Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Privacy Technology

Visa To Push Swipeless Credit Cards 452

BobPaul wrote in to mention an initiative by Visa to allow for swipeless credit card transactions. From the article: "...consumers need only wave credit and debit cards within a few inches of a reader to complete a purchase. And for purchases of less than $25, no signature is required...Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted". Update: 02/25 16:06 GMT by Z : References to RFID technology removed.
This discussion has been archived. No new comments can be posted.

Visa To Push Swipeless Credit Cards

Comments Filter:
  • by Anonymous Coward on Friday February 25, 2005 @08:47AM (#11776215)
    It is secure. They're using SHA-1 hashes.
  • by IO ERROR ( 128968 ) *
    Hey, Visa, if you think your RFID system is so secure, publish all the nice technical details on how it works, so we can be confident of its security. Otherwise I'm going to take my low-tech X-Acto knife [hunt-corp.com] and cut that RFID tag right out of the card. Considering that anybody can hack an RFID tag now [eweek.com], I'm not particularly inclined to trust this thing.

    Especially since it would be easy enough to wave an RFID reader at people's purses, back pockets, etc. At, say, $24 each, in a large crowd, you could amass quit

    • by John Harrison ( 223649 ) <johnharrisonNO@SPAMgmail.com> on Friday February 25, 2005 @08:50AM (#11776248) Homepage Journal
      You don't know what you're talking about and neither does /., or at least Zonk. This isn't RFID, these aren't the TI chips. This isn't ISO 15693. If you can break 3DES please let me know. I would be VERY interested.
      • by Delirium Tremens ( 214596 ) on Friday February 25, 2005 @09:04AM (#11776396) Journal
        Maybe they shoud have moved to the latest standard: AES. Deploying 3DES solutions today is deploying legacy.

        "While 3DES appears to be secure for now, it takes at least 3 times as long to run as DES, and this means that it is inefficient and slow compared to other available block ciphers such as the new standard, AES, which has replaced DES."

        -- W. Diffie and M. E. Hellman, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard," in IEEE Computer, vol. 10, 1977, pp. 74-84.
        • Hey, here is an idea: deliberately using 3DES instead of AES might actually be very smart. Since it is inefficient compared to newer block ciphers such as AES, then it could potentially also be slower to brute-force.

          That is -- of course -- assuming that you are using a 128-bit AES key for comparison. If you use 192-bit or 256-bit keys for AES, it's a whole other story. Bottom line is, if for any kind of reasons you can only play with 128-bit keys ('cause you have limited storage such as on a smart card fo

        • by swillden ( 191260 ) * <shawn-ds@willden.org> on Friday February 25, 2005 @09:42AM (#11776834) Homepage Journal

          Maybe they shoud have moved to the latest standard: AES. Deploying 3DES solutions today is deploying legacy.

          Or maybe not.

          Many security architects aren't going to use AES for a while yet. It's too new. It has received a fairly large amount of scrutiny from the cryptographic community since its birth, so that gives us some confidence, but nowhere near the confidence we have in DES.

          DES has stood up to 30 years worth of attacks and remains essentially unbroken. Sure, the key size is too small, so the cipher can be brute-forced relatively easily, but 3DES fixes that problem and does it by building on the fundamentally solid security of DES.

          The bottom line is that there is really no need to move to AES, since 3DES is perfectly adequate, and the odds of AES being broken sometime in the near future are at least as high as DES being broken. 3DES is, currently, the best choice from a pure security standpoint.

      • Put scanner near someones pocket and charge $24 or record credit card number (depending on how you wish to rip ther person off). No signature necessary nor decryption necessary. You do not have to "break" anything.

        Why is the technology even necessary given the risk? How much harder is swiping versus hovering the card over the scanner, aside from a fraction of a second of your time, what do you gain? The hardest part in either case is just getting the card out of your wallet.

        From a risk standpoint using th

        • Put scanner near someones pocket and charge $24 or record credit card number (depending on how you wish to rip ther person off). No signature necessary nor decryption necessary. You do not have to "break" anything.

          No, but you do have to have a merchant account, and that requires telling the bank in great detail who you are and where to find you. And when all of the complaints roll in, they're going to send some nice folks out to bring you in for a long chat.

          From a risk standpoint using these cards wo

    • by John Harrison ( 223649 ) <johnharrisonNO@SPAMgmail.com> on Friday February 25, 2005 @08:52AM (#11776267) Homepage Journal
      BTW, the specs are out there if you care to look. Here's a hint for you: EMV
    • Now people can steal my identity from 5 feet away! Sign me up, scotty.

      Jesus, what idiot there is thinking up this stuff, seriously? You litteraly couldn't PAY me to have an RFID credit card because hey, someone would just steal it! Stupid stupid stupid.

      • Please show me the reader that can read one of these from 5 feet. I would love to see it. Again, this isn't an RFID tag with a 3 meter range. But you know what? Tinfoil works great. I have a desk full of contactless smart cards here and if you put a single layer of tinfoil around it nobody can read it. I've tried.
        • by Qzukk ( 229616 ) on Friday February 25, 2005 @09:29AM (#11776663) Journal
          People wave this "it only works from inches away" bullshit without having any idea how radio works.

