Would You Trust RFID-Enabled ATM Cards?

race_k2 asks: "As a regular Slashdot reader I've followed the development and implementation of RFID devices in many ubiquitous areas such as clothing, passports and even people. Given that our environment is becoming increasingly tagged, often without our knowledge or consent, and can be monitored or hacked by anyone with the proper hardware, skills and motivation, I viewed the recent arrival of two new ATM cards containing RFID chips with skepticism. While this feature may bring the increased convenience of speedy checkouts, it is not something I am completely comfortable using and decided that the safety of my personal data was more important than the ability to buy things quickly. The vulnerable nature of RFID security coupled with recent, though unrelated, reports of a Possible Security Flaw In ATMs make me seriously question whether the marriage of wireless data transfer with personal finance is a wise application of technology." So race's question basically boils down to: How safe and secure are the RFID chips that are being embedded in debit and credit cards? To add another issue on to the fire: Would you trust RFID technology on your cards?

race_k2 continues: "My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated 'Don't worry, we use encryption' did little to allay my concerns.

Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"

Disable the RFID

[Ice Wewe]

Just wrap the card in Tin foil. You can keep the magnetic strip (assuming it still has one) uncovered so that you can still check-out the old way. That's the only non-destructive way I'm aware of for disabling an RFID chip.

Nuke it

[brunes69]

An RFID chip will fry in seconds in a microwave. It takes much longer than that to affect the plastic. And the magnetic stripe will not be affected at all, until the plastic starts to melt.

Putting the card in the microwave for 3-5 seconds should do the trick. The worst that can happen is you ruin your bank card, so just go to the bank and get another. They don't cost anything.

Nuke it from orbit

[krewemaynard]

It's the only way to be sure. [nukeitfromorbit.com]

Re:

[TubeSteak]

Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?"

IMO, a microwave isn't terribly passive.

Now a hammer...

/if you beat the shit out of the RFID, you'll either break the antenna or crush the ID chip.
//works on mag strips too (like your driver's license)

Re:

[Wolfger]

You are assuming that these items (ATM card, passport, etc) continue to function or be valid with a disabled chip. I sincerely doubt that is the case. These things are being put there for more than cosmetic reasons.

Re:

[nasor]

How many cashiers today bat an eye at a card whose magnetic strip is damaged/erased?

Re:

[Wolfger]

You give your ATM card to cashiers? I put mine into an ATM. It does care very strongly about the magnetic strip. I'm sure it will care about the RFID when that takes over. You have a valid point that cards won't become completely useless... Just like I'm sure I could leave the USA with a passport that has a disabled RFID, but I'm not so confident I would be able to return. Certain venues will ignore the RFID, while others will absolutely require it.

Re:

[loki_2525]

Chase was pushing hard on the RFID atm card, until i told them i would cancel my account :)

Since i had a junk chase RFID ATM, i wanted to try the whole microwave thing, here are the results:

Used a microwave on low for 3 sec, POP went the RFID chip. Leaving the rest of the card looking/working fine.
Wanting to push the limit of the ATM card, 15 sec on low starts melting process, after 35 sec the atm card becomes a small glob of goo.

We dont need RFID chips in atm/credit cards, really how hard is it to pull y

Re:Disable the RFID

[value_added]

Just wrap the card in Tin foil.

Funny ha ha, yes, but has anyone noticed that many science-fiction movies of recent years have included as a plot device one of the characters embedded with some sort of implant (in the brain, under the skin, etc.) or added to some common item (clothing, watch, pen, etc.) that was carried around? I recently watched Jonathan Demme's The Manchurian Candidate [imdb.com] on cable and it occurred to me that such a scenario doesn't have to involve a conspiracy of the highest order to be successful or involve a high-concept goal; unwitting or passive acceptance would work just fine, and the goal can be mundane but similarly insidious.

