Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Chase Deploying "Touchless" Credit Cards

CowboyNeal posted more than 9 years ago | from the trust-us dept.

The Almighty Buck 373

Rick Zeman writes "As reported by Money Magazine, J.P. Morgan Chase, the US' 2nd largest bank, is rolling out 'contactless' credit cards, presumably using RFID technology. 'The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers' which leads me to wonder if the next crime wave of the future will be criminals walking through crowds with readers to grab customer info. Chase says, however, that 'new cards are embedded with encryption software to prevent duplication and data theft' but since RFID has been cracked before, and the criminals are usually more clever than the vendors...."

cancel ×

373 comments

Sorry! There are no comments related to the filter you selected.

why not (5, Insightful)

Festering Leper (456849) | more than 9 years ago | (#12584941)

store it in a shielded sleeve until you use it?

Re:why not (0, Troll)

TykeClone (668449) | more than 9 years ago | (#12585001)

Do you keep your credit or debit cards in a protective sleeve now? Why would that be any different?

Re:why not (5, Funny)

gkuz (706134) | more than 9 years ago | (#12585080)

Do you keep your credit or debit cards in a protective sleeve now?

Yes. It's called a "wallet".

Re:why not (1)

pyrrhonist (701154) | more than 9 years ago | (#12585130)

Do you keep your credit or debit cards in a protective sleeve now?

Yes, actually. I'm not just being facetious and suggesting the sleeve is my wallet either. I actually have each one of my cards in a sleeve inside my wallet.

No, I'm not paranoid; it just keeps the magnetic strips from being rubbed off (which used to happen to me all the time).

So for me, keeping the new cards in a some kind of sleeve wouldn't be any different than what I do now.

Re:why not (0)

Anonymous Coward | more than 9 years ago | (#12585177)

Magnetic strips haven't been prone to rubbing off in years. Perhaps that's why the only people I see who have to laboriously pull their cards out of those stupid sleeves are old farts.

Re:why not (1)

TykeClone (668449) | more than 9 years ago | (#12585243)

I do the same - it does keep the cards in better shape considering that I sit on them for more than 8 hours a day.

LED On A Merry J.P. Morgan Chase (0)

Anonymous Coward | more than 9 years ago | (#12585034)

store it in a shielded sleeve until you use it?

Actually, the card uses some of the scan energy to signal that it has been accessed... With the new laws in Florida, [washingtonpost.com] you'll be able to just shoot into the crowd when you get an unauthorized access.

Re:why not (2, Insightful)

Albinofrenchy (844079) | more than 9 years ago | (#12585073)

So we are going to take out our "Touchless" credit card when we want to use it? Seems familiar... oh wait, thats what I do now...

Re:why not (4, Funny)

Mr. Bad Example (31092) | more than 9 years ago | (#12585076)

I prefer to store it in a shielded sleeve before I use it.

Oh...you're talking about your credit cards. Sorry. Carry on.

Re:why not (1)

CypherXero (798440) | more than 9 years ago | (#12585254)

Mod parent up, this is a perfect idea to protect RFID cards.

fp (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12584943)

first pr0st!

Few Details (5, Informative)

AKAImBatman (238306) | more than 9 years ago | (#12584944)

The article doesn't give too many details, but my guess is that this is nothing more than a SmartCard [wikipedia.org] , similar to the American Express "Blue" card. SmartCards have had contactless technology for nearly a decade that utilize induction technology to communicate back and forth. The reader on the terminal is then able to talk to the microprocessor on the card, usually sending information that is then verified using encryption technology. (Think: public key encryption.) As a result, it's not possible to just run around and collect the info from cards, because they'll never give out secure information. They only give back cryptographically secure results. (At least, that's how it's supposed to work.)

Note that existing contactless technology is sufficient for this credit card, with a maximum range of up to 10cm. Such technology is supposedly already in use in Europe. (Europeans care to share your experiences?)

That's my guess anyway. I'm sure someone else can add a few details or make corrections.

Re:Few Details (2, Interesting)

Goeland86 (741690) | more than 9 years ago | (#12585049)

Wouldn't this technology also be safer for the RealID cards rather than RFID? It's still contactless, though not readable from 40 feet like some RFID tags. I hope that's what the FBI and NSA had in mind, instead of RFID, 'cuz otherwise I'll sue them both for knowingly facilitating identity theft. I wouldn't mind the government being able to read cards without contact, as it imposes less wear on the readers AND the cards, thus saving US money. As for Europe, I was there last month, and the reader wouldn't take my US visa card because it was lacking the safety chip from EU banks, and I had to be served by the clerk instead... Which was a royal pain. It definitely wasn't contactless though.

