. Includes 2-compartment bill fold, 6-compartment credit card holder and change pouch, all shielded. Measures about 4" x 4½" when folded. Quality European craftsmanship, equally attractive for men and women.
    • by beh ( 4759 ) * on Saturday May 08, 2004 @07:35AM (#9092685)

      It's nice to say "you have to be within one inch of the reader for the card to be read", but WHERE is this limit built in?

      a) If it's the card itself (a "hacked" RFID that has a very weak response signal), we're on the "safe" side.

      b) If it's in the reader (i.e. the reader sends out a weak signal, so that only cards within a few centimeters are capable to receiving to the signal), then we're in trouble.

      Given - option B gives stores the "peace of mind", that they'll always read the "correct" card (i.e. the stores won't get in trouble for accidentally charging YOUR purchases to the guy next in line).

      BUT - option B means, that crooks can use stronger readers that can scan your card from a few meters away (all that while the user thinks that even crooks need to make it to within an inch of their cards).

      Before I'd go for such a card, I would most definetely like THAT question answered...
      • Has the world completely given up on checking signitures?
        • I can only think of one store [lcbo.com] that I go to that almost always checks the signature on my card. Other than that, unfortunately, yes. I wish everyone did check signatures; it would make me feel more secure.

          I remember when I worked in "retail" (okay, I was pumping gas), I was told to check the signature on credit cards. Lots of things have changed since then though. For instance, almost no one uses those "whizz-bang" machines with duplicate slips anymore.
        • Over here in the UK, and I think most of Europe, signatures are being phased out as too easy to forge, especially when checkout staff ignore them so much. Instead, you have a PIN like at the ATMs, that you have to type in then the machine authenticates you.

          It's probably less secure than a well checked signature, but it's an awful lot more secure than an unchecked one.

          Ewan
          • Ah, time for a personal anecdote.

            In the US, people sign so that one can actually read the name from the signature. When I was opening my first bank account in the US, the clerk asked me to change my signature for the signature cards because mine doesn't look like my name. She went as far as saying I could write my name in all caps as the signature if it was too hard to write in script :)

        • There really must be something to gain for the merchants if they are overlooking obvious security flaws like those that exist with RFID. So much corruption.... probably related.

          Perhaps there is a movement to implement RFID in all areas of society so that the public will simply accept it.
      • by Anonymous Coward
        I work in the security business where this technology is used to control locks and other things.

        I have seen a boosted reader read a card (which has this magical "2 centimetre" reading distance) several metres away. It was an experiement, and the reader emitted so much energy that it certainly wouldn't pass any certifications but I strongly doubt criminals care about that.

        You could quite easily set such a transmitter up in a window overlooking a busy street, and you will be able to scan most people tha

        • I would guess that boosting readers is possible, and it's somewhat clear that the card can not know how far it is off the reader...

          But - wouldn't it be technically possible to limit the output power? (maybe in a way that the transmitter would either block higher power; or maybe just fry when trying -- I'd rather find my card destroyed than someone accessing it).

          Another (simple) way would also be to deactivate the sender unless a specific area of the card was pressed at the time (very much like the batter
      • by Ungrounded Lightning ( 62228 ) on Saturday May 08, 2004 @11:27AM (#9094039) Journal
        It's nice to say "you have to be within one inch of the reader for the card to be read", but WHERE is this limit built in?

        Even an inch is too much. Pickpockets often have a "bumper" who distracts the target so he doesn't notice the touch on his wallet. Now the pickpocket can lift your card information by bumping into you in a checkout line.

        Then a little careful observation as you enter your PIN and your account is toast.
    • How long can a tin foil hat be made?
  • by justinmc ( 710870 ) on Saturday May 08, 2004 @07:06AM (#9092586)
    If my photo had to be on my Credit Card and also I had to enter a Secret PIN to use it - would that stop a load of Credit Card Fraud??
    If I am at the store, they compare my photo to me?
    However I guess some people would not like carrying an ID card (which it could make the Credit Card?) around with them??
    Just my two bits (0&1)
    • by Elvisisdead ( 450946 ) on Saturday May 08, 2004 @07:39AM (#9092697) Homepage Journal
      In my case, on the back of every card I carry is emblazoned, "ASK FOR ID !!!" in red sharpie-induced print. Someone asks me for ID maybe 20% of the time. The percentage jumps to around 50% for those who actually look at the back of the card.