          Its simply a matter of using the right antenna with the right gain. See the bluetooth sniper rifle [engadget.com] for details (kilometer range! With bluetooth!). If the antenna is too big to hide on your person, set up shop in a dark alley somewhere and scan the masses as they mill by unaware.

          And yeah, tinfoil would work but make it all the more stupid. Not only would the old lady have to fumble the card out of her purse, you'd be sitting around watching her try to unwrap it and wrap it again afterwards. Just swipe the damn thing already!
          • by John Harrison ( 223649 ) <johnharrisonNO@SPAMgmail.com> on Friday February 25, 2005 @09:46AM (#11776870) Homepage Journal
            You can probably eavesdrop on the card to reader communication from some distance. This is known by those that created the spec and they have designed for it. Go read the EMV spec. Tell me if you can hack it. It has been out for years and in production in Europe for a while, though most deployments there are for contact cards.

            The real goal is fraud reduction. Visa isn't aiming for a perfect system, they want a better one that prevents skimming of your mag stripe. This means that they are no longer the low hanging fruit and the fraudsters will target traditional magstripe cards.

          • by Muad'Dave ( 255648 ) on Friday February 25, 2005 @09:55AM (#11776981) Homepage

            You don't seem to have read the spec - this is more about how air core transformers work than radio. These ISO 14443 cards use inductive coupling to power the card, not RF field strength. From this ISO 14443 overview [otiglobal.com]:
            ISO 14443-2 was published on July 1, 2001. This standard describes the characteristics of power transfer (based on
            inductive coupling) and communication between the PICC and PCD. Power is transferred to the card using a frequency modulated [magnetic] field at 13.56 MHz +/- 7kHz.
            Having a crypto processor on board (especially the exponentiator) requires way more power than can typically be delivered by RF field strength (far field tags vs near field tags). EPC tags [epcglobalinc.com] are RF field powered, and can be read from several meters away. Magnetically coupled tags can only be read from a few cm.

            73 de k4det

    • I want to know if stores are going to have "extra security measures" which require you to show your ID when you purchase something under $25.

      It's a real pain in the ass when it is "company policy" to request IDs. I don't shop at a local Cub Food grocery store because they require me to show an ID.

      My signature is usally an unintelligible squiggle. It's nothing like what shows on my ID. Signing credit card shit is a hassle and I make sure to do it as quickly as possible.
      • They probably make it policy because a signature is no security at all. By enforcing an ID policy, they can make the staff enforce the rules more - not asking for ID is far more obvious than not checking a signature, which can be easily forged anyway.

        That's the main reason most countries are switching to PIN based credit/debit card systems. Even the UK is, finally.
      • Hell, checking signatures is retarded, even so called "experts" can not reliably distinguish signatures with anything aproaching 100% accuracy. The real answer is to have all credit cards use smartcards and carry a picture of the person who the card was issued to. Then again I think this move shows what Visa et al are interested in, more convenience, not sucurity. I've had a Visa smart card for the last 5 years and other than using it for online signon I've used it in exactly TWO shops in those five years,
      • The signature is not a security device, it indicates that you accept and agree to adhere to the terms of your credit agreement (ie you will pay your bill).

        If your credit card is unsigned and you refuse to pay, the merchant is on the hook for it.
    • by Thaelon ( 250687 ) on Friday February 25, 2005 @09:12AM (#11776483)
      While this may seem very scary at first it's complete FUD.

      In order to process claims from a reader like this you're going to need a merchant account.

      So let's say you try it, I'll outline the events for you in chronological order:
      1. You obtain a merchant account to be able to collect funds from your portable reader.
      2. You figure out a way to generate transaction IDs without contacting Visa.
      3. You go out and collect ~$24 from fifty people in a crowd, wohoo $1,200!
      4. Let's say you play it smart and only claim those trasnaction monies and random increments over a day or so.
      5. 50 people protest to visa that they didn't authorize your charges.
      6. Visa does about 30 seconds worth of research and realizes that all 50 of these claims lead directly to you via your merchant account.
      7. Visa shuts you down like a bitch and presses charges.
      8. You go to jail since you have no case whatsoever.
      9. Your ass now belongs to Bubba.

      • Yes because obtaining a merchant account through a shell company is SO difficult. I mean Visa has less barriers to entry than Choicepoint and thieves who have yet to be found were able to make MANY false accounts with Choicepoint.
      • Well, there's a long way and a short way.

        Shortway:
        Steal someones card. Put it in your wallet, buy things. They won't ask for ID cause that will slow down the process (and they hardly ever do now anyway). If it's less than $25 there's no paper trail, either. This will work until the person realized their card is missing and reports it stolen. Esentially the same as the present, but at least now they're supposed to verify your identity by comparing signatures or checking for ID... at least there's SOME verif
    • by swillden ( 191260 ) * <shawn-ds@willden.org> on Friday February 25, 2005 @09:33AM (#11776717) Homepage Journal

      Hey, Visa, if you think your RFID system is so secure, publish all the nice technical details on how it works, so we can be confident of its security.

