MasterCard To Distribute RFID Credit Cards

wellington writes "Reuters is reporting that MasterCard expects to have 4 million "pay pass" cards in circulation by year's end. These new cards will be equipped with a radio-frequency chip that allows customers to pay for purchases by simply waving their cards at readers posted near cash registers or gas pumps." The cards, previously covered on Slashdot, were announced earlier this year.

More fraud?

[Hidyman]

How long until crooks have portable swipers to get your card info?
Hope you don't have your ID, they might get that info, too.

Re:More fraud?

[The Clockwork Troll]

On the flipside, the card never has to leave your physical possession.

MC's gamble is that contactless payment will thus thwart more fraud than it facilitates, while simultaneously encouraging consumers to buy more goods and services, because the PayPass transaction is perceived to be "easier" than exchanging cash or presenting plastic.

Re:More fraud?

[jrockway]

This doesn't make any sense. The time consuming part of a credit card
transaction is where the cashier checks your signature against the one
on the back of the card. If you just touch the card, there's no way
for anyone in authority to verify that you are you. This makes me
slightly uneasy. Handing the cashier the card and signing wasn't
really that hard.

The only place where RFID cars are convenient is for rapid transit
fare control. You want to get through quickly, and swiping a card is
actually cumbersome. When I first experienced this was when I was in
Japan, and the normal card readers there were pretty good so it wasn't
much of a difference. (More of a novelty really, but I bought in and
used JR instead of the subway for my monthly pass... google SUICA if
you're interested.)

Here in Chicago, though, it's great. The normal farecard readers take
*forever* to read the card (you'll know this if you're from Chicago),
but the new RFID-based "Chicago Card" is really really fast and speeds
boarding onto busses which means you get a seat quicker and get to
where you're going quicker.

But for credit cards, this is a security risk.

Re:More fraud?

[Neil Blender]

I was in Hong Kong a while back. They have something called an Octopus card, which is a RFID card that you can charge with dollars money. It's mostly used for mass transit, but you can use it in many stores, phones, parking, etc. It was pretty slick - you'd scan it and the reader would tell you how much you had left on it.

The cool thing about it is you just add money to it as needed, it's not tied to any personal bank account or linked to you in any way. If you lose it, you are out of luck but even if someone could hijack your signal, the most you'd ever lose is what was on the card.

Thinking of it just now, Hong Kong is pretty damn high-tech. You'd think if it was so easy to capture RFID, there'd be signs say "Be sure to protect your card" or something. There were plenty of signs everywhere warning you of various laws and dangers. Everyone, and I mean everyone, has one of these Octopus cards in Hong Kong (well, I read 95% of them do because noone has cars.)

Re:More fraud?

[jrockway]

I believe that JR's (Japan Railways) Suica card is now being accepted as cash in a number of places. I know that if I still lived in Tokyo I would definitely use this to pay for things like coffee, etc, just because it's so damn convenient.

I would appreciate that when I buy a laptop or something that they would pretend to watch me sign the receipt, though :)

Re:More fraud?

[iamdrscience]

The time consuming part of a credit card transaction is where the cashier checks your signature against the one on the back of the card.

Have you ever used your credit card? It's pretty rare that cashiers will check your signatures, particularly if you're paying for something under $100. Try working as a clerk somewhere and notice the looks you get if you take the time to compare a signature, not to mention the arguments that will erupt with the few customers whose signature doesn't match, but are the legitimate owner.

People don't expect to have their signature checked, especially for small purchases. I've worked as a clerk, even people who write "SEE ID FOR SIGNATURE" on their card's signature line will be confused when you ask to see their ID, most forget they have it written on their card or are not used to actually being asked for it.

Maybe in the US

[aepervius]

But here in EU, they give a cursory glance at the signature. Even if this is for a small amount of 10. Granted it won't stop fraudster which just scrible a similar signature and pass the test, but they certainly check it.

Re:More fraud?

[Skye16]

When I worked for Pac-Sun (don't ask), we had to match signatures. It wasn't a cursory glance. One signature was completely off. I told them I couldn't accept that card. She said "It's okay, it's my Daddy's!" and I'm like "uhh...you can't sign your Dad's name for a purchase you're making." She got all pissy, the manager came over and she told her the exact same thing. So then the girl called Corporate. They told her the same thing. She left, all pissed off.

Personally, I do the see ID route. I get angry when most stores don't check. A gas station we have in western PA, Sheetz, doesn't actually require a signature for amounts under 20$. So they don't bother checking. I don't know whether I'm okay with that or not, but I guess that, since it's under 20$, it's no big deal, to either party.

But that's enough rambling anecdotes for the day. :]

Re:More fraud?

[Jim Haskell]

This is completely contrary to my experience. Every time I've ever payed with a credit card, the person accepting my credit card has never looked at the back of my card. In fact, (and, yes, I just looked,) my credit card isn't even signed. Signatures are not a security measure -- they're a formality. There's a light-hearted look at the issue here. [zug.com]

Re:More fraud?

[gravij]

The time consuming part of a credit card transaction is where the cashier checks your signature against the one on the back of the card.

I disagree. When I worked on a checkout in a supermarket I found the most time consuming part of the transaction was:

• waiting for the customer to get search through their wallet for the right card,
• swiping it a few times,
• forgetting to press ok to confirm transaction,
• waiting for the system to connect and authenticate,
• waiting for the slip to print out.

Handing the slip to the customer, them squiggling on it and me having a quick look to see if the two squiggles was not the hold up in the process.

Re:More fraud?

[Stween]

Your comment deserves to be marked as funny, rather than informative; I laughed out loud.

Having done a lot of bar work, it's surprising how much the customer does hold up the whole process of paying. The whole hunting for cash thing is irritating, but so is the downright stupid "I don't know what I want yet". Uh-huh...