Problem is they use weak encryption (0)

Anonymous Coward | more than 9 years ago | (#12585109)

These contactless cars probably use weak encryption .. and so they'll be cracked .. and then consumers will lose confidence..

I'm willing to bet that they use dumbed down encryption .. corporations are always cheap .. I have no doubt they opted for low grade "encryption". If they give me one of these cards I'm throwing it away unless they tell me exactly what the protocol is and the type / bit strength of the encryption.

Re:Few Details (1)

John Harrison (223649) | more than 9 years ago | (#12585151)

This is using contactless smart cards. This is distinct from RFID and has more security features. It is a partial implementation of EMV, which has been used for years in Europe. If you are paranoid, put a few strips of tin foil in your wallet.

Re:Few Details (1)

AKAImBatman (238306) | more than 9 years ago | (#12585193)

??? Why did you just repeat what I said?

Re:Few Details (1)

lowrydr310 (830514) | more than 9 years ago | (#12585153)

Anyone ever hear of Mobil SpeedPass or EZPass? My guess it would work just like these. How secure are these and have they ever been hacked?

Re:Few Details (1)

r2q2 (50527) | more than 9 years ago | (#12585277)

There was a slashdot article on this before. The website with the papers (By RSA laboratory) is at http://rfidanalysis.org/ [rfidanalysis.org]

Re:Few Details (0)

Anonymous Coward | more than 9 years ago | (#12585172)

The problem is that unlike normal RFID cards, contactless smart cards can only be read from a very short range. The power requirements of strong crypto are too much for any kind of long range reading. The card would have to be almost in physical contact with the reader to get enough power, much like the wireless PDA recharging systems that only work over a few inches at best.

Re:Few Details (5, Informative)

hawado (762018) | more than 9 years ago | (#12585212)

I worked for a company [lecip.co.jp] , here in Japan where thre use of these type of contactless smart cards is wide spread, which used this technology for fare collection. The bigest problem I had and still have with the system here is that you load up your card with virtual money. So in essence you pay before you play.
We used these cards to sign in and out of work as well as to pay for lunch at the cafeteria.
A number of phone manufacturers here are also putting this technology into their phones so you can swipe your phone to pay for things at stores. The main supplier of the actual chip is sony, under the namefelica [sony.net] .
Now here, it is impossible to use your bank card to pay for anything. The service is just not avaliable as it is in North america or Europe.
As to the security of the smart cards, the only information on the card is your personal account number and how much money you have on the card. At the end of the day, on mobile fare collection systems anyways, the data is transfered at the depot to a server which updates the main account information. As to store systems, the data is retrieved immediately from the server and updated.
If your card is stolen or lost, it is like loosing cash at least until you call the card issuer and they freeze the account.
I am not sure about how this may affect the magnetic strip on most credit cards, but a magnetic field generates the electrical power required by the chip on card to 'transmit' the data to the reader.

transaction approval (2, Interesting)

j1m+5n0w (749199) | more than 9 years ago | (#12585241)

How does the card know that it's owner approves of a particular transaction? From the card's perspective, there's not much difference from running it past a walmart scanner and getting pickpocketted by a card reader with a high gain antenna from a hundred feet away. With a magnetic strip card (horribly insecure, but in different ways), running the card through a reader implies the user's consent, but if that's no longer required, there needs to be some other way to validate the owner's intent to conduct a transaction.

The only way I could see this being secure is if the card itself had a display with the dollar amount and recipient, and a yes/no button. Perhaps they have this, does anybody know?

hmm (0)

Anonymous Coward | more than 9 years ago | (#12584949)

Sounds no harder to steal money than today's current credit cards.

Can't be all bad (2, Interesting)

FlyByPC (841016) | more than 9 years ago | (#12584953)

I'm sure there will be RFID security issues, but the trend does remind me of a commercial I saw a few years back. I forget the company (real effective, then, huh?), but the gist was that this Gen-Xer walks into a supermarket, starts stuffing TV dinners in his trenchcoat, then walks out. The security guard stops him, but just hands him a receipt.

I kinda like the idea. Grovery shopping without having to deal with all that pesky human interaction. Qool.

Re:Can't be all bad (1, Informative)

Anonymous Coward | more than 9 years ago | (#12584992)

IBM ad.

Choices... (2, Insightful)

cd_serek (681446) | more than 9 years ago | (#12584955)

Having to waste 5 seconds looking through my wallet for my Credit Card, and having to manually swipe it...

vs.

Having my Credit Card details stolen and sold.

I think the choice is easy.

