Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Crime Security The Almighty Buck IT

Shmoocon Demo Shows Easy, Wireless Credit Card Fraud 273

Sparrowvsrevolution writes with this excerpt from a Forbes piece recounting a scary demo at the just-ended Shmoocon: "[Security researcher Kristin] Paget aimed to indisputably prove what hackers have long known and the payment card industry has repeatedly downplayed and denied: That RFID-enabled credit card data can be easily, cheaply, and undetectably stolen and used for fraudulent transactions. With a Vivotech RFID credit card reader she bought on eBay for $50, Paget wirelessly read a volunteer's credit card onstage and obtained the card's number and expiration date, along with the one-time CVV number used by contactless cards to authenticate payments. A second later, she used a $300 card-magnetizing tool to encode that data onto a blank card. And then, with a Square attachment for the iPhone that allows anyone to swipe a card and receive payments, she paid herself $15 of the volunteer's money with the counterfeit card she'd just created. (She also handed the volunteer a twenty dollar bill, essentially selling the bill on stage for $15 to avoid any charges of illegal fraud.) ... A stealthy attacker in a crowded public place could easily scan hundreds of cards through wallets or purses."
This discussion has been archived. No new comments can be posted.

Shmoocon Demo Shows Easy, Wireless Credit Card Fraud

Comments Filter:
  • by Anonymous Coward on Monday January 30, 2012 @12:31PM (#38866503)

    That is why I have lined my wallet with the aluminum foil that I had left over from making my hat.

  • Mitigating factors (Score:3, Informative)

    by Annirak ( 181684 ) on Monday January 30, 2012 @12:37PM (#38866563)

    Put two of these cards next to eachother, and they won't read. Put them in an aluminium card case, and they won't read. Move more than about 5 cm away from the card and it won't read.

    There are numerous ways around this problem. It shouldn't stop people from using the technology.

    • by vlm ( 69642 ) on Monday January 30, 2012 @12:41PM (#38866625)

      Put two of these cards next to eachother, and they won't read. Put them in an aluminium card case, and they won't read. Move more than about 5 cm away from the card and it won't read.

      Stand in line at the convenience store behind victim. Tada, you just got owned.

      There are numerous ways around this problem. It shouldn't stop people from using the technology.

      Its about as secure as tatooing your social security number on your forehead, then telling people its safe because you need a telephoto lens from over 100 feet, or you can just wear a skimask all the time.

      • by jasno ( 124830 )

        I think the point everyone is missing is that credit cards are already utterly insecure. If you haven't been a victim yet you've just been lucky - there are a lot of CC's out there and only so many theives.

        The only way to fix it is to block CC companies from writing-off fraud losses while preventing them from passing them onto the consumer. Right now, they perform a cursory 'investigation' only for the purposes of justifying the write-off, effectively passing the costs back onto consumers(taxpayers).

        • The only way to fix it is to block CC companies from writing-off fraud losses

          This doesn't make sense.

          while preventing them from passing them onto the consumer.

          This doesn't seem possible.

          Right now, they perform a cursory 'investigation' only for the purposes of justifying the write-off, effectively passing the costs back onto consumers(taxpayers).

          The "cursory investigation" is just a means to determine the legal indemnity for the cost of the fraud. i.e. does the merchant, customer, issuing bank, transaction possessor network (e.g. VISA) or an insurance company pay for the fraud? The merchant pays most often. Customers are almost never charged. This however says nothing of the global incidence of the cost, which may be influenced but probably not entirely controlled via statutory means.

      • false (Score:5, Interesting)

        by dutchwhizzman ( 817898 ) on Monday January 30, 2012 @01:45PM (#38867313)
        You can read RFID cards in peoples wallets at 30 ft with a transponder with higher send signal and a better antenna. The same applied for multiple cards. Some reading devices won't process if there is more than one card in it's reach, but that's a software decision. Devices purpose made to leech RFIDs do not play by the rules and legislation set out for "proper" RFID equipment.
    • by berashith ( 222128 ) on Monday January 30, 2012 @12:41PM (#38866629)

      The issue isnt being able to mitigate, the issue is that if the CC companies convince everyone that this isnt possible, then they have an easy path to never having to pay out against fraud. They can just refuse to believe this exists, and tell anyone who had their card info stolen that the cause was their behavior, and then never have to honor a dime of repayment. This is enough to let everyone know that theft can occur this way, and liability remains with the CC companies.

