Visa To Push Swipeless Credit Cards 452
BobPaul wrote in to mention an initiative by Visa to allow for swipeless credit card transactions. From the article: "...consumers need only wave credit and debit cards within a few inches of a reader to complete a purchase. And for purchases of less than $25, no signature is required...Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted". Update: 02/25 16:06 GMT by Z : References to RFID technology removed.
No, this is different (Score:3, Funny)
Re:No, this is different (Score:2)
Re:No, this is different (Score:2, Insightful)
Re:No, this is different (Score:2)
Show me the security (Score:2, Insightful)
Especially since it would be easy enough to wave an RFID reader at people's purses, back pockets, etc. At, say, $24 each, in a large crowd, you could amass quit
Re:Show me the security (Score:5, Informative)
Re:Show me the security (Score:5, Insightful)
"While 3DES appears to be secure for now, it takes at least 3 times as long to run as DES, and this means that it is inefficient and slow compared to other available block ciphers such as the new standard, AES, which has replaced DES."
Re:Show me the security (Score:2)
That is -- of course -- assuming that you are using a 128-bit AES key for comparison. If you use 192-bit or 256-bit keys for AES, it's a whole other story. Bottom line is, if for any kind of reasons you can only play with 128-bit keys ('cause you have limited storage such as on a smart card fo
Re:Show me the security (Score:4, Interesting)
Maybe they shoud have moved to the latest standard: AES. Deploying 3DES solutions today is deploying legacy.
Or maybe not.
Many security architects aren't going to use AES for a while yet. It's too new. It has received a fairly large amount of scrutiny from the cryptographic community since its birth, so that gives us some confidence, but nowhere near the confidence we have in DES.
DES has stood up to 30 years worth of attacks and remains essentially unbroken. Sure, the key size is too small, so the cipher can be brute-forced relatively easily, but 3DES fixes that problem and does it by building on the fundamentally solid security of DES.
The bottom line is that there is really no need to move to AES, since 3DES is perfectly adequate, and the odds of AES being broken sometime in the near future are at least as high as DES being broken. 3DES is, currently, the best choice from a pure security standpoint.
Re:Show me the security (Score:2, Insightful)
Why is the technology even necessary given the risk? How much harder is swiping versus hovering the card over the scanner, aside from a fraction of a second of your time, what do you gain? The hardest part in either case is just getting the card out of your wallet.
From a risk standpoint using th
Re:Show me the security (Score:3, Interesting)
Put scanner near someones pocket and charge $24 or record credit card number (depending on how you wish to rip ther person off). No signature necessary nor decryption necessary. You do not have to "break" anything.
No, but you do have to have a merchant account, and that requires telling the bank in great detail who you are and where to find you. And when all of the complaints roll in, they're going to send some nice folks out to bring you in for a long chat.
From a risk standpoint using these cards wo
Re:Show me the security (Score:3, Insightful)
completely anonymous paypal account (who i am sure will have the cash to convince visa to give them access to this system)
Bwahahahah!!!
Jeez, dude, you made me spray coke all over my keyboard.
That's the funniest thing I've seen all day.
Anonymous Paypal account? Riiiiggghtt. Paypal issuing acquiring devices? Riiiggggtt.
And, of course, it would be so much harder to do any of this with the current magstripe system, where you don't even need the card at all.
Re:Show me the security (Score:3, Informative)
Period.
Re:Show me the security (Score:5, Insightful)
Re:Show me the security (Score:4, Informative)
Re:Show me the security (Score:3)
Jesus, what idiot there is thinking up this stuff, seriously? You litteraly couldn't PAY me to have an RFID credit card because hey, someone would just steal it! Stupid stupid stupid.
Re:Show me the security (Score:3, Insightful)
Re:Show me the security (Score:4, Insightful)
Its simply a matter of using the right antenna with the right gain. See the bluetooth sniper rifle [engadget.com] for details (kilometer range! With bluetooth!). If the antenna is too big to hide on your person, set up shop in a dark alley somewhere and scan the masses as they mill by unaware.