      It doesn't matter which technology is used (a magnetic strip or an RFID tag). Without authentication of a valid user, the situation won't improve.
      • Someone asks me for ID maybe 20% of the time. The percentage jumps to around 50% for those who actually look at the back of the card.


        As you've noticed, writing See ID isn't all that effective. But it can prove to be pretty funny:

        http://www.zug.com/pranks/credit/

        -Alex
        • Wouldn't happen in the UK. My signature gets checked pretty much every time. I've even had to re-sign or give alternative ID a few times when the cashier wasn't sure about my signiture.
        • As you've noticed, writing See ID isn't all that effective. But it can prove to be pretty funny:

          http://www.zug.com/pranks/credit/


          That is pretty funny, but there's one problem with that site. You see, legally, your name is whatever the hell you say it is. So it doesn't really matter what you sign your name as, it's the act of you doing the signing that makes it legally binding.

          Of course, reality is different, and you could probably argue your way out of paying for something successfully that way, but tha
      • by dbc ( 135354 ) on Saturday May 08, 2004 @09:47AM (#9093443)
        20% That high??? You are lucky. One friend of mine who for a time ran his own company doing very high priced ECAD software had this experience: He was entertaining clients at a pricey eatery -- the waiter quietly calls him asside and says: "Excuse me sir, but the name on this card does not match your signature" -- Indeed, it did not. The name was someone elses entirely -- not even close. (He settled the bill on another card without embarassment.) Turns out, about a month earlier, a salesmen and he had gotten their cards swapped by a waiter at some other resturant. They both went for *a solid month* of sales call T&E before this waiter caught it. They got to be well aquainted over the next two months as they sorted out their bills.
      • Actually, writing "ask for id" on the back of most CC (V/MC/AM/D) makes the card "invalid".

        Read the back of your card... it is very plainly printed on the back "not valid unless signed", and if you ever read the "t&c" that come with your card it's also listed there.

        Also, some CC makers (Visa for one, MC used to...), actually guarantee your privacy, so asking for an ID when you present your card is actually breaking the merchant's contract with Visa (the one that allows them to accept transactions and
      • If they can steal your card number with an RFID reader, they won't need your signature or your photo. They will just make a new card with that same RFID imprint and put their own photo/signature on it.
    • by Radon Knight ( 684275 ) on Saturday May 08, 2004 @07:42AM (#9092706)
      If my photo had to be on my Credit Card and also I had to enter a Secret PIN to use it - would that stop a load of Credit Card Fraud??

      It's interesting that you suggest this scheme. Over here in Europe, several countries have started using/requiring PINs to be entered for all credit card purchases. They claim that since this scheme has been implemented, credit card fraud has fallen markedly.

      Personally, I have somewhat mixed feelings about it. Credit cards have - until now - always been safe, emergency financial fallback. As long as you have your card (and haven't hit the limit) you can use it to get yourself out of any bind: buy a ticket, buy a meal, pay for a cab. Now, even if you still have your credit card, if you forget your PIN you're in a world of hurt. ("So, don't forget your PIN, dummy!" Yeah, I know. But no one ever plans on forgetting their PIN.)

    • There should be some asymetric encryption between your card and the terminal and additionally your credit card should have kind of ok/cancel buttons.. but thats prolly 10 years off
    • In the UK, all in-store credit card transactions will require a pin. I think that comes in next year.

      I think Royal Bank of Scotland do photos on your credit card. However it would be even better if when the cashier swipes your, a photo of you would be downloaded and appear on their screen so that they can compare you to that photo. A photo on the card might be forgeable.

      Obviously this would require a significant investment but I expect it would reduce fraud.
  • by HawkinsD ( 267367 ) on Saturday May 08, 2004 @07:07AM (#9092589)
    You know, people make fun of us tin-foil-heat-wearing paranoid psychos...