      • This is the real concern - not how easy or difficult it is to actually perform the actions, but that the credit card companies are awfully mistaken about it being possible at all. With a flawed fundamental understanding of how the technology actually works, who knows what they may attempt to do with it in the future based on this flawed understanding.

      • What I don't understand is how the CC companies can't be employing anyone with any knowledge in the field. Seriously, they don't have anyone on staff that doesn't have a hobby in this area who could have explained it to them? Or are they just putting a banana in their ear and claiming they didn't hear anything?

        Then again, tobacco companies seem to have plenty of people on staff to tell them how safe tobacco is, so I guess I shouldn't be quite so surprised.

        • They are working on the basis that potential fraud will be less than the cost to improve the security.

          It's why wireless/pinless transactions are limited to £15 and what ever the limit in the US is.
      • The issue isnt being able to mitigate, the issue is that if the CC companies convince everyone that this isnt possible, then they have an easy path to never having to pay out against fraud.

        It was posted here several years ago that some insurance companies were using the same line to claim that RFID cars were 'impossible to steal' [slashdot.org] and were refusing to pay out on claims because of it.

    • Put them in an aluminium card case, and they won't read.

      This is not something people typically do. You cant get the majority to store their cards in faraday cages just because of this.

      Move more than about 5 cm away from the card and it won't read.

      People typically carry their wallets in their back pockets and purses, both of which a hacker can get arbitrarily close to. 5cm is way too much.

      Put two of these cards next to eachother, and they won't read.

      Care to point to some resources? Because that would mean the fixed readers at warehouses are pretty much useless.

      • by Joce640k ( 829181 ) on Monday January 30, 2012 @01:27PM (#38867111) Homepage

        People typically carry their wallets in their back pockets and purses, both of which a hacker can get arbitrarily close to. 5cm is way too much.

        Yep, at a Kevin Mitnick conference last year he showed an RFID reader which fit in the palm of your hand (with a wire up the sleeve to the main unit). It worked at more than 5cm, too.

      • by Tsingi ( 870990 )

        Put them in an aluminium card case, and they won't read.

        This is not something people typically do. You cant get the majority to store their cards in faraday cages just because of this.

        I have one. I know lots of people who have them.

        • by sjames ( 1099 )

          Since the only way to be safe is to have a special shield so you have to take your card out to use it anyway, it might as well ditch the near field and go back to contact only.

          The new technology gains you nothing (it actually cost you the price of the special case) and exposes a lot of people to fraud. (which still costs you since those losses are recouped through fees that show up on the retail price).

          • Exactly, this technology gains you nothing and exposes you to more potential fraud vectors. I don't see the point - I'd rather swipe my own card through a standard pad and type in my PIN. I'm already standing there; I don't need some stupid tap technology to go "DURRR, IT TOOK MUH MONEY AND I DIDN'T EVEN HAFTA ENTER MUH PIN!!".

            The one place I think contactless cards make a difference is in transit systems. While in Japan I used the refillable PASMO card, and it was nice to be able to tap my wallet on the

    • The RFID technology used in credit cards is more based on magnetic fields than electric fields. As such, stacking the cards doesn't help. The magnetic ones were somehow assumed to be more secure because they can only be read from a few inches away. Then again, store security systems use magnetic fields as well and they can read at least 4 ft away.

      A Faraday cage is one defense.

      Or, burn out the chip and just use the magnetic stripe (best defense). I have yet to use one of these no-contact credit card read

    • There are numerous ways around this problem. It shouldn't stop people from using the technology.

      Remember the security motto: "Attacks always get better..."

  • FUD (Score:5, Insightful)

    by OverlordQ ( 264228 ) on Monday January 30, 2012 @12:38PM (#38866579) Journal

    In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to used in the order they’re generated. If a payment processor that detects multiple transactions with the same code or codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number for one transaction, and if the victim of a the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.

    You should be more worried about waiters and cashiers then somebody in a crowd grabbing your data.

    • There are still plenty of online sites that don't require the CVV at all... And if you can use a card-magnetizing tool, then you could use the card at any physical location. Can't remember the last time a cashier looked at my card or asked for the CVV.

      • Can't remember the last time a cashier looked at my card or asked for the CVV.

        Because that information is on the stripe.

        • The CVV1 is on the stripe, the CVV2 code is not on the stripe - it's the second code on the signature strip.

          In many countries in Europe, it's mandatory to provide the CVV2 code for authorization of "cardholder not present" transactions. Online retailers that don't ask for it now make me nervous.