And yeah, tinfoil would work but make it all the more stupid. Not only would the old lady have to fumble the card out of her purse, you'd be sitting around watching her try to unwrap it and wrap it again afterwards. Just swipe the damn thing already!
Re:Show me the security (Score:5, Insightful)
The real goal is fraud reduction. Visa isn't aiming for a perfect system, they want a better one that prevents skimming of your mag stripe. This means that they are no longer the low hanging fruit and the fraudsters will target traditional magstripe cards.
Re:Show me the security (Score:4, Insightful)
You don't seem to have read the spec - this is more about how air core transformers work than radio. These ISO 14443 cards use inductive coupling to power the card, not RF field strength. From this ISO 14443 overview [otiglobal.com]:Having a crypto processor on board (especially the exponentiator) requires way more power than can typically be delivered by RF field strength (far field tags vs near field tags). EPC tags [epcglobalinc.com] are RF field powered, and can be read from several meters away. Magnetically coupled tags can only be read from a few cm.
73 de k4det
Re:Show me the security (Score:2)
It's a real pain in the ass when it is "company policy" to request IDs. I don't shop at a local Cub Food grocery store because they require me to show an ID.
My signature is usally an unintelligible squiggle. It's nothing like what shows on my ID. Signing credit card shit is a hassle and I make sure to do it as quickly as possible.
Re:Show me the security (Score:2)
That's the main reason most countries are switching to PIN based credit/debit card systems. Even the UK is, finally.
Re:Show me the security (Score:2)
Re:Show me the security (Score:3, Informative)
If your credit card is unsigned and you refuse to pay, the merchant is on the hook for it.
Re:Show me the security (Score:5, Insightful)
In order to process claims from a reader like this you're going to need a merchant account.
So let's say you try it, I'll outline the events for you in chronological order:
Re:Show me the security (Score:2)
Merchant account not required (Score:3, Informative)
Shortway:
Steal someones card. Put it in your wallet, buy things. They won't ask for ID cause that will slow down the process (and they hardly ever do now anyway). If it's less than $25 there's no paper trail, either. This will work until the person realized their card is missing and reports it stolen. Esentially the same as the present, but at least now they're supposed to verify your identity by comparing signatures or checking for ID... at least there's SOME verif
Re:Show me the security (Score:5, Informative)
Hey, Visa, if you think your RFID system is so secure, publish all the nice technical details on how it works, so we can be confident of its security.
They're all published and available.
The basic chip and communications specifications are contained in ISO 14443. It will cost you a few dollars to buy a copy. You purchase your copy from your national standards organization; if you live in the USA, that's ANSI and they charge $18 for each of the four parts. The fee isn't to keep this stuff out of your hands, by the way, *all* ISO standards are copyrighted and cost money to obtain. That's how they fund the standardization and publication processes.
Above that basic level, most of these cards will be Java Cards. You can get the specifications for Java Card from Sun. They're free.
Moving up, most of these cards are also Global Platform cards. GP defines an extra set of features above Java Card, mostly to specify security-related characteristics. The specifications are found at the Global Platform [globalplatform.org] web site.
In Visa's case, their recommended smart card platform is the IBM JCOP. You can find the details of IBM's implementation of Java Card and Global Platform here [http].
Note that not all issuing banks will use Java Card, or even a programmable card. Visa's recommended non-Java platform is the IBM MFC card operating system. I don't think the MFC team has a web site.
Finally, the actual payment application, and the component that matters most from a security perspective, is EMV. You can find complete EMV specifications at the EMVCO web site [emvco.com]. The specs are mostly written towards contact smart cards, not contactless, but good smart card protocol designers *always* assume an attacker can get between card and reader, whether it's directly connected via a contact plate, or whether it's over RF, so the contact-oriented security does just as good a job in contactless mode.