Re:Choices... (4, Informative)

AKAImBatman (238306) | more than 9 years ago | (#12585070)

How about option 3?

3. Being able to wave your credit card while simultaneously keeping your CC data more secure than ever.

Don't mind the story submitter, (s)he's just making wild claims. This is probably contactless smartcard technology, which is far more secure than RFID. How secure you ask? Well, the card is only supposed to return crytographically secure results. i.e. You submit information to the card, it returns signed results. No data that could be usefully stolen is transferred. At least, that's the theory, but at least it's had a few decades to mature. :-)

Re:Choices... (1)

berj (754323) | more than 9 years ago | (#12585094)

ly supposed to return crytographically secure results. i.e. You submit information to the card, it returns signed results. No data that could be usefully stolen is transferred.

Yep.. can't steal the data.. but what about the *money*?

Re:Choices... (1)

AKAImBatman (238306) | more than 9 years ago | (#12585173)

but what about the *money*?

Because all your money is stored on your credit card, right? Think about it.

Re:Choices... (3, Insightful)

raehl (609729) | more than 9 years ago | (#12585192)

Having to waste 10 minutes walking to the store...

vs.

Getting sideswiped by a semi on the way to the door and getting killed.

Your comparison is a bad one. You need to add up all those 5 seconds you save and compare them to the time you'd spend fixing it if your information got stolen times the odds your information gets stolen.

Let's also keep in mind how easy it is to steal your credit card information as it is. The number is written RIGHT ON your card. Every cashier you ever give your credit card to has access to that number.

And when that cashier runs the card, what happens? It dials up to the central server and sends your personal information over the phone line. If you're confident with encrytpion to someplace perhaps thousands of miles away, why are you not comfortable with encryption to something 10 inches away?

The fact of the matter is, getting bent out of shape about contactless transmission is silly. Either the encryption method used is good, or it ain't. You don't need to worry about physical layer compramisesif your transaction layer protection is good.

Also, there are other savings here than just your time: Contactless transactions are chepaer to process than signed paper credit card transactions. Merchants can save a lot of money not having to pay cashiers to sit there and watch you sign the receipt, and credit card companies can save money not having to archive those pieces of paper.

Economic efficiency is good for everyone.

Watch out! (3, Funny)

E IS mC(Square) (721736) | more than 9 years ago | (#12584956)

Your fingers or eyes (what whatever part of your body they are going to use for authorization eventually) are in danger!!

Re:Watch out! (1)

fitsnips (187974) | more than 9 years ago | (#12585110)

umm your a littel behind the times. we are already using fingerprint tech.

http://paybytouch.com/ [paybytouch.com]

You Bet Your Ass Biometric Mutilation Theft Solved (0)

Anonymous Coward | more than 9 years ago | (#12585125)

Your fingers or eyes (what whatever part of your body they are going to use for authorization eventually) are in danger!!

This is why we should put our biometric research dollars into rectal printing. Sure, they could simply take it, but not many would.

Now people can swipe my card info just walking by (1, Redundant)

skitz0 (89196) | more than 9 years ago | (#12584958)

How long before people get portable readers and walk down the street collecting card info.

RTFS (1)

iammaxus (683241) | more than 9 years ago | (#12584983)

Ok, not clicking on a link and reading an article before commenting on an intriguing summary is understandable, but not even finishing the
Read The Fucking Summary

Re:RTFS (0)

Anonymous Coward | more than 9 years ago | (#12585135)

The real issue is not people stealing your CC# (I'm assuming that does not get transmitted in the clear), but rather people opening a merchant account with fake ID, then standing in a local mall witha portable terminal, scanning and billing people $39.95 for "massage" or something. By the time the first people complain, the theives have had a month or two to gather money, and disappear.

without R'ingTFA, I'll finish the statement.. (1, Funny)

brxndxn (461473) | more than 9 years ago | (#12584963)

...a brand new set of legal case templates will be opened up to the money-grubbing lawyers. And, there will be more lawyers!!! YAY!!!

Lazy Comsumers (0)

Anonymous Coward | more than 9 years ago | (#12584964)

Wait...so what is the inconvenience of having to slide a little plastic card and sign a little piece of paper? Are consumers really THAT lazy...?

Not RFID (0)

Anonymous Coward | more than 9 years ago | (#12584969)

It's not going to be RFID. RFID tags are not the same as contactless smartcards. Contactless smartcards are inherently more secure.

