Are Contactless Payments Really Secure?

Posted by ScuttleMonkey on Mon Jul 02, 2007 03:31 PM
from the tin-foil-pants dept.
berberine writes to tell us Ars Technica has a closer look at whether the RFID technology behind many of the up and coming "contactless payment systems" is robust enough to prevent account fraud and the theft of personal information. "Concerns over the security of contactless systems were heightened last week by a Federal Reserve decision that will allow for even more casual, low-cost purchases to be made across the country. In recent years, credit card companies have waived their signature requirements for so-called "small ticket" items in order to get a slice of the action. Visa, for instance, doesn't require your signature for purchases at or below $25."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Except that banks magic money into existence so they're not actually losing anything (maybe but a little profit) when someone commits fraud.

     
    • Re:yeah yeah (Score:5, Insightful)

      by UbuntuDupe (970646) * on Monday July 02 2007, @03:42PM (#19721851) Journal
      Okay, whatever manipulation of the monetary system the Federal Reserve does, individual member banks aren't actually allowed to print money at will. The banks still have to pay interest on the borrowed money. I hope you were joking about that.

      Anyway ... do contact-full transactions really add any security? I always hear "omg if someone steals ur card their sig will b diff so they know its not urs lol!" But really -- it doesn't prevent the transaction itself, since the cashier ignores the signature entirely. And it requires that I use an actual, unique signature (instead of just scribbling) when I really want to authorize the purchase -- which the CC company doesn't actually require you to do. So I can just scribble for all my signatures and if I want to dispute the charges at the Dog and Duck Pub, they don't have any real proof because my signature there is the same as elsewhere.
      • Re:yeah yeah (Score:4, Informative)

        by rnelsonee (98732) on Monday July 02 2007, @03:52PM (#19721965)
        Right. The signature on the back of the card is not there for security - it's there to protect the merchant from having to pay a chargeback.

        Basically, the signature is the signature to the Cardholder's Agreement you get with the card. Except that instead of the signature being on a piece of paper that no one wants to carry around, they let you sign the card itself. Once you sign it, the merchant knows that the card is valid, and they are now free to charge the card without fearing a complaint come back saying "I never authorized that!". As long as there's a signature, even if it doesn't match the person who's holding it, the merchant is not liable for fraudulent purchases.

        Which is why writing "See ID" is frowned upon, and merchants will sometimes refuse to take a card with that written on the back.

        • Merchants will do whatever the hell they want with a credit card, with no apparent rhyme or reason.

          The one that really has become a pet peeve as of late is asking to see my ID when I have a signed card. Now I don't have a reference link handy, but somewhere I've read that the merchant's agreement with the CC company actually forbids them from asking for ID if a signed card is presented. I consider this a good thing, because frankly, I don't trust that cute checkout girl at the grocery store, and I don't w
          • Re: (Score:3, Interesting)

            You realise it's the exact opposite - it's far better to have them ask for id. The chance that someone steals a credit card and makes a matching fake id is low. It actually gives you and the merchant a measure of security. The only risk of showing id is the risk of the checkout person remembering enough information to do something with it 4 hours from now when they get off shift. I get pissy when a merchant *doesn't* ask for id.
          • Re: (Score:3, Interesting)

            According to Visa's Rules for Visa Merchants: http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf [visa.com]

            Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures

            So you can't *mandate* that someone provide ID i
          • Re:yeah yeah (Score:4, Insightful)

            by Blkdeath (530393) on Monday July 02 2007, @09:18PM (#19725453) Homepage

            The one that really has become a pet peeve as of late is asking to see my ID when I have a signed card. Now I don't have a reference link handy, but somewhere I've read that the merchant's agreement with the CC company actually forbids them from asking for ID if a signed card is presented. I consider this a good thing, because frankly, I don't trust that cute checkout girl at the grocery store, and I don't want to have to show her my ID.

            Why, because she's going to memorize your driver's license number, address, birthdate, issue date and expiry date and create a fake ID from memory when she gets home? What's more likely, scenario #1 above or scenario #2 where somebody gets hold of forged credit card data (perhaps your own), makes a few fake cards and sells them for $100 apiece and you get stuck with the tab?

      • Re:yeah yeah (Score:5, Informative)

        by ushering05401 (1086795) on Monday July 02 2007, @03:58PM (#19722059)
        As of 1 1/2 years ago this is how fraudulent charges were handled.

        If there is a disputed charge of any amount the credit agency sends a notice to the seller. The seller MUST provide signature evidence related to the transaction within a period of several days or the charge is automatically reversed (charge-back).

        If the signatory proof is produced, but the signature does not match the one on file then depending on the amount one of two things will happen: the credit lender will request video footage and or supporting documents related to the sale, or the credit lender will eat the charge and the seller does not get charged-back.

        In the event of a suspicious pattern of claims of fraudulent activity the credit lender reserves the right to investigate the card holder to the extent that they may request video or other documentary evidence related to purchases made by the card holder at any location that accepts the credit card as tender. It is up to the legal department of the seller whether to comply, but my experience is that they always do. All major retailers with which I am familiar have procedures set up for handling charge-back notifications in-store, without legal department approval providing the request for documents falls within a predefined range of appropriate disclosure (usually does not include video which is a separate approval process).

        Always sign your slips with a distinct signature, never try to screw with your card provider. These guys are serious and have entire departments dedicated to identifying patterns of fraud... you are not excluded even if your fraud pattern is only going to include small amounts.

        Regards.
        • by ushering05401 (1086795) on Monday July 02 2007, @04:14PM (#19722211)
          Bad form to reply to my own post, but it occurs to me that this topic might get some people thinking about how to game the system.

          For any youngsters out there getting ideas... card companies also work closely with major retailers to identify a reverse type of fraud.

          One case I saw related to a woman who generated false receipts for small dollar amounts (box store multimedia retailer) and returned product that had been stolen for the purpose of reducing her credit card bills with the refunded amounts.

          She was allowed to continue this activity for over a year after we were notified so that she would exceed a particular dollar amount at which time she was prosecuted and convicted at a higher level than would have been possible if she had been busted immediately.

          Once again... these guys are serious. Always have refunded amounts put on the card with which you made the purchase or accept store credit instead (though one or two instances won't matter much any sort of pattern over time will). It really isn't worth getting a flag put on your account. You may never know of an investigation that takes place, but you may have a higher risk level associated with your account that can change balance increases or future offers.
          • Considering that most police agencies (including the FBI) flatly refuse to even take a report over less than $50,000, color me a little skeptical about how "serious" these guys are.

            (And yes, I've worked in retail management, and above, for all my adult life, and have been directly involved in retrieving those records. A couple of times. In 25 years. The local cops will occasionally have time for such fraud, but they're generally only interested in the shoplifting aspects of it, because it's a far lower amo
        • r. These guys are serious and have entire departments dedicated to identifying patterns of fraud.

          Thanks for perpetuating the myth that banks care. The banks place an enormous burden of proof on the retailer. The bank is assuming no liability whatsoever.

          Question: what the retailer does to cover his fraud costs?

          Answer: Raise prices.

          Funny, nowhere in there are the banks assuming any risks.
        • Re: (Score:3, Insightful)

          So what about those stupid electronic signature collectors? Some of those things are so badly broken that all you can manage to produce is one line after signing your entire name. Even if they are working properly, they will often only produce a blocky straight-line approximation of your real signature. How can these be accepted as valid signatures by anyone?
        • Re:yeah yeah (Score:4, Interesting)

          by Blkdeath (530393) on Monday July 02 2007, @09:28PM (#19725527) Homepage

          If there is a disputed charge of any amount the credit agency sends a notice to the seller. The seller MUST provide signature evidence related to the transaction within a period of several days or the charge is automatically reversed (charge-back).

          Close, but not quite. If/when there's a dispute, the credit card company reverses all disputed funds and then demands signatory proof. If there's no electronic swipe of the card on record, they also demand an imprint to go along with the signature.

          When I was working for a pizza delivery restaurant (mom & pop shop) they had a customer who ordered about $40-50 worth of food about 3-4 nights a week. Pretty much the same stuff each time; fried foods, milk shakes, cans of pop, stuff like that. After about 12-15 orders, Visa reversed the funds for all of his orders and demanded proof; the customer had called 'fraud'. Due to different drivers at different times (and their respective attitudes towards being thorough) the store had let's say 12 receipts with only 9 imprints. A couple of the imprints were deemed illegible so only 7 of the 12 charges were allowed to go through.

          The contention of the store, and it took a lot of fighting to get this point across, was that the orders came from the same phone number (verified with caller ID), followed the same pattern, came at the same time of day (late at night), went to the same address and obviously if the first 7 were correct then why not the other 5?!?

          It was later discovered that this individual (a casual drug user who had a Sheriff's notice of eviction on his apartment door, incidentally) had recently been sent the card in one of those "You're Pre-Approved!" style mail-outs, activated it for however many thousand dollars they'd give him then started going wild ordering from several restaurants. Basically anybody who'd deliver to his crummy building. I'm not sure what happened to him in the end but for the pain he put the merchants through and the money he cost the Visa fraud team and the credit he blew through on that card I'd hope that he's at least a guest of the Province for the next 5 years of his life, but hey, what can you do right?

      • Re: (Score:2, Informative)

        Okay, whatever manipulation of the monetary system the Federal Reserve does, individual member banks aren't actually allowed to print money at will. The banks still have to pay interest on the borrowed money. I hope you were joking about that.

        Yes they are, they really do get permission to magic money into existence [wikipedia.org]. They don't have to borrow it from The Reserve, or pay interest on it. The limit they can magic is based on their reserve ratio (seems to be about 3% for most banks) and the amount of deposits they can acquire. I couldn't believe it either at first. I wish I'd understood this while I was at school, I'd be a banker now.

        Money doesn't grow on trees, it's easier than that, it's magic'd into existence.

        Back on topic. This does explain the

        • They don't create any money in this way at all, they simply move it about. When you put your money into a bank the whole point is that the bank is free to do whatever they want with the money. They never claim that they will hold it in their vault or some such. The great depression was partially caused by that very fact, everyone wanted their money out of the banks and the banks couldn't give it to them since they no longer had it.
          • They don't create any money in this way at all

            Eh, yes that's exactly what they do. As long as they hold 3% worth of deposits they can multiply it, in this case ultimately about 30 times as they loan it out.

            How else do you explain the fact that the credit card companies aren't breaking down the doors of the fraudsters and auctioning off everything they own? It's because credit card fraud is no big deal.

            In fact, in the UK the police aren't even told about credit card fraud.

            http://www.fairinvestment.co.uk/financial-news-Banks-defend-new-credit-card-frau [fairinvestment.co.uk]

            • Re: (Score:3, Insightful)

              Eh, yes that's exactly what they do. As long as they hold 3% worth of deposits they can multiply it, in this case ultimately about 30 times as they loan it out.

              They don't multiply anything. You're simply operating on the assumption that the money you have in the bank actually exists which it doesn't. As I said, if people tried to withdraw more money from a bank than there are reserves of the bank would be screwed (well not that much, thanks to federal insurance on deposits). If they actually made money then there would be no problems with this scenario. A bank is essentially an investment in essence. You give them your money so they can loan it out to other peopl

        • Paul Grignon has created a video called Money as Debt [google.com] which is recommended viewing to understand the Fractional Reserve system we have today.

          What it comes down to is that our current monetary system is directly related to how much debt we have. The more debt, the more money and vice versa. Lenders make money on the interest of funds promised to be paid back - those funds don't really exist (or at least most of those funds don't - a fractional portion does).

          Let's say a bank has $1,000 in the vault. In a

          • This is what you all should have learned in high school.

            Except. I don't agree with the outcome of eliminating all debt.
            1. There will always be *some* need for credit. It's just human behavior.
            2. People will always find something shiny and new to pay more than they paid last year for something a little less shiny.
          • Let me preface this by saying I don't like government control of the money supply for the same reason I don't like government control of anything. However, that's no reason to permit flawed arguments against either, which is why I feel the need to address these points (I'd do the same for someone too gung-ho about the Federal Reserve):

            What it comes down to is that our current monetary system is directly related to how much debt we have. The more debt, the more money and vice versa. Lenders make money on the i
                • Re: (Score:3, Insightful)

                  (Incidentally, for various reasons, I think an insulin price index would be the best measure, since demand and supply are stable and you can't debase the product in response to inflation, but I can't find one.)

                  There are many brands and types of Insulin, fast release, slow release, human, synthetic, animal. Heck, they're working on permanent cures for diabetes. So insulin futures could crash in the next 30 years.

                  As for wage stagnation, I think that it's a side effect of globalization. We were on the high en
    • Re: (Score:3, Informative)

      http://www.ingrimayne.com/econ/Banking/Commodity.html [ingrimayne.com]
      for those who don't get what the parent is talking about. Although banks don't quite "magic" money into existence.
  • by Anonymous Coward
    maybe??

    --
    Jaap van Ballspoogen
  • It's simply not worth it for anyone to investigate and verify small charges. So why even bother paying to keep a paper trail nobody will ever use?

    If it's a fraudulent charge report it.
    It seems to me the usage based flagging works just fine anyway.
  • by Irvu (248207) on Monday July 02 2007, @03:47PM (#19721903)
    Look, encrypted or not the RFID chips simply send out a unique signal. A signal that, once trapped, can be recorded and reused. For the true "contactless" payment systems this contact is the only one. Unless the number changes in response to some handshake (something that isn't being done in the present generation of Contactless systems) then possession of the key is the only security and, in absence of a signature or indefinitely stored security cameras, the only record of the card's use.

    Lacking the independent verification this is begging for an attack.

    • by EmbeddedJanitor (597831) on Monday July 02 2007, @04:28PM (#19722385)
      It depends on the RFID chips. These don't always just send out a unique code... there would be little point to that.

      There have been many descriptions of challenge/response protocols to prevent a reader being conned by a recorded message.

      Ultimately any transaction comes down to trust at some point. The trick is to reduce the number of parties that you need to trust in the process.

    • by swillden (191260) * <shawn-ds@willden.org> on Monday July 02 2007, @06:50PM (#19723615) Homepage Journal

      Look, encrypted or not the RFID chips simply send out a unique signal. A signal that, once trapped, can be recorded and reused.

      You're right if you look at most of the contactless payment mechanisms that have been deployed in the US. They are what I would call RFID, not contactless smart cards, and they're dumb, and replayable.

      You're wrong if you look at what has been deployed in other places, and if you look at the standards that have been defined for contactless payment. Contactless smart cards are full-blown microprocessor cards, with secure storage, key management capabilities and support for strong encryption, both symmetric and asymmetric. One of those cards plus secure EMV [emvco.com] transactions (I say "secure" because EMV defines several levels of security, and the lowest aren't very good) and a card-verified PIN is very secure indeed. Vastly better than magstripe. And, believe it or not, it is completely possible to perform a strong mutual authentication and a secured transaction in < 200 ms, which is as long as it takes to tap the card on the reader.

      With respect to contact vs. contactless, the difference is irrelevant from a security point of view. The key to making either secure is (a) using an adequately "smart" and tamper-resistant chip, and (b) using well-designed transaction protocols that make appropriate use of cryptographic operations.

      The current trend in the US financial industry is, unfortunately, focused on low cost of chips and maximum convenience. Note, however, that the low level of security doesn't affect the cardholder that much, because as it is now the cardholder is not liable for fraudulent transactions. It's the banks and merchants that absorb those costs, and if they'd rather save money up front on secure hardware and pay for it later in fraud, that's their business.

      What may reverse that trend, even here, is the possible upcoming shift to NFC devices for payment, rather than contactless smart card or RFID. NFC is basically the idea of putting a smart card RF transceiver in your cellphone, plus one or more secure processing units (which look a lot like smart card chips). Given the fact that the difference between using a powerful, high-security secure processor and a cheap, low-security one is a couple of dollars, it makes a lot less sense to go the cheap route when you're embedding it in a $100 phone. When you're looking at a plastic card, a price increase of $2 means tripling the price of the card.

      Time will tell if we actually do go that way, but consumers, banks, merchants and mobile phone service operators all like it, so the odds are good.

  • by tbo (35008) on Monday July 02 2007, @03:48PM (#19721911) Journal
    It's obvious that contactless payments are vulnerable to at least one type of attack--a real-time relay. This usually would require two "attackers" working in tandem. The first carries a modified "contactless reader" in his pocket, and stands near somebody who is carrying a contactless card (perhaps on a bus or another crowded place where it won't be too obvious. The second attacker carries a device that can act as a contactless card "repeater", with a real-time data link to the first attacker's "reader". The second attacker walks up to the reader in a store, and waves his repeater at it (perhaps hidden in his wallet, in the same hand as a dummy card so as not to arouse suspicion). The store's reader sends a signal, which is picked up by the second attacker's repeater, transmitted to the first attacker's modified reader, then broadcast to the victim's card. It responds appropriately, and its response is relayed back to the reader in the store. It's not necessary to break any encryption to do this, and there's no real way to prevent such attacks except perhaps very tight timing tolerances.

    I thought about all this when the bank sent me a contactless VISA, and I initially considered refusing the card. Then I realized that the bank will take the hit on any losses, and has presumably done the math to determine that the increase in risk of fraud is acceptable, at least for small purchases. In other words, it's secure enough.
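
Added example, not part of the thread or of any payment scheme's code: a constructed Python simulation of the points raised in the comments above, showing a reader that accepts a fixed identifier, a reader that issues a fresh challenge and verifies a keyed response, and the same reader with a response-time bound. The key, identifier, HMAC-SHA256 construction and all timing figures are assumptions chosen for illustration.

```python
"""Constructed simulation: fixed identifier vs. challenge/response vs.
challenge/response with a response-time bound. All values are made up."""
import hashlib
import hmac
import secrets

CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
STATIC_ID = b"ACCT-0000-DEMO"                                  # constructed identifier
MAX_RTT_US = 5_000       # assumed reader timing budget, not taken from any standard
CARD_COMPUTE_US = 2_000  # assumed time the card needs to compute its answer


class Card:
    """Card holding a secret key that never leaves the chip."""

    def __init__(self, key):
        self._key = key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def direct_channel(card):
    """Card is physically at the reader: only the card's own compute time."""
    def send(challenge):
        return card.respond(challenge), CARD_COMPUTE_US
    return send


def replay_channel(recorded_response):
    """Plays back a previously recorded answer, whatever the challenge is."""
    def send(_challenge):
        return recorded_response, CARD_COMPUTE_US
    return send


def relay_channel(card, link_latency_us):
    """Forwards challenge and answer over a link; latency is paid both ways."""
    def send(challenge):
        return card.respond(challenge), CARD_COMPUTE_US + 2 * link_latency_us
    return send


def reader_accepts_static(presented_id):
    """Reader for a fixed-identifier tag: the identifier is the only check."""
    if hmac.compare_digest(presented_id, STATIC_ID):
        return "accept"
    return "reject: unknown id"


def reader_accepts_cr(send, key=CARD_KEY, max_rtt_us=None):
    """Issue a fresh random challenge and verify the keyed response.
    With max_rtt_us set, a late answer is rejected even when it is correct."""
    challenge = secrets.token_bytes(16)
    response, rtt_us = send(challenge)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(response, expected):
        return "reject: bad response"
    if max_rtt_us is not None and rtt_us > max_rtt_us:
        return "reject: too slow"
    return "accept"


def run_demo():
    card = Card(CARD_KEY)
    # An earlier legitimate exchange, assumed to have been recorded off the air.
    recorded = card.respond(secrets.token_bytes(16))
    relayed = relay_channel(card, link_latency_us=20_000)
    return {
        # A fixed identifier looks the same every time, so a copy is accepted.
        "static_id_replayed": reader_accepts_static(STATIC_ID),
        "cr_genuine": reader_accepts_cr(direct_channel(card)),
        # The old answer does not match the new challenge.
        "cr_replayed": reader_accepts_cr(replay_channel(recorded)),
        # The real card answers the real challenge, so the crypto alone passes.
        "cr_relayed_no_timing": reader_accepts_cr(relayed),
        # The extra round trip over the link exceeds the timing budget.
        "cr_relayed_with_timing": reader_accepts_cr(relayed, max_rtt_us=MAX_RTT_US),
        "cr_genuine_with_timing": reader_accepts_cr(direct_channel(card),
                                                    max_rtt_us=MAX_RTT_US),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```
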

    • Bad Assumptions (Score:5, Informative)

      by mpapet (761907) on Monday July 02 2007, @04:21PM (#19722305) Homepage
      Then I realized that the bank will take the hit on any losses

      No. You and I absorb the costs of fraud because the retailer pays a penalty and loses the income from the fraudulent activity. The retailer raises the price of her goods and services to cover these costs.

      You and I also pay the costs for rewards card programs and contactless cards. Nowhere in the process does the bank assume any liability.
  • What? (Score:4, Interesting)

    by BobMcD (601576) on Monday July 02 2007, @03:48PM (#19721913)

    This just doesn't track with me. The article fails to explain:

    1) How Contactless is necessarily more or less secure than 'Magnetic Strip' cards. Both would require special technology to replicate. Both would store the same information. I'm assuming there's a threat vector of someone wanding your entire wallet, but that isn't in the article. Is it assumed?

    2) Why do fewer 'small ticket' restrictions mean any more of a threat on Contactless than on Magnetic?

    3) Why are 'small ticket' restrictions a threat at all? Isn't this just more of the same old credit card fraud?

    Frankly if they'd just forbid the 'small ticket' waiver for not-in-person transactions, I'd be fine with it.

    Who wants a Big Mac?
    • Re: (Score:3, Insightful)

      1 - For someone to copy the data on my magnetic strip card, they would have to physically swipe it. This has been done before (gas stations, anyone?). For RFID devices, however, this data is accessible to anyone in your near proximity with a reader (which is easy enough to hide). So basically, your data is only at risk when your magnetic card leaves your wallet (and sight!), but your contactless card is at risk of copying always.

      So while contact cards are not exactly foolproof, they are much harder to thiev
  • Since almost nobody checks the signature anyway (other than occasionally to check if the card has a signature), eliminating the signature requirement doesn't change much. However, using contactless for credit card transactions has the same security issues as any other contactless system. One of which is that the system can be surreptitiously interrogated by a fraudster. Sit down with your fraud-o-matic for 15 minutes on a Saturday in any mall, and collect hundreds of card numbers as people walk by. (and
    • "Since almost nobody checks the signature anyway"

      It's been my experience that about 10-20% of the people I hand my credit card to actually look at and read the signature on my credit card. I have "PLEASE SEE ID" written in that box and it would be a stretch to say that more than 1 out of 5 purchases result in the person asking for my ID.

      Often times the cashier will flip it over and look at it, but won't bother to ask for my ID. I partially do this to see if they will ask for my ID. I hope that if I ever
  • Visa, for instance, doesn't require your signature for purchases at or below $25."

    I think they've finally realized a simple truth: cashiers aren't handwriting analysts. Nor would they have sufficient sample (ie, 1, from the back of the card) to perform the analysis if one happened to be so trained.

    The signature provides virtually no up-front protection. As far as I can see, the signature serves one purpose: to allow the card company/merchant to investigate, after the fact, whether purchases you are claim

    • I think they've finally realized a simple truth: cashiers aren't handwriting analysts. Nor would they have sufficient sample (ie, 1, from the back of the card) to perform the analysis if one happened to be so trained

      Beyond which, the security measures they put on the signature line on the back of the card conspire to mean the signature is virtually impossible to see (unless you sign with a Sharpie...in which case it doesn't fit), and even if you were able to read it, sliding the card in and out of readers (
  • by vlad_petric (94134) on Monday July 02 2007, @03:53PM (#19721977) Homepage
    The existing, time-"proven" cryptographic methods are too expensive, from a power standpoint, to implement on cheap RFID systems. (between secure and cheap, cheap seems to always win). So manufacturers use proprietary hacks to allegedly achieve the same type of operations (e.g., authentication via challenge/response). However, these hacks are nothing more than security via obscurity.
    • Re: (Score:3, Interesting)

      The existing, time-"proven" cryptographic methods are too expensive, from a power standpoint, to implement on cheap RFID systems.

      Depends on what you mean by "cheap". A $3 contactless smart card can perform AES, SHA-256 and RSA operations sufficient to execute a high-security transaction in < 500 ms. If you can eliminate the need for PK (which you can), then transactions of less than 200 ms are possible with cards that cost less than $1.

  • Why the hell do people think having to sign something ever made anything even remotely secure?

    a, it only has to match what's on the back of the card anyway
    b, no one ever checks
    c, even if they do, if you have the card you can copy it from the back
    d, if you clone the card, you can sign it yourself in any which way you please

    *ANYTHING* would be more secure than requiring the purchaser to make some arbitrary random mark on a piece of paper.
  • It's time for a RFID-blocking wallet! [thinkgeek.com]
  • but transactions are tracked and they can disable it and get the plate of the car that has a cloned tag you should be able to do the same thing with other contactless payment systems.
  • Short answer: no.
    Long answer: not so much.

    Slashdot: you ask, we answer.

  • This is a play by the banks to privatize the role of the Treasury as a no-cost micro-transactions service provider.

    Consumers already assume all costs of payment card fraud and rewards programs. Most are stupid enough to let this go too.

    I anxiously await the uninformed posts to follow.
    • Consumers already assume all costs of payment card fraud and rewards programs. Most are stupid enough to let this go too.

      Uh...yes, they do. And who else should assume those costs?

      No, not even should, who else can assume those costs? The credit card company? If the CC company doesn't pass on the costs of fraud to the consumer, the CC company goes out of business (note: using their profits to cover the cost doesn't work - if they still have profits left over, they can be accused of building the cost of fraud
  • As if nobody was ever robbed of their remaining cash soon after completing a cash transaction.

    As if the correct change is always given.

    As if a wrong bill (50 instead of 20, for example) has never changed hands.

    As if counterfeit money is not an ongoing problem for the last several centuries.

    Keep it in perspective, people — a new technology does not need to be bulletproof to deserve a chance. It does not even have to beat an old one in all respects. Better in some respects and merely comparable in the others...

  • Gasoline hasn't needed a signature for years whether it is under $25 or not.

    Most any online purchases don't need signatures. Some ask for the special 3 digit code, but many don't.

  • by billsf (34378) <billsf.cuba@calyx@nl> on Monday July 02 2007, @04:23PM (#19722325) Homepage Journal
    As a former engineer of DigiCash in Amsterdam, I know a little about smartcard technology. There are a number of problems and risks:

    1) The technology used is very old and few improvements have been made over the last 20 years or so.

    2) The latest technology can cost over $10 while the older chips are a few cents.

    3) Banks and politics have done their best to stifle development and have mostly succeeded.

    In a word: NO. Chances are you get some 'exportable' model that supports 40bit crypto if money is involved. Otherwise, say for transit use, it may be a simple account number that is (usually) broadcast at 13.1MHz. Just because the readers appear to work at only close range does not mean the information cannot be intercepted at a range of 10's of meters or more.

    The very expensive units can support 128bit or better crypto. Apart from being costly, they may be 'export restricted' and there are a number of governments that only allow very weak security. 40bits will take about a half hour to crack on a 'high-end' desktop and only a handful of minutes on a halfway decent workstation. A shielded wallet may be a common item if these chips see widespread use. A card (or passport) carefully wrapped in aluminium foil will work (to prevent unauthorized use/interception) despite any propaganda that may be out there.

    As long as the 'value' is very low and you can accept losing it, there is really nothing wrong with using them. Keep in mind the chips can be destroyed accidentally a number of ways and easy verification and recovery of funds is doubtful. Banknotes are still better and their use for 'small ticket' purchases is not likely to go away anytime soon.

    • Re: (Score:3, Informative)

      Your information is dated.

      Cards that support 3DES and AES-128 can be purchased in volume for ~$1 each. Cards with RSA coprocessors cost a little more, and contactless costs a little more, but cards with 64KB EEPROM, RSA, ISO-14440 contactless are around $5.

      Export restrictions aren't really a problem, and haven't been for a long time, partly because the US relaxed its restrictions and partly because most of the cards are manufactured in Europe.

  • Don't you guys in the new world have chip and pin [chipandpin.co.uk] yet?

    It's a million miles from perfect, but it certainly speeds up small payments and means that a crook has to clone the card *and* shoulder-surf for the PIN. Not sure any system can be high security *and* not hack off customers. OK, we use it for big payments too (perhaps they should limit the amount to 10% of the PIN!)

    Alternatively, instead of setting a per-transaction limit, have a system where the *user* 'loads' the card with cash and when that is exh

    • P.S. RFID is crap. Get a clue!

      I think RFID is great! Much better than barcodes for inventory tracking. Maybe someday RFID readers will be common in cell phones and I can wave my phone by a product and find out if it's available at a lower price down the road. I mean, there are lots of really great uses for passive RFID tags.

      Living in Orlando which has lots of toll roads, I'll even commend the RFID toll payment system--whiz through the fast lane and pay the toll without even slowing down. It's a batt