Regarding signatures or no, it's not clear yet how that is going to be handled. EMV provides for several modes of operation, the best being "chip and PIN", which is what's being deployed in the UK right now (with contact cards, not RF). In that mode, you provide your PIN to the card reader through a PIN pad, and that unlocks your card to perform the transaction.
EMV also allows chip and signature and chip-only (as well as providing for fall-back modes that don't use the chip and rely on the magnetic stripe or even on getting a carbon copy of the embossed card number). The decisions about which mode to require will be made by individual banks issuing cards.
There is a lot to EMV... so you've got a few weeks worth of serious work cut out for you if you really want to understand it all, but the information is public and peer-reviewed. The countries that have deployed EMV have seen card skimming fraud drop to zero. That's right, so far, there has been no known case of an EMV card being faked or duplicated, and as far as I know, no one has deployed cards with DDA (dynamic data authentication) enabled. They're all SDA (static data authentication), which carry digitially-signed but static data on the chip which is read out every time. The US banks are talking about doing DDA, which involves a cryptographic challenge-response protocol and is vastly harder to duplicate.
At, say, $24 each, in a large crowd, you could amass quite a bit of money, and many people would never know it happened.
LOL. Dude, think about what you're saying. Credit card transactions are completely auditable. When dozens of people complain that they didn't authorize those $24 transactions, the issuing banks are going to go back to the merchant who performed them, and his acquirer is going to notice the extraordinarily high level of complaints, *and* that they're all for sub-$25 transactions. The theif will be in prison very shortl
Re:A built-in PIN pad? (Score:3, Insightful)
Is that PIN pad on the card itself?
Nope, it'll work the same way PIN pads at Wal-mart (and wherever else) work right now.
Can that be made durable enough to live in my wallet?
Durability isn't the problem with putting a PIN pad on the card. The problems are power (where do you get it?) and cost -- mostly for the increased manufacturing complexity.
It sounds like these cards are going to be pricey (several dollars each to manufacture).
About $3 each. Current cards cost about $0.25 each. Cards wit
Re:Show me the security (Score:2, Insightful)
Re:Show me the security (Score:2)
you can copy the numbers with a fucking hires camera and a zoom lens at a place where they're used.
this is miles and miles and miles more secure than that..
(besides, these need a very low range. buy a tinfoil wallet will ya?)
People, this isn't RFID!!!!!!!! (Score:5, Interesting)
Re:People, this isn't RFID!!!!!!!! (Score:3, Insightful)
1) Use misleading buzzword to capture
2) Front page story.
3) ???
4) Profit!
Give them a few hours, (Score:5, Funny)
Re:People, this isn't RFID!!!!!!!! (Score:3, Funny)
The editors aren't techies. (Of course, they're not competent editors, either).
Zonk is the Games section editor (Score:2)
Re:People, this isn't RFID!!!!!!!! (Score:3, Insightful)
Re:People, this isn't RFID!!!!!!!! (Score:4, Insightful)
Yes it is! (Score:3)
ISO 14443 and ISO 15693 operate on the same principles, the essential difference is that the ISO14443 protocol allows a higher data bandwidth which results in shorter maximum range (ca. 10cm instead of ca 1m).
In general, ISO14443 chips are less low-cost, able to store more data and supporting cryptographic capabilities. But this has more to do with the market that they target than with technical issues.
Sure would nice... (Score:5, Funny)
Yes, it's a joke.
Security? (Score:5, Insightful)
Re:Security? (Score:3, Insightful)
And now a thief doesn't have to guess PINs. It will be enough just to steal a card!
Umm, under the current magstripe-based system, the thief doesn't need a PIN *or* a card. All he needs is the card number.
Re:Security? (Score:3, Informative)
Tracking down criminals (Score:3, Informative)
Tracking down online transactions isn't necessarily s
Re:Tracking down criminals (Score:2)
Very Secure? (Score:5, Insightful)
Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted, a key security feature, he said.