What irritated me the most though were the customers who carefully placed their money on the bar in front of you, while you stand there with your hand out to receive said money. All too often

Re:More fraud?

[AnnualSparrow]

It would help if the UI wasn't completely different on every single POS machine I've ever used. Even a particular store will sometimes change its POS system often enough that I have to carefully follow the UI prompts, instead of relying on muscle-memory. Then you have the stores where they've modified the UI themselves, using sharpies or masking-tape.

Think of it from the customer's point of view: he would have to remember the UI for every POS system he uses. Meanwhile, you use the same one, all day, and onl

WOo double confirmation

[xant]

This is pretty common in a lot of software systems. The thing is, the people who designed the system already built a confirmation into it, and then forgot. It's the signature.

When I'm doing design, I always look for places where security requirements of the system have placed an automatic confirmation step, and eliminate any confirmations before that. If necessary, put a summary of what's about to happen in the same place that the security check takes place.

Re:More fraud?

[Znork]

"The only place where RFID cards are convenient is for rapid transit fare control."

Nah, they're also very convenient for assassins or terrorists who want to create ID-triggered explosive devices. Just imagine how practical when you can leave a device, and a few weeks later when the victim walks by, there goes the boom.

Any remote ID that doesnt require the owners active cooperation is a security risk.

I expect tinfoil wallets to become commonplace.

No need for tinfoil

[DrSkwid]

try this [magellans.com]

or make your own [rfsafe.com]

When I was a shoplifter I used one of these [magellans.com] works a treat for rf frequency shifting security tags.

Re:More fraud?

[DrXym]

I believe some countries allow you to use your rapid transit card to make small purchases. In addition of swiping your card to be allowed through a gate you can buy a bar of chocolate or a newspaper or other small transactions. Apparently London is piloting doing such a thing with their Oyster card.

It makes sense that if you have a card which is acting like pocket change to allow this. You deplete the credit and then you top it up. You can only spend as much as you have on the card so it has a natural cutoff. Since you buy the card with cash from a machine, the card is effectively acting like semi-anonymous currency.

It doesn't make much sense to do the same with a credit card, unless the credit card imposes a hard limit on what you can spend in such a manner. And I don't mean per item - I mean total that you deplete and must be topped up either by you or a preset top up. Otherwise what's to stop someone reading your RFID and making their own purchases by spoofing yours?

It doesn't really make sense to even embed the RFID into the credit card anyway. Are Mastercard going to be happy with reissuing cards to hundreds of people for the sake of thieves leeching $10 a day off them? How does a customer or Mastercard even spot suspicious transactions for tiny items anyway until the statement arrives?

It seems smarter for the RFID to be on separate card - to be more like a gift card that can be topped up at the discretion of main card holder. These could be sold anywhere and it would be easy for someone to buy a couple of them and set them up with their main account. Then if someone steals one, you simply don't top it up anymore. This would of course require Mastercard or whoever to stop gouging owners of these cards by charging a monthly "administration fee", but if they wanted to see the scheme work, they'd waive it.

Re:More fraud?

[Gordonjcp]

It's a lot harder to clone "Chip and PIN" cards, because they are very difficult to program. There is surprisingly little security-by-obscurity involved, and lots of things like 3DES and rotating keys uploaded from the till on a regular basis, and stuff like that.

The big problem is with vending machines and the like that use Chip and PIN. We have a cashless vending system that can be topped up with either cash or a credit or debit card. Great. The problem is that instead of a small (calculator-sized) PIN pad that's difficult to shoulder-surf, you enter your pin on a 6" square keypad on the big, bright touchscreen on the front of the unit. This kind of defeats the purpose.

Re:More fraud?

[Tony Hoyle]

A pickpocket who gets your card can also get your PIN and clean you out... no cloning needed (that's actually quite hard although not impossible). The whole point of C&P was to shift responsibility - if someone uses your pin to make a transaction *you* are liable even if the card was stolen.. there's a basic assumption that only you know your pin.

I *really* hate the way they limited it to 4 digit pins. I'd rather have a 10 digit one - much less chance of a casual thief being able to memorise it on the first shot. Leave it at 4 for the AOL users, but I'd rather have some security thanks.

Signatures were way better in many ways... everywhere round here was really strict about checking them.

The worst of course are the supermarket 'self service' checkouts - they don't ask for a signature *or* a pin - no security at all... you swipe the card and walk away.

Re:More fraud?

[Lord Kano]

As I understand it, these aren't really RFID cards but just imagine the mayhem if all you had to do was stand outside of your local mall smoking and rip off every RFID card that passed by.

Or a corrupt janitor could install a sniffer inside of a garbage can in a high traffic area.

LK

Re:More fraud?

[E8086]

"On the flipside, the card never has to leave your physical possession."

It rarely has to anymore. Most stores have installed credit/debit card readers for their customers, thanks to that scare a while back that cashiers were stealing credit card numbers. The only time my card leaves my posession is with the older style BoA/Fleet ATMs that still want to hold on to your card until the transaction is complete. I hope they will still require a PIN/passcode along with the card or maybe a thumb held on a scanner while the PIN is entered with the other hand.

Or they could try making the cards smaller. Who says a credit/debit card has to be 3.5"x2"? Yes, it fits perfectly in a wallet, but so does a 3.5" floppy in a shirt breast pocket. I remember seeing commercials of credit cards designed to fit on a keychain, it even had a protective case. A credit card can easily be reduced to 1" high, if you examine one you'll see that the top half contains the magnetic strip and the signature box and the bottom has the number, exp date and name. And they're on opposite sides of the card.

Remeber, RFID that claims to be read at only up to 6" can really be read at up to 70'
The tinfoil wallet is too passive an approach and can only protect the card while it's in the wallet, not in use. It's time to modify a PDA RFID scanner to be an RFID jammer.