    • Re:FUD (Score:5, Insightful)

      by Dr_Barnowl ( 709838 ) on Monday January 30, 2012 @01:20PM (#38867019)

      Untrue ; waiters and cashiers will eventually get busted by data mining - you just need to correlate the transactions that pay for food and note the common location, then go through their time cards.

      Whereas with wireless, you could collect the data in a location not covered by security cams, and transmit it, encrypted (how ironic) to avoid detection, to another location where payments are processed. A crowded subway car would be ideal - people are not going to be using their cards, and it's the ultimate in cultured anonymity - everyone goes out of their way not to notice anyone else.

    • You are more likely to die of heart disease than cancer.

      So what?

      There may at least a paper trail when a cashier is involved.

  • by nick357 ( 108909 ) on Monday January 30, 2012 @12:38PM (#38866591)

    Put her in jail for teaching others how to defraud the public!!!!

    * Obvious to the credit card industry

  • by MrCrassic ( 994046 ) <[li.ame] [ta] [detacerped]> on Monday January 30, 2012 @12:40PM (#38866619) Journal
    Its been well known that RFID cards are suspectible to this kind of threat. The only reason why jammers and blocks havent been enforced as much is because there haven't been enough cases of this happening to justify wide-scale enforcement. I really like the convenience of contactless payment systems and hope jammers and guards become ubitquitous enough for banks to provide them along with these cards.
  • by Shoten ( 260439 ) on Monday January 30, 2012 @12:41PM (#38866623)

    Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. “We’ve got six years of history, a hundred million users of these cards, and we haven’t seen any documented cases of this kind of fraudulent transaction. The reason we think that’s the case is that it’s very difficult to monetize this as a criminal,” says Vanderhoof. “The premise that this is a new threat is absolutely false and isn’t supported by [Paget's] demonstration.”

    In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to used in the order they’re generated. If a payment processor that detects multiple transactions with the same code or codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number for one transaction, and if the victim of a the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.

    So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here. Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals. The RFID spec for these cards has no provision for collision detection or avoidance.

    • by RichMan ( 8097 )

      You don't need a big field. You need a high gain directional antenna. Preferably one made by beam forming that could be steered to sweep a room.
      High gain directional beam formed steerable antennas and control hardware are mass produced and small enough to go in handheld devices.

      An 802.11n basestation is an example of a steerable beam forming device that could suit the purpose.

      • by Shoten ( 260439 )

        You need a big field. You're confusing reading a signal from a card with energizing the card in the first place. The cards have no internal power source; they start up when they are in an induction field that is generated by the reader. These fields are very weak...so it doesn't take much to power the card, but on the flip side, the cards can't handle much because of the need for them to operate at low power levels. And even if you could shape the field to a beam, it still remains a range issue. You ca

        • by Big Smirk ( 692056 ) on Monday January 30, 2012 @01:22PM (#38867045)

          Both, wrong... you less so.

          The credit cards use an induction form of RFID. The wavelengths in question are very long - would require a big antenna to transmitt and an equally big antenna on the card to receive.... well the cards aren't big enough. So you see this spiral pattern (inductive loop) that is the antenna.
          YAGI won't do it. You need something more along the lines of the magnetic sensors as you leave a store (EAS - Electronic Article surveillance).

          Credit cards are 13.56 MHz RFID. That's a wavelength of ~75ft. Not going to hide that YAGI very well....

          Nope, inductive loops. That's why it only works over about a meter because the strengths of the magnetic fields.

        • It would be easy enough to swing around a YAGI antenna from the confines of a mesh hide - net curtains would be enough to conceal a distant antenna spook from view without obscuring his view of potential targets.

          Combine a YAGI with an invisible laser rangefinder to set the power and you have yourself a range-safe power snooper for RFID cards.

      • You need a high gain directional antenna. Preferably one ... could be steered to sweep a room.

        Say... Is that a high gain directional antenna in your pocket or are you just happy to see me?

    • by barc0001 ( 173002 ) on Monday January 30, 2012 @12:52PM (#38866741)

      "with this attack you MUST be the next person to use the card's credentials." "the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base"

      Because it's impossible to build a rig that fits in a briefcase or backpack that scans cards within a meter or two of the holder and automatically runs scripted transactions as soon as a card is detected in range, right?

      Just because it's not AS bad a picture as the doomsayers are painting as a worst-case scenario doesn't mean it isn't ripe for exploitation.