What protects consumers from fraudulent merchants waving some kind of electronic cash-sucking wand by your back pocket which contains your wallet which contains your RFID Visa card? There's no mention of this in the article at all!
It's a standard scam now for an unscrupulous merchant to charge millions of people a small amount of money fraudulently with the hopes that the vast majority won't even notice. Imagine what they will do when all they have to do is walk around a mall waving something at people purse's and backpockets!
Re:Very Secure? (Score:2)
Re:Very Secure? (Score:2)
No money would be lost by consumers (Score:3, Insightful)
Re:Very Secure? (Score:3, Informative)
What protects consumers from fraudulent merchants waving some kind of electronic cash-sucking wand by your back pocket which contains your wallet which contains your RFID Visa card? There's no mention of this in the article at all!
That's easy to answer! It's almost certainly based on the technology they already use.
VISA and others have been making smart cards for a while - they have a chip in which a smart card reader can talk to. You've probably seen cards with the contacts on the front already. T
Re:Very Secure? (Score:4, Funny)
The normal task of using a credit card:
1.) Get out your wallet.
2.) Get out the card.
3.) Place the card in the reader
4.) Swipe downward
That Step 4 was just killing me!
Tinfoil (Score:5, Funny)
big deal -- Mobil already does this (Score:2, Informative)
All Visa is moving the RFD dealie from a little wand on your keychain to the card.
Another Fine example of Slashdot "journalism" (Score:5, Insightful)
And, I'm inclined to listen to visa a little bit when they say their card is secure. I mean, they are not exactly a company that can win by skimping on security. If the system is hacked, they pay, not you.
Re:Another Fine example of Slashdot "journalism" (Score:2, Insightful)
It's passive (minimal activity required by anyone to get something scanned) and it's long range. While the ability to link identity to purchases (assuming no cash transactions) exists with bar-code readers, it's a much more active system, and the user has much more control over when and where this information is collected.
If with a few minutes thought, you can't construct a worst case scenerio for long-range
Re:Another Fine example of Slashdot "journalism" (Score:2)
so lets say they do limit the range to just a centimeter or two. then it would merely take a new type of pickpocket carrying around a reader for these new types of cards and just swipe it past the wallet in your pocket. they won't even need to touch you, and yet would be able to steal money from you. and because no signature is required for purchases up to $25, they could charge $25 to your
Re:Another Fine example of Slashdot "journalism" (Score:2)
BZZZZZTTTTT! Thanks for playing, would you like to try again?
First of all, Visa doesn't pay for SQUAT. Chargebacks are funded by the merchants, who in most cases are forced to eat the fraud.
And even if that were NOT true, TAANSTAAFL. Regardless of who foots the bill for the losses, ultimately those costs are passed back to the consumer in the form of higher costs.
Trust me, I know. http://theboyz.biz/ [theboyz.biz]
Re:Another Fine example of Slashdot "journalism" (Score:2)
Used to be the case that either they, or the store, paid if someone stole your card and forged your signature.
Now it's the case you pay if someone steals your card and uses your pin.
Getting pin's is easy, most people are too timid to shield the pin from the cashier and the guy looking over their shoulder.
Re:Another Fine example of Slashdot "journalism" (Score:2)
Now it's the case you pay if someone steals your card and uses your pin.
Not with credit card transactions. What you're saying is true for ATM transactions (and "debit" transactions at the point of sale, which are the same thing as ATM transactions).
For credit, US law (assuming that applies to you) limits your exposure to $50. In practice, you don't even pay that much because the credit card market is highly competitive and issuers don't want to take the chance of pissing you off.
Re:Another Fine example of Slashdot "journalism" (Score:4, Insightful)
I am not inclined to believe anyone when they say they have a secure system. If it's not a OTP scheme then it's crackable.
Re:Another Fine example of Slashdot "journalism" (Score:5, Insightful)
I believe it is an issue of knowledge. Specifically, with RFID and RFID-like technologies that do not require physical contact or personal interaction (like a PIN or swipe) it is conceivable that your information can be read at a distance* without your knowledge.