    But then people invent stuff like this. Which just makes us even crazier.
  • by millahtime ( 710421 ) on Saturday May 08, 2004 @07:07AM (#9092590) Homepage Journal
    time for a tin foil hat for my wallet.
  • by Anonymous Coward on Saturday May 08, 2004 @07:08AM (#9092591)
    Tank of gas - $22.47
    Pack of cheetos - $1.25
    1 Liter of Mountain Dew - $1.50
    Stolen card # via RFID - Priceless (or your max on the card)
  • Tell me I'm wrong (Score:5, Insightful)

    by Exiler ( 589908 ) on Saturday May 08, 2004 @07:09AM (#9092593)
    I'm haven't read much on RFID tags, but I thought the power came from the reader, so the only thing that would have to be more powerful for the cards to be read from more than an inch away would be the reader, not the card.
    • Re:Tell me I'm wrong (Score:5, Informative)

      by josecanuc ( 91 ) on Saturday May 08, 2004 @07:36AM (#9092688) Homepage Journal
      The power does come from the reader in the form of a low frequency, unmodulated RF signal (a sine wave) around 140 kHz (a very, very low frequency). An antenna on the RFID chip absorbs this RF energy into a capacitive component and the energy from each pulse of the low frequency "Activates" the chip to emit its information on a higher frequency (varies, from 400 MHz to 3 GHz, but mostly in the 400 MHz or 920 MHz bands, depending on the chip design).

      The power with which the chip emits its information is dependent on the size of the capacitor on it, so feeding a higher "power beam" to it will not increase the output power.

      However, RF energy decreases as the distance from the radiator increases (inverse square law), but does not technically (theoretically) go away completely at any distance from the radiator. If your subversive reader had a higher-gain receiving antenna than the official reader, then you would be able to read the data farther away than one inch.

      Note that RFID chips have come a long way since the beginning and now can perform whole two-way transactions during each pulse of activity. The devices could implement a challenge-response type of authentication. The chip sends a string, the reader encrypts it with the secret code, and sends it back to the chip which checks to see if the string is encrypted correctly. If it is, then it sends the data (also enrypted) to the reader, all in one pulse from the "power beam".

      While nothing can be totally secure AND also accessible to everyone, the challenge-response system is practical and effective (some mail servers use it so you can log into your mail server over an unencrypted channel without revealing your password).
      • They may use a challenge-response method of authentication, but beware of someone walking by with a pocket sized repeater for the real reader.

        Remember those infrared remote controlled door locks on cars?
      • both kinds exist (Score:2, Informative)

        by zogger ( 617870 )
        There are both [frontlinetoday.com] passive and active rfid tags. Some are powered from the reader externally like you say (from the right up extremely close all the way out to dozens of feet), but there are others that are completely self powered.

        Nokia also announced recently they have software & hardware [rfidjournal.com] that can turn your cellphone into a tag reader.

        Wonder how long until the later gets "improved" upon by "outside independent researchers", the kind of dudes who wear darker colored chapeaus.....

      • Exactly.
        What we really need is a switch on the card itself, akin to the rw/ro switch on floppy disks. That way we could turn the cards off for most activities, but turn it on just long enough for the RFID reader to scan the card. It could even probably be a small button that must be depressed to activate the card, though how that would work when the car is stuck next to my ass in my back pocket, I'm not sure. My ass seems to be good at pushing buttons, at times.

        But in all seriousness, the ability to "tu
      • And what if one was to get a reader and mod it so the output frequency power was 10 or 20x the magnitude it should be, then walk around a mall sending off bursts of radation every 10 or 15 seconds?

        • Re:Tell me I'm wrong (Score:3, Informative)

          by josecanuc ( 91 )
          In that case, the RFID chip would still only output it's regular power, since the capacitor in it has a limited capacity. There would be no way to get the RFID chip to emit more power than it was manufactured to.
    • I would guess that this is an ISO 14443 smart card rather than an RFID card, especially since there is nothing to indicate otherwise on the website linked to. If the system is well-designed then you would need to know the proper cryptographic keys just to get it to talk and different keys to understand what it is saying. Note that ISO 14443 works on some of the same technology as RFID but can be much more secure. So it doesn't matter if you have a giant reader that will turn your ass into rump roast from
  • Really! (Score:5, Insightful)

    by _Sharp'r_ ( 649297 ) <sharper@NOsPaM.booksunderreview.com> on Saturday May 08, 2004 @07:09AM (#9092595) Homepage Journal
    How much more efficient is it really to put a card an inch next to a pad merchants will have to buy instead of swiping it through a card reader that already exists everywhere?