      They're all published and available.

      The basic chip and communications specifications are contained in ISO 14443. It will cost you a few dollars to buy a copy. You purchase your copy from your national standards organization; if you live in the USA, that's ANSI and they charge $18 for each of the four parts. The fee isn't to keep this stuff out of your hands, by the way, *all* ISO standards are copyrighted and cost money to obtain. That's how they fund the standardization and publication processes.

      Above that basic level, most of these cards will be Java Cards. You can get the specifications for Java Card from Sun. They're free.

      Moving up, most of these cards are also Global Platform cards. GP defines an extra set of features above Java Card, mostly to specify security-related characteristics. The specifications are found at the Global Platform [globalplatform.org] web site.

      In Visa's case, their recommended smart card platform is the IBM JCOP. You can find the details of IBM's implementation of Java Card and Global Platform here [http].

      Note that not all issuing banks will use Java Card, or even a programmable card. Visa's recommended non-Java platform is the IBM MFC card operating system. I don't think the MFC team has a web site.

      Finally, the actual payment application, and the component that matters most from a security perspective, is EMV. You can find complete EMV specifications at the EMVCO web site [emvco.com]. The specs are mostly written towards contact smart cards, not contactless, but good smart card protocol designers *always* assume an attacker can get between card and reader, whether it's directly connected via a contact plate, or whether it's over RF, so the contact-oriented security does just as good a job in contactless mode.

      Regarding signatures or no, it's not clear yet how that is going to be handled. EMV provides for several modes of operation, the best being "chip and PIN", which is what's being deployed in the UK right now (with contact cards, not RF). In that mode, you provide your PIN to the card reader through a PIN pad, and that unlocks your card to perform the transaction.

      EMV also allows chip and signature and chip-only (as well as providing for fall-back modes that don't use the chip and rely on the magnetic stripe or even on getting a carbon copy of the embossed card number). The decisions about which mode to require will be made by individual banks issuing cards.

      There is a lot to EMV... so you've got a few weeks worth of serious work cut out for you if you really want to understand it all, but the information is public and peer-reviewed. The countries that have deployed EMV have seen card skimming fraud drop to zero. That's right, so far, there has been no known case of an EMV card being faked or duplicated, and as far as I know, no one has deployed cards with DDA (dynamic data authentication) enabled. They're all SDA (static data authentication), which carry digitially-signed but static data on the chip which is read out every time. The US banks are talking about doing DDA, which involves a cryptographic challenge-response protocol and is vastly harder to duplicate.

      At, say, $24 each, in a large crowd, you could amass quite a bit of money, and many people would never know it happened.

      LOL. Dude, think about what you're saying. Credit card transactions are completely auditable. When dozens of people complain that they didn't authorize those $24 transactions, the issuing banks are going to go back to the merchant who performed them, and his acquirer is going to notice the extraordinarily high level of complaints, *and* that they're all for sub-$25 transactions. The theif will be in prison very shortl

    • For the record, Visa is very paranoid about encryption security. They don't even trust RSA for key exchange, because you are never guaranteed a prime number. They've been using Smart Cards in their credit cards in France since before 2000, and I haven't heard a lot of complaints (if anyone has, I'd be interested to hear). Besides, this will allow a waiter to take a cordless reader to your table to scan your card. Which is the higher security threat, someone who can hack triple DES (and manage to get thei
    • current visa isn't that secure to begin with.

      you can copy the numbers with a fucking hires camera and a zoom lens at a place where they're used.

      this is miles and miles and miles more secure than that..

      (besides, these need a very low range. buy a tinfoil wallet will ya?)
  • by John Harrison ( 223649 ) <johnharrisonNO@SPAMgmail.com> on Friday February 25, 2005 @08:48AM (#11776227) Homepage Journal
    This is a contactless credit card, ISO 14443. RFID is ISO 15693. They are different. The article never mentions RFID. Slashdot has inserted something that was never there. This is misleading, dishonest, and unprofessional. There are MAJOR DIFFERENCES between the technologies. You would think that a techie site like /. would know better.
  • by hot_Karls_bad_cavern ( 759797 ) on Friday February 25, 2005 @08:49AM (#11776236) Journal
    to have the sales folks in a store be able to read the info, check your limit, and in *MY* case, simply leave me alone while i browse, since i'm always broke anyway and don't like to be hassled whilst i look at stuff i can't buy!

    Yes, it's a joke.
  • Security? (Score:5, Insightful)

    by Cyberax ( 705495 ) on Friday February 25, 2005 @08:49AM (#11776239)
    And now a thief doesn't have to guess PINs. It will be enough just to steal a card!
    • Re:Security? (Score:3, Insightful)

      by swillden ( 191260 ) *

      And now a thief doesn't have to guess PINs. It will be enough just to steal a card!

      Umm, under the current magstripe-based system, the thief doesn't need a PIN *or* a card. All he needs is the card number.

  • Very Secure? (Score:5, Insightful)

    by bigtallmofo ( 695287 ) on Friday February 25, 2005 @08:49AM (#11776240)
    From TFA:

    Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted, a key security feature, he said.