RFID passports, RealID cards and credit cards. What's next RFID birth certificates and social security cards? That will add a new level to wardriving and even war/RFID walking in malls.

Re:More fraud?

[maxwell demon]

RFID passports, RealID cards and credit cards. What's next RFID birth certificates and social security cards?

To prevent physical stealing of personal RFID cards, you'll get an RFID chip implanted in your forehead. Which means that you can pay by banging your head against the cash desk.

Fraud Prevention.

[ciroknight]

Quick, start selling Tinfoil hats!!!!.. for WALLET!!!

Re:More fraud?

[petej2310]

Spreading FUD...u should all work for BILL!!!
These cards are based on SMARTCARDS and the EMV standards (3DES, PKI, challenge-auth techniques) against which millions of credit and debit cards have been issued. The only difference is that they use an RF interface to provide comms and power the chip.
See http://en.wikipedia.org/wiki/ISO_14443/ [wikipedia.org]
They ARE NOT RFID tags, they do not emit your card number, banks (as other have correctly posted) are smart enough to NOT provide OTHER avenues of fraud.

Re:More fraud?

[thelonestranger]

War driving for credit cards? Get a scanner sit on a motorway bridge and fleece 30 people a minute.

Theft

[jedie]

Well okay, you don't need physical access to the card anymore to steal money from it.

They're gonna need to put in some confirmation thing in this, but I thought the whole idea was effortless payments.

Range?

[interactive_civilian]

Really? Just out of curiosity, what is the range of RFID in these cards?

I only ask because my train pass (in Japan, the Suica card) is RFID, and you pretty much have to touch the sensor for it to work at the ticket gates. Anything more than about 5mm and it won't be read. You pretty much have to touch it to the sensor.

So, unless someone with a scanner embedded into his/her pants bumps into you, I imagine you will be OK. If you are paranoid about it, you could always wrap your cards in tinfoil or something. ;)

Or am I missing something, and these things are more remotely scannable than I thought?

Re:Range?

[Anonymous Crowhead]

These new 4th generation RFIDS (or 4GRFIDs as known in the industry) broadcast at a strength 64.2W (1.9 amps/hz) Though it not might seem like much, the signal is detectable by a dime sized reader at over 3000 yards and does not require line of sight. This reader can be easily assembled by about $13 dollars worth of parts (diodes,wires,etc) from RadioShack. There are instructions on the internet that are so simple, a child capable of drawing crude stick figures of his mommy and daddy with crayons could assemble one, link it to an offshore bank account and be draining bank accounts in less than thirty minutes.

Actual range is 8190850 miles

[mangu]

These new 4th generation RFIDS (or 4GRFIDs as known in the industry) broadcast at a strength 64.2W

The true range for that power is *much* more than 3000 yards. Using "some surplus telephone house wire" this amateur [madisoncounty.net] received signals from 1531 miles away at 12 milliwatts. Can you imagine what a true professional could to to your 64.2W RFID?

Re:Range?

[gardyloo]

So, unless someone with a scanner embedded into his/her pants bumps into you, I imagine you will be OK.

      It's not the scanners I'm worried about. It's the guys who *call* it a scanner, and are just really happy to see me -- THEM I worry about.

Re:Range?

[moro_666]

the range always depends on the censor, i'm pretty sure that some adequate h4x0rs can make their scanners work on 2-3cm distance or even more. if you have 10k cash on your account that a thief could "use", he will definetly "bump" into you and probably into some other people too :)

imagine the power of such a scanner in a wall street elevator, you struggle through some people and "pay" a few minutes later while they are struggling for stocks.

seems awfully insecure and i would advise against using this stuff.

Re:Range?

[amodm]

I don't know about the range and all. What I can tell is that I used to keep my company ID card (RFID based) in my wallet.

I never really needed to bring my card out for swiping. I just brought my wallet in front of the scanner (at least 2 cms distance), and it worked.

I wonder if in a subway, a guy could bring a scanner close enough to my pocket and sniff our my CC info.

Worse, if the info is static, all he needs to do is replicate the same signals using any damn device. He doesn't even need to build another card, or decode the info.

Re:Range?

[Dachannien]

What's best is when they put the sensor on the inside of a window at about ass-height. If your RFID card is in your wallet in your back pocket, all you have to do is press your ass up against the window to get into the building.

Tinfoil, or...

[Trejkaz]

I guess if you made a duct tape wallet out of metallic duct tape, it would block radio waves for free. :-)

Re:Range?

[tooth]

When you bring the card near the reader it induces a current in the card to power it (Passive RFID). This is why you need to put it close to the reader. Once this happens you can snoop the signal from the card from nearby.

Re:Range?

[joe_bruin]

You put your card up to the reader not because that is the range of the signal coming out of the card. Rather, it is the range of the magnetic induction field coming out of the reader to power the card. The signal the card emits can probably be read at 100 meters by a person with a high gain directional antenna.

Of course, Suica cards are not that prone to theft because the most that person could do is take a spin around the Yamanote Line at your expense. When there's serious money involved, you will see someone place a high powered field generator in a trash can by the entrance to a mall, and then sit in a car nearby and gather access numbers from everyone going in or out and massively cash out. Non-contact based transactions are a bad idea. Faraday-cage wallet, here I come.

Re:Range?

[StrawberryFrog]

it is the range of the magnetic induction field coming out of the reader to power the card

This is true.

Anecdote: During the early trials of the Oyster [tfl.gov.uk] RFID transport card in London, there was a problem with passing buses dinging the accounts of people waiting at the stop who didn't get on that bus. The Solution was to reduce the power of the reader on the bus.

Re:Range?

[Guignol]

The card itself is just an antena powering an embedded 'tag'
The power it will be able to get and partly send back will be function of the field it is in. That field will be generated by the reader and, of course, different readers have different capabilities.
I have installed several types and while most of them are 5 to 12 cms range, there are some that work at meter range.