    Look, the 5 seconds per month people will save with this aren't going to be worth the costs of embedding the RFID, so eventually this will go away based on simple economics.
    • Re:Really! (Score:5, Insightful)

      by Motherfucking Shit ( 636021 ) on Saturday May 08, 2004 @07:17AM (#9092624) Journal
      How much more efficient is it really to put a card an inch next to a pad merchants will have to buy instead of swiping it through a card reader that already exists everywhere?
      I really have to agree here. "They tout the convenience of no more swiping or giving your card to cashiers." What the heck? Swiping my credit card is supposedly "inconvenient?" I don't think so. I can't remember the last time I shopped anywhere that I had to physically hand my card to a cashier, every retail store seems to have the self-swipe card reader. Swiping my own card takes, what, 2 seconds? Entering the PIN (if I'm using a debit card) takes another 2 seconds.

      What's the "inconvenience" that RFID is trying to solve here? Why can't some company concentrate on making it faster for Ms. Soccer Mom to write her $300 check at the grocery store, when she's one of 4 Ms. Soccer Moms in line in front of me?

      I agree, this is a solution looking for a problem, and it's going to die a quick death.
      • Re:Really! (Score:2, Funny)

        by isorox ( 205688 )
        You yanks use Cheques?
      • Re:Really! (Score:3, Insightful)

        The inconvienece is that Magnetic card readers wear quickly and everyone gets mad at a multiple swipe purchases, or when it doesn't even work at all. At gas stations, where credit card is self-serve, its really convienent. Thats why mobil invented speedpass. so this is a speedpass for 'everywhere else'. I like it. anything that takes the cashier out of the equation so i can get on with my life instead of dealing with a snotty underpaid teen is a good thing.
        • The inconvienece is that Magnetic card readers wear quickly and everyone gets mad at a multiple swipe purchases, or when it doesn't even work at all.

          I've never understood why credit cards don't use an imprinted 2D barcode and optical scanners for much the same reasons. If wear on the print were an issue they could use aluminium cards with holes as an optical punch card.

          One issue with the RFID tags that doesn't seem to have been mentioned though, is would walking around with an RFID scanner be illegal?

        • The inconvienece is that Magnetic card readers wear quickly and everyone gets mad at a multiple swipe purchases, or when it doesn't even work at all.

          Maybe I've come across some bionic credit cards, but I've never run into a problem with scanning any of my cards. My Capital One MasterCard was issued in 1999 and still scans just fine whenever I want to use it. My MBNA and Fleet cards are replacements which were automatically sent. And now I have an Amex "Blue" card which is practically see-through, replacing

        • The inconvienece is that Magnetic card readers wear quickly and everyone gets mad at a multiple swipe purchases, or when it doesn't even work at all.

          I call bullpucky on that.

          I have a direct-debit card that's also a VISA (with the same protections as a regular VISA card), that I use a lot for everything. Before the bank replaced it (bank changed names a year ago, finally swapped out the old cards), the card was so worn that you could barely read the bank name on the front, yet I never had to multi-swip
          • There's no incentive there to use SpeedPass, unless you buy into the marketing drivel.

            Except with a credit card, you have to reach into your pocket, pull out your wallet, open the wallet, pull out the proper card, and then swipe it.

            From what I understand about these speedpass systems, it's something you hang from your keychain. Which means you just have to take your keys with you when you get out of the car to pump the gas (something you might want to do anyway if you compulsively lock your doors when yo
      • I agree, this is a solution looking for a problem, and it's going to die a quick death.
        At least this has the potential to be marginally useful unlike that kidney-bean-shaped Discover card with a hinged case. (Remember those?) AFAIK, they were market as being "conversation starters" and didn't claim any real advantage.
      • I think the inconvenience that RFID is trying to solve is that silly little thing called "Civil Rights".

        It's not at all inconvenient to me, however, it appears to be an inconvenience to the government.

    • Re:Really! (Score:3, Interesting)

      A lot of credit card occurs due to the intermediaries copying the details of your card (the magnetic stripe) while the card is out of your sight. Consider the times when you go to a restaurant, have a meal, ask for the bill, and choose to pay by credit card. The waiter then takes the card out of sight and then (hopefully) returns the card. Other scams simply involve a till operator "accidently" dropping your card on the floor, and then swiping the card through a reader.