    What protects consumers from fraudulent merchants waving some kind of electronic cash-sucking wand by your back pocket which contains your wallet which contains your RFID Visa card? There's no mention of this in the article at all!

    It's a standard scam now for an unscrupulous merchant to charge millions of people a small amount of money fraudulently with the hopes that the vast majority won't even notice. Imagine what they will do when all they have to do is walk around a mall waving something at people purse's and backpockets!
    • This seems absolutely correct. If no confirmation is needed below $25, the possibilities for small scale fraud by a large number of vendors would seem to be quite high. Although such fraud should eventually be detected by the unusual transaction patterns, the chance that end users would get reimbursed seems remote. The problem with all "make it easy for the customer to spend money" technologies is the large number of dishonest people who will look to exploit them. Much as retailers would dislike it, what I
      • Easy: Set up a small business of some sort in a mall where you get lots of small credit card transactions. Then bill few thousand people more a month say $20 each.. that extra should allow you to make profit even with a crappy business plan.
      • The merchant does not add a $20 item and transfer money instantly. It has to go thru the issuing bank, and not instantly, and not without the possibility of chargebacks, and then that merchant will lose his VISA account and be out of business. If you dispute the matter, and they see a pattern of some merchant going bananas with $20 chargebacks, he will be in banana-skin city. The merchant will lose. This is credit cards.
    • Re:Very Secure? (Score:3, Informative)

      by sbryant ( 93075 )

      What protects consumers from fraudulent merchants waving some kind of electronic cash-sucking wand by your back pocket which contains your wallet which contains your RFID Visa card? There's no mention of this in the article at all!

      That's easy to answer! It's almost certainly based on the technology they already use.

      VISA and others have been making smart cards for a while - they have a chip in which a smart card reader can talk to. You've probably seen cards with the contacts on the front already. T

  • Tinfoil (Score:5, Funny)

    by Mork29 ( 682855 ) * <keith.yelnick@noSPAM.us.army.mil> on Friday February 25, 2005 @08:54AM (#11776279) Journal
    I've always wanted an excuse to carry around a wallet made of tinfoil.... it'll match my hat, and my under.... I mean socks....
  • by Anonymous Coward
    Mobil gas stations give you a little RFD dealie to authorize gas purchases at the pump and other purchases in the store. They've done this for years.

    All Visa is moving the RFD dealie from a little wand on your keychain to the card.
  • by sQuEeDeN ( 565589 ) on Friday February 25, 2005 @08:57AM (#11776322)
    Seriously. IT DOES NOT MENTION RFID ANYWHERE IN THE ARTICLE. Just so y'all realize. Why is slashdot so anti-RFID, anyways? Are you guys anti-barcode? It's just a longer range barcode. And the chipmaker can set the length. It's just a way to get small amounts of information in to a computer. Relax.

    And, I'm inclined to listen to visa a little bit when they say their card is secure. I mean, they are not exactly a company that can win by skimping on security. If the system is hacked, they pay, not you.
    • Privacy freaks are anti RFID (and any similiar distance tagging method) for precisely two reasons:
      It's passive (minimal activity required by anyone to get something scanned) and it's long range. While the ability to link identity to purchases (assuming no cash transactions) exists with bar-code readers, it's a much more active system, and the user has much more control over when and where this information is collected.

      If with a few minutes thought, you can't construct a worst case scenerio for long-range

    • the entire problem is that it is a contactless card...meaning the reader doesn't need to touch the card to read it.

      so lets say they do limit the range to just a centimeter or two. then it would merely take a new type of pickpocket carrying around a reader for these new types of cards and just swipe it past the wallet in your pocket. they won't even need to touch you, and yet would be able to steal money from you. and because no signature is required for purchases up to $25, they could charge $25 to your
    • If the system is hacked, they pay, not you.

      BZZZZZTTTTT! Thanks for playing, would you like to try again?

      First of all, Visa doesn't pay for SQUAT. Chargebacks are funded by the merchants, who in most cases are forced to eat the fraud.

      And even if that were NOT true, TAANSTAAFL. Regardless of who foots the bill for the losses, ultimately those costs are passed back to the consumer in the form of higher costs.

      Trust me, I know. http://theboyz.biz/ [theboyz.biz] ;)
    • I mean, they are not exactly a company that can win by skimping on security. If the system is hacked, they pay, not you.

      Used to be the case that either they, or the store, paid if someone stole your card and forged your signature.

      Now it's the case you pay if someone steals your card and uses your pin.

      Getting pin's is easy, most people are too timid to shield the pin from the cashier and the guy looking over their shoulder.
      • Now it's the case you pay if someone steals your card and uses your pin.

        Not with credit card transactions. What you're saying is true for ATM transactions (and "debit" transactions at the point of sale, which are the same thing as ATM transactions).

        For credit, US law (assuming that applies to you) limits your exposure to $50. In practice, you don't even pay that much because the credit card market is highly competitive and issuers don't want to take the chance of pissing you off.