    • by oneiros27 ( 46144 ) on Monday January 30, 2012 @12:54PM (#38866773) Homepage

      So we'd have to funnel people through a chokepoint to isolate them ... and it might not work if they had more than one RFID enabled card in their wallet? And then you have to use it quickly, like this was done (while still on stage), rather than waiting for the person to try to make a legit transaction.

      I'm guessing that someone standing near the entrance to a subway system could work within those restrictions well enough that even if they got less than 1% success rate per person entering could still turn a nice little "profit" during rush-hour.

    • with this attack you MUST be the next person to use the card's credentials. If not, the attack fails.

      Implicit in this statement is the assumption that the hacker will be unable to discover the sequence of CVV codes based on the one they have right now. Given Sony's epic failure to implement proper encryption on the PS3, are you willing to take the chance that the CVV code generation algorithm will remain a secret forever?

    • So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here. Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals. The RFID spec for these cards has no provision for collision detection or avoidance.

      You've never been to a train station have you? Or sat outside at a coffee shop? Or sat in a car at a busy mall? Sounds pretty trivial to me. Wait for a good signal to walk by, swipe and swipe. Wait for next good signal. Rinse and repeat.

    • Still:

      It wouldn't be too hard to come up with a scheme to steal a bunch of cards and use the number immediately. You just hook the scanner up to a device that can make purchases at the same time the scan happens. Heck, build it into some sort of anonymous money scheme paypal account where you pay yourself and you could simply steal money. (Quick note, I don't know if or how anyone would actually do this but there must be ways.)

      Beyond that it seems a bit to me like the real reasons there aren't recorded inst

    • by CimmerianX ( 2478270 ) on Monday January 30, 2012 @01:04PM (#38866861)

      >> the cards are set to offer up a one-time CVV code with every scan

      Wait, I thought RFID only offered up static information. Does this infer that the cards have some sort of logic onboard to generate these 'one-time codes' and have create a new code on every scan that matches up with its processor? How does this effect an inadvertent scan, do the codes get all out of sync? Is there resync logic as well? How would this be handled throught payment processors and 3rd party clearing houses?

      Now, someone enlighten me on this if it's true. But this sounds to me like total bullcrap.

      • The "Smart" in SmartCard indeed means that they are smart. The ones we use at work are programmable, run a tiny OS, and can be logged into (after a fashion). The CPUs do real crypto using RSA. A SmartCard has flash to store data, so a one-time key (like CVV2) is not hard at all. My SmartCard can generate an SSH key-pair and does not ever release the private key. It does the RSA challenge-response operations allowing secure login to a standard SSH client.

        While I don't know if the CVV stuff is true, it is

    • A big magnetic field... or a choke point, like a door to the conference center.

    • by Yakasha ( 42321 )

      So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails.

      Not hard to have a scanner & processor working at the same time.

      It's not quite as bad as they make it out to be here.

      Perhaps financially for individual consumers, but it can be a huge problem in other ways. Wouldn't it suck if your RFID enabled credit card & passport were read at the same time and you purchased a 1-way ticket for some terrorist (Does Godwin's law include terrorism references yet?).

      Naturally restricting the liability to just a couple (or 1) transaction means individuals will not be out a lot of money. But it can still cause problems

    • Those codes can only be used for one transaction, and have to used in the order they’re generated.

      So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here.

      Ummm....yes it is. Being the next person use the card isn't very difficult if you can do it via an iPhone. The chances of somebody using their card in the ten minutes after you grab their details is very small.

    • that's only if you were to copy the RFID contents. The CCV2 is a one-time thing and isn't copied on the magnetic strip. The blank card she made can be used until it's blocked by the CC company, as long as no CCV1 or PIN are requested by the vendor. Typically, for low amount purchases, that's not the case, so it may take a while before the card gets blocked.
    • by Rary ( 566291 )

      with this attack you MUST be the next person to use the card's credentials.

      I don't know about you, but I don't use my credit card every day, but I do come into contact with strangers every day. If someone were to sit next to me on my morning bus ride to work and read the card in my wallet, they'd have anywhere from as little as four hours, if I happen to go shopping at lunchtime, to as much as a few days to put the information to use.

    • So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here.

      No, this really is as bad as it's made out to be. From what I've read above, the attacker has to be the next person to use the card's credentials from the RFID part, not just any credentials. So if the cardholder gets his credentials stolen, and then uses

  • by Woil ( 25266 ) on Monday January 30, 2012 @12:41PM (#38866635) Homepage

    I've been using a Faraday Cage wallet and passport holder by DIFRwear: http://difrwear.com/ for several years now. I don't work for them, but with the very cheap wallet prices and sturdy construction I've been very pleased with the products. I can testify that they do work as I have an RFID key card and it won't activate the door if in the wallet.