      What if you could just swipe the ca
    • Look, the 5 seconds per month people will save with this aren't going to be worth the costs of embedding the RFID, so eventually this will go away based on simple economics.

      It has nothing to do with saving you time, it has to do with saving retail outlets money on cashiers. There's already gas stations in California (and I'm sure elsewhere) that do not have attendants. This way associates can focus on getting more merchandise into your hands and not on the average 3 minutes it takes to ring someone out

    • The rest of the world is switching to EMV, a smart card based standard for credit card transactions. Why? Because of simple economics. Fraud rates have been high in Europe so the banks have switched to EMV smart cards to reduce fraud. Countries that mandate EMV have seen sharp reductions in fraud. As this happens criminals move towards the low hanging fruit. Again, the simple economics, which you are so fond of.

      So if you are in a country that hasn't switched to smart cards yet, your bank is the low h

  • Security (Score:2, Interesting)

    I checked out their web site - no details on security other than the assertion that it is "secure". Right. I am assuming that the RFID tag is a passive one and that the paypass terminal needs to authenticate in some way. I do hope so, anyway, because if not, criminals are indeed going to have lots of fun with this. Would anyone be able to tell me how secure communication between a tag and a reader can be obtained?
    • Trully secure communication cannot be obtained because RFID is passive(it has to be, otherwise you couldn't power it!) Meaning that whenever something scans the RFID tag, it has to cough up the results, the same results every time. You could encrypt the result with a known public key for the card, but this doesn't do you any good, since the criminal can decrypt it easily or capture the signal and repeat it at will.
      A possible solution could be to encrypt the card number with the vendor's public key(and a
      • Re:Security (Score:2, Informative)

        by 706GL ( 172709 )
        No... just because their passivly powered dosen't mean they can't process data, there are dumb and smart prox cards. A smart prox card has RAM and a processor insted of just ROM, and the processor is powered off of the magnetic field the antenna picks up. Here's an example of a smart prox card: hID iClass [hidcorp.com]
  • We need to not forget that us tin-foil-hat wearing geeks are the security folks at the credit card companies.
  • Can't they couple a code with the card?
    Sweep the card AND punch in your personal code.
    That way, you need to have something (the card) and need to know something (the code).
    It's also better then putting your signature on a piece of paper. Everyone can fake a signature. Don't tell me they always verify it. With a code the machine always verifies it for you.
  • Dexit (Score:4, Interesting)

    by Chess_the_cat ( 653159 ) on Saturday May 08, 2004 @07:13AM (#9092609) Homepage
    There's something similiar in Canada called Dexit [dexit.com]. But it's not a credit card. It's a type of debit card with a $100 limit so if you lose it or anything you're not really out all that much. You can refill it anytime online, over the phone, or automatically from your account. It's used for fast food, candy, newspapers, whatever.
  • From the site:

    Your card never leaves your hand. And, of course, you get the same level of security that you've been accustomed to: $0 liability on unauthorized purchases and a receipt for every purchase.

    If it's really possible to grab numbers from a crowd, this one could get expensive for them. You'd think they'd be smarter than that. But companies have messed up before.

    • If it's really possible to grab numbers from a crowd, this one could get expensive for them.

      Just this once, let's give them the benefit of the doubt and assume that this thought may have crossed their minds, mkay? Otherwise, patent some kind of RFID blocking wallet and make a fortune. I can see this technology taking off - consumers will like the idea of "magic wand" payment methods. And it's good to see new technology like this, because it keeps things interesting for the crooks trying to abuse it - woul
  • How secure? (Score:4, Interesting)

    by jayminer ( 692836 ) on Saturday May 08, 2004 @07:14AM (#9092616) Homepage
    I think that's a make up on the current insecure credit card framework, which is hopeless. Credit cards are so propagated through the world, and it would be very costly (and disastrous) to build a brand new security mechanism so anyone can understand why MasterCard does such kind of show-off, without doing actually anything.

    This quote is worth any comment:

    "PayPass is guaranteed as safe and secure as all MasterCards."