Does that mean the VISA card in this article is going to allow someone to drain your bank account because you walked too close to a vendor's shop? Not necessarily. However, consider this:
1. The "secure" WiFi protocols have all been beaten;
2. The "close-range" of bluetooth has been increased to over 1/4 of a mile by use of a shotgun-style antenna;
3. In general, people continue to use these technologies even if they are informed of the flaws, because they do not want to lose the convenience (or believe that "if it was really insecure, they wouldn't be able to sell it" or "It won't happen to me").
So do I think that a card like this will eventually be cracked, and will eventually be used to spy or steal from people (successfully or not**)? Yes. Yes I do.
*Here, "a distance" could be a few feet, or could be across a street through a shop window using a shotgun antenna (see bluetooth example).
**Here, I refer to the idea that someone who did this in bulk would likely get caught, and if they got caught it would not be a successful theft; then again, people steal checks and forge transactions to pay their utility bills all the time, and are rarely prosecuted for this provided the dollar amounts are small.
Making Fraud easy and fun! (Score:3, Insightful)
Also, does this mean that around the holidays in the mall, I wont have to hand the card over along with my driver's liscence?
"No, you don't need my ID, maam. Don't you know those cards can't be faked? It's completely secure. Yeah, I heard about it on the news, too. Never need to see my ID again. Compleltly safe. Don't forget to put that $1,235.65 on "credit". okay?"
And while the article says there is a code that can't be re-used for other readers, wont a signal jumper (the ones used to grab car alarm frequencies) still be able to get the 16 digit card number, plus exp. date?
Yeah, sending important financial data through the air sounds like a great idea. To the tech savvy, this is the same as screaming the numbers to the woman behind the register. Would you do that?
Re:Making Fraud easy and fun! (Score:2)
Also, does this mean that around the holidays in the mall, I wont have to hand the card over along with my driver's liscence? "No, you don't need my ID, maam. Don't you know those cards can't be faked? It's completely secure."
No, it doesn't mean that. The ID isn't to make sure the card isn't faked (how could it?), it's to make sure that your name is on the card. Other technology is used to make sure the card isn't faked -- and it's fairly weak technology.
These new cards will be very, very difficult
Is this technology really necessary?! (Score:4, Insightful)
Is it really so hard to swipe your card through a reader as you checkout? Does Visa really think people are so lazy that swiping a card is too much work?
This is an example of technology being used simply because it exists. This adds ZERO value for the consumer and opens up huge security holes. Who believes for one second that this technology is actually 100% secure?
I guess we're supposed to be reassured by the quote from the Visa rep in the article reminding us that there is no consumer liability for fraud.
I can only imagine what is going to happen if they roll out debit/checkcards linked to actual bank accounts with this technology!
Re:Is this technology really necessary?! (Score:2)
theft (Score:2, Insightful)
Re:theft (Score:3, Funny)
Wear a T-shirt saying "pencil $19.95", "ask for a refund if not satisfied" and walk around in a crowd handing out pencils whenever your battery powered and cellphone internet accessed credit processing system successfuly charges someones credit card for "pencil" at $19.95 bucks.
"Thank you, Here's your pencil sir"
they look at you funny and take your pencil cause your some crazy guy wearing a backpack with antennas sticking out all over and a tin foil hat and they don't want to mess with you.
Y
Lazy bastards (Score:3, Funny)
Re:Lazy bastards (Score:2)
Visa has to get the first step to work well, and people used to it, before they move any furhter.
Better watch those monthly statements! (Score:2, Insightful)
Hopefully not as easy as stopping payment on questionable charges to the account. The advantage of online progressively-updated statements becomes infinitely greater here; you'll have to check your statements every WEEK if it gets bad. Genuine cowhide is out, 100 mil thick aluminum is in!