Re:Range?

[Allnighterking]

Remember Range (in somewhat simplistic terms) is a function of two components. Component 1 is distance the transmitter can transmit a signal at level "X". Component 2 would then be the signal level, or sensitivity, needed by the reciever. Increase the sensitivity (or actually decrease the level at which it can read data.) and you increase the distance the signal can be transmitted.

Increasing the sensitivity of the reciever is much easier and much less expensive than increasing the power of the transmitt

Re:Theft

[Burning1]

You never did need physical access. Ever made an online purchase? There's a million other valid numbers sitting right next to yours, neatly orginized and ready to be stolen.

Re:Theft

[Tatarize]

Walking around with a scanner is too much work. What you really need is a really small scanner with a meg or two of memory say about the size of a sticker, and put it on a sticker and stick it near the scanner at a merchant. Come back in a week or so and you'll have a few thousand CC#. The scanning chip should be dirt easy and super tiny. You should be able to put them in just about anything in a few years.

Also another great scam is going to be those stupid turnstiles on subways and the like. Everybody se

Re:Theft

[DigitumDei]

I dunno about what's happening in the US, but in South Africa my bank claimed it was bringing these into circulation at the beginning of this year. The thing is, according to the letter from the bank, you wouldn't have to remove the card from you wallet, but you would have to enter in a pin code on a key pad. The pin code wouldn't be on the card itself, the keypad/reader would have to confirm with the banks much like your average ATM.

Of course someone with a reader who also see's you entering in your pin co

Re:Theft

[Begemot]

...They're gonna need to put in some confirmation thing in this...

Dunno how's it in states, but in Russia, France and more countries you have to type in your PIN in order to approve a payment.
Long range RFID would be much easier because you won't need to get your card out of your wallet that's stuck somewhere in your pouch full of other stuff. Just type the PIN.

Supermarkets should greatly welcome this initiative because their lines will go much faster that way.

Re:Theft

[samael]

Will it ask you which of the 4 cards in your wallet you want to pay with?

Not a big change

[drivinghighway61]

The article claims these new RFID cards will be a breakthrough in ease of use, like PayPal was for online purchases. However, the change to simply a wave isn't that much better than a swipe. One wonders what the real motive for adding the RFID chips to the cards will be.

Re:Not a big change

[WoTG]

IMHO, over time this will become part of a more secure credit card system. It's much harder to clone an RFID than it is to clone the mag stripe and graphics of current cards.

It won't completely fix credit card security (think online purchases and manual imprints), but it will help.

Plus it gives MC some marketing bullet points for providing advanced "RFID super-technology" to its members first.

Shoplifting

[jbellows_20]

No more shoplifting now. They just scan my creid card as I walk out the door, after they scanned the merchandise that was in my backpack. What has the world come to?

Re:Shoplifting

[jamesh]

And the security guards will jump you when you walk _into_ the store if you don't have a credit card on you, since obviously you are there to steal stuff.

Security?

[Mateito]

It amazes me every time I go to the states how no signature or pin is required to buy goods on a credit card. Self-service gas stations are good example. This is single-factor authentication. RFID or magnetic strip, doesn't make a difference.

How long will it take the collectives minds of the criminal fraternity ... or for that matter the collective minds of Slashdot, to design a reader that can be used to copy RFID takes from people in crowded lifts and trains?

Re:Security?

[rincebrain]

Already done...I think.

I read a HOWTO, written by a student in a college which used RFID chips in cards for authenticating students, about building a nice device for artificially duplicating any given chip's signal. I can't find it offhand, but I know it's there...someone on Slashdot has to have read it.

Re:Security?

[zoloto]

They already have, but they're doing such a good job and raking in a ton of money - so sneakily that they aren't being noticed yet.

Just wait, I'm sure the NYT will have an article about it in the future.

Re:Security?

[Burning1]

The signature isn't required at all to process transactions. The signature is only there to protect the store if you decide to contest your purchase.

Credit fraud is trivially easy.

I have a bad feeling about this...

[Anonymous Coward]

MasterCard RFID Credit Card: free

Checking out at the grocery store without signing your name or entering a pesky PIN number: effortless

Having your account drained by a 12 year old who bought a high-gain RF antenna off eBay: priceless

Re:I have a bad feeling about this...

[RzUpAnmsCwrds]

12-year-old busted after realizing that ISO/IEC 14443 uses two-factor authentication: Classic.

The RF component of these cards is considerably more secure than even the magstripe component.

Re:I have a bad feeling about this...

[caluml]

The RF component of these cards is considerably more secure than even the magstripe component.

If only I could dig up someone saying that about WEP a few years ago...

Theft!

[Palal]

Not only will thieves be able to capture your CC#, they will be able to do it without you knowing it! Think of the possibilities! Subways, buses, crowded trains, elevators, escalators, and other public places! I guess that gives me another reason to not leave home and to spend all day reading slashdot about how others have had their identity stolen.

Re:Theft!

[MoralHazard]

I thought of this immediately, too. But there HAS to be something more going on, right?

In the USA, at least, credit card issuers (the banks that back the cards) are ultimately responsible for fraud. Their agreements with merchants stipulate that the merchant has to eat any charges found to be fraudulent, and if the merchant can't/won't, the bank has to do it. By law, the customer is limited to being responsble for only the first $50 of charges. And most card issuers have policies that waive even that fee.

So if it's really going to be that easy to steal CC numbers, why in the hell would banks do this??

I had one idea that might float: The expected losses due to increased fraud are outweighed by their predictions of increased consumer credit spending, once it becomes easier to use the cards. Since the merchants eat fraudulent charges, anyway, the banks aren't out that much more money if fraud goes up.