    Oh, then that gave me a very strong and confident feeling. (Read this as: secure my ass)
  • by cygnusx ( 193092 ) * on Saturday May 08, 2004 @07:15AM (#9092617)
    This card is not about RFID, it's about making card use in scenarios like drive-throughs easier. Also, it's currently limited to <$25 transactions currently according to the FAQ [paypass.com].

    Assuming one likes the idea of small plastic transactions at all, I wonder if it wouldn't be a better idea to _combine_ 2 accounts in one card: one account for the higher-value mag-stripe, and an RFID account with a low credit limit that needs to be constantly replenished.
    • Hmmm, maybe the reason they have smaller transactions is to prevent misuse of technology?

      Worst case, you get $25 wiped off your card, not more.

      Therefore, you will not pay much attention to a $25 RFID credit card, but you would be careful with your normal mag-swipe credit cards. And there is a distinct possibility that they probably want to study how well this is accepted and adopted, and how people use this, before getting into it with guns blazing.

      They may have it separate from the magnetic stripe becau
    • Even better would be a store of time, transaction count or dollar amount limited account numbers usable for situations where you don't trust the vendor or the transaction environment completely.

      Going to Moscow? Grab a new account limited for the length of your stay, good for up to $5000. If your number is stolen, they have until the expiry date or your allotment is spent.

      Of course, I don't think that Visa/Mastercard care, actually, since they get a cut of the transactions, and limiting transactions would
  • by Mad Man ( 166674 ) on Saturday May 08, 2004 @07:16AM (#9092619)
    "Now I've got enough money to build my robot. My girl robot. This is going to be the best prom ever."
  • how long... (Score:5, Interesting)

    by moviepig.com ( 745183 ) on Saturday May 08, 2004 @07:16AM (#9092621)
    ...how long till criminals ... with portable readers [get] your card information?

    How long till plainclothes cops walk the malls carrying detectors that sense the self-incriminating probe of the would-be pickpacket?

  • by Da w00t ( 1789 ) * on Saturday May 08, 2004 @07:18AM (#9092629) Homepage
    The kind of contacts I'm talking about would be the ones that measure the resistance across two contacts a few mm apart, in order to use the card your finger(s) have to be on the contacts, otherwise your card doesn't send or receive RFID crap.
  • by Mister Transistor ( 259842 ) on Saturday May 08, 2004 @07:19AM (#9092630) Journal
    Once again, just because something can be done, it has been, totally without regard to whether or not it is actually a _good_ idea.

    RFID's on personal ID's or credit cards have to be a security nightmare. How easy would it be to hide a collection device under a bus or train seat and collect ID's for a whole day or two?

    Not to mention that a transmitter generates EM fields, which might be strong enough to erase your other mag-stripe cards in proximity.

    RFID technology is now getting into the "buzzword" phase of electronic manufacturing/production, it's now cheap and common enough to start getting idiotic designers thinking "gee, wouldn't it be neat if we put an RFID in ...". The same thing happened to microprocessors in the mid-80's, and we started seeing truly idiotic applications, uP-based Toasters, Staplers, Golf Tees, etc.

    History repeats itself once again.

  • FUD against RFID? (Score:3, Interesting)

    by Hackie_Chan ( 678203 ) on Saturday May 08, 2004 @07:25AM (#9092650)
    Sorry to say, but this collective fear against RFID is just ignorance. The bus company where I live in Sweden has RFID bus-passes and it works like a charm. You don't even need to pull them out of the wallet! It's extremely convenient. I'm a person that's used the technology for over a year so I know what I am talking about. Sure, a bus-pass is different from a credit card, then again, I suspect that you still need to enter your code to charge it.
  • Why passive? (Score:2, Interesting)

    by tomstdenis ( 446163 )
    Europeans are smart and use "smart-cards" already. Why are Americans still playing around with new-fangled passive devices which are just not secure?

    The reality of the situation is you can't trust the reader. Ever. This is why it's easy to scam debit [get their card no and pin], why it's easy to charge credit cards, etc...

    Sure it might cost more per card but the cards would be subject to *less* abuse and you'd have to pay out *less* ultimately in fraud.

    Tom
    • Smart cards are an entirely different technology.

