RFID MasterCard 257
starburst writes "MasterCard introduces an RFID MasterCard called PayPass in Orlando Florida. They tout the convenience of no more swiping or giving your card to cashiers. They claim the card has to be within an inch of the reader to be read -- how long till criminals are walking the malls, or next to you in line with portable readers getting your card information?"
How long? (Score:5, Funny)
Re:How long? (Score:5, Informative)
CARD-SAFE(TM) WALLET
"Protects Credit Cards And Other Valuables From EMF Damage"
The magnetic strip on your credit card can be damaged, even erased by exposure to strong magnetic fields. Ordinary magnets will do it, but so can less obvious sources such as anti-theft scanners in department stores or libraries, small electric motors, even speaker magnets (someone told us that electromagnetic harassment can be used to erase credit cards too)! This handsome black leather wallet is discreetly lined with both RF and magnetic field shielding materials and offers excellent protection. Includes 2-compartment bill fold, 6-compartment credit card holder and change pouch, all shielded. Measures about 4" x 4½" when folded. Quality European craftsmanship, equally attractive for men and women.
Magnets! (Score:2, Insightful)
Strong magnets, sure. But ordinary ones? No way.
Re:Magnets! (Score:2)
Smart and Subtle (Score:5, Funny)
Re:Smart and Subtle (Score:2)
Re:How long? (Score:2)
Where is the security measure? (was: Re:How long?) (Score:5, Insightful)
It's nice to say "you have to be within one inch of the reader for the card to be read", but WHERE is this limit built in?
a) If it's the card itself (a "hacked" RFID that has a very weak response signal), we're on the "safe" side.
b) If it's in the reader (i.e. the reader sends out a weak signal, so that only cards within a few centimeters are capable of receiving the signal), then we're in trouble.
Given - option B gives stores the "peace of mind", that they'll always read the "correct" card (i.e. the stores won't get in trouble for accidentally charging YOUR purchases to the guy next in line).
BUT - option B means that crooks can use stronger readers that can scan your card from a few meters away (all that while the user thinks that even crooks need to make it to within an inch of their cards).
Before I'd go for such a card, I would most definitely like THAT question answered...
what happened to the old security measure? (Score:3, Interesting)
Re:what happened to the old security measure? (Score:2)
I remember when I worked in "retail" (okay, I was pumping gas), I was told to check the signature on credit cards. Lots of things have changed since then though. For instance, almost no one uses those "whizz-bang" machines with duplicate slips anymore.
Re:what happened to the old security measure? (Score:2)
It's probably less secure than a well checked signature, but it's an awful lot more secure than an unchecked one.
Ewan
Re:what happened to the old security measure? (Score:2)
In the US, people sign so that one can actually read the name from the signature. When I was opening my first bank account in the US, the clerk asked me to change my signature for the signature cards because mine doesn't look like my name. She went as far as saying I could write my name in all caps as the signature if it was too hard to write in script
Re:what happened to the old security measure? (Score:2)
Perhaps there is a movement to implement RFID in all areas of society so that the public will simply accept it.
Answer from someone in the business (Score:2, Informative)
I have seen a boosted reader read a card (which has this magical "2 centimetre" reading distance) several metres away. It was an experiment, and the reader emitted so much energy that it certainly wouldn't pass any certifications but I strongly doubt criminals care about that.
You could quite easily set such a transmitter up in a window overlooking a busy street, and you will be able to scan most people tha
Re:Answer from someone in the business (Score:2)
But - wouldn't it be technically possible to limit the output power? (maybe in a way that the transmitter would either block higher power; or maybe just fry when trying -- I'd rather find my card destroyed than someone accessing it).
Another (simple) way would also be to deactivate the sender unless a specific area of the card was pressed at the time (very much like the batter
Even an inch is too much. (Score:5, Insightful)
Even an inch is too much. Pickpockets often have a "bumper" who distracts the target so he doesn't notice the touch on his wallet. Now the pickpocket can lift your card information by bumping into you in a checkout line.
Then a little careful observation as you enter your PIN and your account is toast.
Re:How long? (Score:2)
Photo and PIN on Cash Card / Credit Card?? (Score:5, Interesting)
If I am at the store, they compare my photo to me?
However I guess some people would not like carrying an ID card (which it could make the Credit Card?) around with them??
Just my two bits (0&1)
Re:Photo and PIN on Cash Card / Credit Card?? (Score:5, Interesting)
It doesn't matter which technology is used (a magnetic strip or an RFID tag). Without authentication of a valid user, the situation won't improve.
Re:Photo and PIN on Cash Card / Credit Card?? (Score:2)
As you've noticed, writing See ID isn't all that effective. But it can prove to be pretty funny:
http://www.zug.com/pranks/credit/
-Alex
Re:Photo and PIN on Cash Card / Credit Card?? (Score:2)
Re:Photo and PIN on Cash Card / Credit Card?? (Score:2)
http://www.zug.com/pranks/credit/
That is pretty funny, but there's one problem with that site. You see, legally, your name is whatever the hell you say it is. So it doesn't really matter what you sign your name as, it's the act of you doing the signing that makes it legally binding.
Of course, reality is different, and you could probably argue your way out of paying for something successfully that way, but tha
Re:Photo and PIN on Cash Card / Credit Card?? (Score:4, Interesting)
Re:Photo and PIN on Cash Card / Credit Card?? (Score:2, Interesting)
Read the back of your card... it is very plainly printed on the back "not valid unless signed", and if you ever read the "t&c" that come with your card it's also listed there.
Also, some CC makers (Visa for one, MC used to...), actually guarantee your privacy, so asking for an ID when you present your card is actually breaking the merchant's contract with Visa (the one that allows them to accept transactions and
Re:Photo and PIN on Cash Card / Credit Card?? (Score:2)
Re:Photo and PIN on Cash Card / Credit Card?? (Score:4, Insightful)
It's interesting that you suggest this scheme. Over here in Europe, several countries have started using/requiring PINs to be entered for all credit card purchases. They claim that since this scheme has been implemented, credit card fraud has fallen markedly.
Personally, I have somewhat mixed feelings about it. Credit cards have - until now - always been safe, emergency financial fallback. As long as you have your card (and haven't hit the limit) you can use it to get yourself out of any bind: buy a ticket, buy a meal, pay for a cab. Now, even if you still have your credit card, if you forget your PIN you're in a world of hurt. ("So, don't forget your PIN, dummy!" Yeah, I know. But no one ever plans on forgetting their PIN.)
Re:Photo and PIN on Cash Card / Credit Card?? (Score:2)
Re:Photo and PIN on Cash Card / Credit Card?? (Score:2)
Or do what I do, and make every PIN the same.
Re:Photo and PIN on Cash Card / Credit Card?? (Score:2)
Re:Photo and PIN on Cash Card / Credit Card?? (Score:2)
I think Royal Bank of Scotland do photos on your credit card. However it would be even better if when the cashier swipes your card, a photo of you would be downloaded and appear on their screen so that they can compare you to that photo. A photo on the card might be forgeable.
Obviously this would require a significant investment but I expect it would reduce fraud.
Re:Photo and PIN on Cash Card / Credit Card?? (Score:2)
The next store (Dixons) noticed and asked me to sign the card, then they allowed the transactions!
I guess it's because they're not liable, their nation-wide uber company is so their job's not worth it.
Re:Photo and PIN on Cash Card / Credit Card?? (Score:3, Informative)
Which bit are you referring to - the photo part? Because point-of-sale PIN number entry is currently being rolled out nationwide here in the UK - there was a trial period and now they're going live.
Paranoid? Ha! (Score:3, Funny)
But then people invent stuff like this. Which just makes us even crazier.
tin foil hat... (Score:5, Funny)
Re:tin foil hat... (Score:2)
mastercard, don't sue me (Score:5, Funny)
Pack of cheetos - $1.25
1 Liter of Mountain Dew - $1.50
Stolen card # via RFID - Priceless (or your max on the card)
Tell me I'm wrong (Score:5, Insightful)
Re:Tell me I'm wrong (Score:5, Informative)
The power with which the chip emits its information is dependent on the size of the capacitor on it, so feeding a higher "power beam" to it will not increase the output power.
However, RF energy decreases as the distance from the radiator increases (inverse square law), but does not technically (theoretically) go away completely at any distance from the radiator. If your subversive reader had a higher-gain receiving antenna than the official reader, then you would be able to read the data farther away than one inch.
Note that RFID chips have come a long way since the beginning and now can perform whole two-way transactions during each pulse of activity. The devices could implement a challenge-response type of authentication. The chip sends a string, the reader encrypts it with the secret code, and sends it back to the chip which checks to see if the string is encrypted correctly. If it is, then it sends the data (also encrypted) to the reader, all in one pulse from the "power beam".
While nothing can be totally secure AND also accessible to everyone, the challenge-response system is practical and effective (some mail servers use it so you can log into your mail server over an unencrypted channel without revealing your password).
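The challenge-response exchange described in the comment above, as an added example (not code from the thread or from MasterCard). It substitutes HMAC-SHA256 for the unspecified "encrypts it with the secret code" step and leaves out encryption of the released data; the key, the account string and all names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not real card data.
SHARED_KEY = bytes(range(32))
ACCOUNT_DATA = b"ACCT-0000-EXAMPLE"


def keyed_response(key: bytes, challenge: bytes) -> bytes:
    """Reader side: prove knowledge of the key by MACing the card's challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Card:
    """Chip side: issues a random challenge and releases data only on a valid reply."""

    def __init__(self, key: bytes, data: bytes):
        self._key = key
        self._data = data
        self._pending = None  # challenge awaiting an answer, if any

    def new_challenge(self) -> bytes:
        # A fresh random string per activation is what makes a recorded
        # reply worthless in any later session.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def release(self, response: bytes):
        # Each challenge is single-use: clear it before checking the reply.
        challenge, self._pending = self._pending, None
        if challenge is None:
            return None
        expected = keyed_response(self._key, challenge)
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(expected, response):
            return self._data
        return None


def read_card(card: Card, reader_key: bytes):
    """One complete exchange between the card and a reader holding reader_key."""
    challenge = card.new_challenge()
    return card.release(keyed_response(reader_key, challenge))


def replay_recorded_response(card: Card, reader_key: bytes):
    """A reply observed in one session is presented again in a later session."""
    first_challenge = card.new_challenge()
    recorded = keyed_response(reader_key, first_challenge)
    card.release(recorded)   # the original session completes normally
    card.new_challenge()     # later activation: the card picks a new string
    return card.release(recorded)


if __name__ == "__main__":
    card = Card(SHARED_KEY, ACCOUNT_DATA)
    print("reader with key:   ", read_card(card, SHARED_KEY))
    print("reader without key:", read_card(card, b"\x00" * 32))
    print("replayed reply:    ", replay_recorded_response(card, SHARED_KEY))
```
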
Re:Tell me I'm wrong (Score:2)
Remember those infrared remote controlled door locks on cars?
Re:Tell me I'm wrong (Score:2)
The initial string "to be encrypted" is random.
both kinds exist (Score:2, Informative)
Nokia also announced recently they have software & hardware [rfidjournal.com] that can turn your cellphone into a tag reader.
Wonder how long until the latter gets "improved" upon by "outside independent researchers", the kind of dudes who wear darker colored chapeaus.....
Re:Tell me I'm wrong (Score:2)
What we really need is a switch on the card itself, akin to the rw/ro switch on floppy disks. That way we could turn the cards off for most activities, but turn it on just long enough for the RFID reader to scan the card. It could even probably be a small button that must be depressed to activate the card, though how that would work when the card is stuck next to my ass in my back pocket, I'm not sure. My ass seems to be good at pushing buttons, at times.
But in all seriousness, the ability to "tu
Re:Tell me I'm wrong (Score:2)
Re:Tell me I'm wrong (Score:3, Informative)
This is probably NOT RFID (Score:2)
Really! (Score:5, Insightful)
Look, the 5 seconds per month people will save with this aren't going to be worth the costs of embedding the RFID, so eventually this will go away based on simple economics.
Re:Really! (Score:5, Insightful)
What's the "inconvenience" that RFID is trying to solve here? Why can't some company concentrate on making it faster for Ms. Soccer Mom to write her $300 check at the grocery store, when she's one of 4 Ms. Soccer Moms in line in front of me?
I agree, this is a solution looking for a problem, and it's going to die a quick death.
Re:Really! (Score:2, Funny)
Re:Really! (Score:3, Insightful)
Re:Really! (Score:2)
I've never understood why credit cards don't use an imprinted 2D barcode and optical scanners for much the same reasons. If wear on the print were an issue they could use aluminium cards with holes as an optical punch card.
One issue with the RFID tags that doesn't seem to have been mentioned though, is would walking around with an RFID scanner be illegal?
Re:Really! (Score:2)
Maybe I've come across some bionic credit cards, but I've never run into a problem with scanning any of my cards. My Capital One MasterCard was issued in 1999 and still scans just fine whenever I want to use it. My MBNA and Fleet cards are replacements which were automatically sent. And now I have an Amex "Blue" card which is practically see-through, replacing
Re:Really! (Score:2)
I call bullpucky on that.
I have a direct-debit card that's also a VISA (with the same protections as a regular VISA card), that I use a lot for everything. Before the bank replaced it (bank changed names a year ago, finally swapped out the old cards), the card was so worn that you could barely read the bank name on the front, yet I never had to multi-swip
Re:Really! (Score:2)
Except with a credit card, you have to reach into your pocket, pull out your wallet, open the wallet, pull out the proper card, and then swipe it.
From what I understand about these speedpass systems, it's something you hang from your keychain. Which means you just have to take your keys with you when you get out of the car to pump the gas (something you might want to do anyway if you compulsively lock your doors when yo
Kidney-bean-shaped Discover cards (Score:2)
Re:Really! (Score:2)
It's not at all inconvenient to me, however, it appears to be an inconvenience to the government.
Re:Really! (Score:2)
Re:Really! (Score:2, Informative)
Re:Really! (Score:2)
But what happens when you have multiple RFID-enabled cards? which one gets read?
Re:Really! (Score:3, Interesting)
What if you could just swipe the ca
Re:Really! (Score:2)
It has nothing to do with saving you time, it has to do with saving retail outlets money on cashiers. There's already gas stations in California (and I'm sure elsewhere) that do not have attendants. This way associates can focus on getting more merchandise into your hands and not on the average 3 minutes it takes to ring someone out
Simple economics (Score:2)
So if you are in a country that hasn't switched to smart cards yet, your bank is the low h
Re:Convenience (Score:3, Insightful)
Security (Score:2, Interesting)
Re:Security (Score:2)
A possible solution could be to encrypt the card number with the vendor's public key(and a
Re:Security (Score:2, Informative)
cc companies and security (Score:2)
Code (Score:2)
Sweep the card AND punch in your personal code.
That way, you need to have something (the card) and need to know something (the code).
It's also better than putting your signature on a piece of paper. Everyone can fake a signature. Don't tell me they always verify it. With a code the machine always verifies it for you.
Dexit (Score:4, Interesting)
They must think it's safe (Score:2, Insightful)
From the site:
"Your card never leaves your hand. And, of course, you get the same level of security that you've been accustomed to: $0 liability on unauthorized purchases and a receipt for every purchase."
If it's really possible to grab numbers from a crowd, this one could get expensive for them. You'd think they'd be smarter than that. But companies have messed up before.
Re:They must think it's safe (Score:2)
Just this once, let's give them the benefit of the doubt and assume that this thought may have crossed their minds, mkay? Otherwise, patent some kind of RFID blocking wallet and make a fortune. I can see this technology taking off - consumers will like the idea of "magic wand" payment methods. And it's good to see new technology like this, because it keeps things interesting for the crooks trying to abuse it - woul
How secure? (Score:4, Interesting)
This quote is worth any comment:
"PayPass is guaranteed as safe and secure as all MasterCards."
Oh, then that gave me a very strong and confident feeling. (Read this as: secure my ass)
Better idea - 2 accounts in one card? (Score:5, Insightful)
Assuming one likes the idea of small plastic transactions at all, I wonder if it wouldn't be a better idea to _combine_ 2 accounts in one card: one account for the higher-value mag-stripe, and an RFID account with a low credit limit that needs to be constantly replenished.
Re:Better idea - 2 accounts in one card? (Score:2)
Worst case, you get $25 wiped off your card, not more.
Therefore, you will not pay much attention to a $25 RFID credit card, but you would be careful with your normal mag-swipe credit cards. And there is a distinct possibility that they probably want to study how well this is accepted and adopted, and how people use this, before getting into it with guns blazing.
They may have it separate from the magnetic stripe becau
Even better, a store of account numbers (Score:2)
Going to Moscow? Grab a new account limited for the length of your stay, good for up to $5000. If your number is stolen, they have until the expiry date or your allotment is spent.
Of course, I don't think that Visa/Mastercard care, actually, since they get a cut of the transactions, and limiting transactions would
Obligatory Credit Card Fraud Quote (Score:4, Funny)
how long... (Score:5, Interesting)
How long till plainclothes cops walk the malls carrying detectors that sense the self-incriminating probe of the would-be pickpacket?
Re:how long... (Score:2)
pickpacket
nice word.
Why don't they put some contacts on the card? (Score:3, Insightful)
Re:Why don't they put some contacts on the card? (Score:2, Insightful)
Heat could do it.
Remember "Locks only keep honest people out."
This is a Horrible Idea (Score:4, Insightful)
RFID's on personal ID's or credit cards have to be a security nightmare. How easy would it be to hide a collection device under a bus or train seat and collect ID's for a whole day or two?
Not to mention that a transmitter generates EM fields, which might be strong enough to erase your other mag-stripe cards in proximity.
RFID technology is now getting into the "buzzword" phase of electronic manufacturing/production, it's now cheap and common enough to start getting idiotic designers thinking "gee, wouldn't it be neat if we put an RFID in
History repeats itself once again.
FUD against RFID? (Score:3, Interesting)
Why passive? (Score:2, Interesting)
The reality of the situation is you can't trust the reader. Ever. This is why it's easy to scam debit [get their card no and pin], why it's easy to charge credit cards, etc...
Sure it might cost more per card but the cards would be subject to *less* abuse and you'd have to pay out *less* ultimately in fraud.
Tom
Re:Why passive? (Score:2)
Many of the European smart cards have embedded chip technology that works as a debit card. That is, there are limitations to how much can be stolen, if it can be stolen. Most smart card chips are designed to fuse themselves shut when hacked.
Proximity scan for such cards isn't as big a deal as getting access to someone's credit-card number, which in turn can be parlayed into a fake credit card used to drain someone's line of credit, or check banking account.
equip clerks w/x-ray glasses to confirm signature (Score:2)
Looks similar to the failed technology Mobil used at its gas pumps, only flatter and provides more opportunities for ne'er-do-wells.
It could work... (Score:3, Informative)
The Smart MasterCard would exchange single-use credit card numbers a la Citibank's Virtual Account Numbers. That way the number would be useless as soon as the retailer has charged it, so that a bystander "sniffing" the information would not get anything of value.
The microswitch would simply allow you to control WHEN the card can be interrogated, so that passersby can't muck with it. You'd squeeze a spot on the card when you held it up to the retailer's reader, and thereby allow the transaction.
Re:It could work... (Score:2)
Eliminating the physical swipe across a magstripe would be an improvement because magstripes wear out and get demagnetized. Chip-in-card systems have basically taken over the building-security business for this reason.
In theory it is the card vendors problem (Score:4, Interesting)
In some ways I got lucky because the nature of the spending raised flags, and because my bank actually has incredibly good service. The catch is, it is up to the credit card companies to wear the cost of stolen cards etc. presuming you take reasonable precautions. If they want to embed easily readable RFID tags and have to cover a shitload of costs for easily stolen card numbers... well, more power to them. They'll be out of that business soon enough.
Jedidiah.
RFID sensitivity (Score:3, Informative)
OTOH, what makes things easier when you can train a person to perform a task in a set way is not always better for mass consumption. Look at how often people have to reswipe cards because they put the strip on the wrong side of the reader - now imagine someone trying to align the RFID tag with a reader - all you've done is replace one motion with another. Mobil (ExxonMobil - the Mobile is silent) has SpeedPass - which never really caught on - that is essentially the same idea. They tried to push it for fast food purchase as well - ever see a SpeedPass enabled drive through? Which brings up the issue - how much will it cost for companies to replace/upgrade existing readers to handle the new cards? Without a lot of cards, there's no incentive for companies to spend the money. Without readers, why have the card?
I've had one CC strip go bad - and all the clerk did was key in the info - this RFID idea sounds like a solution to a non-problem. Now, if they could add a biometric reader that required my thumb on the card to validate it - and it read the first thumb placed on the card as the right one when you get the card, then I'd be interested.
A switch that activates the tag sounds neat - but now I must not only get the RFID tag close to the reader but hold the card in a special way - forget it - not to mention some people may have trouble doing that due to physical constraints.
Encryption (Score:2)
The power consumption of the cryptographic circuits explains the limited read range. The amount of power that an ISO 14443 tag needs to operate cannot be transferre
No more or less safe/secure (Score:2)
Some company policies require that all cashwrap associates hold the card until it is signed and the signature compared, other companies have policies that the card be given directly back to the customer after it has be
If only you could turn them OFF, or block them... (Score:2)
http://money.howstuffworks.com/credit-card3.htm
The RFID would allow me to authenticate my purchase without unauthorized persons seeing the critical information needed to make another card. The problem
Why is this more insecure? (Score:2)
For example:
purchase
enter pin
terminal hashes to pin with some random number
card responds to the challenge by hashing the random number with the time and your card ID number (public key)
card puts itself into sleep mode for a second
terminal sends th
maybe they should... (Score:2)
Mastercard is not stupid. (Score:4, Insightful)
I would be very surprised if the cards didn't have built in challenge/response cryptography to send the information. These cards are available now, and cheaply in bulk. Further, they would likely only contain a database link to the credit information which can probably be invalidated without changing the credit card number.
Of course, this means the bad guys only need to break one (or maybe a few) keys to gain access to everyone's card, but then they have to go around and collect them by hand.
The assumption that companies are stupid or lazy is actually based on the fact that they have to make cost/performance decisions. What seems stupid to us generally is cheaper including all the incidental and security costs. I doubt that the cost/performance ratio here would favor a 'stupid' solution.
-Adam
your card# is already not a secret (Score:2)
The act of swiping your credit card number is proof to the merchant that you possess a physical token, nothing more; it is the merchant's good name with the credit card company that then lets them get the money that was promised to them.
What matters from the consumer's point of view is how hard it is to duplicate the token. If they picked the right RFID (something w
Clone Speedpass RFID? (Score:3, Insightful)
Are there any documented cases of Mobil Speedpass RFID's being stolen and cloned? I do recall reading a slashdot [slashdot.org] story about a product that could be used for this purpose.
There are already millions of these out, and the infrastructure for using them has already been in place for years (at least in my neck of the woods).
This is already out there (and maybe better) (Score:2, Interesting)
Too much discussion! (Score:2)
You have magnetic-stripe cards now. They contain the information necessary to identify the account of the card owner.
If you move to RFID-based cards, they will (*GASP*) contain the information necessary to identify the account of the card holder.
That doesn't, in either case, mean that the person actually presenting the card for reading *IS* the account holder. The same merchant negligence issues apply. See: no
This is Actually MORE Secure (Score:2)
When you hand your card to the cashier, anybody -- and I mean anybody, particularly the cashier -- with a decent memory, or even just a piece of paper, can glance at the number and jot it down. If you're really worried about this, you'd be really worried about cashiers as a potential source of credit card fraud -- they, after all, get to see the number whenever they want. Especially
Re:Within in inch (Score:2)
To a degree they can inhibit the power of the reply, sure. But only to a degree. If they go too low, the things will get a reputation for being flakey because people will have trouble getting them to read properly.
So while I don't doubt it's something close to what they say, I'd guess 2-3-4 inches should work just fine with the proper equipment.
And even if it really won't work past 1 inch, so what? Pickpockets that are used to having to remove the entire wallet from the pocket are still going to find i