    • A barcode cannot be read through your wallet at a distance. Personally I do not have a wallet with a mylar insert, though you may. RFID tags can be read at a significant distance with off the shelf (though perhaps not handheld) equipment. Bar Codes can be read at basically any distance if you have line of sight and the bar is more or less perpendicular to you. Can you see the difference now? Here's another one to mull over: There was an article here about putting RFID in the shoe soles, ostensibly to track sole inventory. Can you imagine a more ideal situation if you're trying to track pedestrians? Every floor mat, sidewalk segment, et cetera is a potential hiding place for an RFID antenna, and with a large antenna at close range like that, the potential for error is vastly reduced.

      I am not inclined to believe anyone when they say they have a secure system. If it's not a OTP scheme then it's crackable.

    • by DaveJay ( 133437 ) on Friday February 25, 2005 @11:35AM (#11778166)
      Why is slashdot so anti-RFID, anyways?

      I believe it is an issue of knowledge. Specifically, with RFID and RFID-like technologies that do not require physical contact or personal interaction (like a PIN or swipe) it is conceivable that your information can be read at a distance* without your knowledge.

      Does that mean the VISA card in this article is going to allow someone to drain your bank account because you walked too close to a vendor's shop? Not necessarily. However, consider this:

      1. The "secure" WiFi protocols have all been beaten;
      2. The "close-range" of bluetooth has been increased to over 1/4 of a mile by use of a shotgun-style antenna;
      3. In general, people continue to use these technologies even if they are informed of the flaws, because they do not want to lose the convenience (or believe that "if it was really insecure, they wouldn't be able to sell it" or "It won't happen to me").

      So do I think that a card like this will eventually be cracked, and will eventually be used to spy or steal from people (successfully or not**)? Yes. Yes I do.

      *Here, "a distance" could be a few feet, or could be across a street through a shop window using a shotgun antenna (see bluetooth example).

      **Here, I refer to the idea that someone who did this in bulk would likely get caught, and if they got caught it would not be a successful theft; then again, people steal checks and forge transactions to pay their utility bills all the time, and are rarely prosecuted for this provided the dollar amounts are small.
  • by kbonapart ( 645754 ) <lashan_lynn.yahoo@com> on Friday February 25, 2005 @08:58AM (#11776330)
    So, when Wal-Mart incorporates this technology, can I just have the bag containing the stolen card near the reader to purchase my illicit goods? And *IF* I am questioned about it, I can say that I didn't know it was in there, and I thought it was going to read my REAL card.

    Also, does this mean that around the holidays in the mall, I wont have to hand the card over along with my driver's liscence?

    "No, you don't need my ID, maam. Don't you know those cards can't be faked? It's completely secure. Yeah, I heard about it on the news, too. Never need to see my ID again. Compleltly safe. Don't forget to put that $1,235.65 on "credit". okay?"

    And while the article says there is a code that can't be re-used for other readers, wont a signal jumper (the ones used to grab car alarm frequencies) still be able to get the 16 digit card number, plus exp. date?

    Yeah, sending important financial data through the air sounds like a great idea. To the tech savvy, this is the same as screaming the numbers to the woman behind the register. Would you do that?
    • Also, does this mean that around the holidays in the mall, I wont have to hand the card over along with my driver's liscence? "No, you don't need my ID, maam. Don't you know those cards can't be faked? It's completely secure."

      No, it doesn't mean that. The ID isn't to make sure the card isn't faked (how could it?), it's to make sure that your name is on the card. Other technology is used to make sure the card isn't faked -- and it's fairly weak technology.

      These new cards will be very, very difficult

  • by William_Lee ( 834197 ) on Friday February 25, 2005 @08:58AM (#11776342)
    All this looks like to me is credit card companies trying to generate a new revenue stream by getting existing merchants to pony up for the new technology required to use this system.

    Is it really so hard to swipe your card through a reader as you checkout? Does Visa really think people are so lazy that swiping a card is too much work?

    This is an example of technology being used simply because it exists. This adds ZERO value for the consumer and opens up huge security holes. Who believes for one second that this technology is actually 100% secure?

    I guess we're supposed to be reassured by the quote from the Visa rep in the article reminding us that there is no consumer liability for fraud.

    I can only imagine what is going to happen if they roll out debit/checkcards linked to actual bank accounts with this technology!
    • what they forget to mention is that visa ALSO is usually not liable for fraud, they try everything they can to push it down the chain assuming they are never to blame. So, in cases of ID theft where visa could have known of this being the case based on weird purchase patterns they happily push the burden on to the merchant, who really has NO other way to figure out if a card is legit other than calling visa and getting an OK. Then 6 weeks later they have to pay it back or lose their merchant accounts... Esp
  • theft (Score:2, Insightful)

    So now instead of someone having to take my wallet to steal my credit card they can just walk by me with a contactless reader?
    • Re:theft (Score:3, Funny)

      by BloodSprite ( 557023 )
      Even better.

      Wear a T-shirt saying "pencil $19.95", "ask for a refund if not satisfied" and walk around in a crowd handing out pencils whenever your battery powered and cellphone internet accessed credit processing system successfuly charges someones credit card for "pencil" at $19.95 bucks.