What's the point? (Score:3, Insightful)
It speeds things up greatly. (Score:2)
Re:It speeds things up greatly. (Score:3, Insightful)
Signatures? How quaint... (Score:2)
Re:Signatures? How quaint... (Score:2)
It's a hell of a lot easier for a criminal to forge a PIN than a signature - especially given the total lack of security on the card machines.. anyone within about 20 feet could find out your pin every time you use it.
Plus there's the little change in the law that means that if someone forges your PIN you are now 100% liable not the credit card companies (which is the real reason
Re:Signatures? How quaint... (Score:2)
It's certainly far more secure than signatures.
Excuse me, sir... (Score:3, Funny)
Unsuspecting stooge: "sure, your total is
Scammer: "maybe you can read it from a little closer"
Unsuspecting stooge: "...$598. And it looks like your credit card was just approved too."
Scammer: "Oh, thanks you very much."
Unsuspecting stooge: "You're welcome"
Signatures (Score:3, Interesting)
Does anybody in N. America check signatures? They hardly seem to look at my cards. I have a friend who wrote "See ID" on the signature strip of their card and it took four months before she had a request. Having emmigrated from the UK, I really notice this. Over there they seem to make more of an effort, hold on to the card for longer and really compare it against the signed receipt. On many occasions in the UK I've been asked to resign things. In fact, I was once chastised by a cashier in Sainsburys in Norwich and told to stop being so lazy and make more of an effort! You see my signature had deteriorated in to a squiggly line that barely even resembled the signature on the card.
Besides, doesn't anybody else find those signature strips hard to sign? They don't have much height, and the surface seems to "writes differently". It's nigh on impossible to put a good approximation of my signature on it! Furthermore, I think the only way to tell a signature isn't faked is because every one is different so it shouldn't be identical to the one on the card!
Vent my Credit Card/Check Card Pet Peeve (Score:5, Insightful)
WHY, do companies and stores think that NOT showing ID when using a credit card/debit card is something that people would want?
I Don't sign my cards. I write in bold letters on the back MUST SEE ID. Still only about 1 in 20 times am I asked for an ID, even when makeing a $50+ purchase.
And the debit cards. The advertising on them is insane. They have some celebrity come out and get asked for ID then say - "With our Check Card, you Never need ID" And how is this supposed to be a good thing? I'm supposed to be happy that it is even easier for someone who has stolen a card to go and clear out my checking account? Who the heck goes out with their credit cards, but skips their ID? Who the heck runs around without an ID in the first place? What, your going to go into your wallet or purse, take out the debit card, and leave your licence/ID in there?
With all the credit card fraud and identity theft gong on, why would anyone make it even easier to ruin your credit rating and entangle you in hours upon hours of sometimes futile effort to get it set straight?
Mind you I will screem like hell if somebody REQUIRES me to carry an ID all the time - but cash spends fine without any verification.
Thanks.
A major problem with your plan. (Score:2)
they flat out refuse to accept such.
(individual offices aside, they are all supposed to be doing this like gangbusters)
For that matter, most merchant agreements (I've read enough) also instruct merchants not to accept such, but instruct that the customer must sign the card, or be refused...
Re:Vent my Credit Card/Check Card Pet Peeve (Score:2, Insightful)
Re:Vent my Credit Card/Check Card Pet Peeve (Score:5, Interesting)
I work part time in retail and our store used to have a policy about asking for ID with every CC purchase, but Visa threatened to pull out of our store because of it...
The CC companies and orgs do not want under any circumstances for retailers to ask for ID, even if the card is not signed. They are also against any and all PIN initiatives, or any other thing that might prevent credit cards from being used.
Even if there is a fraudulent charge, the only people that lose money are consumers. Retailers and Credit Card companies have insurance against fraudulent charges, and the cost of those premiums is worked into the merchant rate, which is passed along to consumers.