Of course, this disincentivizes merchants to let people easily pay for things with a swipe (yif ou have to show your photo ID before you wave your card--defeats the point, doesn't it?). Which would make the whole thing moot.

Re:Theft!

[cra]

Your theory floats, but just barely. How much harder is it to pull the card through a megnetic reader than waving it in front of an RFID scanner? Not much, I'd say.

I agree that there has to be some motive, and you can be pretty sure the goal is to increase the income for the company, which boils down to getting it from the card users/customers.

Still, the fact that the merchant/bank has to cover any fraud except for the first $50 isn't good enough. If I have my card scanned and stolen ten times, that ads up

Re:Theft!

[RzUpAnmsCwrds]

ISO/IEC 14443 has two-factor authentication. You can't steal the card number because the card doesn't transmit the card number.

Re:Theft!

[jesdynf]

So if it's really going to be that easy to steal CC numbers, why in the hell would banks do this??

I had one idea that might float: The expected losses due to increased fraud are outweighed by their predictions of increased consumer credit spending, once it becomes easier to use the cards. Since the merchants eat fraudulent charges, anyway, the banks aren't out that much more money if fraud goes up.

I dunno. Wendy's shrugging off checking ID or making you sign documents for credit purchases under a certain a

Re:Theft!

[BlueTrin]

I thought of this immediately, too. But there HAS to be something more going on, right? Yes, in fact you will have to wave your card and to identify yourself, you will just have to swipe your card, type your pin and sign a receipt.

Re:Theft!

[lostchicken]

Getting money back from anybody is hell. What you CAN do is refuse to pay a certain charge when the bill gets to you. Things actually get cleared up pretty quickly that way.

Re:Theft!

[MoralHazard]

I have, actually, experienced CC fraud. Card got double-swiped at a restaurant in San Jose, and a few years before that a shady acquiantance of a college roommate nicked my wallet and bought a few hundreds' worth of audio equipment.

I wasn't that big of a deal, either time. In the restaurant case, I called the CC company, got a CS rep in about 30 seconds, and explained the situation. I got a call back about an hour later and they instantly reversed the second charge--could have just been a mistake by the server, right?

The other time, I called and they told me to fill out a police report. They froze the fraudulent charge, essentially meaning that it was off for the time being, and cancelled that card. I got a call back the next week telling me that they'd looked into it and agreed with me. The only real hassle was the police report, but being as I was living in NYC, the local precinct was two blocks away. It took about 30 minutes, including travel time.

Re:Theft!

[Ark42]

Generally, you can probably buy something and just say its fraud, keep the item, and get your money back with no hassle, if you don't do it that often. CC Companies and banks don't care one way or another, they do not take ANY of the hit from a chargeback. The entire chargeback comes from the merchant, on top of a chargeback fee of at least $35, so only the mercahnts are hurt.

Re:Theft!

[wcdw]

Not quite. The way the credit card world actually works is that when you dispute a charge, the processor (usually a 3rd party) has 45 days to produce a signed receipt (not considering MOTO here, which has different rules).

If a signed (original) receipt cannot be produced, the consumer is automatically awarded the chargeback. And the merchant is screwed. If a valid receipt can be found with your signature, and you've just claimed fraud, you're the one who is [potentially] screwed.

Having seen the inner wor

Wow...

[Vo0k]

Now you can get pickpocketed without ever getting touched by the thief!

OOOH...4 million unsecure credit lines

[realilskater]

With the known security flaws of RFID it is surprising that a credit card company would go this route. Oh, wait MasterCard wants people to be in debt to them. Now it all makes sense.

Anyone else concerned

[SecureTheNet]

about people walking through the mall with rfid readers? Will /. readers line their wallets with tinfoil? :-)

Re:Anyone else concerned

[rincebrain]

After reading this, I'm going to.

The sad part is, I'm completely serious.

Re:Anyone else concerned

[BlueTrin]

I guess that you are fine if you don't wave your card to card readers ...

Conflicting RFIDs

[Cytos]

This is not going to work well for anyone that has multiple RFIDs in their pockets. The current scanners are unable to dicipher between different cards. I already have two cards that use RFID technology and am forced to either pull one out when I want to scan in or awkwardly adjust my wallet so that only one is read. Either way it just defeats the intuitiveness of it if I spend more time trying to get the thing to work instead of just scanning the card I had to pull out anyways.

Works fine for me

[MochaMan]

I have three in my wallet, and use all three everyday without pulling them out; one is a Suica card for JR trains here in Tokyo, one is my company ID, and one is an Edy card [detnews.com] (contactless cash/credit card). In Japan, this sort of technology has been in widespread use for years.

Get some facts

[scdeimos]

PayPass FAQ page: http://www.paypass.com/faq.html [paypass.com]

I'm not sure what the benefit of these are since you still have to take your card out of your pocket/wallet/handbag to swipe it over the scanner (only works within an inch). Anyone who has trouble swiping cards with mag stripes (which seems to be becoming a more-common problem as technology progresses) will likely think this a good thing - one swipe and that's it.

The issue of Card ID theft isn't really that much more than it already is.

Re:Get some facts

[zurab]

The issue of Card ID theft isn't really that much more than it already is.

How so? Instead of picking your pocket and removing your wallet from it, all I would have to do is stand next to you with a small scanner in my hand/pocket in an unsuspecting environment - i.e. any crowded place. The FAQ page you liked to doesn't address this issue.

Limit of liability

[NoGuffCheck]

Here in Australia we have zero liability on credit cards. That means if the card is stolen or even if your charged for something you didnt buy and you still have your card, then the bank takes the money back from the retailer and credits you. It can actually be quite simple depending on which finacial institution and in the spirit of crappy customer service who answers the phone when you call said company to report the missuse.