My guess is that monitoring technologies in various forms will increasingly become part of our daily lives. RFID chips, for example, seem destined to be everywhere [wikipedia.org], and while it's up to each of us to be as vigilant as the article's poster, the future will play out as a constant game of catch-up and workarounds for the select few in the know. Computers are part of our daily lives but knowledge of them is superficial at best. Should we expect the average person to have an inkling of how other technologies that come in smaller packages work?

Have you scanned yourself, lately?

Re:

[msobkow]

I don't see RFID itself as a problem, but my understanding is that the security of the currently deployed RFID chips has already been cracked. Therefore, I would not want it used for bank cards.

The idea of an encrypted wireless short-range link instead of a mag-stripe swipe doesn't seem too outre to me. But using a technology that is known to be insecure is foolish.

Re:

[couchslug]

"constant game of catch-up and workarounds for the select few in the know"

This has fascinating potential for spoofing.
If, in the future, we can expect to be tracked as a "package" of our worn and carried emitters, we can have a pre-built alternate package ready for use.

While "my" emitters could be providing an alibi, a throwaway set could mask my actions elsewhere.

Re:Disable the RFID

[michaelaiello]

Even better, you can get the real deal. RFID Blocking Wallets and passport cases http://www.difrwear.com/ [difrwear.com].

Re:Disable the RFID

[StressedEd]

More stylish than tin foil, a Muji Aluminium card holder [mujionline.co.uk]. I use one as my wallet, storing everything but coins. It has the added benefit that you absolutely cannot squeeze that one last thing in to your wallet - so it doesn't end up looking like a sphere.

Of course it means I have to take my Oyster card [tfl.gov.uk] out in order to use it, rather than wave the wallet at the reader - but that's the point!

Re:

[race_k2]

Ha, and a tinfoil hat for me to wear in the checkout line as an accessory. I seriously doubt that wrapping a card in foil is a 'practical', not to mention durable, day to day solution to this issue. I can imagine the skeptical look of cashiers everywhere when they see my foil wrapped card. I wonder how long it would take before someone was accused of possible identity theft or similar mis-deeds using this method

Re:

[gsfprez]

how about a read button?

If you are pressing the button, the circuit closes and your card will enable a reader.

If you are not pressing the button, the circuit is open, and disables the RFID on the chip?

I mean, even my MacBook has a power button.

Not suprised about HSBC

[arivanov]

Not surprised about HSBC. In fact surprising about some sense from Chase.

HSBC recently forced me to subscribe to the Verified by Visa marketing pseudosecurity garbageshiteware gimmick (the only one of cards I have that actually forced me to do so). During the subscription process I found out that the idiotic subscription interface does not maintain state with most non-mainstream browsers. In fact if you use Konqueror (or play around with your browser a bit) you can cruise through it with flying colours without it asking for verification information, passwords and the like. I was seriously tempted to go all the way and register a few cards for entertainment purposes, but end of the day decided not to.

So I tried to get the wankers which run the "HSBC Goodness Gracious Me" call center to give me a security contact and a reference to report the bugs. Guess what - they neither understood the concept of "Your credit card interface has a major security flaw", not could provide a contact. Still better then Amex though. Under similar circumstances 4 years ago when I tried to contact the Amex security dept with a similar bug they subscribed me to a mandatory 60 days of phone marketing and email marketing for good measure.

Frankly - they have no clue. Banking security at its best. Understanding is not required, BS and ISO numbers are.

Re:Not suprised about HSBC

[Bazman]

Talk to a financial journalist. Not only will they have contacts at the bank, but the bank will fear them more than they fear you...

Re:Not suprised about HSBC

[canesfan]

"pseudosecurity garbageshiteware"

Hence forth all software found wanting shall be refered to as "pseudosecurity garbageshiteware". Man law???

Re:

[Anonymous Coward]

Man Law

he proclaimed from his parent's basement

why should they care abotu security, it's...