Europe (4, Interesting)

Nexum (516661) | more than 9 years ago | (#12584971)

The new payment method doesn't require a customer signature, making it more convenient and time-saving for consumers

In Europe we have the chip & pin way of using credit and debit cards at Point of Sale. No signature required, but there's not really a time saving involved. When it comes to RFID credit cards though... well, the US can keep them IMO - there's no way i'd be willing to carry one of these, no matter how confident or assuring the bank tried to be.

Re:Europe (0)

Anonymous Coward | more than 9 years ago | (#12585186)

This is more likely a contactless smartcard [wikipedia.org] rather than RFID. [wikipedia.org]

I don't think it's possible to be absolutely sure from the few details in the story, though.

Re:Europe (1)

andy jenkins (874421) | more than 9 years ago | (#12585265)

Having had my card details circulate Beijing and being alerted then fully reimbursed by my credit card company I'm quite happy to carry a card that's easier to use. After all this sort of security puts the control even more in the hands of the issuer and makes it even harder for me to be negligent.

Hmmm, I have a new business idea.. (2, Interesting)

multi-flavor-geek (586005) | more than 9 years ago | (#12584972)

Well why phish in the comfort of your stinky computer room with thousands of emails when you can fish from your laptop while drinking a latte'.
I certainly hope that someone will figure out how to crack this and then takke the high road and show the consumers all of thier credit card info so they can cut the damn things up.
Also, is there any feasibility to just sending the reply that rfid would be responsible for from your laptop and ignoring the tag altogether. I am sure I havce done worse things.

Oh, by the way, am I the first post?

Re:Hmmm, I have a new business idea.. (1)

mattmatt (855592) | more than 9 years ago | (#12585264)

Oh, by the way, am I the first post?

No.

It's easier than paper money. (0)

Anonymous Coward | more than 9 years ago | (#12584973)

Hmmm.. let me see, the new card doesn't require a signature and has 'encryption'. A signature is not conclusive but it is still a time tested way of verifying authenticity, and this system has been working successfully for centuries now.

I won't be surprised to see over the next few years, ID thieves roaming around gathering card data over the air using RFID readers, manufacturing new cards and using them. This could be a pretty lucrative industry. I'm betting we're also going to see a huge increase in the number of cancelled cards and payment disputes.

Interesting times ahead. I only hope other banks don't follow suit.

To be fair (5, Interesting)

hoka (880785) | more than 9 years ago | (#12584978)

You need to be at a relatively close range to RFID to get a "solid" reading. Sadly a lot of people are under the assumption that you can basically just pull out a huge giganto RFID reading cannon and know what an entire house worths of data is. It isn't true, and RFID is frankly not really that robust of a technology yet. It would not surprise me in the least if a lot of these cards end up failing due to extremities that cause deformities in the RFID, rendering it completely useless. Me personally? I'm sticking to my card that I have to slide, not that it is necessarily any safer.

Re:To be fair (2, Funny)

gkuz (706134) | more than 9 years ago | (#12585060)

lot of these cards end up failing due to extremities that cause deformities in the RFID, rendering it completely useless

What are you talking about? Extremities that cause deformities? Is this when your ass is so fat it deforms the credit card in your wallet?

Re:To be fair (1)

hoka (880785) | more than 9 years ago | (#12585206)

RFID technology simply isn't robust, it hasn't been well developed enough. Certain clothes makers are noticing that throwing RFID tags through the wash just once will be enough to destroy a good percentage of them.

Re:To be fair (0)

Anonymous Coward | more than 9 years ago | (#12585137)

Mobil speedpass works ok for me .. never had issues. Yeah i know it's cracked etc. blah blah .. thats the encryption they used.

Re:To be fair (0)

Anonymous Coward | more than 9 years ago | (#12585154)

You need to be at a relatively close range to RFID to get a "solid" reading.

"Relatively close" means anyone who brushed up against you in a crowded mall.
It can also mean setting up a larger/more powerful/more sensative device and standing to one side of a hall as people walk by, no contact required.

I KNOW OF AN OPEN PROXY, PLEASE REPRIMAND ME! (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12584981)

Make an example of me. Mod me down.

Thanks in advance for your assistance.

No! (0, Offtopic)

Anonymous Coward | more than 9 years ago | (#12585005)

Please, fellow modders. Do not waste your points on this parent post.

We shan't encourage behaviour such as this. It's pretty repugnant.

RFID required for club savings (0)

Anonymous Coward | more than 9 years ago | (#12584982)

How long will it be before Albertson's, Tom Thumb, and Safeway require RFID tags in order to save avoid paying a 15% markup?

not about cleverness (1)

Diabolus777 (663144) | more than 9 years ago | (#12584996)

the vendors are not stupid.
they know fully well the pitfalls of security, but the marketing departments dictate the selling pitch to the public, and, well, they can pretty much lie all they want it seems.

business and profit before customers.