  • by Darkness404 ( 1287218 ) on Monday January 30, 2012 @12:44PM (#38866665)
    And in other news anytime you take your credit card out to do anything and it is out of sight for a moment people could record your number, expiration date and your security code and then use it to buy things using your credit card. But of course we won't worry about that because technology is SCARY!!! Despite the fact that this doesn't work if you:

    Have more than 1 credit/debit card with an RFID chip.

    Aren't really close to the card.

    Store your card in an aluminum wallet.

    Sure, it is possible, but we focus so much on the possible technological side while totally neglecting the fact that people could quite easily just record your credit card info when you pay for things.
    • However, when people record the info when you pay for something, that person becomes directly traceable. I.e. if the police look into the matter, they can almost certainly quickly find out who is responsible. The RFID method is completely 100% anonymous (unless you memorize the faces of everyone you pass on the street, and even then you simply will not be able to trace down the person responsible). This adds a psychological, if not a real, barrier to CC skimming for employees.

      The RFID system is quick, ano

    • by Rary ( 566291 )

      I must've missed the part of the article where it said "don't worry about any other form of credit card theft, because this one is all that matters".

      This is yet another potential attack. Other attacks are well documented. The fact that those other attacks exist, or even that many of them are more likely to occur, does not in any way mean this threat should not be publicized so that it can be mitigated.

      I have one card with a chip. I wander through busy public areas daily where multiple strangers brush past m

  • (sarcasm) Well, the obvious solution is to prosecute Randy for violation of some type of copyright/jail-breaking/illegal use law. If we don't have one yet for this -- we can write one quickly! No need to have people worry about this type of stuff. Our economy is in shambles, we need people to use their cards! You can't grow GDP without breaking a few eggs! (/sarcasm)
  • by randomlogin ( 448414 ) <chris.zynaptic@com> on Monday January 30, 2012 @12:48PM (#38866701) Homepage
    The fact that you can make a payment via Square without any form of authentication is the biggest failure here. At least with the RFID payment you've got a cryptographically strong authentication method which is pretty hard to fake. The sooner the credit card companies get rid of the magstripe the better...
  • Clearly the problem is the iPhone and eBay.
    Hurry, oh wonderful American government, censor both of these things!
  • by Anonymous Coward

    Kristin Paget [twitter.com] used to be Chris Paget [tombom.co.uk], famous GSM hacker. With that out of the way, we return you to this awesome hack.

  • The article also mentions that Paget's company is working on a jamming device called GuardBunny that slips into your wallet, complete with a rabbit head logo and eyes that glow (there's a picture on page two) when it's activated. I'm not sure if this is meant to be a humorous Monty Python [youtube.com] reference? "Run away, High-Tech Pickpocket! Run away!" Or a creepy Donnie Darko [youtube.com] reference? "Why do you wear that stupid bunny suit?" "Why do you wear that stupid smart credit card that broadcasts its credentials?"
  • by twotacocombo ( 1529393 ) on Monday January 30, 2012 @01:04PM (#38866859)
    What exactly is the advantage to these RFID credit cards? All the readers I've seen still require you to get the card close to it to work. Has the world really grown so lazy that we can no longer be bothered to make a vertical swiping motion? I can see the benefit for payment-enabled cell phones or key fobs, but credit cards? Seems like a solution to a problem that didn't exist.
    • Ostensibly, they allow for more brains behind the card than is possible with a magstripe. The current solution is simply a one time use CCV code, if a more recent code has been used it rejects all the codes that came before it, meaning that A) A stolen card can only be used once and B) Not even once if the legitimate user makes a purchase in the meantime. To me, with a bit more processing power, it seems like it should be possible to set up an encryption scheme where the person reading the card only ever

      • Well, all that is encoded in a credit card's 2 tracks is account number, expiration date, and name. What is keeping someone from grabbing this information via RFID, then encoding it into a standard magstripe card and going on the usual spending bender? Seems like a lot of extra work to make a counterfeit RFID card when you can just go the quick and dirty route and make a card that can be used anywhere they take plastic, not just the places with contactless readers.
      • by mmontour ( 2208 )

        Ostensibly, they allow for more brains behind the card than is possible with a magstripe.