[Anonymous Coward]

been made your problem by way of the 'identyty theft' myth. There's no such thing as identity theft. When someone gives your money or loas their money to the wrong person, thinking it's you, THEY ARE AT FAULT.

Effing brainwashed sheep have bought into the identity theft ruse hook, line, sinker, and hummer to the fisherman.

Re:why should they care abotu security, it's...

[multisync]

When someone gives your money or loas their money to the wrong person, thinking it's you, THEY ARE AT FAULT.

They may be at fault, but you are the one who is screwed.

Re:Not suprised about HSBC

[EatHam]

So I tried to get the wankers which run the "HSBC Goodness Gracious Me" call center to give me a security contact and a reference to report the bugs. Guess what - they neither understood the concept of "Your credit card interface has a major security flaw", not could provide a contact.

Careful doing that. I've heard of *ahem* someone *ahem* doing the same thing with a bank, and having to spend several weeks giving depositions to the police, talking to the fbi, and basically being treated like a criminal. Moral of the story, switch your account and shut up about it, or it could easily become a giant hassle for you.

Re:

[plover]

I wouldn't say you were "forced" to do anything. You're perfectly free to cancel any accounts with them and open a different card at a different bank. Not that anyone at HSBC will shed a tear to see you leave; after all, you're just a "privacy kook" in their eyes.

But maybe someday us "privacy kooks" will leave in statistically significant numbers, and eventually someone might notice.

Nope for anything that needs security

[vancbc]

No can do, I wouldn't trust RFID for anything that requires a password or requires any sort of security.

I'd use it for inventory management etc. like was the big hype when it first came out but I'd keep it out of ATM cards, passports... PEOPLE.

Absolutely not

[techmuse]

As a security expert who has done studies on RFID security, I would have to say absolutely not. I would switch banks.

Re:

[jambarama]

Would You Trust RFID-Enabled ATM Cards?

Sure why the heck not? We've got rfid passports and government IDs, rfid in our cars (toll passes), and rfid boarding passes just on the horizon. I mean, we've even got rfid in our TIRES making is possible to TRACK OUR CARS!!

Would /. trust rfid atm cards? No. Will the general public? If it is either pushed on them (see the rfid tires) or if it adds some kind of convenience (see the toll passes) you bet they'll trust it and they'll love it.

I don't think thi

Re:Absolutely not

[nasor]

If your bank really wants to make it easy for people to rip them off, it's not really your problem is it? I've never understood why people care so much about credit card security. If someone steals your credit card number and uses it to buy something, you just report the charge as fraudulent. No credit card company charges customers from fraudulent charges made on there account.

Using a credit card seems much safer than cash. If someone steals my cash, I'm out of luck. If someone steals my credit card or uses my account number without my authorization, I don't lose anything except the 10 minutes or so that I have to spend on the phone with the credit card company.

Re:

[scdeimos]

If your bank really wants to make it easy for people to rip them off, it's not really your problem is it? [blah blah, waffle waffle, etc...]

That's absolute crap. As someone who's been on the pointy end of the stick by having their Visa card abused after its details were stolen from a vendor's supposedly-secure (PCI compliance be damned) database I can tell you it is a big problem for the consumer. The bank has nothing to do with it: Visa themselves took every single one of their 45 business days to "inve

Re:

[metamatic]

Using a credit card seems much safer than cash. If someone steals my cash, I'm out of luck. If someone steals my credit card or uses my account number without my authorization, I don't lose anything except the 10 minutes or so that I have to spend on the phone with the credit card company.

Until you try and buy a house, and find out the mortgage lender won't lend you any money because some asshole in Los Angeles you've never heard of has run up a $5000 unpaid bill in your name.

Happened to me.

Not only no

[bhima]

Not only no but hell no.

Liability for unauthorised transactions?

[farnz]

My answer would depend entirely on who pays if the remotely accessible card data is used to make transactions without my authorisation:

If I pay, then it is in my interests to worry about the security of the card, and I'll want a card that's unlikely to be used without my authorisation (a PIN I set required, mechanical action needed to start the process etc). I do not want to risk paying for fraudulent transactions, and I will do what I can to minimise that risk.