This is why CC companies and retailers DON'T CARE ONE BIT if a CC is stolen. If the retailer gets charged back, they just claim on their insurance, and pass the premium costs along to the consumer. If the chargeback is denied and the CC has to write it off, they claim _their_ insurance and pass the cost along to merchants, who then pass it along to consumers. If the thief gets away with it, the consumer is stuck with the bill for the fraudulent charge.
So, in any case, it's the consumers that are screwed, as usual.
Re:Vent my Credit Card/Check Card Pet Peeve (Score:5, Interesting)
There's plenty to be said about not treating your customers like criminals (DRM, copy-protection), but it seems to me that, as a consumer, I have just as much to gain from protecting my credit card as a business does.
Interestingly enough, I've heard that part of some contracts that retail outlets and credit card companies make nowadays specifcally state that the credit card companies do not want you to check ID's. Apparently they want credit cards to be as convenient as possible so that consumers will ring up as much debt as possible, so the banks can collect interest and fees. I guess if that's true, the ratio of fraud to legit purposes isn't so bad.
I've got see-ID on the back of my cards too. Sometimes they'll flip the card over and pretend to look at it, then give it back without asking for ID. Amazing. If they do ask for ID, I make it a point to thank them.
Re:Vent my Credit Card/Check Card Pet Peeve (Score:5, Informative)
You're an idiot. That signature panel is not there to identify you to the store clerk. Its there to prove that you have agreed to abide the provisions of the cardmember agreement. (ie pay your bill) Merchants are actually permitted to confiscate your card (which is the property of the issuing bank) if you refuse to sign it.
The purpose of checking your signature is to cover the merchant. If you don't sign your card the merchant is liable if you refuse to pay
PIN-based electronic transactions are actually considered digital signatures. The fact that you set or remembered your PIN signals your acceptance of the card agreement, and entering your PIN signs your transaction. Merchants prefer that you do a PIN transaction because it is cheaper and does not require them to store boxes of signed credit card drafts in the back for a year or more.
No, you are ignorant (Score:3, Insightful)
I'd like to see some store manager so ignorant as to try to confiscate my credit card because it tells him to to ask for I.D.
Re:Vent my Credit Card/Check Card Pet Peeve (Score:3, Insightful)
No, they are not. You further listed Mastercard rules, and it permits (or requires) that they refuse sales in certain circumstances. It does not state that they are allowed to confiscate cards for not being signed. I don't have a full agreement with me (or the hours necessary to read it), but the cards themselves do not identify themselves as the property of the bank.
And, if yo
Signatures/ID are poor(ly implemented) security (Score:4, Insightful)
Generally as a customer I don't. Not that I think showing ID is bad idea but I generally find the signature and to a lesser extend ID security measures to be as pointless as most of the airline "security". They're half heartedly implemented, irritating, and as implemented don't really do much to stop crime. It's appearance of security without substance. I wouldn't mind people asking for ID except that almost no one does, so what's the point? And the signature matching is a stupid since any thief with half a brain (admitedly some lack even half) will just look at the card and make at least a half-hearted effort to copy it. It's not like he has to look hard for it...
Let me be clear. I have the mistfortune of being a man with a name that is very rarely associated with the masculine gender. As irritating as that is to me, I should get asked for my ID all the time. But I don't which tells me that the the store management and credit card companies don't really percieve it as a problem. And they have the data to know whether it is or isn't. It's not like they're guessing. Furthermore, when I do get asked for ID, it's almost always at places like an airport (where I've been asked for my ID 20 times) when buying a $4 magazine, never for the $1000 printer. As a customer, I'll admit that being asked for ID is irritating and I don't like being regarded as a potential criminal but if it were a widely implemented security measure, I could deal. But since the credit card companies and most retailers don't regard it as enough of a problem (actions speak louder than words) to ask for ID consistently, I'd rather they save me the irritation and not bother at all.