I have heard that in the US you have a 10% limit, eg if someone steals your car

Re:Limit of liability

[Motherfucking Shit]

I have heard that in the US you have a 10% limit, eg if someone steals your card to buy $100 worth of goods you get $90 back from the retailer via the card issuer.

In the US, federal law limits a cardholder's total liability for fraudulent charges to $50. If someone steals your card info and goes on a shopping spree, by law the credit card company cannot ask you to pay any more than $50, no matter how high the total of fraudulent charges. In practice, liability for fraudulent charges is normally zero here too. Almost all of the major issuing banks will immediately credit you for the amount of a disputed charge, and then debit the merchant for the same amount. Unless the dispute turns out to be false (i.e. the retailer has a receipt with your actual signature on it) you never pay a cent.

Speaking as someone who's been on the merchant side of things in both online and brick-and-mortar situations, I can say that this policy is a double-edged sword. Proving cardholder fraud (where the customer buys something, then decides they don't want to pay for it) and winning a chargeback is dead easy when you're using a point of sale terminal. Proving cardholder fraud with internet based transactions, especially when you're selling a service instead of a tangible (shipped) product, is next to impossible and the merchant will almost always lose.

OTOH, when someone used my credit card to order $600 worth of Victoria's Secret merchandise online a few years ago, it was nice that all I had to do was fill out a form on my bank's website to dispute the charge and get my money back. I still have that card, with the same number, and it's never been abused since. I always wondered where they got it from, and why they only used it once.

Not the same "RFID"

[RzUpAnmsCwrds]

The MasterCard system, like all of its type, uses the ISO/IEC 14443 contactless smartcard standard.

ISO 14443, unlike most RFID standards, is a cryptographically strong system that renders easedropping useless.

Re:Not the same "RFID"

[Panaflex]

Yeah, this is GREAT crypto guys! I have to disagree, as there's plenty to be said here.

From TI:
using National Institute of Standards and Technology (NIST) approved crypto algorithms, including Triple DES and SHA-1

Ok, my limited crypto background says that TDES and SHA1 are headed towards the junkyard. Not that it's trivial to brute force these guys - but there are some SERIOUS questions on the long term usage of these algorithms.

To wit: A system built on these algorithms should not expect security beyond a few years. It's not computationally worth it NOW, but perhaps in 5 years it may be trivial to breach.

AES is much more secure and faster than TDES. It is more complicated circuit wise, but certainly doable. Additionally, the SHA1 algorithm is under heavy scrutiny now, and short plain text lengths may have heavy collisions with other viable texts. Remains to be seen.

Reguardless, if I were developing a system for the next 10-20 years I would certainly aim a little higher than TDES - just my 2 cents.

Pan

Re:Not the same "RFID"

[Detritus]

DES, and its variants, have the advantage of not having succumbed to decades worth of cryptanalysis. AES may be better, but it is relatively new, and hasn't received the same amount of cryptanalysis as DES. New isn't always better.

Re:Not the same "RFID"

[Panaflex]

Forgot my source for the crypto info. [ti.com] First item listed is "New ISO 14443 Solution for MasterCard PayPass(TM)"

Re:Not the same "RFID"

[PowerKe]

So 2 people need to work together to steal some money. One stands close to the victim and the other walks over to the cashier. Instead of recording the signal you now proxy it. The one at the cashier picks up the signal from the reader and uses a wireless transmitter to get the signal to the person by the victim who sends the data to the card. Send the response from the card back to the reader and you're done.

Protection available already!

[gaetan-g]

A company called Taiyo (located in Shibukawa city, Gunma prefecture) recently developed a super thin (0.4mm) credit card size device for skimming protection. Consumers put it on top of RFID cards to prevent the cards from secretly read by strangers etc. It's called "Skimming Card" (though I would rather call it "Anti-Skimming Card"). What's interesting about it is in how it works -- When (Anti-)Skimming Cards are exposed to electro-magnetic fields created by RFID readers, they create excess electric current in it and actively create "reverse" electro-magnetic fields that is approximately the same strengths as the readers' fields, thereby, prevents RFID readers to read RFID cards. We can relax now :-)

PayPass vs. Octopus

[fuzheado]

Here in Hong Kong, we've had one of the earliest and most successful RFID "touch card" payment systems in Octopus Card [wikipedia.org], but here's why I'm wary of PayPass:

• It's a credit card, which means the limit is theoretically your credit limit of thousands of dollars. (Yes, I know they say it's for transactions under US $25, but do I trust their software?) The Octopus system is anonymous and stored value. You can only lose as much cash is in the card, which is typically less than US $15.

• It doesn't display much information about the transaction. Octopus displays how much has been deducted, and how much is left on the card. For PayPass: "When you present your PayPass card to the terminal, you will see a series of lights on the terminal. When all the lights have lit, you will know that your card has been properly read. If you want a receipt, simply ask the clerk to give you one--it is available, should you request it."

#include coolsig.h

Re:PayPass vs. Octopus

[Motherfucking Shit]

PayPass vs. Octopus

I can't wait until these two companies eventually merge. "PayPuss: Don't leave home without it."

Soooooo lame, make it stop!

[TheLittleJetson]

by simply waving their cards at readers posted near cash registers

Is it just me, or is waving your card in front of a reader pretty much the exact same motion as swiping it in a slot?

RFID can be secure.

[Serious Simon]

It won't be so easy to copy an RFID credit card as many people here seem to think.

ISO14443 RFID cards have been on the market for years and are often used in public transportation. These have a range of at most 10 cm and implement challenge handshake encryption such as triple DES.

So you can only communicate with such a card if you have the proper encryption key. And if you manage to intercept the communication between such a card and a legitimate reader, it will contain no meaningful information unless you are somehow able to break the encryption.

This is easier how?