If the bank pays, then I can leave the se

Re:Liability for unauthorised transactions?

[bhima]

Do you honestly think that banks don't pass every single expense they incur along to the customer?

No matter who pays at first, in the end we all pay more because of shitty security.

Re:

[farnz]

No, but I have the option to switch banks, which keeps the charges under control; if HSBC has to charge me more/pay me less interest than Chase to make the same profit (because HSBC's RFID cards are insecure, and Chase doesn't issue RFID cards), then I'll switch to Chase. Thus, HSBC either has to fix the security issues with their RFID cards, stop issuing RFID cards, or make less money.

Re:

[voice_of_all_reason]

I thought moving more than X dollars between accounts automagically flagged you as a terrorist? Pretty sweet deal for the bank:

Me: I've had enough of this shit, I quit
Bank: If you do, we'll have the government sieze all your money
Me: Hey, let's negotiate!

Re:

[RAMMS+EIN]

The problem is that, even if it's nominally the bank's responsibility, it will still hurt you. You still have to check on the bank to see if they're not letting any unauthorized transactions slip, you will still be the victim if someone uses your account data (and cleaning up the resulting mess can take years), etc. Also, as another poster pointed out, any costs that the bank incurs will be passed on to you. So, in short, when your bank's security sucks, you lose.

Re:

[ozbon]

I don't bother to check my statements - because they're old data.

I check out my online banking at least once a week - and usually more often - so I'll be aware of any odd transactions (and I include 'the £/$10 here or there' in that statement) pretty much as soon as they've happened.

If you've got access to online banking, I don't get why you wouldn't use it for that kind of thing, and keeping a fairly regular check on your account(s) that way.

New fashion accessory

[eeyore]

Your grandfather's old silver cigarette case has just acquired a new lease of life as a Faraday cage.

What use is an RFID to a bank?

--

E

um cost?

[tomstdenis]

Instead of spending that money on putting RFID in, why not just release, oh, I dunno, SMART CARDS!!!

Oh, no, we're north american, we have to be different *cough* cdma *cough*, no way we can conform with the rest of the fucking world *cough* soccer *cough*...

Besides, RFID is not meant for privacy or security. It's meant to track inventory. The sooner these "experts" realize that the better. The sooner they realize that RFID readers are common place the even better.

Re:

[sangreal66]

American Express released the smart card American Express Blue many years ago. I still have the free smart card reader they gave out with it. It was pretty worthless and not widely adopted. They probably still have chips in them, but no-one cares. I now have an RFID Citi paypass keychain which I find incredibly convenient, and I can't say I lose sleep over the security.

Re:

[tomstdenis]

The problem with Blue is that they didn't work with others on it. For a smart card system to work all of the banks have to participate.

And it's not like we don't have the readers here. All of the common retail stores I go to here in Ottawa (that have debit/credit) have a reader built-in (I imagine because the machines are made in one factory and chances are it's good for tourism).

So really the only problem left is to actually roll out the cards and start enforcing their use.

The point of the smart card, is

Speaking as a guy that does RFID for a living...

[meldroc]

I'd say that no, it isn't ready yet for handling security-sensitive tasks like credit card or debit card transactions. It's happening anyways, but I don't think it's mature enough to trust our bank accounts to them.

Just for a tiny bit of reassurance, RFID tags and readers used in credit card/debit card applications (I know because I help make these readers, though I'm still new to the business) include cryptography features such as encrypted data transfer and authentication. In other words, if you don't

An article you may want to read.

[DeQuincey]

My answer is no, as well. [theregister.com]

Despite assurances by the issuing companies that data contained on RFID-based credit cards would be encrypted, the researchers found that the majority of cards they tested did not use encryption or other data protection technology.