      Many of the European smart cards have embedded chip techonogy that works as a debit card. That is, there are limitations to how much can be stolen, if it can be stolen. Most smart card chips are designed to fuse themselves shut when hacked.

      Proximity scan for such cards isn't as big a deal as getting access to someone's credit-card number, which in turn can be parlayed into a fake credit card used to drain someone's line of credit, or check banking account.
  • Great, so the card stays in my wallet that I wave near the proximity reader ... so my signature and photo on the card remain a mystery to the hurried cashier.

    Looks similar to the failed technology Mobile used at its gas pumps, only flatter and provides more opportunities for nere-do-wells.
  • It could work... (Score:3, Informative)

    by anser ( 224618 ) * on Saturday May 08, 2004 @07:31AM (#9092674) Homepage
    This would be better with a Smart MasterCard and a microswitch on the card.

    The Smart MasterCard would exchange single-use credit card numbers a la Citibank's Virtual Account Numbers. That way the number would be useless as soon as the retailer has charged it, so that a bystander "sniffing" the information would not get anything of value.

    The microswitch would simply allow you to control WHEN the card can be interrogated, so that passersby can't much with it. You'd squeeze a spot on the card when you held it up to the retailer's reader, and thereby allow the transaction.
  • by Coryoth ( 254751 ) on Saturday May 08, 2004 @07:38AM (#9092695) Homepage Journal
    I had my credit card number stolen - still no idea how. May have been random card number generation for all I know - I did nothing particularly unsafe (using your credit card at all is pretty unsafe). I was immediately contacted by my bank who were suspicious because the charges were (a) out of line with my current spending pattern (b) in a completely different country to my previous charges. I simply verified that no, I hadn't been to Spain recently, they faxed me some forms (basically just signing to say that no, the following charges were not made by me) and 3 days later my new credit card arrived by courier. everything else was handled by the bank.

    In some ways I got lucky because the nature of the spending raised flags, and because my bank actually has incredibly good service. The catch is, it is up to the credit card companies to wear the cost of stolen cards etc. presuming you take reasonable precautions. If they want to embed easily readable RFID tags and have to cover a shitload of costs for easily stolen card numbers... well, more power to them. They'll be out of that business soon enough.

    Jedidiah.
  • RFID sensitivity (Score:3, Informative)

    by Registered Coward v2 ( 447531 ) on Saturday May 08, 2004 @07:53AM (#9092726)
    I recently spoke with an RFID engineer about how easy it is to read RFID tags. Basicaly, the readers are very sensitive to the position of the tag, as well as distance. Move the tag out of the ideal plane for the antenna and it becomes unreadable. Sheild it and the reader must be much closer to read it. Great technology for tracking shipments - anything that takes away people entering data via a keyboard and replaces it with people holdining recievers to spots on containers should help greatly reduce tracking errors - as well as allow shippers to track temperatures, if a container has been openned, etc.

    OTOH, what makes things easier when you can train a person to perform a task in a set way is not always better for mass consumption. Look at how often people have to reswipe cards becuse they put the strip on the wrong side of the reader - no imagine someone trying to align the RFID tag with a reader - all you've done is replace one motion with another. Mobil (ExxonMobil - the Mobile is silent) has SpeedPass - which never really caught on - that is esentially the same idea. They tried to push it for fast food purchase as well - ever see a SpeedPass enabled drive through? Which brings up th eissue - how much will it cost for companies to replace/upgrade existing readers to handle the new cards? Without a lot of cards, there's no incentive for companies to spend the money. Without readers, why have the card?

    I've had one CC strip go bad - and all the clerck did was key in the info - this RFID idea sounds like a solution to a non-problem. Now, if they could add a biometric reader that required my thumb on the card to validate it - and it read the first thumb placed on the card as the right one when you get the card, then I'd be interested.

    A switch that activates the tag sounds neat - but now I must not only get the RFID tag close to the reader but hold the card in a special way - forget it - not to mention some people may have trouble doing that due to physical constraints.
  • The data may not be that easy to pick up, because of encryption being used. Many RFID tags that comply to the international standard ISO 14443 contain cryptograpic units that use public/private key encryption (triple DES is often used). So, listening in on the conversation you will not learn anything useful, unless you can break the encryption.