[el_womble]

Chip and pin was bad enough. Clerks still handle my card, and from a mugging perspective, its far easier to beat a 4 digit pin out of me, than the ability to write my signiture (at least forgery was skill?). But chip and pin does represent a step in the right direction (one step backwards, two steps forward). Not using a clerk to verify your identity is probably a good move in the long run, and keeping the pass phrase in plain site was never a good idea.

What I'm not sure about with these RFID is where is the feedback that the transaction was successful? If you still have to wait for the terminal to handshake with the central database and process the transaction, it still takes as long as a conventional credit card - then there is no improvement. If there is no identification process, short of possessing the card how is that better for my security? If its part of the build up of biometric ID, is that really going to be any quicker, more convient or secure than using a human to identify another human.

My girlfriends father has banked with the same branch his entire life. When he walks into the bank the people know him. Now don't get me wrong, he "Hates the bastards", but he won't change branches because, when he sent his new accountant into withdraw some cash, they took the accountant to one side and refused the transaction until they had verified his identify via a phone call. It was quick and painless. The trust was human, the identification was human.

The interesting thing about that story is that it identifies the absolute reason we need human trust mechanisms (because they work and are intuitive) and the absolute reason we need automatic trust - I don't want to have to make friends with every clerk/manager in the world before they'll accept my credit card - and I want the freedom to change banks.

I don't think RFID for credit cards is a good idea. In fact I don't think credit cards are a good idea - they are a hack. They are a machine readable identification tool - what we need is a technology that identifies you by looking at you, talking too you, smelling you. If my moms Lhasa Apso (possibly the stupidest breed of dog on the planet) can identify me from a line up then at some point we need a technology that has a similar capability.

Do you carry just ONE credit card in your wallet?

[Mike_K]

I don't think the expected ease of use will be nearly as much as predicted by people who want to push this technology.

I carry three credit cards in my wallet. I don't really need the third one, but I always try to have at least two, just in case my primary card doesn't swipe correctly, goes over limit, or becomes otherwise useless.

So what will happen when I wave my wallet with three CCs in it in front of the reader? It'll probably ask me which card I'd like to use... Now I have to read the options (how many people carry 6 or 7 CCs in their wallets?!) and find the one I like and select it. Or just take it out of the wallet and swipe it. Which one will you chose?

Plus, this may make lives easier for women who can just wave their purse in front of the reader, so they don't have to take out the wallet and then the CC. But most men I know carry their wallet in their back pocket, and I don't think stores will be happy with men sticking their butts up to the readers on the counters. And if I have to take out the wallet, I may just as well take out the CC...

Just a couple of thoughts..

m

A problem I see...

[iamdrscience]

The thing about this is that there are a lot of people that have multiple credit cards. If these are keyring style cards, they'd all be close enough that it would be a real hassle to make sure that the right one is getting read.

Another problem I see if these are keyring "cards" is that, well, having a bunch of shit hanging all over your keychain is a pain. In the future will we all have big janitor-style keyrings hanging off our beltloops?

This nails the problem... mod parent up!

[Goldenhawk]

I already replied on this thread, or I'd mod the parent comment up a notch. A lot of folks have been griping about the reader not being able to handle multiple cards in your wallet simultaneously, when really RFID is designed to do that just fine. In fact, the problem, as "iamdrscience" has identified, is precisely the OPPOSITE problem - RFID is a little TOO good at multiple simultaneous identifications. He's right - how do you prevent the system from reading the wrong card - or multiple cards - and double

Cause we all know...

[Lispy]

the hardest part about paying something was the signing part not the weeks of labour that went into earning the money in the first place. :)

Big flaw in their thinking

[tod_miller]

Why would I want the worry an security, and the act of stupidly waving my card over a petrol pump like an access card when I can just swipe it.

Card swipe... card... swipe the card... hurray.

The same result, no complex expensive worries about security. I can just hear their security chief now:

"The RFID cards will be secure, because we will use a *really* big number in the cards..."

"Bigger than... erm... one kajillion million fafillion bajillion?"

"Yes sir!"

"*evil laugh*"

"*evil laugh*"

I am expert! BTW this isn't a mvoe for technology, they will use RFID as a marketting bait to get more credit card customers, think about it, what other reason than to get people to sign up for the new 'wow' rfid card.. yeah, give us your debt.

To confirm you're not a script,
please type the word in this image: expert

random letters - if you are visually impaired, please email us at pater@slashdot.org

What's the incentive to change for each party?

[200_success]

Let's face it: traditional credit cards suck because they are hampered by concern for backward compatibility with 1970s technology. If one were designing a credit card system today, it wouldn't be based on an embossed number and magnetic stripe. The number is there for remote transactions (using the expiration date and possibly the 3-digit CVV as a plaintext "password"!). With today's technology, remote transactions should be handled using a challenge-response system or one-time-use numbers such that the retailer can authenticate the cardmember without gaining enough information to impersonate the cardmember. The number on the card is embossed for use with the carbon-copy rolling machine. When was the last time a retailer carbon-copied your card, asked for photographic ID, and looked through a blacklist of stolen card numbers? And the magnetic stripe would certainly be replaced by a smart chip, which is much harder to clone because it can do challenge-response.

The infrastructure of the credit card network has improved, slowly. Nearly all point-of-sale equipment now performs real-time authorization. In Europe, the magnetic stripe is being obsoleted by contact smart chips. However, the benefit of the new technology must be significant enough to justify upgrading the huge worldwide network of equipment. So what's in it for each party to adopt RFID for credit cards?