      "Thank you, Here's your pencil sir"

      they look at you funny and take your pencil cause your some crazy guy wearing a backpack with antennas sticking out all over and a tin foil hat and they don't want to mess with you.

      Y
  • by Leroy_Brown242 ( 683141 ) on Friday February 25, 2005 @09:03AM (#11776381) Homepage Journal
    RFID and Visa, for when it's too much effort to slide your card, you can just wave it around!
    • This is just the first step. You've probably seen the IBM ads where we pick the stuff we want and simply walk out of the store. We never even have to stop and check out. That's the final step.

      Visa has to get the first step to work well, and people used to it, before they move any furhter.
  • "Security is a question," Gillespie said. "How easy is it for someone to interact with a wireless communication and pick up a number?"

    Hopefully not as easy as stopping payment on questionable charges to the account. The advantage of online progressively-updated statements becomes infinitely greater here; you'll have to check your statements every WEEK if it gets bad. Genuine cowhide is out, 100 mil thick aluminum is in!

  • What's the point? (Score:3, Insightful)

    by Lemuel ( 2370 ) on Friday February 25, 2005 @09:06AM (#11776408)
    Why do I need a contactless transaction? What is so hard about running my card through the slot in the terminal?
    • Doesn't sound like it would matter, but it does. In a lot of cases it speeds lines up which equals lots of savings. A few seconds here and there adds up when you've got a lot of people.
      • But the slow part involves getting out the card, answering the debit/credit question, printing the receipt, and signing it. If the goal is speed up the process the debit/credit question could be removed and the signature. I'm assuming people still want receipts, although I could be wrong there.
  • When I first moved to the UK from Norway five years ago, the first thing that annoyed the hell out of me was having to sign when I used my cards instead of just entering a PIN. Now signatures are rapidly being phased out here as well. I'd happily get rid of having to insert my card in the reader, as long as the PIN is still required.
    • I prefer signatures... luckily none of my cards are PIN cards (they can't force you to use them, it's part of the legislation).

      It's a hell of a lot easier for a criminal to forge a PIN than a signature - especially given the total lack of security on the card machines.. anyone within about 20 feet could find out your pin every time you use it.

      Plus there's the little change in the law that means that if someone forges your PIN you are now 100% liable not the credit card companies (which is the real reason
      • It's not that easy to see someone typing a PIN: just don't type the PIN with one finger, place your fingers on the keypad like you would with a computer keyboard and press the keys down gently.

        It's certainly far more secure than signatures.

  • by Colonel Panic ( 15235 ) on Friday February 25, 2005 @09:07AM (#11776421)
    Scammer: "Could you step over here and read this number for me, I need to get new glasses or something."
    Unsuspecting stooge: "sure, your total is .... Yeah this is tiny print..."
    Scammer: "maybe you can read it from a little closer"
    Unsuspecting stooge: "...$598. And it looks like your credit card was just approved too."
    Scammer: "Oh, thanks you very much."
    Unsuspecting stooge: "You're welcome"

  • Signatures (Score:3, Interesting)

    by Malc ( 1751 ) on Friday February 25, 2005 @09:11AM (#11776473)
    "And for purchases of less than $25, no signature is required."

    Does anybody in N. America check signatures? They hardly seem to look at my cards. I have a friend who wrote "See ID" on the signature strip of their card and it took four months before she had a request. Having emmigrated from the UK, I really notice this. Over there they seem to make more of an effort, hold on to the card for longer and really compare it against the signed receipt. On many occasions in the UK I've been asked to resign things. In fact, I was once chastised by a cashier in Sainsburys in Norwich and told to stop being so lazy and make more of an effort! You see my signature had deteriorated in to a squiggly line that barely even resembled the signature on the card.

    Besides, doesn't anybody else find those signature strips hard to sign? They don't have much height, and the surface seems to "writes differently". It's nigh on impossible to put a good approximation of my signature on it! Furthermore, I think the only way to tell a signature isn't faked is because every one is different so it shouldn't be identical to the one on the card! ;)
  • by Confessed Geek ( 514779 ) on Friday February 25, 2005 @09:13AM (#11776491)
    Please excuse me while I get this personal pet peeve off my chest.

    WHY, do companies and stores think that NOT showing ID when using a credit card/debit card is something that people would want?

    I Don't sign my cards. I write in bold letters on the back MUST SEE ID. Still only about 1 in 20 times am I asked for an ID, even when makeing a $50+ purchase.

    And the debit cards. The advertising on them is insane. They have some celebrity come out and get asked for ID then say - "With our Check Card, you Never need ID" And how is this supposed to be a good thing? I'm supposed to be happy that it is even easier for someone who has stolen a card to go and clear out my checking account? Who the heck goes out with their credit cards, but skips their ID? Who the heck runs around without an ID in the first place? What, your going to go into your wallet or purse, take out the debit card, and leave your licence/ID in there?

    With all the credit card fraud and identity theft gong on, why would anyone make it even easier to ruin your credit rating and entangle you in hours upon hours of sometimes futile effort to get it set straight?

    Mind you I will screem like hell if somebody REQUIRES me to carry an ID all the time - but cash spends fine without any verification.

