Are Contactless Payments Really Secure?
berberine writes to tell us Ars Technica has a closer look at whether the RFID technology behind many of the up and coming "contactless payment systems" is robust enough to prevent account fraud and the theft of personal information. "Concerns over the security of contactless systems were heightened last week by a Federal Reserve decision that will allow for even more casual, low-cost purchases to be made across the country. In recent years, credit card companies have waived their signature requirements for so-called "small ticket" items in order to get a slice of the action. Visa, for instance, doesn't require your signature for purchases at or below $25."
yeah yeah (Score:2)
Re:yeah yeah (Score:5, Insightful)
Anyway
Re:yeah yeah (Score:4, Informative)
Basically, the signature is the signature to the Cardholder's Agreement you get with the card. Except that instead of the signature being on a piece of paper that no one wants to carry around, they let you sign the card itself. Once you sign it, the merchant knows that the card is valid, and they are now free to charge the card without fearing a complaint come back saying "I never authorized that!". As long as there's a signature, even if it doesn't match the person who's holding it, the merchant is not liable for fraudulent purchases.
Which is why writing "See ID" is frowned upon, and merchants will sometimes refuse to take a card with that written on the back.
Re: (Score:2)
The one that really has become a pet peeve as of late is asking to see my ID when I have a signed card. Now I don't have a reference link handy, but somewhere I've read that the merchant's agreement with the CC company actually forbids them from asking for ID if a signed card is presented. I consider this a good thing, because frankly, I don't trust that cute checkout girl at the grocery store, and I don't w
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures
So you can't *mandate* that someone provide ID i
Re:yeah yeah (Score:4, Insightful)
Why, because she's going to memorize your driver's license number, address, birthdate, issue date and expiry date and create a fake ID from memory when she gets home? What's more likely, scenario #1 above or scenario #2 where somebody gets hold of forged credit card data (perhaps your own), makes a few fake cards and sells them for $100 apiece and you get stuck with the tab?
Re:yeah yeah (Score:5, Informative)
If there is a disputed charge of any amount the credit agency sends a notice to the seller. The seller MUST provide signature evidence related to the transaction within a period of several days or the charge is automatically reversed (charge-back).
If the signatory proof is produced, but the signature does not match the one on file then depending on the amount one of two things will happen: the credit lender will request video footage and/or supporting documents related to the sale, or the credit lender will eat the charge and the seller does not get charged-back.
In the event of a suspicious pattern of claims of fraudulent activity the credit lender reserves the right to investigate the card holder to the extent that they may request video or other documentary evidence related to purchases made by the card holder at any location that accepts the credit card as tender. It is up to the legal department of the seller whether to comply, but my experience is that they always do. All major retailers with which I am familiar have procedures set up for handling charge-back notifications in-store, without legal department approval providing the request for documents falls within a predefined range of appropriate disclosure (usually does not include video which is a separate approval process).
Always sign your slips with a distinct signature, never try to screw with your card provider. These guys are serious and have entire departments dedicated to identifying patterns of fraud... you are not excluded even if your fraud pattern is only going to include small amounts.
Regards.
I should also mention... (Score:5, Interesting)
For any youngsters out there getting ideas... card companies also work closely with major retailers to identify a reverse type of fraud.
One case I saw related to a woman who generated false receipts for small dollar amounts (box store multimedia retailer) and returned product that had been stolen for the purpose of reducing her credit card bills with the refunded amounts.
She was allowed to continue this activity for over a year after we were notified so that she would exceed a particular dollar amount at which time she was prosecuted and convicted at a higher level than would have been possible if she had been busted immediately.
Once again... these guys are serious. Always have refunded amounts put on the card with which you made the purchase or accept store credit instead (though one or two instances won't matter much, any sort of pattern over time will). It really isn't worth getting a flag put on your account. You may never know of an investigation that takes place, but you may have a higher risk level associated with your account that can change balance increases or future offers.
Re: (Score:2)
(And yes, I've worked in retail management, and above, for all my adult life, and have been directly involved in retrieving those records. A couple of times. In 25 years. The local cops will occasionally have time for such fraud, but they're generally only interested in the shoplifting aspects of it, because it's a far lower amo
Re: (Score:2)
Your anecdote differs from my life experience. When I was bartending I talked to detectives a few times about stolen credit cards. One was for a $15 tab. They didn't seem to care it was small time.
I never talked to any feds though.
Re: (Score:2)
In California, using a stolen credit card for a small amount is a misdemeanor, which means the police can't arrest you unless they personally see you commit the crime. But if you mug someone to get it, that's a felony robbery, and a violent one, to boot.
They really don't care about small-time economic crime. They don't have time to.
Re: (Score:2)
Missing The Point (Score:2)
Thanks for perpetuating the myth that banks care. The banks place an enormous burden of proof on the retailer. The bank is assuming no liability whatsoever.
Question: what does the retailer do to cover his fraud costs?
Answer: Raise prices.
Funny, nowhere in there are the banks assuming any risks.
Re: (Score:3, Insightful)
Re:yeah yeah (Score:4, Interesting)
Close, but not quite. If/when there's a dispute, the credit card company reverses all disputed funds and then demands signatory proof. If there's no electronic swipe of the card on record, they also demand an imprint to go along with the signature.
When I was working for a pizza delivery restaurant (mom & pop shop) they had a customer who ordered about $40-50 worth of food about 3-4 nights a week. Pretty much the same stuff each time; fried foods, milk shakes, cans of pop, stuff like that. After about 12-15 orders, Visa reversed the funds for all of his orders and demanded proof; the customer had called 'fraud'. Due to different drivers at different times (and their respective attitudes towards being thorough) the store had let's say 12 receipts with only 9 imprints. A couple of the imprints were deemed illegible so only 7 of the 12 charges were allowed to go through.
The contention of the store, and it took a lot of fighting to get this point across, was that the orders came from the same phone number (verified with caller ID), followed the same pattern, came at the same time of day (late at night), went to the same address and obviously if the first 7 were correct then why not the other 5?!?
It was later discovered that this individual (a casual drug user who had a Sheriff's notice of eviction on his apartment door, incidentally) had recently been sent the card in one of those "You're Pre-Approved!" style mail-outs, activated it for however many thousand dollars they'd give him then started going wild ordering from several restaurants. Basically anybody who'd deliver to his crummy building. I'm not sure what happened to him in the end but for the pain he put the merchants through and the money he cost the Visa fraud team and the credit he blew through on that card I'd hope that he's at least a guest of the Province for the next 5 years of his life, but hey, what can you do right?
Re: (Score:2, Informative)
Okay, whatever manipulation of the monetary system the Federal Reserve does, individual member banks aren't actually allowed to print money at will. The banks still have to pay interest on the borrowed money. I hope you were joking about that.
Yes they are, they really do get permission to magic money into existence [wikipedia.org]. They don't have to borrow it from The Reserve, or pay interest on it. The limit they can magic is based on their reserve ratio (seems to be about 3% for most banks) and the amount of deposits they can acquire. I couldn't believe it either at first. I wish I'd understood this while I was at school, I'd be a banker now.
Money doesn't grow on trees, it's easier than that, it's magic'd into existence.
Back on topic. This does explain the
Re: (Score:2)
Re: (Score:2)
They don't create any money in this way at all
Eh, yes that's exactly what they do. As long as they hold 3% worth of deposits they can multiply it, in this case ultimately about 30 times as they loan it out.
How else do you explain the fact that the credit card companies aren't breaking down the doors of the fraudsters and auctioning off everything they own? It's because credit card fraud is no big deal.
In fact, in the UK the police aren't even told about credit card fraud.
http://www.fairinvestment.co.uk/financial-news-Banks-defend-new-credit-card-frau [fairinvestment.co.uk]
Re: (Score:3, Insightful)
Eh, yes that's exactly what they do. As long as they hold 3% worth of deposits they can multiply it, in this case ultimately about 30 times as they loan it out.
They don't multiply anything. You're simply operating on the assumption that the money you have in the bank actually exists which it doesn't. As I said, if people tried to withdraw more money from a bank than there are reserves of the bank would be screwed (well not that much, thanks to federal insurance on deposits). If they actually made money then there would be no problems with this scenario. A bank is essentially an investment in essence. You give them your money so they can loan it out to other peopl
Re: (Score:2)
They don't multiply anything. You're simply operating on the assumption that the money you have in the bank actually exists which it doesn't.
Well now you're getting philosophical.
You give them your money so they can loan it out to other people, that's how it works.
uhuh. I give them 100 in cash. They take that cash and loan 95 out. Strangely, it comes back to them because that's what you do with money. They now have 195 on deposit. They get to loan out 185 of that, which comes back again as more deposits. Giving them deposits of 380 and loans worth 280, on an initial deposit of 100. Repeat until total money equals up to 2000 for a 5% ratio.
How is that not multiplication? They are multiplying the money and the debt.
Actually it's because in many cases it's the merchant not the bank that is liable for fraudulent transactions. So they literally lose nothing from fraud in monetary terms and possibly even make money from fraud.
That's just i
Re: (Score:2)
Strangely, it comes back to them because that's what you do with money.
If you think that people just borrow money to put it into a bank, you're mistaken. I borrow money, it's for a car, house, whatever. Now yes, fractions of that are likely to end up in banks, but not to the extent you're talking about. In the case of a new home - it goes towards paying for all the building materials a
Re: (Score:2)
How is that not multiplication? They are multiplying the money and the debt.
No, they're multiplying the debt only. The amount of money stays exactly the same. By your logic I can generate infinite money as well. All I need is say $1 and a friend. I lend him $1. He lends me $1 back. I lend it to him again. Repeat for however long we want. I now owe him $1 million and he owes me $1 million and a dollar. In the end there is still only a single dollar with which I can buy things.
That's just icing. There's nothing for them to lose, maybe a bit of interest.
A bank is based on interests and profits. To a company losing either is no different from you losing money
Re: (Score:2)
Put another way -- Money is created from Debt (Score:2)
What it comes down to is that our current monetary system is directly related to how much debt we have. The more debt, the more money and vice versa. Lenders make money on the interest of funds promised to be paid back - those funds don't really exist (or at least most of those funds don't - a fractional portion does).
Let's say a bank has $1,000 in the vault. In a
Mod Parent Informative (Score:2)
Except. I don't agree with the outcome of eliminating all debt.
1. There will always be *some* need for credit. It's just human behavior.
2. People will always find something shiny and new to pay more than they paid last year for something a little less shiny.
Re: (Score:2)
Re: (Score:2)
So it has proven healthier than any alternative, and is in fa
To you and Colin Smith (Score:3, Interesting)
What it comes down to is that our current monetary system is directly related to how much debt we have. The more debt, the more money and vice versa. Lenders make money on the i
Promises promises promises. (Score:2)
All of the money it lent is backed.
LOL. Yes of course... What's it backed by?
A promise.
Really that's it. The monetary system is backed by trillions of promises. No problems there then, and, credit card debt is unsecured (even if that wasn't a farce).
Even if no one, at any positive interest rate, ever borrowed money, you could still grow your money by buying shares of businesses. All that's necessary for the money to grow is that people not save all of their money.
Most of the growth on the stock market is simply inflation. Increased supply of money making its way into the investment markets. It just isn't called inflation. Sure some companies increase efficiency and profitability, but most of it's just soaked up liquidity.
So anyway. Back on topic.
Re: (Score:2)
It's hard to see how any multi-stage financial transaction could ever be acceptable to you. A mortgage is backed by a PROMISE to cede the house on non-payment. A share of stock is backed by the PROMISE to acknowledge your voting rights in that business and to pay you proportional dividends. A
Re: (Score:2)
Imagine this scenario
You join a poker game. You give $100 to Mr.A to buy some chips. Mr. A puts the $100 in a box along with the other dollars others have given him for the chips and Mr. A gives you 100 chips.
At the end of the game, *everyone* in the game will give their chips to Mr. A and get back real money. Hopefully, everyone will tip Mr. A for services provided.
Now, the next day you join the game and you notice there is a new pl
Re: (Score:2)
Keep in mind that when you go to banks, you're talking about amounts of money and depositors that make this more a function of mathematics than luck, much like
Re: (Score:2)
You're looking at it the wrong way. Think how CHEAP houses would be if people couldn't borrow 10x their income to pay for them.
Re: (Score:2)
Re: (Score:2)
Okay, I agree -- in that instance, the claim is fraudulent and the chip issuer has screwed the players. No argument there.
But the problem with extending that example to the present world is that the chip issuer -- and the Fed -- can only do that once. Every point thereafter, people *know* what's going on with the chips. They know what the fed/chip issuer is doing to the currency and, for all future bets (in the poker game), they know to mentally account the chips as 1/10 of their face value
Re: (Score:2)
A mortgage is backed by a PROMISE to cede the house on non-payment.
uhuh. Can you define the value of the house? Yesterday, it was worth 100,000. Today, when it's auctioned, it's worth 50,000. That's now 50,000 worth of non backed cash. What's a new car worth once it's been driven off the lot?
So, what's exactly wrong with backing something with a promise?
Not everyone is as trustworthy or as responsible as you or I. And I don't have a problem with credit at all. It's credit backed currency I have a problem with, for various reasons.
Not true. Stock market nominal (not-inflation-adjusted) returns have been ~11% since 1927, while inflation (CPI) has averaged ~3.5%, tops
I think you missed my point. If the money supply to the economy is increasing at 10% per year, the 3% w
Re: (Score:3, Insightful)
There are many brands and types of Insulin, fast release, slow release, human, synthetic, animal. Heck, they're working on permanent cures for diabetes. So insulin futures could crash in the next 30 years.
As for wage stagnation, I think that it's a side effect of globalization. We were on the high en
Re: (Score:2)
Money itself is a fiat. If it weren't, we wouldn't call it money. The fact that this fiat is based on interconnected promissory notes shouldn't surprise you.
Re: (Score:2)
Because the system is so prevalent and there's so much support in the federal reserve system the only way to create a real run on the bank (which would likely cause the collapse of the system) is to have everyone, everywhere withdraw all their money at the same time -- clearly something that could not happen because the bank doesn't really have the money to back up the numbers in your accounts.
Bank accounts are government insured up to $100k I think, great depression caused that one to come about if I remember correctly. Anyway, the worst that would happen is that the federal reserve pays out the loans and if needed prints enough money to cover it. Massive inflation but everyone would get their now much less valuable money back.
Re: (Score:2)
You are making several false beliefs.
1. People that take out loans generally do NOT deposit the full amount back into the bank. Usually they deposit a minute fraction.
2. People defaulting on loans is an immediate and DIRECT loss to the bank.
Here it works like this in real life.
I deposit 100 to the bank.
The bank loans out 900 to various people (using my 100 and a 10% reserve)
The bank really wishes those people would deposit it back to them, but
Re: (Score:2)
How was parent modded Informative? Read the wikipedia article he references. The bank has a stack of IOUs (from borrowers to it) a stack of IOUs (from it to depositors) and a stack of singles. Notice how the IOUs from the borrowers plus the stack of singles always equals (in this example) the stack of IOUs that the bank owes? This is because their assets (IOUs from the creditors and I'm folding cash in as well) balance their liabilities.
They are forced to have a certain percentage of the money they owe
Re: (Score:2, Informative)
Page 28 directs the sales clerk, "The final step in the card acceptance process is to ensure the customer signs the sales receipt and to compare that signature with the signature on the back of the card..."
On page 29, note "Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse
Re: (Score:3, Informative)
For those who don't get what the parent is talking about. Although banks don't quite "magic" money into existence.
I dunno..... (Score:2, Funny)
--
Jaap van Ballspoogen
Cost of investigation (Score:2)
If it's a fraudulent charge report it.
It seems to me the usage based flagging works just fine anyway.
Are they insecure... Yes. (Score:4, Interesting)
Lacking the independent verification this is begging for an attack.
Codes are not unique. (Score:4, Insightful)
There have been many descriptions of challenge/response protocols to prevent a reader being conned by a recorded message.
Ultimately any transaction comes down to trust at some point. The trick is to reduce the number of parties that you need to trust in the process.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Things c
Re: (Score:2)
I don't know how close one must be to actually talk to a card
Nominal maximum range for an ISO 14443 device (a contactless smart card) is 4 cm. Under carefully controlled laboratory conditions, you can get 2-3 times as much range, with difficulty. In real-world conditions it's pretty rare to get even 2 cm. Normally it's less than 1 cm.
would a powerful transmitter be able to talk to a card from a far away distance?
Not really. A very powerful transmitter can power the chip from farther away, but the nature of the way the chip is powered by the transmitter's RF field means that power drops with the cube (not square) of distance. So to do i
You're wrong. And right. (Score:4, Insightful)
You're right if you look at most of the contactless payment mechanisms that have been deployed in the US. They are what I would call RFID, not contactless smart cards, and they're dumb, and replayable.
You're wrong if you look at what has been deployed in other places, and if you look at the standards that have been defined for contactless payment. Contactless smart cards are full-blown microprocessor cards, with secure storage, key management capabilities and support for strong encryption, both symmetric and asymmetric. One of those cards plus secure EMV [emvco.com] transactions (I say "secure" because EMV defines several levels of security, and the lowest aren't very good) and a card-verified PIN is very secure indeed. Vastly better than magstripe. And, believe it or not, it is completely possible to perform a strong mutual authentication and a secured transaction in < 200 ms, which is as long as it takes to tap the card on the reader.
With respect to contact vs. contactless, the difference is irrelevant from a security point of view. The key to making either secure is (a) using an adequately "smart" and tamper-resistant chip, and (b) using well-designed transaction protocols that make appropriate use of cryptographic operations.
The current trend in the US financial industry is, unfortunately, focused on low cost of chips and maximum convenience. Note, however, that the low level of security doesn't affect the cardholder that much, because as it is now the cardholder is not liable for fraudulent transactions. It's the banks and merchants that absorb those costs, and if they'd rather save money up front on secure hardware and pay for it later in fraud, that's their business.
What may reverse that trend, even here, is the possible upcoming shift to NFC devices for payment, rather than contactless smart card or RFID. NFC is basically the idea of putting a smart card RF transceiver in your cellphone, plus one or more secure processing units (which look a lot like smart card chips). Given the fact that the difference between using a powerful, high-security secure processor and a cheap, low-security one is a couple of dollars, it makes a lot less sense to go the cheap route when you're embedding it in a $100 phone. When you're looking at a plastic card, a price increase of $2 means tripling the price of the card.
Time will tell if we actually do go that way, but consumers, banks, merchants and mobile phone service operators all like it, so the odds are good.
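Added example, not part of the original comments: a Python sketch of the difference drawn in this thread between a "dumb, replayable" RFID token and a card that answers a reader's challenge. The HMAC-based scheme, the class names and the account value are assumptions made for illustration; this is not EMV's actual cryptogram format, and in a real deployment the card key is verified by the issuer rather than held in the reader.

```python
import hashlib
import hmac
import secrets


class StaticTag:
    """Replayable token: answers every reader with the same stored bytes."""

    def __init__(self, account_id: bytes):
        self.account_id = account_id

    def respond(self, challenge: bytes, amount_cents: int) -> bytes:
        # Challenge and amount are ignored, so nothing in the reply is fresh.
        return self.account_id


class ChallengeResponseCard:
    """Card with a secret key that is used on-chip and never transmitted."""

    def __init__(self, account_id: bytes, key: bytes):
        self.account_id = account_id
        self._key = key

    def respond(self, challenge: bytes, amount_cents: int) -> bytes:
        # MAC over account, the reader's fresh challenge and the amount.
        msg = self.account_id + challenge + amount_cents.to_bytes(8, "big")
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Reader:
    """Verifier side. card_keys maps account id to card key (simplification)."""

    def __init__(self, card_keys: dict):
        self._card_keys = card_keys
        self._pending = None

    def start(self, amount_cents: int) -> bytes:
        # A new unpredictable 128-bit challenge for every transaction.
        self._pending = (secrets.token_bytes(16), amount_cents)
        return self._pending[0]

    def accept_static(self, reply: bytes) -> bool:
        # All the reader can check is that the identifier is known.
        return reply in self._card_keys

    def accept_mac(self, account_id: bytes, reply: bytes) -> bool:
        if self._pending is None:
            return False
        challenge, amount_cents = self._pending
        self._pending = None  # each challenge is good for one attempt only
        key = self._card_keys.get(account_id)
        if key is None:
            return False
        msg = account_id + challenge + amount_cents.to_bytes(8, "big")
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, reply)


def run_demo() -> dict:
    account = b"ACCT-0001"          # constructed sample value
    key = secrets.token_bytes(32)   # constructed per-card key
    reader = Reader({account: key})
    results = {}

    # Static token: a reply recorded once is accepted again later.
    tag = StaticTag(account)
    challenge = reader.start(500)
    recorded_static = tag.respond(challenge, 500)
    results["static_genuine"] = reader.accept_static(recorded_static)
    reader.start(2500)
    results["static_replay"] = reader.accept_static(recorded_static)

    # Challenge/response card: the recorded reply fails a new challenge.
    card = ChallengeResponseCard(account, key)
    challenge = reader.start(500)
    recorded_mac = card.respond(challenge, 500)
    results["mac_genuine"] = reader.accept_mac(account, recorded_mac)
    reader.start(500)
    results["mac_replay"] = reader.accept_mac(account, recorded_mac)

    # A reply computed for 500 cents does not verify against 2500 cents.
    challenge = reader.start(2500)
    reply_for_500 = card.respond(challenge, 500)
    results["mac_wrong_amount"] = reader.accept_mac(account, reply_for_500)
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```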
No, but they're secure enough (Score:5, Insightful)
I thought about all this when the bank sent me a contactless VISA, and I initially considered refusing the card. Then I realized that the bank will take the hit on any losses, and has presumably done the math to determine that the increase in risk of fraud is acceptable, at least for small purchases. In other words, it's secure enough.
Bad Assumptions (Score:5, Informative)
No. You and I absorb the costs of fraud because the retailer pays a penalty and loses the income from the fraudulent activity. The retailer raises the price of her goods and services to cover these costs.
You and I also pay the costs for rewards card programs and contactless cards. Nowhere in the process does the bank assume any liability.
Pricing does not reflect cost (Score:2)
Most people assume, and it used to be this way when the Catholic Church ruled Europe, that prices are set by adding material cost, plus labor, plus reasonable profit. For instance, I sell chairs. I paid 10 bucks for the wood, I had to pay the carpenter 10 bucks
Re: (Score:2)
You're forgetting supply (Score:2)
Read the first sentence of the Wikipedia entry on supply curves [wikipedia.org]. It tells you right there that the primary reason for a shift in the supply curve is a change in cost. So yes prices reflect cost. Increased cost means less supply means higher prices.
Re: (Score:2)
Nowhere in the process does the bank assume any liability.
This isn't true. There are plenty of circumstances in which one of the banks ends up holding part or all of the liability. In some rare cases even the clearinghouse that settles transactions between the merchant acquiring bank and the card issuing bank takes the liability. You're right that it generally falls on the merchant, but not always.
However, even if the liability is shared, the cost of that fraud obviously must eventually make its way into the pockets of the consumers, because we are ultimate
Re: (Score:2)
That depends on the price elasticity of demand. Furthermore, retailers usually only pay a penalty if fraud exceeds a certain threshold. Since retailers have a choice (for now, at least) about installing contactless readers, they presumably won't do it unless it makes financial sense. If fraud is a major problem, retailers won't adopt the system.
Re: (Score:2)
Re: (Score:2)
maybe even a momentary connect would be needed (so you hit the button and then release to trigger)
What? (Score:4, Interesting)
This just doesn't track with me. The article fails to explain:
1) How Contactless is necessarily more or less secure than 'Magnetic Strip' cards. Both would require special technology to replicate. Both would store the same information. I'm assuming there's a threat vector of someone wanding your entire wallet, but that isn't in the article. Is it assumed?
2) Why do fewer 'small ticket' restrictions mean any more of a threat on Contactless than on Magnetic?
3) Why are 'small ticket' restrictions a threat at all? Isn't this just more of the same old credit card fraud?
Frankly if they'd just forbid the 'small ticket' waiver for not-in-person transactions, I'd be fine with it.
Who wants a Big Mac?
Re: (Score:3, Insightful)
So while contact cards are not exactly foolproof, they are much harder to thiev
Re: (Score:2)
That's only true so long as details of the algorithm used to generate the codes stay secret. They won't forever, and eventually the bad guys will be able to duplicate the functionality of a legitimate reader. There's a lot of money in credit card fraud, and a lot of very bright people (at least as smart as the folks develop
Re: (Score:2)
Of course, the fact that the crypto e
Signatureless, no change. Contactless, problem (Score:2)
Re: (Score:2)
It's been my experience that about 10-20% of the people I hand my credit card to actually look at and read the signature on my credit card. I have "PLEASE SEE ID" written in that box and it would be a stretch to say that more than 1 out of 5 purchases result in the person asking for my ID.
Often times the cashier will flip it over and look at it, but won't bother to ask for my ID. I partially do this to see if they will ask for my ID. I hope that if I ever
Signature is pointless (Score:2)
Visa, for instance, doesn't require your signature for purchases at or below $25."
I think they've finally realized a simple truth: cashiers aren't handwriting analysts. Nor would they have sufficient sample (ie, 1, from the back of the card) to perform the analysis if one happened to be so trained.
The signature provides virtually no up-front protection. As far as I can see, the signature serves one purpose: to allow the card company/merchant to investigate, after the fact, whether purchases you are claim
Re: (Score:2)
Beyond which, the security measures they put on the signature line on the back of the card conspire to mean the signature is virtually impossible to see (unless you sign with a Sharpie...in which case it doesn't fit), and even if you were able to read it, sliding the card in and out of readers (
Main problem with RFID (Score:5, Informative)
Re: (Score:3, Interesting)
Depends on what you mean by "cheap". A $3 contactless smart card can perform AES, SHA-256 and RSA operations sufficient to execute a high-security transaction in < 500 ms. If you can eliminate the need for PK (which you can), then transactions of less than 200 ms are possible with cards that cost less than $1.
Re: (Score:2)
Re: (Score:2)
Look at any of the current-generation, RSA-capable cards from the major manufacturers, which these days is pretty much down to G&D, Oberthur, Gemalto and NXP. For a while, JCOP was the only Javacard OS to get such fast transaction times, but that was a few years ago and they can all match it now (or close), at least with the symmetric crypto. Most of these chips even have hardware DES coprocessors that execute DES operations in microseconds. I worked with JCOP 40 on a Philips/NXP chip a couple years
A signature is completely insecure too (Score:4, Insightful)
a, it only has to match what's on the back of the card anyway
b, no one ever checks
c, even if they do, if you have the card you can copy it from the back
d, if you clone the card, you can sign it yourself in any which way you please
*ANYTHING* would be more secure than requiring the purchaser to make some arbitrary random mark on a piece of paper.
Re: (Score:2)
I haven't had the guts to write "STOLEN!" yet.
Re: (Score:2)
The banks and credit card companies have managed to offload all the financial risk associated with fraud onto the merchants. Merchants use signatures because when a charge is disputed, the first thing the credit card company asks for is a fax of the authorization slip with signature showing that their client did in fact authorize the charge. If the merchant can't provide that, they automatically lose the dispute
Re: (Score:2)
Is that happening in the US? Visa/MC merchant agreements forbid the checking of driver's licenses if the card is signed, in the US at least.
*looks at watch* (Score:2, Funny)
People may be able to clone your I-pass or EZ-pass (Score:2)
Hmmm... Are Contactless Payments Really Secure? (Score:2)
Long answer: not so much.
Slashdot: you ask, we answer.
The Hustle is On (Score:2)
Consumers already assume all costs of payment card fraud and rewards programs. Most are stupid enough to let this go too.
I anxiously await the uninformed posts to follow.
Let's take those in reverse order (Score:2)
Uh...yes, they do. And who else should assume those costs?
No, not even should, who else can assume those costs? The credit card company? If the CC company doesn't pass on the costs of fraud to the consumer, the CC company goes out of business (note: using their profits to cover the cost doesn't work - if they still have profits left over, they can be accused of building the cost of fraud
Re: (Score:2)
You completely fail to acknowledge that there are lower-cost alternatives. Which suggests you have no experience, much less given the topic any thought.
'd be more than happy to entertain your idea
Poke fun at the joker who's talking about you know nothing about. It's easy right? Most of all it's fun. Please examine micro-payments and currency implementations and get back to me when you
Re: (Score:2)
Irrelevant. Unless you can propose a no cost alternative, consumers will bear the cost. Which is what you started complaining about.
Poke fun at the joker who's talking about you know nothing about. It's easy right? Most of all it's fun.
More like poke fun at the joker who makes a bold claim with no explanation of what he means, much less a justification for why it's
Are cash payments really secure? (Score:4, Insightful)
As if nobody was ever robbed of their remaining cash soon after completing a cash transaction.
As if the correct change is always given.
As if a wrong bill (50 instead of 20, for example) has never changed hands.
As if counterfeit money is not an ongoing problem for the last several centuries.
Keep it in perspective, people — a new technology does not need to be bulletproof to deserve a chance. It does not even have to beat an old one in all respects. Better in some respects and merely comparable in the others...
Lots of transactions don't need signatures anymore (Score:2)
Most any online purchases don't need signatures. Some ask for the special 3 digit code, but many don't.
Depends on the system (Score:3, Informative)
1) The technology used is very old and few improvements have been made over the last 20 years or so.
2) The latest technology can cost over $10 while the older chips are a few cents.
3) Banks and politics have done their best to stifle development and have mostly succeeded.
In a word: NO. Chances are you get some 'exportable' model that supports 40bit crypto if money is involved. Otherwise, say for transit use, it may be a simple account number that is (usually) broadcast at 13.1MHz. Just because the readers appear to work at only close range does not mean the information cannot be intercepted at a range of tens of meters or more.
The very expensive units can support 128bit or better crypto. Apart from being costly, they may be 'export restricted' and there are a number of governments that only allow very weak security. 40bits will take about a half hour to crack on a 'high-end' desktop and only a handful of minutes on a halfway decent workstation. A shielded wallet may be a common item if these chips see widespread use. A card (or passport) carefully wrapped in aluminium foil will work (to prevent unauthorized use/interception) despite any propaganda that may be out there.
As long as the 'value' is very low and you can accept losing it, there is really nothing wrong with using them. Keep in mind the chips can be destroyed accidentally a number of ways and easy verification and recovery of funds is doubtful. Banknotes are still better and their use for 'small ticket' purchases is not likely to go away anytime soon.
Mod Parent Informative (Score:2)
Read the post carefully. It's 100% right.
Re: (Score:2)
Re: (Score:3, Informative)
Your information is dated.
Cards that support 3DES and AES-128 can be purchased in volume for ~$1 each. Cards with RSA coprocessors cost a little more, and contactless costs a little more, but cards with 64KB EEPROM, RSA, ISO-14440 contactless are around $5.
Export restrictions aren't really a problem, and haven't been for a long time, partly because the US relaxed its restrictions and partly because most of the cards are manufactured in Europe.
Don't you guys in the new world... (Score:2)
Don't you guys in the new world have chip and pin [chipandpin.co.uk] yet?
It's a million miles from perfect, but it certainly speeds up small payments and means that a crook has to clone the card *and* shoulder-surf for the PIN. Not sure any system can be high security *and* not hack off customers. OK, we use it for big payments too (perhaps they should limit the amount to 10% of the PIN!)
Alternatively, instead of setting a per-transaction limit, have a system where the *user* 'loads' the card with cash and when that is exh
No Virgil... (Score:2)
Some systems store currency value on the card. No complex or burdensome network necessary. Most authentication is handled between the chip and the terminal. Secure. Simple. Efficient. Much cheaper than letting American banks handle micro-transactions.
Re: (Score:2)
Nope - a debit card will, usually, happily let you (or Mr Bad Hat) drain your bank account and possibly max out your agreed overdraft. If it has a cap, it's usually quite high. I'm talking about a "virtual cash" system that lets you load up your card with (say) $100-$200, so if it gets "lifted" it's no worse than losing a wallet with some cash (I'm pretty sure such "virtual cash" systems exist, and it's not unlike a pay-as-you-go phone). Of course, part of the attracti
It's not like there isn't someone to ask. (Score:2)
No. (Score:2)
Wrong Question (Score:2)
Re: (Score:2)
I think RFID is great! Much better than barcodes for inventory tracking. Maybe someday RFID readers will be common in cell phones and I can wave my phone by a product and find out if it's available at a lower price down the road. I mean, there are lots of really great uses for passive RFID tags.
Living in Orlando which has lots of toll roads, I'll even commend the RFID toll payment system--whiz through the fast lane and pay the toll without even slowing down. It's a batt
Re: (Score:2, Funny)
Re: (Score:2)
And so they should - at 5% or whatever it is they charge in commission - the risk should ALL be theirs. The technology has been paid for by now and so has the infrastructure. That's a lot of profit, and the huge profits banks have seen in the past few years have reflected that (ok they're in trouble now, but sub-prime is a whole different ballgame).