Would You Trust RFID-Enabled ATM Cards?

Cliff posted more than 7 years ago | from the bringing-new-meaning-to-'pick-pocketing' dept.

Security 214

race_k2 asks: "As a regular Slashdot reader I've followed the development and implementation of RFID devices in many ubiquitous areas such as clothing, passports and even people. Given that our environment is becoming increasingly tagged, often without our knowledge or consent, and can be monitored or hacked by anyone with the proper hardware, skills and motivation, I viewed the recent arrival of two new ATM cards containing RFID chips with skepticism. While this feature may bring the increased convenience of speedy checkouts, it is not something I am completely comfortable using and decided that the safety of my personal data was more important than the ability to buy things quickly. The vulnerable nature of RFID security coupled with recent, though unrelated, reports of a Possible Security Flaw In ATMs make me seriously question whether the marriage of wireless data transfer with personal finance is a wise application of technology." So race's question basically boils down to: How safe and secure are the RFID chips that are being embedded in debit and credit cards? To add another issue on to the fire: Would you trust RFID technology on your cards?



race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.

Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"

214 comments

Disable the RFID (5, Interesting)

Ice Wewe (936718) | more than 7 years ago | (#17127008)

Just wrap the card in Tin foil. You can keep the magnetic strip (assuming it still has one) uncovered so that you can still check-out the old way. That's the only non-destructive way I'm aware of for disabling an RFID chip.

Nuke it (5, Insightful)

brunes69 (86786) | more than 7 years ago | (#17127132)

An RFID chip will fry in seconds in a microwave. It takes much longer than that to affect the plastic. And the magnetic stripe will not be affected at all, until the plastic starts to melt.

Putting the card in the microwave for 3-5 seconds should do the trick. The worst that can happen is you ruin your bank card, so just go to the bank and get another. They don't cost anything.

Re:Disable the RFID (5, Interesting)

value_added (719364) | more than 7 years ago | (#17127300)

Just wrap the card in Tin foil.

Funny ha ha, yes, but has anyone noticed that many science-fiction movies of recent years have included as a plot device one of the characters embedded with some sort of implant (in the brain, under the skin, etc.) or added to some common item (clothing, watch, pen, etc.) that was carried around? I recently watched Jonathan Demme's The Manchurian Candidate [imdb.com] on cable and it occurred to me that such a scenario doesn't have to involve a conspiracy of the highest order to be successful or involve a high-concept goal; unwitting or passive acceptance would work just fine, and the goal can be mundane but similarly insidious.

My guess is that monitoring technologies in various forms will increasingly become part of our daily lives. RFID chips, for example, seem destined to be everywhere [wikipedia.org], and while it's up to each of us to be as vigilant as the article's poster, the future will play out as a constant game of catch-up and workarounds for the select few in the know. Computers are part of our daily lives but knowledge of them is superficial at best. Should we expect the average person to have an inkling of how other technologies that come in smaller packages work?

Have you scanned yourself, lately?

Re:Disable the RFID (3, Informative)

StressedEd (308123) | more than 7 years ago | (#17128798)

More stylish than tin foil, a Muji Aluminium card holder [mujionline.co.uk]. I use one as my wallet, storing everything but coins. It has the added benefit that you absolutely cannot squeeze that one last thing into your wallet - so it doesn't end up looking like a sphere.

Of course it means I have to take my Oyster card [tfl.gov.uk] out in order to use it, rather than wave the wallet at the reader - but that's the point!

Not surprised about HSBC (5, Interesting)

arivanov (12034) | more than 7 years ago | (#17127026)

Not surprised about HSBC. In fact surprising about some sense from Chase.

HSBC recently forced me to subscribe to the Verified by Visa marketing pseudosecurity garbageshiteware gimmick (the only one of cards I have that actually forced me to do so). During the subscription process I found out that the idiotic subscription interface does not maintain state with most non-mainstream browsers. In fact if you use Konqueror (or play around with your browser a bit) you can cruise through it with flying colours without it asking for verification information, passwords and the like. I was seriously tempted to go all the way and register a few cards for entertainment purposes, but end of the day decided not to.

So I tried to get the wankers which run the "HSBC Goodness Gracious Me" call center to give me a security contact and a reference to report the bugs. Guess what - they neither understood the concept of "Your credit card interface has a major security flaw", nor could provide a contact. Still better than Amex though. Under similar circumstances 4 years ago when I tried to contact the Amex security dept with a similar bug they subscribed me to a mandatory 60 days of phone marketing and email marketing for good measure.

Frankly - they have no clue. Banking security at its best. Understanding is not required, BS and ISO numbers are.

Re:Not surprised about HSBC (4, Insightful)

Bazman (4849) | more than 7 years ago | (#17127162)

Talk to a financial journalist. Not only will they have contacts at the bank, but the bank will fear them more than they fear you...

Re:Not surprised about HSBC (5, Funny)

canesfan (607211) | more than 7 years ago | (#17127538)

"pseudosecurity garbageshiteware"

Henceforth all software found wanting shall be referred to as "pseudosecurity garbageshiteware". Man law???

Re:Not surprised about HSBC (2, Funny)

Anonymous Coward | more than 7 years ago | (#17128710)

Man Law

he proclaimed from his parent's basement

why should they care about security, it's... (4, Insightful)

Anonymous Coward | more than 7 years ago | (#17127748)

been made your problem by way of the 'identity theft' myth. There's no such thing as identity theft. When someone gives your money or loans their money to the wrong person, thinking it's you, THEY ARE AT FAULT.

Effing brainwashed sheep have bought into the identity theft ruse hook, line, sinker, and hummer to the fisherman.

Re:why should they care about security, it's... (1)

ATMD (986401) | more than 7 years ago | (#17128300)

Oh, mod parent up - I don't recall hearing such a concise and punchy way of putting that.

I'll have to remember it.

/not sarcasm

Re:why should they care about security, it's... (1)

wud (709053) | more than 7 years ago | (#17128720)

why back in my day it was called credit fraud...

Re:Not surprised about HSBC (5, Interesting)

EatHam (597465) | more than 7 years ago | (#17128670)

So I tried to get the wankers which run the "HSBC Goodness Gracious Me" call center to give me a security contact and a reference to report the bugs. Guess what - they neither understood the concept of "Your credit card interface has a major security flaw", nor could provide a contact.
Careful doing that. I've heard of *ahem* someone *ahem* doing the same thing with a bank, and having to spend several weeks giving depositions to the police, talking to the fbi, and basically being treated like a criminal. Moral of the story, switch your account and shut up about it, or it could easily become a giant hassle for you.

Yes but..... (0)

Groo Wanderer (180806) | more than 7 years ago | (#17127028)

I would, but everyone seems to forget that you can have RFID and a PIN or other second form of ID. I would have no problem as long as there was an OPTION for a second method of authentication to be applied.

Sure, it would cut down on convenience, but only a little, and would more than make up for it in added safety.

            -Charlie

Re:Yes but..... (5, Interesting)

flyboy974 (624054) | more than 7 years ago | (#17127082)

The reality is that by forcing a "swipe" of a card through a reader, this enforces the act of choosing to provide the information. With RFID, you can read it from across the room given a good transmitter and a sensitive receiver. Why should we need to add a new layer when the old physical layer works just fine? The new RFID does NOT save time. You can't just wave your wallet or purse over the weak reader (which is far weaker than a hacker would be using) if you had multiple cards. How would it tell them apart? You still end up having to take the card out. The difference is Mag Stripe (physical contact.. almost), or RFID, Radio Broadcast. I'll take the Mag Stripe or the Smart Card chip (which required physical contact).

Re:Yes but..... (1)

slidersv (972720) | more than 7 years ago | (#17127244)

Well, they could install "on/off" switch right on the card. You then can turn on the card right before checkout, and card would turn itself off after 5 seconds (so you have just enough time to go through checkout scanner thing)

Re:Yes but..... (2, Informative)

WhatAmIDoingHere (742870) | more than 7 years ago | (#17127662)

These are non-powered RFID tags. There is no "on/off" for them. If you wanted powered RFID, you'd have to include a battery, making the new card larger and bulkier than the old cards.

Re:Yes but..... (1)

Matthew Bafford (43849) | more than 7 years ago | (#17128514)

These are non-powered RFID tags. There is no "on/off" for them.
It's still a circuit. It'd be entirely possible to make a switch. It'd probably be too bulky as it'd have to be a non-momentary switch to maintain state after power is lost to the circuit. Still, the "non-powered" part doesn't mean the switch is impossible.

Re:Yes but..... (5, Insightful)

tttonyyy (726776) | more than 7 years ago | (#17127122)

I would, but everyone seems to forget that you can have RFID and a PIN or other second form of ID. I would have no problem as long as there was an OPTION for a second method of authentication to be applied.

Sure, it would cut down on convenience, but only a little, and would more than make up for it in added safety.

-Charlie
Tell you what, why not post your card details here (including the three digits on the reverse), but NOT THE PIN, and we'll see how many of us can buy something with it.

Willing to stand by your statement? Are you sure you still don't have a problem with other people having access to your card data?

I'll speak slowly for you (-1, Troll)

Groo Wanderer (180806) | more than 7 years ago | (#17127394)

"Tell you what, why not post your card details here (including the three digits on the reverse), but NOT THE PIN, and we'll see how many of us can buy something with it.

Willing to stand by your statement? Are you sure you still don't have a problem with other people having access to your card data?"

No, that is not what I said, nor would I be as stupid as you. Please learn the bare minimum reading comprehension skills.

This topic says 'having the ability to read all the info necessary to make a transaction remotely is bad' along with other things.

I said 'I would not have a problem with it as long as you could not read ALL the information remotely'. A pin is part of the necessary info to make a transaction.

You come back and say, although not as intelligently, 'LoLzor, post your details or you are a fagzor'.

Now it is obvious that you 1) didn't understand the statement 2) don't understand the problem 3) generally have a problem with simple logic. May I suggest that if you ever hit high school, you take an extra course or 4 in reading comprehension or logic.

To sum up, I said I didn't want to do exactly what you asked me to do because it was a dumb thing. You didn't comprehend, but at least you didn't use !!!1!!!one!!! in your post, so props to you.

                  -Charlie

Re:I'll speak slowly for you (1)

Aladrin (926209) | more than 7 years ago | (#17127526)

Maybe you are still not being clear, because his point is valid. Maybe you meant 'cannot read ANY of the information remotely.' Your statement says that you don't mind if it can be read remotely, as long as some of the information is still not remote-readable.

Cannot read all = might read some. It's the contrapositive, see?

Cannot read any = can read none.

The GP was stating that if you are so uncaring about your details, you might as well post them here. It'd be just as safe as walking around the mall with your RFID card blaring for anyone with an RFID reader.

Re:I'll speak slowly for you (1)

shawb (16347) | more than 7 years ago | (#17127544)

No... he's saying that a pin in and of itself will not protect the rest of the info on your card. If every gas station, used tire store and cigarette depot can get access to the card scanners it is likely that "the bad guys" can get access to the card scanners and figure out a way to reverse engineer them into a remote reader. Entering the PIN is something that happens on the scanner, so your privacy is not ensured. At the very least the customer behind you in line could watch you enter it. What he was saying is that carrying an RFID card around is as stupid as posting all that info on a public internet forum.

(Yes, it is possible to dupe and make a fake credit card now, but RFID would simply make it easier to steal your money.)

Re:I'll speak slowly for you (1)

WhatAmIDoingHere (742870) | more than 7 years ago | (#17127686)

"A pin is part of the necessary info to make a transaction."


Not really, no. For Debit cards, yes. But you can just use them as a "Credit" card, and all you have to do is sign your name. You can also make online purchases without a pin.

Re:I'll speak slowly for you (1)

Nitage (1010087) | more than 7 years ago | (#17127942)

You can also make online purchases without a pin.
You can't make online transactions without the last 3 digits of the security number on the back of the card. That security number isn't stored electronically on the card - so it can't be read by any means except visually examining the back of the card.

Re:I'll speak slowly for you (1)

Matthew Bafford (43849) | more than 7 years ago | (#17128552)

You can't make online transactions without the last 3 digits of the security number on the back of the card. That security number isn't stored electronically on the card - so it can't be read by any means except visually examining the back of the card.
Sure you can. I did last night at cafepress. All I provided was my account number and expiration date. The security number on the back has been adopted by a large percentage of the stores I deal with, but it is not universally used.

Re:I'll speak slowly for you (0)

Anonymous Coward | more than 7 years ago | (#17129148)

Just last night I did, so uh....WRONG. I purchased a quarterly parking permit for my university with no pin whatsoever.

Commuter Annual (July-June) $552.00

I could use a backup. Just post your name, cc number, and exp date. Thanks mate!

Nope for anything that needs security (2, Interesting)

vancbc (974483) | more than 7 years ago | (#17127074)

No can do, I wouldn't trust RFID for anything that requires a password or requires any sort of security.

I'd use it for inventory management etc. like was the big hype when it first came out but I'd keep it out of ATM cards, passports... PEOPLE.

Absolutely not (4, Informative)

techmuse (160085) | more than 7 years ago | (#17127080)

As a security expert who has done studies on RFID security, I would have to say absolutely not. I would switch banks.

Re:Absolutely not (1, Funny)

Anonymous Coward | more than 7 years ago | (#17127222)

As a Certified Medical Doctor, I also do not recommend the RFID technology. Just view the discomfort and unnecessary complexity RFID inflicts on its users as depicted in these totally spontaneous, grainy, black-and-white demonstrations we filmed!


Instead, I endorse RISKchip (Radio-enabled Identification and Storage Key Chip), the leading-brand automatic radio-wave based identification chip. RISKchip makes the theft of your identity simple and convenient for the whole family. It's so easy with RISKchip! For a limited time you can take advantage of this special offer and purchase a RISKChip kit for three easy payments of $49.95!*, I mean, I've paid more for a cup of coffee.


CALL NOW!!!


*plus $12.95 P&H


Liability for unauthorised transactions? (1)

farnz (625056) | more than 7 years ago | (#17127190)

My answer would depend entirely on who pays if the remotely accessible card data is used to make transactions without my authorisation:

If I pay, then it is in my interests to worry about the security of the card, and I'll want a card that's unlikely to be used without my authorisation (a PIN I set required, mechanical action needed to start the process etc). I do not want to risk paying for fraudulent transactions, and I will do what I can to minimise that risk.

If the bank pays, then I can leave the security to the bank; if someone designs a remote reader and uses it to take $10 from every customer, that's the bank's problem, not mine. I therefore don't need to worry about the security of the card design (although I do need to keep authorisation secrets secret), as if RFID cards are as hackable as they appear, the bank will do something about it to avoid eating too large a loss.

Re:Liability for unauthorised transactions? (4, Insightful)

bhima (46039) | more than 7 years ago | (#17127258)

Do you honestly think that banks don't pass every single expense they incur along to the customer?

No matter who pays at first, in the end we all pay more because of shitty security.

Re:Liability for unauthorised transactions? (1)

farnz (625056) | more than 7 years ago | (#17127358)

No, but I have the option to switch banks, which keeps the charges under control; if HSBC has to charge me more/pay me less interest than Chase to make the same profit (because HSBC's RFID cards are insecure, and Chase doesn't issue RFID cards), then I'll switch to Chase. Thus, HSBC either has to fix the security issues with their RFID cards, stop issuing RFID cards, or make less money.

Re:Liability for unauthorised transactions? (1)

voice_of_all_reason (926702) | more than 7 years ago | (#17127428)

I thought moving more than X dollars between accounts automagically flagged you as a terrorist? Pretty sweet deal for the bank:

Me: I've had enough of this shit, I quit
Bank: If you do, we'll have the government seize all your money
Me: Hey, let's negotiate!

Re:Liability for unauthorised transactions? (1)

maxume (22995) | more than 7 years ago | (#17127326)

The more immediate concern is whether the incremental increase in convenience is worth *any* inconvenience(short term access limitations, etc.).

Re:Liability for unauthorised transactions? (1)

Filmcell-Keyrings (973083) | more than 7 years ago | (#17127398)

Do you want to then have to go through your statement with a fine tooth comb, and check every small transaction? I would spot a large unauthorised withdrawal, but I might not spot £10 here or there, and how many people don't bother to check their statements?

Re:Liability for unauthorised transactions? (1)

ozbon (99708) | more than 7 years ago | (#17127968)

I don't bother to check my statements - because they're old data.

I check out my online banking at least once a week - and usually more often - so I'll be aware of any odd transactions (and I include 'the £/$10 here or there' in that statement) pretty much as soon as they've happened.

If you've got access to online banking, I don't get why you wouldn't use it for that kind of thing, and keeping a fairly regular check on your account(s) that way.

Re:Liability for unauthorised transactions? (1)

RAMMS+EIN (578166) | more than 7 years ago | (#17127522)

The problem is that, even if it's nominally the bank's responsibility, it will still hurt you. You still have to check on the bank to see if they're not letting any unauthorized transactions slip, you will still be the victim if someone uses your account data (and cleaning up the resulting mess can take years), etc. Also, as another poster pointed out, any costs that the bank incurs will be passed on to you. So, in short, when your bank's security sucks, you lose.

Re:Liability ... - Wrong answer (0)

Anonymous Coward | more than 7 years ago | (#17127728)

Remember basic economics (simplified), if the bank is profitable, then the customers pay for all the costs (and the profits). Therefore, even if the bank pretends to cover the costs of RFID fraud, the bank will have other charges that make up the cost of RFID fraud. Nice sounding PR announcements about limits of liability only serve to give the "not too intellectual" customer a warm fuzzy feeling! Now repeat after me: All the costs of any profitable company are paid for by the customers.
The only potential gain a customer might gain from "limits of liability" MIGHT be in not having their credit rating hurt. Unfortunately this is only a maybe, not a guarantee.

Re:Liability for unauthorised transactions? (1)

Name Anonymous (850635) | more than 7 years ago | (#17127794)

I have one scenario involving a "honest mistake". (Honest as in nobody was trying to do anything malicious.)

What if you are standing too close to the RFID reader and it picks up your card details instead of the person who is paying in front of you?

Re:Liability for unauthorised transactions? (1)

Matthew Bafford (43849) | more than 7 years ago | (#17128668)

What if you are standing too close to the RFID reader and it picks up your card details instead of the person who is paying in front of you?

I used a similar service, Speedpass [wikipedia.org] a few+ years ago, and this honestly was not a possibility. I never got it to read my chip from more than 2cm away from the reading area - and usually not even that far worked. Same with my door pass to get in my building - I've got to touch my wallet to the reader to get it to register - meaning 1" or so at most. Same thing with the DC metro's readers - 2" is about the best you'll ever get.

That's not to say a stronger reader component couldn't be built that could read from a further distance. However, in practice, these devices are engineered to only work at a very short distance.

Would I heck! (0)

Anonymous Coward | more than 7 years ago | (#17127206)

Absolutely not.

Next question please.

Seriously though, the security on RFID devices has been broken time and time again so you cannot trust it. What with criminals managing to swipe cards by attaching devices to ATM machines it will be a lot easier to swipe cards if they are RFID enabled as most people are idiots and would not know how to protect their cards.

Also, if they are accepted would the banks take liability if you are scammed because of the RFID technology? The whole idea of chip and pin was not about security but about moving the responsibility of the losses from the bank to the customer, although the banks would swear blind that it was about security.

And what with most ATM machines being run by a version of Windows anyway you could guarantee they are running as Wireless Access Points. :o)

Don't you think that's a bit racial? (0, Flamebait)

QuantumG (50515) | more than 7 years ago | (#17127220)

Seriously though, don't americans only have like $750 limits on their credit cards? And that's if you've been a good customer for ten years with the same financial institution? Unless, of course, you have one of those unlimited american express cards. I had one of those, but the fees are just insane and only half the stores take them as a result.

Re:Don't you think that's a bit racial? (0)

Anonymous Coward | more than 7 years ago | (#17127506)

Why on earth is this flamebait? It's a valid point/question.

Re:Don't you think that's a bit racial? (0)

Anonymous Coward | more than 7 years ago | (#17128180)

What, are you just as retarded as the GP? Or do you both live on welfare and the closest you've gotten to a credit card is watching someone use one on TV?

captcha = EARNING

Re:Don't you think that's a bit racial? (1)

QuantumG (50515) | more than 7 years ago | (#17128296)

My guess is that he, like I, does not live in the US and is only informed with your customs by the few times we've visited and the drivel we see on television.

But thanks for being a prick about it. Karma I suppose.

Re:Don't you think that's a bit racial? (0)

Anonymous Coward | more than 7 years ago | (#17127588)

um, no. My first CC with no credit history at 18 had a $10k limit. You can get up to $50k from most banks without showing any proof of income, and higher with POI. I know people straight out of bankruptcy with much higher limits than $750.

Re:Don't you think that's a bit racial? (1)

karmatic (776420) | more than 7 years ago | (#17127866)

If you have halfway decent credit, your maximums can be way higher than that. In fact, I've repeatedly had limits raised automatically, without asking - sometimes by over $3000 at a time.

Also, for the Amex, "no pre-set limit" doesn't mean "no limit".

RFID offers very little security... (1)

locksmith101 (1017864) | more than 7 years ago | (#17127234)

as fun and futuristic as it may seem - RFID gives you as much protection as a condom with a wee little hole in it.

New fashion accessory (2, Interesting)

eeyore (78059) | more than 7 years ago | (#17127238)

Your grandfather's old silver cigarette case has just acquired a new lease of life as a Faraday cage.


What use is an RFID to a bank?

--

E

Metal wallet (1)

Psycosys (886125) | more than 7 years ago | (#17127254)

My credit card company replaced my card last time with an RFID card. I'm not too worried about it though because I keep all of my cards in a metal cigarette case.

Re:Metal wallet (2, Informative)

melstav (174456) | more than 7 years ago | (#17128074)

Keeping your RFID tagged cards in a metal case only prevents them from being read while you've got them stored away. Anytime you pull your card out to use it, someone could have an RFID reader nearby to scan it mid-air.

Or, much easier, find someplace with an RFID reader at the cash register and find someplace to hide a high-gain directional antenna. Let the legitimate reader do the work of powering the tag on the card, and then log the data being broadcast by the tag with the antenna.

RFID tags broadcast omni-directionally. So the reader doesn't have to be in a specific spot. It just has to be close enough to the tag. RFID tags' usable range (distance between tag and reader) is limited by two factors:

1) The tag has to be in a "strong enough" EM field to run.
2) The reader has to have a sensitive enough antenna to be able to receive the data being transmitted by the tag.

um cost? (3, Funny)

tomstdenis (446163) | more than 7 years ago | (#17127262)

Instead of spending that money on putting RFID in, why not just release, oh, I dunno, SMART CARDS!!!

Oh, no, we're north american, we have to be different *cough* cdma *cough*, no way we can conform with the rest of the fucking world *cough* soccer *cough*...

Besides, RFID is not meant for privacy or security. It's meant to track inventory. The sooner these "experts" realize that the better. The sooner they realize that RFID readers are common place the even better.

Trace 'inventory' (0)

Anonymous Coward | more than 7 years ago | (#17127550)

"Besides, RFID is not meant for privacy or security. It's meant to track inventory."

You hit the nail, maybe. Wasn't there a plan to link up all social-security numbers, bank-accounts, tax-numbers etc. to the creditcard-numbers, so it would be possible to trace 'terrorist' suspects?
Wouldn't it be even more convenient to place transmitters around stations and crossroads, to track the people passing by?

Ursa..

Re:um cost? (1)

sangreal66 (740295) | more than 7 years ago | (#17127664)

American Express released the smart card American Express Blue many years ago. I still have the free smart card reader they gave out with it. It was pretty worthless and not widely adopted. They probably still have chips in them, but no-one cares. I now have an RFID Citi paypass keychain which I find incredibly convenient, and I can't say I lose sleep over the security.

Re:um cost? (1)

tomstdenis (446163) | more than 7 years ago | (#17127830)

The problem with Blue is that they didn't work with others on it. For a smart card system to work all of the banks have to participate.

And it's not like we don't have the readers here. All of the common retail stores I go to here in Ottawa (that have debit/credit) have a reader built-in (I imagine because the machines are made in one factory and chances are it's good for tourism).

So really the only problem left is to actually roll out the cards and start enforcing their use.

The point of the smart card, isn't to be neato or costly but to help prevent fraud. The crypto authentication is done inside the card itself so there is no real "skimming" possible. Lower fraud, should (most likely won't) lead to lower interest rates and service fees (maybe they will after the government cracks down on banks...).

Tom
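Added example (not part of the original thread and not any poster's or card scheme's code): a simplified model of the point made in the comment above, that authentication computed inside the card leaves a skimmer with nothing reusable, while a card that returns the same static record on every read can be replayed. The HMAC challenge-response protocol, the class names and the account number are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class StaticCard:
    """Card that hands out the same record on every read (stripe-like data)."""

    def __init__(self, account, expiry):
        self.record = f"{account}|{expiry}".encode()

    def read(self):
        return self.record


class ChipCard:
    """Card that keeps a secret key inside and only ever emits MACs."""

    def __init__(self, account, key):
        self.account = account
        self._key = key  # never leaves the card in this model

    def respond(self, challenge):
        msg = self.account.encode() + b"|" + challenge
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Verifier: knows static records and per-account keys, issues challenges."""

    def __init__(self):
        self._static_records = set()
        self._keys = {}
        self._pending = {}  # account -> outstanding single-use challenge

    def enroll_static(self, card):
        self._static_records.add(card.read())

    def enroll_chip(self, account):
        key = secrets.token_bytes(32)
        self._keys[account] = key
        return ChipCard(account, key)

    def accept_static(self, record):
        # The record itself is the credential, so any copy is as good as the card.
        return record in self._static_records

    def new_challenge(self, account):
        challenge = secrets.token_bytes(16)
        self._pending[account] = challenge
        return challenge

    def accept_chip(self, account, response):
        # A challenge is consumed on first use, whether or not it verifies.
        challenge = self._pending.pop(account, None)
        key = self._keys.get(account)
        if challenge is None or key is None:
            return False
        msg = account.encode() + b"|" + challenge
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenario():
    issuer = Issuer()
    account = "4000-0000-0000-0002"  # constructed sample value

    static_card = StaticCard(account, "12/09")
    issuer.enroll_static(static_card)
    chip_card = issuer.enroll_chip(account)

    results = {}

    # Static card: a copy of one read is accepted again later.
    captured_record = static_card.read()  # what a skimmer would have logged
    results["static_legit"] = issuer.accept_static(static_card.read())
    results["static_replay"] = issuer.accept_static(captured_record)

    # Chip card: the logged response is bound to a challenge that is now spent.
    challenge = issuer.new_challenge(account)
    captured_response = chip_card.respond(challenge)  # logged in transit
    results["chip_legit"] = issuer.accept_chip(account, captured_response)
    results["chip_replay_no_challenge"] = issuer.accept_chip(
        account, captured_response
    )
    issuer.new_challenge(account)  # issuer starts a fresh transaction
    results["chip_replay_fresh_challenge"] = issuer.accept_chip(
        account, captured_response
    )
    return results


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The model covers replay of captured data only; it does not address whether the account identifier itself is readable, which is the privacy concern raised elsewhere in the thread.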

Benefits? (0)

EaglemanBSA (950534) | more than 7 years ago | (#17127266)

My question is, what's the big benefit of using an RFID-enabled card? Is it really worth the security risk to swipe your wallet instead of your card? I'm content with how fast the money exchange already is, to be honest.

Re:Benefits? (1)

voice_of_all_reason (926702) | more than 7 years ago | (#17127478)

The same benefit any big company finds with technology

Step 1: Higher up finds he's got all this money, but it's tied up in the company and he wants to sneak it out into my own pocket.

Step 2: Contract out with a friend for a zany new technological upgrade that does nothing for the business or its customers. Overspend like it's going out of style.

Step 3: Split profit

Re:Benefits? (0)

Anonymous Coward | more than 7 years ago | (#17127482)

This is kind of the whole point. The average Joe is thrilled with the idea of not having to line up in the supermarket for as long as they do now, and probably won't give a damn about the security implications until reports start coming in of people's money mysteriously disappearing from their accounts. If people are willing to give biometric information to a supermarket to save a few seconds at the till then they'll sign up for pretty much anything that saves time.

Re:Benefits? (2, Informative)

spinnerbait (1000859) | more than 7 years ago | (#17127638)

The problem with RFID encoded is they can be viewed by anyone that has the right equipment. I work for a company that uses RFID encoded labels because of their ease of reading the data off the label. Since you don't have to be within close proximity of the RFID chip to get a good read, someone can point an RFID reader at your butt and read the card from thirty yards away. Also, some RFID chips are very fragile and can be altered given the right conditions, which are not that extreme. My vote is we go back to the day where ten cows would buy you a year supply of donuts and fig newtons.

bank change time (0)

Anonymous Coward | more than 7 years ago | (#17127270)

It looks like I am about to change Banks pretty soon, before the current HSBC one runs out...

An article you may want to read. (2)

DeQuincey (221531) | more than 7 years ago | (#17127284)

My answer is no, as well. [theregister.com]


Despite assurances by the issuing companies that data contained on RFID-based credit cards would be encrypted, the researchers found that the majority of cards they tested did not use encryption or other data protection technology.

a question bout current implementations-speedpass (1)

shareme (897587) | more than 7 years ago | (#17127336)

Well, let's take a current implementation, i.e. SpeedPass. How many events of a SpeedPass stolen and used? Until we have the stats there is no use of debating either..

Re:a question bout current implementations-speedpa (0)

Anonymous Coward | more than 7 years ago | (#17127468)

There are certain Mobil stations that you run across where you have to punch in your zip code to be able to use Speedpass every time you use Speedpass there.

I'd suspect those are stations that were hit by Speedpass fraud.

One of these stations is off I-80 near the California/Nevada state line.

Re:a question bout current implementations-speedpa (1)

Matthew Bafford (43849) | more than 7 years ago | (#17128774)

There are certain Mobil stations that you run across where you have to punch in your zip code to be able to use Speedpass every time you use Speedpass there. I'd suspect those are stations that were hit by Speedpass fraud.

Possibly, but is that Speedpass fraud as in "RFID read remotely and then the Speedpass device was duplicated", or is it Speedpass fraud as in "someone dropped their Speedpass in the parking lot, and then someone else used it"?

I wouldn't be surprised if it's the latter.

Re:a question bout current implementations-speedpa (1)

RAMMS+EIN (578166) | more than 7 years ago | (#17127698)

``Until we have the stats there is no use of debating either..''

Not true. I don't want to use a system I know to be insecure, no matter if it has been exploited many times or never at all.

RFID Hacking kits available here. (2, Informative)

davro (539320) | more than 7 years ago | (#17127406)

Roll up Roll up come on you lovely people.

Buy your RFID Readers http://froogle.google.co.uk/froogle?q=RFID+reader&oe=UTF-8&scoring=pd&price1=&price2=225.00&lnk=prsugg [google.co.uk]
Buy your RFID Tag/Chips http://www.gaotek.com/index.php?main_page=index&cPath=63&gclid=CJ7p383q_YgCFSJ4MAodJDDrAg [gaotek.com]
Buy your blank credit sized cards http://www.smartcardsupply.com/Content/Cards/cards.htm [smartcardsupply.com]

What was the question again "Would You Trust RFID Enabled ATM Cards" mmm let me ponder that, NOOOOO.

Personally I have little or no hope for our open/free society, mainly after talking to friends, people on the train, anyone who understands RFID, and most people that I have talked/chatted to really do believe that RFID is a good thing; when questioned about some basic facts they just do not get it but follow on blind F^^KING FAITH.

RFID good for packages and tracking your stuff you ordered, useful for the company and client.
RFID good for making people believe that if a dick fits up your arse then it is compatible and you should adopt, even if it is not comfortable or useful, no questions just sit on it and smile.

RFID Detection (4, Interesting)

Chaos1 (466833) | more than 7 years ago | (#17127424)

Does anyone know if there are RFID Detection scanners available? I know there are remote readers, but I was thinking more along the lines of a scanner which simply lights up an LED, beeps or something along those lines when it comes in close proximity to RFID. It seems with all the hidden tagging of clothes, shopping carts, etc. that this might be something handy to have.

Check the incentives (4, Informative)

inviolet (797804) | more than 7 years ago | (#17127432)

With an RFID-enabled credit card, the credit card company is the first line of defense against fraudulent usage. The customer is only secondarily responsible, and in any event does not lose any cash or interest. So, you can be certain that the security system and the implementation will be sound.

With an RFID-enabled ATM card, all of that is reversed. A fraud will cause the customer to lose his or her cash and interest... and the customer must then fight with the bank to get them back. The bank has only secondary responsibility, and therefore only secondary incentive, to get the plan right and to maintain the implementation. It's like a config.rc file with the wrong default value: loss-paid-by = customer.

It's a given that few people in any organization (banks or otherwise) actually understand security, encryption, or the very pertinent issue of "identification versus authentication". But even if Chase or whoever has done their research, the incentives for protecting customers from atm fraud are inherently perverse.

Re:Check the incentives (1)

RemovableBait (885871) | more than 7 years ago | (#17128252)

It's like a config.rc file with the wrong default value: loss-paid-by = customer.


Wow. You must be the biggest geek on earth.

Of Course! (note: sarcasm) (1)

SuperStretchy (1018064) | more than 7 years ago | (#17127510)

Go ahead, use the RFID cards. I use wireless networks all the time for my banking/purchasing needs and WEP encryption handles it just fine. Sometimes I do it over unencrypted networks just to feel like I'm living life on the wild side. I just have to buy when my punk neighbor kids are around or I'm at work or in the airport. WEP is perfectly unbreakable. And so what? Even if someone does get my number, I have a really good fraud protection system with my card. I've only had to declare bankruptcy twice.

I can't wait for these new RFID chips... Because no one knows how to use them or what they mean anyway.

Note: I'm kidding.

It's one thing to present a choice between security and convenience and have a whole bunch of suckers take the easy way (aka personal responsibility, ignorance is no excuse), but it's another thing when that right to choose is taken away (remember Sony DRM?).

Re:Of Course! (note: sarcasm) (1)

perky (106880) | more than 7 years ago | (#17128598)

You do know that you could just cut the card up and throw it in the bin? Regardless of the fact that this is FUD, the personal choice argument extends to your choice not to use the product.

As an aside, 5 million Londoners have an Oyster card in their pocket. Mine currently has about 80 quid of pre-pay on it. I am not in the slightest bit worried that someone will be able to steal this, and I haven't heard of this happening to anyone. This is basically the same contactless smartcard implementation that will be used for the next generation of banking cards.

Another solution? How about Altoids tins? (4, Interesting)

ClayJar (126217) | more than 7 years ago | (#17127590)

For several years now, I've been carrying my personal card collection (credit, discount, ID, etc) in an Altoids tin. It's the perfect size for such cards, and it protects them from me. Also, it has the added benefit of being quite the faraday cage. Unlike foil, which can easily tear, an Altoids tin can take *quite* the beating without any significant damage.

At work, we have RFID security badges. Mine is, obviously, in my Altoids tin. I can hold the tin against the sensor as long as I want; it won't scan. I pop it open (which is really easy to do one-handed once you get used to it), and it'll read from several inches away.

They also have several designer colors: red peppermint, aqua wintergreen, tan ginger, and my personal favorite -- black liquorice. :)

While credit and debit cards may have... (1)

Slashdot Junky (265039) | more than 7 years ago | (#17127632)

Dear world,

While credit and debit cards may have their problems, the speed of checking out isn't one of them. Come on, how much of a hurry must someone be in that they can't take 30 more minutes to press a few buttons on the keypad and sign? With every new article about RFID being released, it seems that RFID is the solution to fewer and fewer problems. It will only create privacy and security issues for credit and debit cards, and I don't want the tech in mine.

Later,
-Slashdot Junky

Re:While credit and debit cards may have... (0)

Anonymous Coward | more than 7 years ago | (#17128748)

I'd use an RFID card if it would save me thirty minutes.

Later,
-Anonymous Coward

Destroy the tag... (3, Informative)

Ghostalker474 (1022885) | more than 7 years ago | (#17127884)

I've been researching this for one of my masters classes (I know, I'm a student, but hear me out) and I came across 2 ways of non-destructively stopping the tag. The first is simply blocking the tag with another tag, so that when the RFID reader goes to energize the tag, it gets a garbled response that even error-correcting software can't figure out. The second is to broadcast a kill-code to the tag. The kill code closes the circuit to a specified part of the chip, effectively overwriting the memory. This is the equivalent of removing the CMOS password on a motherboard, close the circuit, and when energized.... game over. The best thing to do would be to (yes) throw it in the microwave for 3-5 seconds [so as not to melt the plastic or the magnetic strip] and then go on using it with the RFID feature disabled. Personally, after all the research I've done on the security of RFID... I doubt the encryption is strong enough to block a dedicated reader. Hell, remember when they said WEP on 802.11b was unbreakable? I'll stick with my small-hometown bank, since they likely won't upgrade for some time.

oh hell (1)

John Harrison (223649) | more than 7 years ago | (#17127986)

First of all it probably isn't an RFID tag but a contactless smart card. Yes there is a meaningful distinction.

Second, do you know whether there is any security around it or not? Some implementations have no security at all, others do mutual authentication and create encrypted sessions. You are considerably more secure using the latter of these than your traditional mag stripe.

Get educated before sticking your head in the sand. Mag stripe is going to go away. Hopefully EMV will come to the US soon and put some security standards in place.

Shutting down technology? On /. (1)

Voltas (222666) | more than 7 years ago | (#17127994)

I work on security systems and I've proposed "security paranoia"

Fear isn't going to help grow technology. There are hundreds of social engineering, web based, technical equipment based, and good old scam based ways to get your info.

We can't fear new technologies...everything will have its bumps and flaws and with time they get worked out...if they are accepted by users.

You're not a whole lot more vulnerable than you are now with a chip in your credit card.

Watch and work your money like a job...get proper coverage for inevitable loss and go with it!

If you're really worried about being vulnerable...get off the internet!!! (At least I can't get flamed by those paranoid people now)

How Long? (1)

vtcodger (957785) | more than 7 years ago | (#17128174)

So, How long until wallets start coming with built in shielding to discourage unauthorized RFID readout?

I was lied to by Chase (1)

MrLint (519792) | more than 7 years ago | (#17128238)

I called Chase for an RFID-less card. They said they would send one. They did not. They sent YA 'blink' card. I called again and was told that if I want one that is still a 'check card' I have to pay a fee. So basically, in order to get the same security I had before I have to *pay* for it, but for free I get a feature I don't want.

I have already written my senator.

What is this mania with RFID about? (1)

hey! (33014) | more than 7 years ago | (#17128400)

A European guy asked me recently why American companies are using unproven RFID technology in their credit cards, when Smart Cards are not only proven, but more easily shown to be secure.

I think there are several reasons.

First, when Smart Card technology was first proposed some twenty years ago, the idea got earlier traction in Europe. One reason, if I recall correctly, was that at the time the cost of installing and using phones under many state telecom monopolies made the kind of system we use in the US less attractive.

This explains why Smart Cards were adopted in Europe and not initially the US. But why even consider new RFID technology when a proven technology already exists? I believe the answer comes from the culture of technology adoption. The RFID tag on these cards is not being used in a way that does anything fundamentally new. It's just an incremental improvement on the mag stripe. Smart Card technology would involve going to a two factor approach; familiar to ATM users, but it would change the way we process credit card transactions. So RFID is a "state of the art" technology, yet it looks like a non-disruptive drop in replacement for mag stripes on credit cards. These are both killer advantages from the CIO standpoint. Since most ATM cards are supposed to function as credit cards, they come along for the ride.

The final reason US companies favor RFID over Smart Cards is that they face fewer consequences from mishandling private data than EU companies. This is due to differing cultural perspectives on privacy and regulation.

US politics is relatively more libertarian in its privacy outlook. Under US law, the government is generally restricted, but with specific exceptions to the restrictions; the private sector is generally permitted -- but with specific exceptions to the permissions. US laws only address a few of the most egregious of private sector abuses. Even then they are typically drafted with extreme care to minimize business exposure to new regulation or private lawsuits, whichever seems to be the greatest threat to business.

Europeans have more of a human rights perspective, in which the right of privacy can be asserted against anyone. Consequently, EU directives do not make a fundamental and general distinction between government and private sector data privacy practices. This means that EU companies are less able to externalize the costs of sloppy data privacy practices, because they face both regulatory action and private lawsuits, because EU law imposes duties upon them which US companies do not have.

The US has a strong cultural bias against regulation and government enforced standardization. You can see this in our mobile phone systems, where we have several competing standards, each of which is arguably superior to GSM in some way, but the net result is that the overall phone system is not as good. We're seeing the same thing happen with the introduction of RFID credit cards (which is probably why ATM cards are starting to sport tags too). We're seeing a spate of non-standardized solutions, some of which may be reasonably secure, some of which rely totally upon the assumption that RFIDs cannot be read at more than a few millimeters.

As should be clear, I think that on the privacy issue at least, Europeans have it right, and we Americans have lost our way. The US attitude towards privacy is inconsistent and impractical, at least if you value privacy at all. It is our unwillingness to regulate the behavior of private industry towards individuals or to even let individuals hold companies accountable that makes the adoption of technologies like RFID inevitable. Private enterprise never has to worry whether the security costs outweigh the benefits, because they can impose the costs on the consumer.

Multiple RFID credit cards? (1)

WimBo (124634) | more than 7 years ago | (#17128416)

So, say I've got three RFID credit cards in my wallet when I go through a checkout. Is there some standard protocol that all three cards are using to have me choose a card? Do all three cards get used?

If I still have to pull my card out of my wallet, I don't see any advantage to me.

Years ago I was taught the most important phrases to learn in any language. Two more beers. My friend is paying.

The second phrase becomes much harder to dispute if my friend has an RFID credit card.

RFID CUSP Report (1)

meffie (526171) | more than 7 years ago | (#17128492)

Researchers at the RFID CUSP (ConsortiUm for Security and Privacy) published an informative report in October. They show how to build skimmers, describe relay and replay attacks, and how the transaction counter can be used to invade privacy. They show that in the current generation of RFID-enabled smart cards there is no mutual authentication between the reader and the card, so it is not difficult to build or buy a reader to scan cards. Track 1, which usually contains the card holder name, is transmitted in the clear. Track 2 is transmitted in the clear, with PAN (account number) in 3 of the 4 types of cards currently being issued. The nominal read distance is 10 cm, but only if the reader complies with the ISO 14443 spec. http://prisms.cs.umass.edu/~kevinfu/papers/RFID-CC-manuscript.pdf [umass.edu]
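An added illustration (not part of any comment in this thread, and not code from the report) of the distinction drawn above between cards that send static data in the clear and cards that do mutual authentication with a per-transaction response. It is a simplified HMAC model, not EMV or any issuer's protocol; all class and function names and the sample record are constructed for the example, and the verifier is assumed to share the card's key.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder, not real card data.
STATIC_RECORD = b"CONSTRUCTED-ACCOUNT-0000|EXP-0000"

def mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class StaticCard:
    """Sends the same cleartext record to any reader that energizes it."""
    def respond(self):
        return STATIC_RECORD

class AuthCard:
    """The key never leaves the card; every answer is tied to a nonce and counter."""
    def __init__(self, key):
        self._key, self._counter, self._challenge = key, 0, None

    def challenge(self):
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def respond(self, reader_nonce, reader_proof):
        # Mutual authentication: stay silent unless the reader proves it holds the key.
        if self._challenge is None:
            return None
        expected = mac(self._key, b"reader", self._challenge)
        self._challenge = None  # one attempt per challenge
        if not hmac.compare_digest(expected, reader_proof):
            return None
        self._counter += 1
        ctr = self._counter.to_bytes(4, "big")
        return ctr + mac(self._key, b"card", reader_nonce, ctr)

class Verifier:
    """Stands in for terminal plus issuer (assumption: they share the card key)."""
    def __init__(self, key):
        self._key, self._last = key, 0

    def prove_to_card(self, card_challenge):
        return mac(self._key, b"reader", card_challenge)

    def accept(self, nonce, response):
        if response is None or len(response) != 36:
            return False
        ctr, tag = response[:4], response[4:]
        good = hmac.compare_digest(tag, mac(self._key, b"card", nonce, ctr))
        if good and int.from_bytes(ctr, "big") > self._last:
            self._last = int.from_bytes(ctr, "big")
            return True
        return False

def static_replay_matches():
    card = StaticCard()
    recorded = card.respond()           # copy taken during one read
    return recorded == card.respond()   # identical to what the real card sends next

def dynamic_replay():
    key = secrets.token_bytes(32)
    card, verifier = AuthCard(key), Verifier(key)
    n1 = secrets.token_bytes(16)
    resp = card.respond(n1, verifier.prove_to_card(card.challenge()))
    genuine = verifier.accept(n1, resp)
    replayed = verifier.accept(secrets.token_bytes(16), resp)  # old answer, new nonce
    return genuine, replayed

def unknown_reader_gets_answer():
    card = AuthCard(secrets.token_bytes(32))
    card.challenge()
    return card.respond(secrets.token_bytes(16), bytes(32)) is not None

if __name__ == "__main__":
    print(static_replay_matches(), dynamic_replay(), unknown_reader_gets_answer())
```

A fresh nonce and counter defeat replay of a recorded answer, but they do not address a live relay between a genuine card and a genuine reader, which needs separate countermeasures.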

doesn't matter if you trust it or not (1)

m1ndrape (971736) | more than 7 years ago | (#17128700)

what matters is can they prove it's trustworthy....then there is no question...

Hack it yourself (1)

amigabill (146897) | more than 7 years ago | (#17128706)

What about getting the kind of equipment used to work with these RFID tags, and clear it out so it no longer has any interesting info to steal? Is that possible, or are these things read-only? You could also try to microwave it. :)

Re: Check the incentive (5, Insightful)

Erick Lionheart (745320) | more than 7 years ago | (#17128770)

Uh... no? If the credit card companies were the ones paying for the fraud done with credit cards, there would BE next to 0 fraud.

As it is, they make the -merchant- pay for it! And not only do they make us cover the price of the fraudulent transaction, but they ALSO tag an extra $25 -per fraud transaction- !! Heck, at this rate they might actually be MAKING money from fraud!!

If one customer buys 3 times with same fraudulent cc over a few days (say, for $5 items!), we pay $75 in -addition- to the cc company taking back the $15!!!!!

With the hundreds of Billions they process every day, do you really think there would be so much fraud if the cc companies were the ones really paying for it?? :/

Corporate America vs you (0)

Anonymous Coward | more than 7 years ago | (#17128822)

ATM card or debit card, it doesn't matter. The bottom line is they both connect to your money, not the credit card company's money. And the law protecting your money via debit/ATM cards (Electronic Funds Transfer Act) is completely different than the law protecting the credit card company's money via credit/charge cards (Fair Credit Billing Act).

Why would someone knowingly want to place more risk on their own money? I'm ok with RFID tags on credit only cards, but when it comes to ATM and debit cards, do what I have done. Take a hole puncher and punch the chip out of the card! You can protect your money better than the govt can...

RFID is already dead for this application. (1)

ivan256 (17499) | more than 7 years ago | (#17129094)

When you have two or more RFID cards in your wallet, chances are neither of them will work on any given attempt to use them unless you take the card you want to use out of your wallet....

So what's the benefit?