• Retailer: The store wants to minimize the likelihood of chargebacks while being quick and friendly to the customer. In addition, the card reader needs to be cheap, since they have to buy or lease the equipment. They have all adopted real-time authorization because it eliminated a lot of fraud. In countries where magnetic stripe cloning is prevalent, they have already acquired contact smart chip readers. The only ones who would be interested in RFID might be the industries clustered around the American car culture, where every second counts: tollbooths, fast food/coffee places, gas stations.
• Issuing banks: The bank wants secure cards that can be issued cheaply. Although most of the risk of fraud is borne by the retailers, the banks do assume some liability, not to mention the expense of running the call center and the fraud check departments. Although the RFID signals might be intercepted and cracked, I think that thieves will prefer to steal credit card numbers by other means (the same security holes that are there today will continue to exist for backward compatibility). The RFID chip is relatively cheap, so they might go for the new tech. Or Mastercard could force them to embed RFID in the cards.
• Cardmember: The typical cardmember mainly cares about convenience, with security as a secondary concern. Being able to wave your entire purse or hump your butt against the contactless card reader is marginally more convenient, assuming that the signal can overcome shielding and interference problems. If RFID cards become common, you'll have to specify which of the several cards you are carrying you want to charge, or there it's possible that it will read a card other than the one you intended to charge. So I don't think you would really be saving any time. However, cardmembers are not really in any position to promote or protest technological decisions -- you just get to use whatever card comes in the mail.

In short, credit card technology advances slowly, with the retailer network being the bottleneck. Can they be convinced to upgrade? In my opinion, I think not.

I also think that RFID offers practically no advantage over contact smart chips, and that it would be pointless to add yet another standard. Wireless will never be quite as secure as contact. The network needs an overhaul, but this is not it! The credit card companies should be pushing to remove the card number and magnetic stripe in favor of the smart chip, instead of adding RFID.

Kneejerking?

[Malor]

From what I can see, these don't appear to be RFID cards. They seem to be using an encrypted signal with a handshake. An simple eavesdropper shouldn't be able to do anything with the data he snoops, because all he's going to be able to see is the key exchange and then the encrypted bitstream.

It's just using the air to transmit encrypted information instead of a wire. As long as the encryption is good, the simple fact that it's broadcast instead of being on a wire shouldn't matter.

Ok, that said, I could see one potential attack vector, in that a bad guy could theoretically initiate a key exchange and swipe some cash from you. If all it takes is being nearby with an inductive field to power the card, then a fraudulent charge would be pretty easy to make. The virtual equivalent of pickpocketing. If you did it in small amounts per card, you could walk through a crowd with your portable gear and make hundreds of dollars an hour.

One idea to work around that would be requiring the user to hold the card in two specific places, on opposite sides. Thumb on one side, finger on the other, touching big gold contact points. If the card can detect the proper grip (very trivial technology), then it is active; otherwise, it refuses transactions. That should prevent 'pickpocketing'.

Basically, there needs to be a way for the user to announce 'yes, this is an authorized charge' other than simple proximity. The Kung-Fu Grip is one possibility... there must be others. Heck, the cards may already DO this. The actual technical data seems exceedingly scarce.

Snooping, at least, doesn't appear to be a potential problem.

Four points from oblivion

[Fantastic Lad]

A standard trip to the mall twenty minutes into the future. . .

1. A ten cent charge for entering the mall doors.

--After all, it takes HARD WORK to make and install doors! Somebody had to design and build them! Do you feel you are so special that you shouldn't have to pay for the privilege of using doors? Jeez, it's just a dime. (Though, that price can change once the populace has been acclimated to being dinged for simply walking. I'm sure that, as per usual, there will be a host of worthy Slashdotters eager to argue on behalf of the corporations; who can be counted on to cry 'Thief' whenever somebody wonders why they can't use doors for free anymore; and who will happily parrot terms like, 'entrance-theft' once such terms have been appropriately astro-turfed into place by the corporate PR monkeys.)

2. People think that RFID is a close-range affair and so are lulled into a false sense of security. While it is true that an RFID chip does need to be within a few feet in order to be charged by a magnetic field, the signal it subsequently transmits can be picked up by satellite.

3. If there is no third element involved in the transference of data, (a pin number held in the user's brain), then any sneaky person with a satellite or closer range receiver can 'over-hear' all the info s/he needs to access an account and make a fraudulent purchase.

4. The big corporations and big government know all of this and are eager to have it all in place. The more base-level fear there is humming in the background, the more easily controlled a population becomes and the better fed the overseers are. Fear is food.

-FL

Re:As a MasterCard customer...

[cra]

More like on the back of your jacket where you can't see who is taking a note of you number.

Re:As a MasterCard customer...

[Joe Random]

It's like walking around with my card number tattooed on my forehead.

So? It's likely that in an RFID credit card system your account number will not be a very interesting piece of data. What the crooks will need is your private key, which will not be broadcast by the card.

Merchants, I'm sure, will not process transactions unless the card passes a challenge/response cycle based on the private key encrypting or signing some data, with the public key available from bank itself for verification purposes. So someone having access to your card number would be a non-issue. They'd have to have physical access to the card itself, which would make it more secure than the current system.

Re:As a MasterCard customer...

[Burning1]

Fine. Just relax: I'm sure they are going to give you the option.

Re:I'm an honest person... I'm an honest person...

[rincebrain]

I agree. It's so very sad how many people believe in the inherent security of all systems, without any evidence...

It's even sadder, however, how many system developers don't care, or don't have the knowledge to implement it.

Re:Brings a whole new meaning to drive throu...

[jamesh]

Many many people are posting along these lines. Do you all really think that Mastercard hasn't already thought of this and solved it???

A simple solution would be to have an RSA key + engine on the card, so that the 'scanner' issues a challenge to the card and if the card can supply the decrypted string then it passes. A limit of 1 challenge per 30 seconds would stop anyone getting any useful data out of it. Presumably this is do-able using today's technology... or would an RSA engine use more power than cou

Re:Maybe not now, but soon enough...

[Concerned Onlooker]

Correct me if I'm wrong, but doesn't RFID technology work similarly to sonar?

No. You'd have to be bats to use sonar.