It gets repeated here ad-nauseum that authentication consists of some combination of what you have, what you are and what you know. The signature is worthless as a security measure because it is simply two instances of something you have in the same item. Someone who takes my credit card also has my signature. Asking for photo ID sort of gets at what you are, though it can be forged by an ambitious criminal. But it could slow down the smaller thefts were it actually used. A pin code is actually useful IMO because it is something you know but is not used (for cost reasons mostly) for credit cards here in the US. And unlike biometric ID, it can be changed if there is a mixup.
While I'm venting, what really irritates me is when they have those swipe-it-yourself pads but still ask to see the signature! I've already mentioned that I think signature comparison is worthless as a security measure, but this practice just wastes both my time and the clerk's time. Furthermore they don't physically have the card at the right time if the credit card company tells them to hold the card. If they want to see my signature, the clerk should swipe the card him/herself and check. By having me do it, they don't save any time and they don't improve security. If they are going to ask for something they should ask for ID at that point, not a signature.
Its hard sometimes (Score:3, Funny)
Then I went to buy gas.
I put the card in the machine, and waited.
"Beep," it said.
I showed it my ID.
"Beep."
"No, this is my ID. See?"
Still, it refused to look. "Beep."
The crowd got larger and larger, but it still refused to look at my id. "Beep."
Now I'm stuck on my bicycle.
hawk
Sometime in the distant future... (Score:2, Funny)
Fry: $30? I can't afford that. Unless...[He pulls out his wallet.] Do you take RFID Visa?
Salesman: RFID Visa hasn't existed for 500 years.
Fry: RFID American Express?
Salesman: 600 years.
Fry: RFID Discover card?
Salesman: Uh, sorry we don't take RFID Discover.
Not really... (Score:2, Informative)
According to Visa:
"Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted"
So... not really, no. Just because two products use the same base technology doesn't mean that one is as fallible as the other. All cars made of metal and fiberglass don't rate the same in crash tests.
Faraday Wallet (Score:2)
(Tinfoil would work too, yes, but that wouldn't be durable and would probably scratch the mag-stripes off your non-evil cards.)
American Express also starting to roll out RFID (Score:3, Interesting)
American Express is also starting to roll out [americanexpress.com] an RFID solution, although seperate from their card and also available on a preload basis. Their national partner [google.com] I am aware of seems to be CVS drugstores, which seems to have rolled out credit card terminals which can read these cards locally even through I know of no other place I could use their RFID tag.
What if I carry multiple VISA cards? (Score:2, Insightful)
Fraudulent readers are not the only issue (Score:4, Interesting)
1)install reader in door frame
2)print EULA on doorstep stating there is a $5 charge to enter. "By stepping over this threshold you agree to the following terms...."
3)...
4)profit!!
or Blockbuster:
1)Take out advert at superbowl "THE END OF RENTAL FEES"
2)Place item at #296 in the website FAQ - "There will be a $15 charge for entering the store
3)...
4)profit!!
That's so insane (Score:5, Interesting)
No signature needed for under $25, works from a few inches away?
I forsee myself building a better antenna for my visa charging device and running through a crowded area charging everyone 24.99 as I pass by.
Multiple cards in wallet.... (Score:3, Interesting)
I assume the terminal will only charge one card, but if I have to take the card out to make sure the preferred one registers, I might as well swipe it.
Re:How long till... (Score:2)
i am sure the readers for these new cards aren't going to be too expensive otherwise retailers probably wouldn't go for them.
Re:How long till... (Score:2, Interesting)
Then you take the stolen cards and make lots or $25 purchases, without having to forge a signature.
Who thought this up? The Guild of Thieves?
Re:How long till... (Score:2)
Re:Hmm, So it's all about making it easier? (Score:2)
The current regime doesn't discourage me from making small purchases with plastic. It doesn't discourage anyone I know. I don't think it discourages anyone else either.
H*LL, credit card readers were showing up in fast food restaurants in the early 90's. If that isn't a "casual credit card use", then what is?
It is likely that anyone who cares to is already using credit cards for small purchases and making the process more casual or less secure really isn't going to do much to alter the habits o