    The power consumption of the cryptographic circuits explains the limited read range. The amount of power that an ISO 14443 tag needs to operate cannot be transferre

  • The problem is everyone assumes this is going to be more or less safe than what is out now. The truth is that the only thing that makes credit card purchasing more or less secure is the person behind the cashwrap. This is my ninth year of retail and I have worked for 6 different companies.

    Some company policies require that all cashwrap associates hold the card until it is signed and the signature compared, other companies have policies that the card be given directly back to the customer after it has be

  • The idea is right, on this one. With my current plastic card, if you can see it and/or photograph it, you have all the information you need to create another card, including magnetic stripe. The magnetic stripe just has the same information as on the card itself: Name, account number, and expiration date.

    http://money.howstuffworks.com/credit-card3.htm

    The RFID would allow me to authenticate my purchase without unauthorized persons seeing the critical information needed to make another card. The problem
  • I know there is a lot of hysteria about RFID cards, but a well implemented RFID card can be a lot more secure than the current system. Say the card does an encrypted challenge response, is limiting itself to one transaction per second, _and_ you still need a pin.

    For example:

    purchase
    enter pin
    terminal hashes to pin with some random number
    card responds to the challenge by hashing the random number with the time and your card ID number (public key)
    card puts itself into sleep mode for a second
    terminal sends th
  • Maybe they should first optimize other aspects of the transaction, like uselessly asking me "credit or debit" every time I use my ATM card (it's not linked to a credit card).
  • by stienman ( 51024 ) <.adavis. .at. .ubasics.com.> on Saturday May 08, 2004 @08:44AM (#9093030) Homepage Journal
    The people working for mastercard and other financial credit companies are as smart as we are, and they stand to lose millions in fraud if they don't secure their customer's cards.

    I would be very surprised if the cards didn't have built in challenge/response cryptography to send the information. These cards are available now, and cheaply in bulk. Further, they would likely only contain a database link to the credit information which can probably be invalidated without changing the credit card number.

    Of course, this means the bad guys only need to break one (or maybe a few) keys to gain access to everyone's card, but then they have to go around and collect them by hand.

    The assumption that companies are stupid or lazy is actually based on the fact that they have to make cost/performance decisions. What seems stupid to us generally is cheaper including all the incidental and security costs. I doubt that the cost/performance ratio here would favor a 'stupid' solution.

    -Adam
  • I don't see why people are so worried about their card numbers being read from a distance--it's not like your card number is a secret anyway.

    The act of swiping your credit card number is proof to the merchant that you possess a physical token, nothing more; it is the merchant's good name with the credit card company that then lets them get the money that was promised to them.

    What matters from the consumer's point of view is how hard it is to duplicate the token. If they picked the right RFID (something w
  • by Aoverify ( 566411 ) on Saturday May 08, 2004 @11:11AM (#9093936) Homepage

    Are there any documented cases of Mobil Speedpass RFID's being stolen and cloned? I do recall reading a slashdot [slashdot.org] story about a product that could be used for this purpose.

    There are already millions of these out, and the infrastructure for using them has already been in place for years (atleast in my neck of the woods).

  • In Hong Kong, I was at the local equivalent of the 7-11 where I saw the people where just waving their wallets in front of a panel by the cash register. It turns out that they have something called the Octopus card. This is a short range RFID cash card that works much like a prepaid phone card. You go to a ATM like station where you can purchase the card and/or add money to the card. If the card gets stolen, you loose the money on the card. Lots of people had it, and it made the line at the store FLY.
  • Why doesn't anyone seem to realize that this means nothing good and potentially a bit of bad?

    You have magnetic-stripe cards now. They contain the information necessary to identify the account of the card owner.

    If you move to RFID-based cards, they will (*GASP*) contain the information necessary to identify the account of the card holder.

    That doesn't, in either case, mean that the person actually presenting the card for reading *IS* the account holder. The same marchant negligence issues apply. See: no
  • Has anybody else realized that the RFID method is actually more secure than the current hand-your-card-to-the-cashier method?

    When you hand your card to the cashier, anybody -- and I mean anybody, particularly the cashier -- with a decent memory, or even just a piece of paper, can glance at the number and jot it down. If you're really worried about this, you'd be really worried about cashiers as a potential source of credit card fraud -- they, after all, get to see the number whenever they want. Especially

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Working...