    Thanks.
    • Ever go to the post office?
      they flat out refuse to accept such.
      (individual offices aside, they are all supposed to be doing this like gangbusters)

      For that matter, most merchant agreements (I've read enough) also instruct merchants not to accept such, but instruct that the customer must sign the card, or be refused...

    • Why not get a credit card with your photo on it?
      • by EmagGeek ( 574360 ) <gterichNO@SPAMaol.com> on Friday February 25, 2005 @10:26AM (#11777321) Journal
        I had one of those cards a while ago... I glued a picture of Chris Rock on the front of it, and not ONCE was I ever questioned (even though I'm a white guy)...

        I work part time in retail and our store used to have a policy about asking for ID with every CC purchase, but Visa threatened to pull out of our store because of it...

        The CC companies and orgs do not want under any circumstances for retailers to ask for ID, even if the card is not signed. They are also against any and all PIN initiatives, or any other thing that might prevent credit cards from being used.

        Even if there is a fraudulent charge, the only people that lose money are consumers. Retailers and Credit Card companies have insurance against fraudulent charges, and the cost of those premiums is worked into the merchant rate, which is passed along to consumers.

        This is why CC companies and retailers DON'T CARE ONE BIT if a CC is stolen. If the retailer gets charged back, they just claim on their insurance, and pass the premium costs along to the consumer. If the chargeback is denied and the CC has to write it off, they claim _their_ insurance and pass the cost along to merchants, who then pass it along to consumers. If the thief gets away with it, the consumer is stuck with the bill for the fraudulent charge.

        So, in any case, it's the consumers that are screwed, as usual.
    • by cowscows ( 103644 ) on Friday February 25, 2005 @09:29AM (#11776667) Journal
      A few years back I was working retail at a store where the manager told us to require ID for all credit card purchases. Some people would get so upset about it. I don't know if it was because they believed that we were accusing them of being dishonest, or if they were just lazy.

      There's plenty to be said about not treating your customers like criminals (DRM, copy-protection), but it seems to me that, as a consumer, I have just as much to gain from protecting my credit card as a business does.

      Interestingly enough, I've heard that part of some contracts that retail outlets and credit card companies make nowadays specifcally state that the credit card companies do not want you to check ID's. Apparently they want credit cards to be as convenient as possible so that consumers will ring up as much debt as possible, so the banks can collect interest and fees. I guess if that's true, the ratio of fraud to legit purposes isn't so bad.

      I've got see-ID on the back of my cards too. Sometimes they'll flip the card over and pretend to look at it, then give it back without asking for ID. Amazing. If they do ask for ID, I make it a point to thank them.
    • by duffbeer703 ( 177751 ) * on Friday February 25, 2005 @10:11AM (#11777140)
      I Don't sign my cards. I write in bold letters on the back MUST SEE ID. Still only about 1 in 20 times am I asked for an ID, even when makeing a $50+ purchase.

      You're an idiot. That signature panel is not there to identify you to the store clerk. Its there to prove that you have agreed to abide the provisions of the cardmember agreement. (ie pay your bill) Merchants are actually permitted to confiscate your card (which is the property of the issuing bank) if you refuse to sign it.

      The purpose of checking your signature is to cover the merchant. If you don't sign your card the merchant is liable if you refuse to pay

      PIN-based electronic transactions are actually considered digital signatures. The fact that you set or remembered your PIN signals your acceptance of the card agreement, and entering your PIN signs your transaction. Merchants prefer that you do a PIN transaction because it is cheaper and does not require them to store boxes of signed credit card drafts in the back for a year or more.

      • I too sign my cards CHECK I.D. This is accepted practice. Some credit card companies have even recommended it. Stores are SUPPOSED to ask for ID in that case, the point being to see that the photo ID matches my face, and the names match.

        I'd like to see some store manager so ignorant as to try to confiscate my credit card because it tells him to to ask for I.D.
      • Merchants are actually permitted to confiscate your card (which is the property of the issuing bank) if you refuse to sign it.

        No, they are not. You further listed Mastercard rules, and it permits (or requires) that they refuse sales in certain circumstances. It does not state that they are allowed to confiscate cards for not being signed. I don't have a full agreement with me (or the hours necessary to read it), but the cards themselves do not identify themselves as the property of the bank.

        And, if yo
    • by sjbe ( 173966 ) on Friday February 25, 2005 @10:49AM (#11777617)
      WHY, do companies and stores think that NOT showing ID when using a credit card/debit card is something that people would want?

      Generally as a customer I don't. Not that I think showing ID is bad idea but I generally find the signature and to a lesser extend ID security measures to be as pointless as most of the airline "security". They're half heartedly implemented, irritating, and as implemented don't really do much to stop crime. It's appearance of security without substance. I wouldn't mind people asking for ID except that almost no one does, so what's the point? And the signature matching is a stupid since any thief with half a brain (admitedly some lack even half) will just look at the card and make at least a half-hearted effort to copy it. It's not like he has to look hard for it...