Re:not about cleverness (1)

NineNine (235196) | more than 9 years ago | (#12585165)

That is why all you Best Buy whores should shop at your local retailer.

Oh wow! (1)

skyshock21 (764958) | more than 9 years ago | (#12585032)

Let's just say *I* won't be an early adopter! o_O

Armchair cryptographers; Slashdot AP wire (1)

SuperBanana (662181) | more than 9 years ago | (#12585035)

Chase says, however, that 'new cards are embedded with encryption software to prevent duplication and data theft'

Gentlemen, start your armchairs!

but since RFID has been cracked before, and the criminals are usually more clever than the vendors...."

...and we have Ignition!

Seriously, until we know the specifics, much of what anyone says in this story will be silly posturing and armchair engineering. It's also pretty hilarious to see a slashdot reader questioning the qualifications of a bank's security- do you honestly think they'd put their reputation (critical to a bank) and money on the line, without having the whole thing rather thoroughly evaluated by security consult firms? I'm not saying they're perfectly qualified, but I am saying they're a tad more qualified than the general slashdot readership, myself included.

It would have been nice if Slashdot had, say, gotten the inside scoop on some more details- instead of being about 12 hours behind the AP wire (I read about it this morning. And to think one of the reasons on the Slashdot FAQ for "not notifying people they're about to get slashdotted" is "we don't want you to have to wait an hour"). I used to read Slashdot for stories that have more detail/insight than AP stories, or beat them to the punch.

Now it does neither.

Re:Armchair cryptographers; Slashdot AP wire (3, Funny)

mr_snarf (807002) | more than 9 years ago | (#12585160)

I design armchairs for a living you insensitive clod!

Re:Armchair cryptographers; Slashdot AP wire (3, Funny)

Joe Random (777564) | more than 9 years ago | (#12585261)

I design armchairs for a living you insensitive clod!
*sigh* A golden opportunity wasted. The correct response to the phrase "armchair cryptographers" would have been, "I encrypt armchairs for a living, you insensitive clod!"

Re:Armchair cryptographers; Slashdot AP wire (0)

Anonymous Coward | more than 9 years ago | (#12585232)

Seriously, until we know the specifics,

Well, that in itself is a story. Where is this information? A company is planning to deploy millions of these things across the country, and they don't seem interested in giving out technical details or advertising any sort of independent evaluation. If they are using strong encryption, it should be very easy for these companies to answer security concerns from the get go. And yet I've scoured the companies' fact sheets and done a number of web searches in order to get some idea of what technology these companies are using, and I can't find much. I think a healthy dose of skepticism is called for, if only so that companies release more information in the future.

but do they really care? (1)

wooby (786765) | more than 9 years ago | (#12585057)

As far as I can tell, it seems like credit card companies currently don't care too much about who is using the card. My signature is checked against my card maybe 10% of the time I'm making a transaction. It's probably much easier for them to run through their database with a "fraudulent buying pattern" detection algorithm then crack down on the way the card is physically used, be it by signature or embedded RFID.

The fact that credit cards are often used online further nullifies the point of efforts for making credit cards more physically secure.

But then again, I've never been the victim of fraud.

Re:but do they really care? (1)

NineNine (235196) | more than 9 years ago | (#12585230)

You're right. Signatures are currently useless. They were not even designed to be used for security. They were designed to act as an agreement that you would pay the fees due (or your credit card company would). That's it. Now they're adding security to actually check if they are being used by the right person.

Still. Big deal.

Future /. Headline (1)

Roger_Wilco (138600) | more than 9 years ago | (#12585065)

I can see the headline now, from when somebody cracks this technology:

"Wave of the future breaks" :)

whatever (1)

mosb1000 (710161) | more than 9 years ago | (#12585071)

The solution is simple, make the card reader tied to a certain account at the credit card company, to which cards may debit only. Then you'll always know where the money ends up, and the security problem becomes one of bank security. Unless criminals have some reason to want to debit from someone else's card into someone else's account.

Re:whatever (1)

mosb1000 (710161) | more than 9 years ago | (#12585124)

no, that wouldn't work. Never-mind.

Re:whatever (0)

Anonymous Coward | more than 9 years ago | (#12585136)

Uh, what the heck are you talking about? Criminals debit someone else's card into someone else's account... that way they can, you know, purchase goods. Are you quite alright?

Re:whatever (1)

TERdON (862570) | more than 9 years ago | (#12585138)

Which is exactly what they would like to do. Debit cards are quite usual in Europe, and it's not unusual with credit card fraud involves "fake billings" of some kind (ok, it's quite usual card copying etc is a part of the fraud, but not really a necessary one - internet card frauds are quite usual too, where sometimes you only need the card #).

