Security Technology

Are Contactless Payments Really Secure?

berberine writes to tell us Ars Technica has a closer look at whether the RFID technology behind many of the up and coming "contactless payment systems" is robust enough to prevent account fraud and the theft of personal information. "Concerns over the security of contactless systems were heightened last week by a Federal Reserve decision that will allow for even more casual, low-cost purchases to be made across the country. In recent years, credit card companies have waived their signature requirements for so-called "small ticket" items in order to get a slice of the action. Visa, for instance, doesn't require your signature for purchases at or below $25."
  • Except that banks magic money into existence so they're not actually losing anything (maybe but a little profit) when someone commits fraud.

     
    • Re:yeah yeah (Score:5, Insightful)

      by UbuntuDupe ( 970646 ) * on Monday July 02, 2007 @04:42PM (#19721851) Journal
      Okay, whatever manipulation of the monetary system the Federal Reserve does, individual member banks aren't actually allowed to print money at will. The banks still have to pay interest on the borrowed money. I hope you were joking about that.

      Anyway ... do contact-full transactions really add any security? I always hear "omg if someone steals ur card their sig will b diff so they know its not urs lol!" But really -- it doesn't prevent the transaction itself, since the cashier ignores the signature entirely. And it requires that I use an actual, unique signature (instead of just scribbling) when I really want to authorize the purchase -- which the CC company doesn't actually require you to do. So I can just scribble for all my signatures and if I want to dispute the charges at the Dog and Duck Pub, they don't have any real proof because my signature there is the same as elsewhere.
      • Re:yeah yeah (Score:4, Informative)

        by rnelsonee ( 98732 ) on Monday July 02, 2007 @04:52PM (#19721965)
        Right. The signature on the back of the card is not there for security - it's there to protect the merchant from having to pay a chargeback.

        Basically, the signature is the signature to the Cardholder's Agreement you get with the card. Except that instead of the signature being on a piece of paper that no one wants to carry around, they let you sign the card itself. Once you sign it, the merchant knows that the card is valid, and they are now free to charge the card without fearing a complaint come back saying "I never authorized that!". As long as there's a signature, even if it doesn't match the person who's holding it, the merchant is not liable for fraudulent purchases.

        Which is why writing "See ID" is frowned upon, and merchants will sometimes refuse to take a card with that written on the back.

        • Merchants will do whatever the hell they want with a credit card, with no apparent rhyme or reason.

          The one that really has become a pet peeve as of late is asking to see my ID when I have a signed card. Now I don't have a reference link handy, but somewhere I've read that the merchant's agreement with the CC company actually forbids them from asking for ID if a signed card is presented. I consider this a good thing, because frankly, I don't trust that cute checkout girl at the grocery store, and I don't w
          • Re: (Score:3, Interesting)

            by AuMatar ( 183847 )
            You realise it's the exact opposite - it's far better to have them ask for id. The chance that someone steals a credit card and makes a matching fake id is low. It actually gives you and the merchant a measure of security. The only risk of showing id is the risk of the checkout person remembering enough information to do something with it 4 hours from now when they get off shift. I get pissy when a merchant *doesn't* ask for id.
          • Re: (Score:3, Interesting)

            by allacds ( 567636 )
            According to Visa's Rules for Visa Merchants: http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf [visa.com]

            Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures

            So you can't *mandate* that someone provide ID i
          • Re:yeah yeah (Score:4, Insightful)

            by Blkdeath ( 530393 ) on Monday July 02, 2007 @10:18PM (#19725453) Homepage

            The one that really has become a pet peeve as of late is asking to see my ID when I have a signed card. Now I don't have a reference link handy, but somewhere I've read that the merchant's agreement with the CC company actually forbids them from asking for ID if a signed card is presented. I consider this a good thing, because frankly, I don't trust that cute checkout girl at the grocery store, and I don't want to have to show her my ID.

            Why, because she's going to memorize your driver's license number, address, birthdate, issue date and expiry date and create a fake ID from memory when she gets home? What's more likely, scenario #1 above or scenario #2 where somebody gets hold of forged credit card data (perhaps your own), makes a few fake cards and sells them for $100 apiece and you get stuck with the tab?

      • Re:yeah yeah (Score:5, Informative)

        by ushering05401 ( 1086795 ) on Monday July 02, 2007 @04:58PM (#19722059) Journal
        As of 1 1/2 years ago this is how fraudulent charges were handled.

        If there is a disputed charge of any amount the credit agency sends a notice to the seller. The seller MUST provide signature evidence related to the transaction within a period of several days or the charge is automatically reversed (charge-back).

        If the signatory proof is produced, but the signature does not match the one on file then depending on the amount one of two things will happen: the credit lender will request video footage and/or supporting documents related to the sale, or the credit lender will eat the charge and the seller does not get charged-back.

        In the event of a suspicious pattern of claims of fraudulent activity the credit lender reserves the right to investigate the card holder to the extent that they may request video or other documentary evidence related to purchases made by the card holder at any location that accepts the credit card as tender. It is up to the legal department of the seller whether to comply, but my experience is that they always do. All major retailers with which I am familiar have procedures set up for handling charge-back notifications in-store, without legal department approval providing the request for documents falls within a predefined range of appropriate disclosure (usually does not include video which is a separate approval process).

        Always sign your slips with a distinct signature, never try to screw with your card provider. These guys are serious and have entire departments dedicated to identifying patterns of fraud... you are not excluded even if your fraud pattern is only going to include small amounts.

        Regards.
        • by ushering05401 ( 1086795 ) on Monday July 02, 2007 @05:14PM (#19722211) Journal
          Bad form to reply to my own post, but it occurs to me that this topic might get some people thinking about how to game the system.

          For any youngsters out there getting ideas... card companies also work closely with major retailers to identify a reverse type of fraud.

          One case I saw related to a woman who generated false receipts for small dollar amounts (box store multimedia retailer) and returned product that had been stolen for the purpose of reducing her credit card bills with the refunded amounts.

          She was allowed to continue this activity for over a year after we were notified so that she would exceed a particular dollar amount at which time she was prosecuted and convicted at a higher level than would have been possible if she had been busted immediately.

          Once again... these guys are serious. Always have refunded amounts put on the card with which you made the purchase or accept store credit instead (though one or two instances won't matter much any sort of pattern over time will). It really isn't worth getting a flag put on your account. You may never know of an investigation that takes place, but you may have a higher risk level associated with your account that can change balance increases or future offers.
          • by taustin ( 171655 )
            Considering that most police agencies (including the FBI) flatly refuse to even take a report over less than $50,000, color me a little skeptical about how "serious" these guys are.

            (And yes, I've worked in retail management, and above, for all my adult life, and have been directly involved in retrieving those records. A couple of times. In 25 years. The local cops will occasionally have time for such fraud, but they're generally only interested in the shoplifting aspects of it, because it's a far lower amo
            • by harl ( 84412 )
              s/most/some

              Your anecdote differs from my life experience. When I was bartending I talked to detectives a few times about stolen credit cards. One was for a $15 tab. They didn't seem to care it was small time.

              I never talked to any feds though.

              • by taustin ( 171655 )
                Were they interested in the fact that it was a stolen credit card, or were they looking for a mugger or burglar?

                In California, using a stolen credit card for a small amount is a misdemeanor, which means the police can't arrest you unless they personally see you commit the crime. But if you mug someone to get it, that's a felony robbery, and a violent one, to boot.

                They really don't care about small-time economic crime. They don't have time to.
                • by lgw ( 121541 )
                  Note that "police can't arrest" != "police can't investigate, leading to charges being pressed". Of course, I've (more than once) had the police ignore it when I was openly assaulted on the street, so it's really up to what the police care about that day.
        • r. These guys are serious and have entire departments dedicated to identifying patterns of fraud.

          Thanks for perpetuating the myth that banks care. The banks place an enormous burden of proof on the retailer. The bank is assuming no liability whatsoever.

          Question: what does the retailer do to cover his fraud costs?

          Answer: Raise prices.

          Funny, nowhere in there are the banks assuming any risks.
        • Re: (Score:3, Insightful)

          by eln ( 21727 ) *
          So what about those stupid electronic signature collectors? Some of those things are so badly broken that all you can manage to produce is one line after signing your entire name. Even if they are working properly, they will often only produce a blocky straight-line approximation of your real signature. How can these be accepted as valid signatures by anyone?
        • Re:yeah yeah (Score:4, Interesting)

          by Blkdeath ( 530393 ) on Monday July 02, 2007 @10:28PM (#19725527) Homepage

          If there is a disputed charge of any amount the credit agency sends a notice to the seller. The seller MUST provide signature evidence related to the transaction within a period of several days or the charge is automatically reversed (charge-back).

          Close, but not quite. If/when there's a dispute, the credit card company reverses all disputed funds and then demands signatory proof. If there's no electronic swipe of the card on record, they also demand an imprint to go along with the signature.

          When I was working for a pizza delivery restaurant (mom & pop shop) they had a customer who ordered about $40-50 worth of food about 3-4 nights a week. Pretty much the same stuff each time; fried foods, milk shakes, cans of pop, stuff like that. After about 12-15 orders, Visa reversed the funds for all of his orders and demanded proof; the customer had called 'fraud'. Due to different drivers at different times (and their respective attitudes towards being thorough) the store had let's say 12 receipts with only 9 imprints. A couple of the imprints were deemed illegible so only 7 of the 12 charges were allowed to go through.

          The contention of the store, and it took a lot of fighting to get this point across, was that the orders came from the same phone number (verified with caller ID), followed the same pattern, came at the same time of day (late at night), went to the same address and obviously if the first 7 were correct then why not the other 5?!?

          It was later discovered that this individual (a casual drug user who had a Sheriff's notice of eviction on his apartment door, incidentally) had recently been sent the card in one of those "You're Pre-Approved!" style mail-outs, activated it for however many thousand dollars they'd give him then started going wild ordering from several restaurants. Basically anybody who'd deliver to his crummy building. I'm not sure what happened to him in the end but for the pain he put the merchants through and the money he cost the Visa fraud team and the credit he blew through on that card I'd hope that he's at least a guest of the Province for the next 5 years of his life, but hey, what can you do right?

      • Re: (Score:2, Informative)

        by Colin Smith ( 2679 )

        Okay, whatever manipulation of the monetary system the Federal Reserve does, individual member banks aren't actually allowed to print money at will. The banks still have to pay interest on the borrowed money. I hope you were joking about that.

        Yes they are, they really do get permission to magic money into existence [wikipedia.org]. They don't have to borrow it from The Reserve, or pay interest on it. The limit they can magic is based on their reserve ratio (seems to be about 3% for most banks) and the amount of deposits they can acquire. I couldn't believe it either at first. I wish I'd understood this while I was at school, I'd be a banker now.

        Money doesn't grow on trees, it's easier than that, it's magic'd into existence.

        Back on topic. This does explain the

        • by Rakishi ( 759894 )
          They don't create any money in this way at all, they simply move it about. When you put your money into a bank the whole point is that the bank is free to do whatever they want with the money. They never claim that they will hold it in their vault or some such. The great depression was partially caused by that very fact, everyone wanted their money out of the banks and the banks couldn't give it to them since they no longer had it.
          • They don't create any money in this way at all

            Eh, yes that's exactly what they do. As long as they hold 3% worth of deposits they can multiply it, in this case ultimately about 30 times as they loan it out.

            How else do you explain the fact that the credit card companies aren't breaking down the doors of the fraudsters and auctioning off everything they own? It's because credit card fraud is no big deal.

            In fact, in the UK the police aren't even told about credit card fraud.

            http://www.fairinvestment.co.uk/financial-news-Banks-defend-new-credit-card-frau [fairinvestment.co.uk]

            • Re: (Score:3, Insightful)

              by Rakishi ( 759894 )

              Eh, yes that's exactly what they do. As long as they hold 3% worth of deposits they can multiply it, in this case ultimately about 30 times as they loan it out.

              They don't multiply anything. You're simply operating on the assumption that the money you have in the bank actually exists which it doesn't. As I said, if people tried to withdraw more money from a bank than there are reserves of the bank would be screwed (well not that much, thanks to federal insurance on deposits). If they actually made money then there would be no problems with this scenario. A bank is essentially an investment in essence. You give them your money so they can loan it out to other peopl

              • They don't multiply anything. You're simply operating on the assumption that the money you have in the bank actually exists which it doesn't.

                Well now you're getting philosophical.

                You give them your money so they can loan it out to other people, that's how it works.

                uhuh. I give them 100 in cash. They take that cash and loan 95 out. Strangely, it comes back to them because that's what you do with money. They now have 195 on deposit. They get to loan out 185 of that, which comes back again as more deposits. Giving them deposits of 380 and loans worth 280, on an initial deposit of 100. Repeat until total money equals up to 2000 for a 5% ratio.

                How is that not multiplication? They are multiplying the money and the debt.

                Actually it's because in many cases it's the merchant not the bank that is liable for fraudulent transactions. So they literally lose nothing from fraud in monetary terms and possibly even make money from fraud.

                That's just i

                • Uh... it sounds like you're talking about profits. Which at a normal bank would be paid in a dividend to the investors.

                  Strangely, it comes back to them because that's what you do with money.

                  If you think that people just borrow money to put it into a bank, you're mistaken. I borrow money, it's for a car, house, whatever. Now yes, fractions of that are likely to end up in banks, but not to the extent you're talking about. In the case of a new home - it goes towards paying for all the building materials a
                • by Rakishi ( 759894 )

                  How is that not multiplication? They are multiplying the money and the debt.

                  No, they're multiplying the debt only. The amount of money stays exactly the same. By your logic I can generate infinite money as well. All I need is say $1 and a friend. I lend him $1. He lends me $1 back. I lend it to him again. Repeat for however long we want. I now owe him $1 million and he owes me $1 million and a dollar. In the end there is still only a single dollar with which I can buy things.

                  That's just icing. There's nothing for them to lose, maybe a bit of interest.

                  A bank is based on interests and profits. To a company losing either is no different from you losing money

                • Giving them deposits of 380 and loans worth 280

                  as you say, they are paying interest on $380, getting interest on $280, so they do have to pay that money back, and thus get it back.

                  Once you multiply it out to the $2000, there is just $1 out in someone's pocket to be spent of the original $95, granted from that original $95 the banks are paying interest on $2000, and getting paid interest on $1800 (granted some of that money is really low interest, IE your checking account may draw no interest, and their only p

        • Paul Grignon has created a video called Money as Debt [google.com] which is recommended viewing to understand the Fractional Reserve system we have today.

          What it comes down to is that our current monetary system is directly related to how much debt we have. The more debt, the more money and vice versa. Lenders make money on the interest of funds promised to be paid back - those funds don't really exist (or at least most of those funds don't - a fractional portion does).

          Let's say a bank has $1,000 in the vault. In a

          • This is what you all should have learned in high school.

            Except. I don't agree with the outcome of eliminating all debt.
            1. There will always be *some* need for credit. It's just human behavior.
            2. People will always find something shiny and new to pay more than they paid last year for something a little less shiny.
            • I agree actually, credit is useful. My problem is that money itself is made out of it. It isn't necessary, or particularly healthy.

               
              • by lgw ( 121541 )
                For all its flaws, the current system works better than anything else that's ever been tried. Economic stability requires a system that allows the central bank to control a country's money supply, even when the government itself is spending borrowed money like there's no tomorrow. "Hard" currency simply doesn't allow this, and since of course the consequences don't in any way cause the government to spend less, the result is economic catastrophe.

                So it has proven healthier than any alternative, and is in fa
          • Let me preface this by saying I don't like government control of the money supply for the same reason I don't like government control of anything. However, that's no reason to permit flawed arguments against either, which is why I feel the need to address these points (I'd do the same for someone too gung-ho about the Federal Reserve):

            What it comes down to is that our current monetary system is directly related to how much debt we have. The more debt, the more money and vice versa. Lenders make money on the i
            • All of the money it lent is backed.

              LOL. Yes of course... What's it backed by?

              A promise.

              Really that's it. The monetary system is backed by trillions of promises. No problems there then, and, credit card debt is unsecured (even if that wasn't a farce).

              Even if no one, at any positive interest rate, ever borrowed money, you could still grow your money by buying shares of businesses. All that's necessary for the money to grow is that people not save all of their money.

              Most of the growth on the stock market is simply inflation. Increased supply of money making its way into the investment markets. It just isn't called inflation. Sure some companies increase efficiency and profitability, but most of it's just soaked up liquidity.

              So anyway. Back on topic.

              • LOL. Yes of course... What's it backed by? A promise. Really that's it. The monetary system is backed by trillions of promises. No problems there then, and, credit card debt is unsecured (even if that wasn't a farce).

                It's hard to see how any multi-stage financial transaction could ever be acceptable to you. A mortgage is backed by a PROMISE to cede the house on non-payment. A share of stock is backed by the PROMISE to acknowledge your voting rights in that business and to pay you proportional dividends. A
                • by homer_s ( 799572 )
                  So, what's exactly wrong with backing something with a promise?
                  Imagine this scenario :
                  You join a poker game. You give $100 to Mr.A to buy some chips. Mr. A puts the $100 in a box along with the other dollars others have given him for the chips and Mr. A gives you 100 chips.
                  At the end of the game, *everyone* in the game will give their chips to Mr. A and get back real money. Hopefully, everyone will tip Mr. A for services provided.

                  Now, the next day you join the game and you notice there is a new pl
                  • Wrong analogy, I'd think. It'd be like Mr. A taking a portion of the money in the box and using it to supply the bar. The bar is supposed to pay Mr. A back(it's not a free bar) at the end of the night, more money than what went in with the chips. Mr. A is required to keep 20% of the money in the box in case somebody wants or needs to cash in early.

                    Keep in mind that when you go to banks, you're talking about amounts of money and depositors that make this more a function of mathematics than luck, much like
                    • While it might seem precarious, it's actually far better than a no-credit world. Imagine having to pay rent on a house until you could afford to buy it outright - most would never be able to own their own home.

                      You're looking at it the wrong way. Think how CHEAP houses would be if people couldn't borrow 10x their income to pay for them.
                    • Or if you simply paid for your house over a period of years without interest. People would be able to afford their homes without actually having to pay 2-3 times the price of the house after interest.
                  • [poker story]

                    Okay, I agree -- in that instance, the claim is fraudulent and the chip issuer has screwed the players. No argument there.

                    But the problem with extending that example to the present world is that the chip issuer -- and the Fed -- can only do that once. Every point thereafter, people *know* what's going on with the chips. They know what the fed/chip issuer is doing to the currency and, for all future bets (in the poker game), they know to mentally account the chips as 1/10 of their face value
                • A mortgage is backed by a PROMISE to cede the house on non-payment.

                  uhuh. Can you define the value of the house? Yesterday, it was worth 100,000. Today, when it's auctioned, it's worth 50,000. That's now 50,000 worth of non backed cash. What's a new car worth once it's been driven off the lot?

                  So, what's exactly wrong with backing something with a promise?

                  Not everyone is as trustworthy or as responsible as you or I. And I don't have a problem with credit at all. It's credit backed currency I have a problem with, for various reasons.

                  Not true. Stock market nominal (not-inflation-adjusted) returns have been ~11% since 1927, while inflation (CPI) has averaged ~3.5%, tops

                  I think you missed my point. If the money supply to the economy is increasing at 10% per year, the 3% w

                • Re: (Score:3, Insightful)

                  by Firethorn ( 177587 )
                  (Incidentally, for various reasons, I think an insulin price index would be the best measure, since demand and supply are stable and you can't debase the product in response to inflation, but I can't find one.)

                  There are many brands and types of Insulin, fast release, slow release, human, synthetic, animal. Heck, they're working on permanent cures for diabetes. So insulin futures could crash in the next 30 years.

                  As for wage stagnation, I think that it's a side effect of globalization. We were on the high en
              • The monetary system is backed by trillions of promises.
                the most basic of which being "I will give you food for that shiny bauble."

                Money itself is a fiat. If it weren't, we wouldn't call it money. The fact that this fiat is based on interconnected promissory notes shouldn't surprise you.
          • by Rakishi ( 759894 )

            Because the system is so prevalent and there's so much support in the federal reserve system the only way to create a real run on the bank (which would likely cause the collapse of the system) is to have everyone, everywhere withdraw all their money at the same time -- clearly something that could not happen because the bank doesn't really have the money to back up the numbers in your accounts.

            Bank accounts are government insured up to $100k I think, great depression caused that one to come about if I remember correctly. Anyway, the worst that would happen is that the federal reserve pays out the loans and if needed prints enough money to cover it. Massive inflation but everyone would get their now much less valuable money back.

        • You have a serious lack of knowledge about this subject.

          You are making several false beliefs.

          1. People that take out loans generally do NOT deposit the full amount back into the bank. Usually they deposit a minute fraction.

          2. People defaulting on loans is an immediate and DIRECT loss to the bank.

          Here it works like this in real life.

          I deposit 100 to the bank.

          The bank loans out 900 to various people (using my 100 and a 10% reserve)

          The bank really wishes those people would deposit it back to them, but

        • How was parent modded Informative? Read the wikipedia article he references. The bank has a stack of IOUs (from borrowers to it) a stack of IOUs (from it to depositors) and a stack of singles. Notice how the IOUs from the borrowers plus the stack of singles always equals (in this example) the stack of IOUs that the bank owes? This is because their assets (IOUs from the creditors and I'm folding cash in as well) balance their liabilities.

          They are forced to have a certain percentage of the money they owe

    • Re: (Score:3, Informative)

      by Anakron ( 899671 )
      http://www.ingrimayne.com/econ/Banking/Commodity.html [ingrimayne.com]
      for those who don't get what the parent is talking about. Although banks don't quite "magic" money into existence.
  • by Anonymous Coward
    maybe??

    --
    Jaap van Ballspoogen
  • It's simply not worth it for anyone to investigate and verify small charges. So why even bother paying to keep a paper trail nobody will ever use?

    If it's a fraudulent charge report it.
    It seems to me the usage based flagging works just fine anyway.
  • by Irvu ( 248207 ) on Monday July 02, 2007 @04:47PM (#19721903)
    Look, encrypted or not the RFID chips simply send out a unique signal. A signal that, once trapped, can be recorded and reused. For the true "contactless" payment systems this contact is the only one. Unless the number changes in response to some handshake (something that isn't being done in the present generation of Contactless systems) then possession of the key is the only security and, in absence of a signature or indefinitely stored security cameras, the only record of the card's use.

    Lacking the independent verification this is begging for an attack.

    • by EmbeddedJanitor ( 597831 ) on Monday July 02, 2007 @05:28PM (#19722385)
      It depends on the RFID chips. These don't always just send out a unique code... there would be little point to that.

      There have been many descriptions of challenge/response protocols to prevent a reader being conned by a recorded message.

      Ultimately any transaction comes down to trust at some point. The trick is to reduce the number of parties that you need to trust in the process.

    • Not really. The chip can also include a simple clock. Then it changes per the time, not a handshake response. If the time says 5:43 and 12 seconds, but the RFID signal decrypts to 4:23, yesterday multiplied by the secret number, that is a lot different.
    • by ad0gg ( 594412 )
      RFID uses a challenge/response system which prevents replay attacks. The secret code is never sent over a non secured channel. If you manage to capture the transaction and replay the capture data, it won't work since the challenge will be different. The attack that you have to worry about is hacking the challenge response encryption.
      • by bogado ( 25959 )
        The real problem here is a "man in the middle" attack, the bad guy can be the fellow with a big bag beside you in a crowded train, he would have a friend in a store that could be anywhere in the world that accepts the wireless card, with his card he would start the negotiation, the friend would relay every bit sent to his card to your card and vice versa. Those communications are low speed and since the card needs to charge up to reply I would guess that even with a reasonable lag this could still work.

        Things c
        • I don't know how close one must be to actually talk to a card

          Nominal maximum range for an ISO 14443 device (a contactless smart card) is 4 cm. Under carefully controlled laboratory conditions, you can get 2-3 times as much range, with difficulty. In real-world conditions it's pretty rare to get even 2 cm. Normally it's less than 1 cm.

          would a powerful transmitter be able to talk to a card from a far away distance?

          Not really. A very powerful transmitter can power the chip from farther away, but the nature of the way the chip is powered by the transmitter's RF field means that power drops with the cube (not square) of distance. So to do i

    • by swillden ( 191260 ) * <shawn-ds@willden.org> on Monday July 02, 2007 @07:50PM (#19723615) Journal

      Look, encrypted or not the RFID chips simply send out a unique signal. A signal that, once trapped, can be recorded and reused.

      You're right if you look at most of the contactless payment mechanisms that have been deployed in the US. They are what I would call RFID, not contactless smart cards, and they're dumb, and replayable.

      You're wrong if you look at what has been deployed in other places, and if you look at the standards that have been defined for contactless payment. Contactless smart cards are full-blown microprocessor cards, with secure storage, key management capabilities and support for strong encryption, both symmetric and asymmetric. One of those cards plus secure EMV [emvco.com] transactions (I say "secure" because EMV defines several levels of security, and the lowest aren't very good) and a card-verified PIN is very secure indeed. Vastly better than magstripe. And, believe it or not, it is completely possible to perform a strong mutual authentication and a secured transaction in < 200 ms, which is as long as it takes to tap the card on the reader.

      With respect to contact vs. contactless, the difference is irrelevant from a security point of view. The key to making either secure is (a) using an adequately "smart" and tamper-resistant chip, and (b) using well-designed transaction protocols that make appropriate use of cryptographic operations.

      The current trend in the US financial industry is, unfortunately, focused on low cost of chips and maximum convenience. Note, however, that the low level of security doesn't affect the cardholder that much, because as it is now the cardholder is not liable for fraudulent transactions. It's the banks and merchants that absorb those costs, and if they'd rather save money up front on secure hardware and pay for it later in fraud, that's their business.

      What may reverse that trend, even here, is the possible upcoming shift to NFC devices for payment, rather than contactless smart card or RFID. NFC is basically the idea of putting a smart card RF transceiver in your cellphone, plus one or more secure processing units (which look a lot like smart card chips). Given the fact that the difference between using a powerful, high-security secure processor and a cheap, low-security one is a couple of dollars, it makes a lot less sense to go the cheap route when you're embedding it in a $100 phone. When you're looking at a plastic card, a price increase of $2 means tripling the price of the card.

      Time will tell if we actually do go that way, but consumers, banks, merchants and mobile phone service operators all like it, so the odds are good.

  • by tbo ( 35008 ) on Monday July 02, 2007 @04:48PM (#19721911) Journal
    It's obvious that contactless payments are vulnerable to at least one type of attack--a real-time relay. This usually would require two "attackers" working in tandem. The first carries a modified "contactless reader" in his pocket, and stands near somebody who is carrying a contactless card (perhaps on a bus or another crowded place where it won't be too obvious). The second attacker carries a device that can act as a contactless card "repeater", with a real-time data link to the first attacker's "reader". The second attacker walks up to the reader in a store, and waves his repeater at it (perhaps hidden in his wallet, in the same hand as a dummy card so as not to arouse suspicion). The store's reader sends a signal, which is picked up by the second attacker's repeater, transmitted to the first attacker's modified reader, then broadcast to the victim's card. It responds appropriately, and its response is relayed back to the reader in the store. It's not necessary to break any encryption to do this, and there's no real way to prevent such attacks except perhaps very tight timing tolerances.

    I thought about all this when the bank sent me a contactless VISA, and I initially considered refusing the card. Then I realized that the bank will take the hit on any losses, and has presumably done the math to determine that the increase in risk of fraud is acceptable, at least for small purchases. In other words, it's secure enough.
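The replay and relay cases argued over in this thread ("dumb and replayable" RFID versus challenge/response smart cards, and the real-time relay whose only named countermeasure is "very tight timing tolerances"), as an added Python simulation that is not part of any comment. HMAC-SHA256, the class names and the millisecond values are assumptions chosen for illustration, not the EMV protocol or measured card timings.

```python
import hashlib
import hmac
import secrets

CARD_COMPUTE_MS = 50.0   # constructed: time the card needs to compute its answer


class StaticTag:
    """'Dumb' tag: returns the same identifier for every challenge."""
    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, challenge: bytes) -> bytes:
        return self.uid


class SmartCard:
    """Card with a secret key; HMAC-SHA256 stands in for the real card crypto."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Recording:
    """A captured response played back unchanged, whatever the challenge is."""
    def __init__(self, captured: bytes):
        self.captured = captured

    def respond(self, challenge: bytes) -> bytes:
        return self.captured


class Channel:
    """Simulated link to a responder; one_way_ms models extra hops such as a relay."""
    def __init__(self, responder, one_way_ms: float = 0.0):
        self.responder = responder
        self.one_way_ms = one_way_ms

    def exchange(self, challenge: bytes):
        rtt_ms = 2 * self.one_way_ms + CARD_COMPUTE_MS
        return self.responder.respond(challenge), rtt_ms


class Reader:
    """Verifier. `expected` maps a challenge to the answer the real card gives."""
    def __init__(self, expected, max_rtt_ms=None):
        self.expected = expected
        self.max_rtt_ms = max_rtt_ms

    def authenticate(self, channel: Channel) -> str:
        challenge = secrets.token_bytes(16)          # fresh nonce every time
        response, rtt_ms = channel.exchange(challenge)
        if not hmac.compare_digest(response, self.expected(challenge)):
            return "bad-response"
        if self.max_rtt_ms is not None and rtt_ms > self.max_rtt_ms:
            return "too-slow"
        return "ok"


def run_scenarios() -> dict:
    uid, key = b"TAG-0001", secrets.token_bytes(32)   # constructed sample values
    tag, card = StaticTag(uid), SmartCard(key)
    tag_reader = Reader(lambda c: uid)
    card_reader = Reader(lambda c: hmac.new(key, c, hashlib.sha256).digest())
    timed_reader = Reader(card_reader.expected, max_rtt_ms=60.0)

    old_tag_answer = tag.respond(b"any")
    old_card_answer = card.respond(secrets.token_bytes(16))
    relayed = Channel(card, one_way_ms=40.0)          # genuine card, longer path

    return {
        "static_genuine": tag_reader.authenticate(Channel(tag)),
        "static_replay": tag_reader.authenticate(Channel(Recording(old_tag_answer))),
        "card_genuine": card_reader.authenticate(Channel(card)),
        "card_replay": card_reader.authenticate(Channel(Recording(old_card_answer))),
        "card_relayed_untimed": card_reader.authenticate(relayed),
        "card_relayed_timed": timed_reader.authenticate(relayed),
        "card_direct_timed": timed_reader.authenticate(Channel(card)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} {verdict}")
```

A timing bound only helps as far as the card's own computation time is predictable: the bound has to sit above the slowest honest response, and any added path delay that fits in the remaining slack still passes.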

    • Bad Assumptions (Score:5, Informative)

      by mpapet ( 761907 ) on Monday July 02, 2007 @05:21PM (#19722305) Homepage
      Then I realized that the bank will take the hit on any losses

      No. You and I absorb the costs of fraud because the retailer pays a penalty and loses the income from the fraudulent activity. The retailer raises the price of her goods and services to cover these costs.

      You and I also pay the costs for rewards card programs and contactless cards. Nowhere in the process does the bank assume any liability.
      • Businesses love to trot this argument out -- Fraud raises prices -- but unfortunately, it's just not true. Say it with me -- Prices are already as high as they can be, and the cost of materials doesn't enter into it. Prices reflect demand, not costs.

        Most people assume, and it used to be this way when the catholic Church ruled Europe, that prices are set by adding material cost, plus labor, plus reasonable profit. For instance, I sell chairs. I paid 10 bucks for the wood, I had to pay the carpenter 10 bucks
        • by qbwiz ( 87077 ) *
          Prices are as high as they can get away with, true, but even in a monopolistic competition system, there is competition between sellers for your money. If you'll go to where it's cheapest, they'll continually have to lower prices (unless they attempt to cooperate explicitly or implicitly, but one of those is illegal and the other is unlikely among enough sellers). At some point they can lower their prices no more: when the price equals their (economic) cost.
        • Businesses love to trot this argument out -- Fraud raises prices -- but unfortunately, it's just not true. Say it with me -- Prices are already as high as they can be, and the cost of materials doesn't enter into it. Prices reflect demand, not costs.

          Read the first sentence of the Wikipedia entry on supply curves [wikipedia.org]. It tells you right there that the primary reason for a shift in the supply curve is a change in cost. So yes prices reflect cost. Increased cost means less supply means higher prices.

          This is no

      • Nowhere in the process does the bank assume any liability.

        This isn't true. There are plenty of circumstances in which one of the banks ends up holding part or all of the liability. In some rare cases even the clearinghouse that settles transactions between the merchant acquiring bank and the card issuing bank takes the liability. You're right that it generally falls on the merchant, but not always.

        However, even if the liability is shared, the cost of that fraud obviously must eventually make its way into the pockets of the consumers, because we are ultimate

      • by tbo ( 35008 )
        No. You and I absorb the costs of fraud because the retailer pays a penalty and loses the income from the fraudulent activity.

        That depends on the price elasticity of demand. Furthermore, retailers usually only pay a penalty if fraud exceeds a certain threshold. Since retailers have a choice (for now, at least) about installing contactless readers, they presumably won't do it unless it makes financial sense. If fraud is a major problem, retailers won't adopt the system.

    • There seems to be a trivial solution to this, although it does impact ease of use: the user has to press a button on their card to accept a transaction. Even better if there is a screen on the card showing the amount of the transaction. Then again, this would make the card more expensive and may not be considered worthwhile. Also, it would just narrow the window for the attack you described. It would still be possible, just more difficult.
      • of course "button" may just be a tiny area on the card that has a make/break zone (think a pair of traces that overlap but dont connect).
        maybe even a momentary connect would be needed (so you hit the button and then release to trigger)
  • What? (Score:4, Interesting)

    by BobMcD ( 601576 ) on Monday July 02, 2007 @04:48PM (#19721913)

    This just doesn't track with me. The article fails to explain:

    1) How Contactless is necessarily more or less secure than 'Magnetic Strip' cards. Both would require special technology to replicate. Both would store the same information. I'm assuming there's a threat vector of someone wanding your entire wallet, but that isn't in the article. Is it assumed?

    2) Why do fewer 'small ticket' restrictions mean any more of a threat on Contactless than on Magnetic?

    3) Why are 'small ticket' restrictions a threat at all? Isn't this just more of the same old credit card fraud?

    Frankly if they'd just forbid the 'small ticket' waiver for not-in-person transactions, I'd be fine with it.

    Who wants a Big Mac?
    • Re: (Score:3, Insightful)

      by p0tat03 ( 985078 )
      1 - For someone to copy the data on my magnetic strip card, they would have to physically swipe it. This has been done before (gas stations, anyone?). For RFID devices, however, this data is accessible to anyone in your near proximity with a reader (which is easy enough to hide). So basically, your data is only at risk when your magnetic card leaves your wallet (and sight!), but your contactless card is at risk of copying always.

      So while contact cards are not exactly foolproof, they are much harder to thiev
      • In this case since the signal sent is different for every transaction, it is impossible for someone to read the present value of your card and re-use said value later on a copied card.

        That's only true so long as details of the algorithm used to generate the codes stay secret. They won't forever, and eventually the bad guys will be able to duplicate the functionality of a legitimate reader. There's a lot of money in credit card fraud, and a lot of very bright people (at least as smart as the folks develop
        • by lgw ( 121541 )
          A good challenge-response system is much harder to crack than you seem to think. The goal is *not* to prevent someone who has an unlimited amount of time to work on a card from duplicating it (as is the case with CSS and its ilk). It's a much simpler problem: make it harder to duplicate a card than it currently is to duplicate a magstripe card. And that's quite doable. Merely recording an exchange (or 1000 exchanges) between the card and the reader gets you nothing.

          Of course, the fact that the crypto e
  • Since almost nobody checks the signature anyway (other than occasionally to check if the card has a signature), eliminating the signature requirement doesn't change much. However, using contactless for credit card transactions has the same security issues as any other contactless system. One of which is that the system can be surreptitiously interrogated by a fraudster. Sit down with your fraud-o-matic for 15 minutes on a Saturday in any mall, and collect hundreds of card numbers as people walk by. (and
    • by Delta-9 ( 19355 ) *
      "Since almost nobody checks the signature anyway"

      It's been my experience that about 10-20% of the people I hand my credit card to actually look at and read the signature on my credit card. I have "PLEASE SEE ID" written in that box and it would be a stretch to say that more than 1 out of 5 purchases result in the person asking for my ID.

      Often times the cashier will flip it over and look at it, but won't bother to ask for my ID. I partially do this to see if they will ask for my ID. I hope that if I ever
  • Visa, for instance, doesn't require your signature for purchases at or below $25."

    I think they've finally realized a simple truth: cashiers aren't handwriting analysts. Nor would they have sufficient sample (ie, 1, from the back of the card) to perform the analysis if one happened to be so trained.

    The signature provides virtually no up-front protection. As far as I can see, the signature serves one purpose: to allow the card company/merchant to investigate, after the fact, whether purchases you are claim

    • I think they've finally realized a simple truth: cashiers aren't handwriting analysts. Nor would they have sufficient sample (ie, 1, from the back of the card) to perform the analysis if one happened to be so trained

      Beyond which, the security measures they put on the signature line on the back of the card conspire to mean the signature is virtually impossible to see (unless you sign with a Sharpie...in which case it doesn't fit), and even if you were able to read it, sliding the card in and out of readers (
  • by vlad_petric ( 94134 ) on Monday July 02, 2007 @04:53PM (#19721977) Homepage
    The existing, time-"proven" cryptographic methods are too expensive, from a power standpoint, to implement on cheap RFID systems. (between secure and cheap, cheap seems to always win). So manufacturers use proprietary hacks to allegedly achieve the same type of operations (e.g., authentication via challenge/response). However, these hacks are nothing more than security via obscurity.
    • Re: (Score:3, Interesting)

      by swillden ( 191260 ) *

      The existing, time-"proven" cryptographic methods are too expensive, from a power standpoint, to implement on cheap RFID systems.

      Depends on what you mean by "cheap". A $3 contactless smart card can perform AES, SHA-256 and RSA operations sufficient to execute a high-security transaction in < 500 ms. If you can eliminate the need for PK (which you can), then transactions of less than 200 ms are possible with cards that cost less than $1.

      • Interesting!! Can you provide a link to a spec page?
        • Look at any of the current-generation, RSA-capable cards from the major manufacturers, which these days is pretty much down to G&D, Oberthur, Gemalto and NXP. For a while, JCOP was the only Javacard OS to get such fast transaction times, but that was a few years ago and they can all match it now (or close), at least with the symmetric crypto. Most of these chips even have hardware DES coprocessors that execute DES operations in microseconds. I worked with JCOP 40 on a Philips/NXP chip a couple years

  • Why the hell do people think having to sign something ever made anything even remotely secure?

    a, it only has to match what's on the back of the card anyway
    b, no one ever checks
    c, even if they do, if you have the card you can copy it from the back
    d, if you clone the card, you can sign it yourself in any which way you please

    *ANYTHING* would be more secure than requiring the purchaser to make some arbitrary random mark on a piece of paper.
    • *ANYTHING* would be more secure than requiring the purchaser to make some arbitrary random mark on a piece of paper.
      I've been making little smiley faces, writing "HI!!", etc, etc... for years.

      I haven't had the guts to write "STOLEN!" yet.
    • Why the hell do people think having to sign something ever made anything even remotely secure?

      The banks and credit card companies have managed to offload all the financial risk associated with fraud onto the merchants. Merchants use signatures because when a charge is disputed, the first thing the credit card company asks for is a fax of the authorization slip with signature showing that their client did in fact authorize the charge. If the merchant can't provide that, they automatically lose the dispute

      • by JimBobJoe ( 2758 )
        Where I work, the register clerks are taught to check the name and signature against the driver's license name, signature, and picture.

        Is that happening in the US? Visa/MC merchant agreements forbid the checking of driver's licenses if the card is signed, in the US at least.
  • It's time for a RFID-blocking wallet! [thinkgeek.com]
  • but transactions are tracked and they can disable it and get the plate of the car that has a cloned tag. You should be able to do the same thing with other contactless payment systems.
  • Short answer: no.
    Long answer: not so much.

    Slashdot: you ask, we answer.

  • This is a play by the banks to privatize the role of the Treasury as a no-cost micro-transactions service provider.

    Consumers already assume all costs of payment card fraud and rewards programs. Most are stupid enough to let this go too.

    I anxiously await the uninformed posts to follow.
    • Consumers already assume all costs of payment card fraud and rewards programs. Most are stupid enough to let this go too.

      Uh...yes, they do. And who else should assume those costs?

      No, not even should, who else can assume those costs? The credit card company? If the CC company doesn't pass on the costs of fraud to the consumer, the CC company goes out of business (note: using their profits to cover the cost doesn't work - if they still have profits left over, they can be accused of building the cost of fraud
      • by mpapet ( 761907 )
        Complaining that consumers bear the cost of fraud is just silly, though. Of course they do, and there isn't another way to do it.

        You completely fail to acknowledge that there are lower-cost alternatives. Which suggests you have no experience, much less given the topic any thought.

        I'd be more than happy to entertain your idea
        Poke fun at the joker who's talking about you know nothing about. It's easy right? Most of all it's fun. Please examine micro-payments and currency implementations and get back to me when you
        • You completely fail to acknowledge that there are lower-cost alternatives. Which suggests you have no experience, much less given the topic any thought.

          Irrelevant. Unless you can propose a no cost alternative, consumers will bear the cost. Which is what you started complaining about.

          Poke fun at the joker who's talking about you know nothing about. It's easy right? Most of all it's fun.

          More like poke fun at the joker who makes a bold claim with no explanation of what he means, much less a justification for why it's
  • As if nobody was ever robbed of their remaining cash soon after completing a cash transaction.

    As if the correct change is always given.

    As if a wrong bill (50 instead of 20, for example) has never changed hands.

    As if counterfeit money has not been an ongoing problem for the last several centuries.

    Keep it in perspective, people — a new technology does not need to be bulletproof to deserve a chance. It does not even have to beat an old one in all respects. Better in some respects and merely comparable in the others...

  • Gasoline hasn't needed a signature for years whether it is under $25 or not.

    Most any online purchases don't need signatures. Some ask for the special 3 digit code, but many don't.

  • by billsf ( 34378 ) <billsf@cuba.ca[ ].nl ['lyx' in gap]> on Monday July 02, 2007 @05:23PM (#19722325) Homepage Journal
    As a former engineer of DigiCash in Amsterdam, I know a little about smartcard technology. There are a number of problems and risks:

    1) The technology used is very old and few improvements have been made over the last 20 years or so.

    2) The latest technology can cost over $10 while the older chips are a few cents.

    3) Banks and politics have done their best to stifle development and have mostly succeeded.

    In a word: NO. Chances are you get some 'exportable' model that supports 40bit crypto if money is involved. Otherwise, say for transit use, it may be a simple account number that is (usually) broadcast at 13.1MHz. Just because the readers appear to work at only close range does not mean the information cannot be intercepted at a range of 10's of meters or more.

    The very expensive units can support 128bit or better crypto. Apart from being costly, they may be 'export restricted' and there are a number of governments that only allow very weak security. 40bits will take about a half hour to crack on a 'high-end' desktop and only a handful of minutes on a halfway decent workstation. A shielded wallet may be a common item if these chips see widespread use. A card (or passport) carefully wrapped in aluminium foil will work (to prevent unauthorized use/interception) despite any propaganda that may be out there.

    As long as the 'value' is very low and you can accept losing it, there is really nothing wrong with using them. Keep in mind the chips can be destroyed accidentally a number of ways and easy verification and recovery of funds is doubtful. Banknotes are still better and their use for 'small ticket' purchases is not likely to go away anytime soon.

    • The other person on /. who knows something about the payment card industry.

      Read the post carefully. It's 100% right.
      • The difference between his post and yours that I responded to is that he provided explanation and backing for his claims - which weren't bold indictments of the entire banking industry to begin with.
    • Re: (Score:3, Informative)

      by swillden ( 191260 ) *

      Your information is dated.

      Cards that support 3DES and AES-128 can be purchased in volume for ~$1 each. Cards with RSA coprocessors cost a little more, and contactless costs a little more, but cards with 64KB EEPROM, RSA, ISO-14440 contactless are around $5.

      Export restrictions aren't really a problem, and haven't been for a long time, partly because the US relaxed its restrictions and partly because most of the cards are manufactured in Europe.

  • Don't you guys in the new world have chip and pin [chipandpin.co.uk] yet?

    It's a million miles from perfect, but it certainly speeds up small payments and means that a crook has to clone the card *and* shoulder-surf for the PIN. Not sure any system can be high security *and* not hack off customers. OK, we use it for big payments too (perhaps they should limit the amount to 10% of the PIN!)

    Alternatively, instead of setting a per-transaction limit, have a system where the *user* 'loads' the card with cash and when that is exh

  • Why don't we ask any of the dozens of countries who have been using these systems for billions of transactions the past decade?
  • No, not really. In fact most financial transactions are pretty insecure.
  • The right one is "Are they secure enough". Personally I think they are. One thing, however, is who pays, in practice, if there is a security breach. The customer or the card company? Legally it is the card company and at least I have never had any issue. Just ignore their statement when you report a fraudulent use and tell them to cancel that. Once they sent me a nice letter stating that if I ever had bought anything over the Internet, I was not eligible to dispute charges. Complete nonsense, of course.