        You get that benefit from having a microprocessor on the card, such as a standard "chip card" with metal pads (like a SIM card) that you insert into the reader. Adding all of the RFID nonsense on top of that just makes it less secure.

        (I'm aware that "chip+pin" also has known security flaws, but it's better than the alternatives).

    • by xanthos ( 73578 )

      What people fail to notice is the "Analog Hole" part of this demonstration. Paget did not clone the RFID card. She transferred information from a secure environment (RFID) to an insecure environment (mag stripe). As long as the amount of money lost through theft is a fraction of the cost of upgrading the infrastructure to get rid of magstripe, this capabillity will remain.

      FWIW, the who needs RFID cards is defintely an American bias. When I was in Paris last year there were a number of times where not ha

      • Paget did not clone the RFID card. She transferred information from a secure environment (RFID) to an insecure environment (mag stripe).

        FWIW, the who needs RFID cards is defintely an American bias. When I was in Paris last year there were a number of times where not having a RFID card was a real PITA.

        Ah, this is what I just asked about in another reply. Until they lock out mag stripe reads on an account, they will always be the weakest link.

        I was in Paris in '10 as well, and the only place I recall where RFID would have been worth using was at the Metro ticket counters, so that the card didn't need to be passed through the safety glass. Places like gift shops and restaurants wouldn't have seen much of a benefit...

    • by pz ( 113803 )

      What exactly is the advantage to these RFID credit cards?

      One advantage is that magnetic stripes wear out. RFID cards won't. Similarly, swipe readers wear out, get gummed up, etc., whereas RF readers don't.

      Personally, neither is a compelling enough argument for me as a consumer to get one. If I were responsible for the maintenance of POS terminals for a store, especially one with non-trivial traffic, that might be a different story.

      • by twotacocombo ( 1529393 ) on Monday January 30, 2012 @02:24PM (#38867881)

        One advantage is that magnetic stripes wear out. RFID cards won't. Similarly, swipe readers wear out, get gummed up, etc., whereas RF readers don't.

        If I were responsible for the maintenance of POS terminals for a store, especially one with non-trivial traffic, that might be a different story.

        The magstripe can wear out, but you can still key in the number manually when this happens. RFID chips are not invincible, and can be damaged, but certainly not as easily as a magstripe.

        I did phone tech support for 7 years, working on various makes and models of credit card machines. The number of units that I personally saw during that time that genuinely had the reader head worn down to the point of malfunction was less than 10. I replaced far more units due to beer damage. Most read failures were either due to a badly abused card, or a slightly dirty head. Wrapping a dollar bill around a card and running it through a few times cleared up the read problems almost 100% of the time. And no, it doesn't have to be a $1 bill. If I had one for every time I was asked THAT question...

    • In addition to the the reasons given below, I would like to point out that you are assuming an advantage exists for consumers. It is the transaction possessors and merchants that reduce risks and costs from RFID cards. It is sold as a novelty to consumers and card holders.

    • It all about speed. No PIN numbers and no direct contact in a small fiddly slot means the transaction will be quicker, which makes cards usable in those low value high volume transactions where cash still reigns supreme.

      PayWave and those types of authentication schemes are not about security, they are about finding away to replace the last of the legal anonymous cash transactions.

      And the CC companies are quiet happy to refund any fraudulent transactions in the short term in order to get to that long term
  • gender (Score:2, Insightful)

    by Sebastopol ( 189276 )

    Probably should be modded as off topic for this, but why did the article feel the need to point out Paget's gender change? did it make her a better programmer, or design better hardware? or were there lots of people reading the article were like "Hey, I knew I guy with the last name Paget that worked there, I wonder if they are related? ... Oh!" /scratches head

  • The bit not mentioned in the article is the reason why you need to be close to the card to read it: bad aerials in the card terminal.

    If you build a better aerial (larger) and ensure the receiver stage has a decent low noise entry you can read those RFIDs from quite a distance..

  • by speedlaw ( 878924 ) on Monday January 30, 2012 @01:51PM (#38867385) Homepage
    Wasn't RFID the subject of the Mythbusters episode that was "squelched" by Visa ? Adam made a few comments and the issue was clamped down upon by all. The credit card companies (huge advertisers-when you get 29% interest you have lots of money) made it clear that RFID weaknesses were not a subject to be discussed in public to a lay audience.

I THINK THEY SHOULD CONTINUE the policy of not giving a Nobel Prize for paneling. -- Jack Handley, The New Mexican, 1988.

Working...