The work-around for this problem is to never, ever, have more than ~$500 on the account tied to the card. Also, all risks of the debit cards are a problem of the bank (if handle the card with care), but it's still annoying having to deal with the problems.

Re:whatever (1)

NineNine (235196) | more than 9 years ago | (#12585255)

That's the way it is now. Terminals are tied to a merchant service account, which is in by turn, tied to a bank account. That's how they work.

THIS IS NOT RFID (0)

Anonymous Coward | more than 9 years ago | (#12585082)

I DESIGN REGISTERS! BLINK IS A SMART CARD READER TECH!!!!!

contactless but u have to still slide it in!! kinda like my last date..

New way to get ripped-off (1)

drewzhrodague (606182) | more than 9 years ago | (#12585090)

Sounds like a new way to get ripped-off. Is the sack under the mattress such a bad idea?

No Problem - shield! (1)

profhaptic (885379) | more than 9 years ago | (#12585106)

A friend of mine came up with a clever workaround. Just make a little wallet or envelope of conductive material to hold the card. It will act like a Faraday cage and totally shield the card. When you want to use it you have to take it out though. Should work well for the new passports!

it might not be rfid (5, Interesting)

Naikrovek (667) | more than 9 years ago | (#12585126)

I've worked on wireless smart cards, that act similarly to rfid cards, but have very good encryption, even public/private key encryption. smart cards have their own computers on them, so you can have a challenge/response, or just about any kind of encryption you can think of.

those are just as hard to crack as PGP emails. Not at all easy.

Re:it might not be rfid (0)

Anonymous Coward | more than 9 years ago | (#12585197)

Seems very suseptable to a man in the middle attack. A totally passive man in the middle. A paired set of reader/emitters with a set of long range transciever. One man walks around the crowd another buys (assuming a retail situation).

Probably more secure (1)

plughead (664285) | more than 9 years ago | (#12585131)

I'm guessing that these things won't have any *human* readable numbers on them, which is a huge source of credit card losses now. If, as one poster suggested already, these are smartcard based and use some sort of public/private key encryption, then they might just be on to something.

I'm no fan of credit card companies, but they aren't total idiots. They're losing billions of dollars due to fraud and I suspect they've put rather a lot of thought into ways of preventing it.

fag0rz (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12585132)

Familiar with Easypass? (2, Interesting)

Exluddite (851324) | more than 9 years ago | (#12585133)

If you are familiar with Easypass you know how this will revolutionize things. According to one bill, our car passed a Parkway toll near the Atlantic City Expressway and entered the Lincoln Tunnel ten minutes later.

Get Outside the US People (1)

Kagato (116051) | more than 9 years ago | (#12585139)

Outside of the US merchants are manadated by Visa and Mastercard to move to a high encryption RF standard. Dispite what the credit cards would have you beleive, the US has extremely low credit card fraud. Because fraud provention work well no one is in a hurry to move in this direction.

In Europe organized crime is a big deal. In particular in the east. So much that the credit card companies have mandated EVERY merchant switch credit card terminals. If they don't switch terminals, they won't cover certain types of Credit Card fraud anymore.

Re:Get Outside the US People (1)

BarneyRabble (866644) | more than 9 years ago | (#12585248)

the US has extremely low credit card fraud. Because fraud provention work well no one is in a hurry to move in this direction.

What crack pipe have you been smoking recently?

There have been numerous cases of identity theft/credit card fraud here in the USA that have damaged people's credit ratings, not to mention their personal lives. And the thieves are getting quite clever at ATMS using tiny cameras, card readers to drain accounts, and other ways to thwart security. Sure the worst case scenario is that you, the credit card holder are not responsible for that first $50 of that transaction, but what about the rest of the damage the thief is doing?

Stop acting so naive.

Good point. (1)

WhatAmIDoingHere (742870) | more than 9 years ago | (#12585142)

Because you've heard about all the Mobil card information that's been stolen, right? Oh. You haven't? Right. Because there hasn't been any.

You have to touch the speedpass reader for it to work, that's the keypad one without a battery. The window one can be read at about 2' but all you're going to get is a number that Mobil matches up with an account. Nothing sensitive.

I'm sorry (4, Interesting)

mcc (14761) | more than 9 years ago | (#12585147)

I don't care how encrypted or advanced or "secure" it is, I don't want my credit card doing anything unless I've taken it out of my wallet.