      Let me be clear. I have the mistfortune of being a man with a name that is very rarely associated with the masculine gender. As irritating as that is to me, I should get asked for my ID all the time. But I don't which tells me that the the store management and credit card companies don't really percieve it as a problem. And they have the data to know whether it is or isn't. It's not like they're guessing. Furthermore, when I do get asked for ID, it's almost always at places like an airport (where I've been asked for my ID 20 times) when buying a $4 magazine, never for the $1000 printer. As a customer, I'll admit that being asked for ID is irritating and I don't like being regarded as a potential criminal but if it were a widely implemented security measure, I could deal. But since the credit card companies and most retailers don't regard it as enough of a problem (actions speak louder than words) to ask for ID consistently, I'd rather they save me the irritation and not bother at all.

      It gets repeated here ad-nauseum that authentication consists of some combination of what you have, what you are and what you know. The signature is worthless as a security measure because it is simply two instances of something you have in the same item. Someone who takes my credit card also has my signature. Asking for photo ID sort of gets at what you are, though it can be forged by an ambitious criminal. But it could slow down the smaller thefts were it actually used. A pin code is actually useful IMO because it is something you know but is not used (for cost reasons mostly) for credit cards here in the US. And unlike biometric ID, it can be changed if there is a mixup.

      While I'm venting, what really irritates me is when they have those swipe-it-yourself pads but still ask to see the signature! I've already mentioned that I think signature comparison is worthless as a security measure, but this practice just wastes both my time and the clerk's time. Furthermore they don't physically have the card at the right time if the credit card company tells them to hold the card. If they want to see my signature, the clerk should swipe the card him/herself and check. By having me do it, they don't save any time and they don't improve security. If they are going to ask for something they should ask for ID at that point, not a signature.
    • by hawk ( 1151 )
      I tried that.

      Then I went to buy gas.

      I put the card in the machine, and waited.

      "Beep," it said.

      I showed it my ID.

      "Beep."

      "No, this is my ID. See?"

      Still, it refused to look. "Beep."

      The crowd got larger and larger, but it still refused to look at my id. "Beep."

      Now I'm stuck on my bicycle.

      hawk
  • by Anonymous Coward
    Salesman: $30 please.

    Fry: $30? I can't afford that. Unless...[He pulls out his wallet.] Do you take RFID Visa?

    Salesman: RFID Visa hasn't existed for 500 years.

    Fry: RFID American Express?

    Salesman: 600 years.

    Fry: RFID Discover card?

    Salesman: Uh, sorry we don't take RFID Discover.
  • Not really... (Score:2, Informative)

    by niki9 ( 580026 )
    "isn't that very similar to how TI's car RFID system was made?"

    According to Visa:

    "Each transmission between card and reader has a unique code that cannot be reused even if it is intercepted"

    So... not really, no. Just because two products use the same base technology doesn't mean that one is as fallible as the other. All cars made of metal and fiberglass don't rate the same in crash tests.
  • For those who are afraid of this technology's potential for abuse, I wouldn't worry too much. I'm sure that even before this thing gets released Thinkgeek will start selling a wallet which is also a Faraday Cage.

    (Tinfoil would work too, yes, but that wouldn't be durable and would probably scratch the mag-stripes off your non-evil cards.)
  • by Cerlyn ( 202990 ) on Friday February 25, 2005 @09:37AM (#11776780)

    American Express is also starting to roll out [americanexpress.com] an RFID solution, although seperate from their card and also available on a preload basis. Their national partner [google.com] I am aware of seems to be CVS drugstores, which seems to have rolled out credit card terminals which can read these cards locally even through I know of no other place I could use their RFID tag.

  • I could just see me pull out my wallet and have it just be in range of the reader. I intend it to charge to one card and...whoops, it charges to the card I'm almost over limit on.
  • by pseudosocrates ( 601092 ) on Friday February 25, 2005 @09:51AM (#11776930)
    What happens when shopping malls decide they don't generate enough revenue by rent alone...

    1)install reader in door frame
    2)print EULA on doorstep stating there is a $5 charge to enter. "By stepping over this threshold you agree to the following terms...."
    3)...
    4)profit!!

    or Blockbuster:

    1)Take out advert at superbowl "THE END OF RENTAL FEES"
    2)Place item at #296 in the website FAQ - "There will be a $15 charge for entering the store
    3)...
    4)profit!!
  • That's so insane (Score:5, Interesting)

    by photon317 ( 208409 ) on Friday February 25, 2005 @10:01AM (#11777040)

    No signature needed for under $25, works from a few inches away?

    I forsee myself building a better antenna for my visa charging device and running through a crowded area charging everyone 24.99 as I pass by.
  • by McFly777 ( 23881 ) on Friday February 25, 2005 @12:54PM (#11779284) Homepage
    OK, I have several cards in my wallet (Mastercard, Discover, AmEx). Assuming they all follow Visa's lead and incorporate this contactless tech., what happens when I wave my wallet with all three cards in it? Which card responds? is there a race condition?

    I assume the terminal will only charge one card, but if I have to take the card out to make sure the preferred one registers, I might as well swipe it.

On the eighth day, God created FORTRAN.

Working...