And I would sooner change my bank to get a normal credit card than I would buy a wallet with a faraday cage built in.

not really sure what the problem is (0)

Anonymous Coward | more than 9 years ago | (#12585152)

Its not like these cards are storing SSN's or medical records yet.

If someone steels your card number, or what ever is on the chip, then call up customer service and demand they take care of it right away.

Not like almost all american banks arent FDIC inshured anyways. If it prooves to be to big of a problem, im sure theill pull the cards out of circulation.

fuc4 a troll (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12585156)

how it was Supposed but many find it

Low tech answer... (1)

Caduceus1 (178942) | more than 9 years ago | (#12585157)

Would it be that difficult to simple wire in a loop to a contact button, such that the induction circuit is open unless you press the button, and thus the induction field itself is not enough to read the card?

Motivation (0)

Anonymous Coward | more than 9 years ago | (#12585178)

A friend and I were arguing today about the motivation for these systems. First, the main advantage of contactless cards (in my experience) is that you don't have to dig them out of your wallet in order to use them-- think of the proximity card I use to get into my office building. However, this doesn't fly with credit cards, at least not if you carry several in your wallet. You still have to dig it out and hold it by the reader. So all you're really saving is a swipe, which isn't such a big deal.

My friend thinks that the motivation for all of this is to eliminate the need to check signatures, and to eventually place liability for fraud on the user. The idea is that stores like 7/11 don't check signatures because their employees aren't well trained, and Credit Card companies treat failure to check a signature as grounds for place liability on the store. He thinks that these new "secure cards" aren't so vulnerable to fraud, so credit card companies will bribe stores to buy new equipment by relieving them of the responsibility to check signatures. He believes that this will ultimately lead to a higher burden of responsibility on customers.

Possible scams (0)

Anonymous Coward | more than 9 years ago | (#12585179)

Got to wonder how it can determine a legitimate purchase from a bogus one. Point being what is to stop a store from charging you whether you buy anything or not. Remember that of all the pricing "errors" the vast majority are overcharges. Defies random chance. If ten percent of the customers were charged "accidentally" for a minor purchase how many wouldn't notice? May sound paranoid but stores have been doing things to eek out a few percent more in sales for a long time. How do you prove it's not simply a mistake? Like I say if even a small number don't catch the error or don't complain it could add up to a fortune.

What about a variation where a bogus vendor sets up at a ballgame and charges a few hundred or a few thousand fans for a rather expensive beer and hotdog. If enough people complain they will get caught but if they only do it for a few games and move on and the company is set up under a bogus name, how do you catch them? There's likely to be hundreds of variations on what seem to be legit purchases from bogus vendors. They want vendors to use the service so how do you properly police vendors?

Hong Kong's Octopus (4, Insightful)

G4from128k (686170) | more than 9 years ago | (#12585181)

HK has been using a contactless cash card [rfidjournal.com] since 1997 called Octopus [octopuscards.com] It's proprietary RFID system (built before the standard appeared), that seems to work quite well for public transport and retail.

Why the paranoia? (3, Interesting)

Joe Random (777564) | more than 9 years ago | (#12585182)

I just don't see why everyone is so afraid of RFID credit cards. Simply have the private key portion of a key pair stored in the card itself, with the public key in an easily-accessible database. When you make a purchase, the merchant sends a random challenge to the card, which then encrypts it with the private key and sends it back. The merchant verifies against the public key, and, if it matches, the transaction is approved. With a smart card, the only way to use my card is to have the physical card, in which case we're back to be exactly as secure as the current system.

I would think that /. geeks would be all over this. I mean, it's not perfect, but it would be a hell of a lot more secure than the current system. Right now, if I take my credit card to a restaurant, the waiter need only make a spare imprint of the card (and write down the verification number on the back). Later, he can pull out a phone book to get my address, and then he has all of the information he needs to use my card fraudulently.

I say "bring on the RFID credit cards". Simpler to use, and more secure than what's currently in my wallet.

Cool... (1)

J Mack Daddy (774273) | more than 9 years ago | (#12585183)

Now I can blink my bling

(ducks)

gives new meaning to "double swipe" (2, Interesting)

gooogle (643307) | more than 9 years ago | (#12585187)

Some retailers (Gas station employees mostly) will double swipe your card to charge you twice or swipe it through a personal magnetic reader which grabs and stores all info on your card which they use later to repro your magnetic strip. With RFID, an fradulent retalier would simply need you to walk through the door and have a concealed reader sitting within close proximity. You won't even know you've been charged until you get your bill at the end of the month. And to add to this, if they charged you 10 cents, would you go through the hassle of calling waiting on customer support for 10 minutes just to report a 10 cent charge you don't have?

There'll be a whole new array of attack vectors and frauds built around this. The insurance companies will up the premium, the credit card companies will be able to differentiate and compete, retailers will install new readers and a it'll give shape to a new industry.

Re:gives new meaning to "double swipe" (1)

Joe Random (777564) | more than 9 years ago | (#12585228)

With RFID, an fradulent retalier would simply need you to walk through the door and have a concealed reader sitting within close proximity.
The obvious solution is to have an on/off switch on the card. Not to mention that the range is likely to be only a few centimeters. To complete a transaction, simply take out your card, flip a switch and toss it on a reader pad. Add an inductively-powered LCD display, and you could even see the amount and be required to press a button on the card to approve the transaction.

Scamming (1)

jorts (882463) | more than 9 years ago | (#12585198)

I can't help thinking how easy it would be for someone with a mobile card-reader to walk through a crowd. I don't know if there's anything on the card to notify when to activate, but if not, it's a free for all.

I had a look 'round, and found American Express has a similar product, called "ExpressPay" (google it) - shaped like a key fob, rather than a card (much better, I would have thought). Their website makes no reference to anything else needing to be done. A scammer need simply swipe the machine past a user's pocket.I assume these cards are probably the same - swipe your scanner past someone's purse or pocket.

Also, does the reader indicate clearly what you're about to be charged? "That'll be $20", the clerk said, ringing up $200. I've had it done to me. I don't know if it was on purpose...

Re:Scamming (1, Informative)

Anonymous Coward | more than 9 years ago | (#12585250)

Shell and Esso both doe this, atleast in Canada.

The transaction information is challenge-response type, which is tied back to the credit card transaction itself. While it might be crackable, it isn't going to happen to the same extent the gas-jockey lifts credit card numbers, or the waitress 'borrows' it.

Whew. (0)

Anonymous Coward | more than 9 years ago | (#12585200)

Chase says, however, that 'new cards are embedded with encryption software to prevent duplication and data theft'

For a second I thought they were going to make the same mistake the MPAA did...

Heh, never. Humans learn from their mistakes. Right?

No Point (1)

Razzak (253908) | more than 9 years ago | (#12585205)

Unless you're also eliminating the ID check, this isn't going to save any time. Plus, I don't see the benefit of not having to swipe outweighing the problems with something that compromises security this much.

Further, this will make it a nightmare for law enforcement. Most credit card rings go through a retail location (i.e., a waiter jacks everyone's info, and someone else does the fraud). However, if you could just steal credit card info from people who you just brush up against, there'd be very little for authorities to go on.

Now if they only came up... (0, Offtopic)

Anonymous Coward | more than 9 years ago | (#12585222)

... with touchless priests...

Here's how it might work (2, Insightful)

Comatose51 (687974) | more than 9 years ago | (#12585226)

I was just thinking about this. I doubt banks will make it THAT easy for people to steal identity. Remember, it's money here we're dealing with and if it becomes too easy to steal the banks will lose money as well and customers' good will and trust, which you want in the finance industry.

In any case, I can imagine it working like this:
1. Terminal sends some string of random bytes, p.
2. Card processes it using some one way function f(p,q) and returns the value s where q is some secret info.
3. Terminal takes the results and sends p and s to the bank to verify. Bank runs f(p, q) and see if it matches s. If so, return true.

That's just a simple scheme I hatched up where you don't have to reveal your secret info to verify yourself. I'm sure there are much better ways.

I Smell Extra Fraud (1)

ad1 (881260) | more than 9 years ago | (#12585256)

Contactless Credit Card Charges = Contactless Credit Card Fraud

Phish-pocketing (2, Funny)

lawpoop (604919) | more than 9 years ago | (#12585268)

Nowadays, a pickpocket bumps into you to distract you from the hand going into your pocket.

In the near future, all that a pick pocket has to do is bump into you and he's got your entire wallet.

I dub this "Phishpocketing".

Contactless Tech, Old news? (5, Informative)

Hido (655301) | more than 9 years ago | (#12585281)

In Japan we have been using contactless technology for our daily needs for a while now. Good examples of the technology are Felica [sony.net] Suica [eurotechnology.com] and Edy [google.com] .

As much as the /. crowd has been all skeptical about this technology, over here I've not heard of anything happening that could make headlines for this and I personally have been using them for my daily commute needs and have never had any sort of problems with them.

Now its understandable that people are getting all finicky about something like this, but I say first try it out before you make a comments on about it. Its a lot better then walking around with a wad of cash and it sure as hell beats having to stand in line trying to by a ticket for anything from airlines to trains.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>