RFID Detection

[Chaos1]

Does anyone know if there are RFID Detection scanners available? I know there are remote readers, but I was thinking more along the lines of a scanner which simply lights up an LED, beeps or something along those lines when it comes in close proximity to RFID. It seems with all the hidden tagging of clothes, shopping carts, etc. that this might be something handy to have.

Check the incentives

[inviolet]

With an RFID-enabled credit card, the credit card company is the first line of defense against fraudulent usage. The customer is only secondarily responsible, and in any event does not lose any cash or interest. So, you can be certain that the security system and the implementation will be sound.

With an RFID-enabled ATM card, all of that is reversed. A fraud will cause the customer to lose his or her cash and interest... and the customer must then fight with the bank to get them back. The bank has only secondarily responsibility, and therefore only secondary incentive, to get the plan right and to maintain the implementation. It's like a config.rc file with the wrong default value: loss-paid-by = customer.

It's a given that few people in any organization (banks or otherwise) actually understand security, encryption, or the very pertinent issue of "identification versus authentication". But even if Chase or whoever has done their research, the incentives for protecting customers from atm fraud are inherently perverse.

Re:

[RemovableBait]

It's like a config.rc file with the wrong default value: loss-paid-by = customer.

Wow. You must be the biggest geek on earth.

Another solution? How about Altoids tins?

[ClayJar]

For several years now, I've been carrying my personal card collection (credit, discount, ID, etc) in an Altoids tin. It's the perfect size for such cards, and it protects them from me. Also, it has the added benefit of being quite the faraday cage. Unlike foil, which can easily tear, an Altoids tin can take *quite* the beating without any significant damage.

At work, we have RFID security badges. Mine is, obviously, in my Altoids tin. I can hold the tin against the sensor as long as I want; it won't scan. I pop it open (which is really easy to do one-handed once you get used to it), and it'll read from several inches away.

They also have several designer colors: red peppermint, aqua wintergreen, tan ginger, and my personal favorite -- black liquorice. :)

Re:

[elgatozorbas]

I pop it open (which is really easy to do one-handed once you get used to it)

One-handed manipulation of electronic devices shouldn't pose much of a problem to the majority of the /. readers...

Destroy the tag...

[Ghostalker474]

I've been researching this for one of my masters classes (I know, I'm a student, but hear me out) and I came across 2 ways of non-destructively stopping the tag. The first is simply blocking the tag with another tag, so that when the RFID reader goes to energize the tag, it gets a garbled response that even error-correcting software can't figure out. The second is to broadcast a kill-code to the tag. The kill code closes the circuit to a specified part of the chip, effectively overwriting the memory. This is the equivalent of removing the CMOS password on a motherboard, close the circuit, and when energized.... game over. The best thing to do would (yes) throw it in the microwave for 3-5 seconds [so as not to melt the plastic or the magnetic strip] and then go on using it with the RFID feature disabled. Personally, after all the research I've done on the security of RFID... I doubt the encryption is strong enough to block a dedicated reader. Hell, remember when they said WEP on 802.11b was unbreakable? I'll stick with my small-hometown bank, since they likely won't upgrade for some time.

Re:

[Creepy Crawler]

Talk about a low cost solution to that ;-D

Just like the sharpie on "protected cd's"

Course I was thinking that a x-acto knife could extract the chip. I dont care if the antenna is still in there.

oh hell

[John Harrison]

First of all it probably isn't an RFID tag but a contactless smart card. Yes there is a meaningful distinction.

Second, do you know whether there is any security around it or not? Some implementations have no security at all, others do mutual authentication and create encrypted sessions. You are considerably more secure using the latter of these than your traditional mag stripe.

Get educated before sticking your head in the sand. Mag stripe is going to go away. Hopefully EMV will come to the US soon and

Re:

[perky]

Thanks for the sanity. Will probably go unnoticed round here, though.

Re:

[John Harrison]

you are correct. Slashdot has a tough time on these issues. The sky is always falling.

Survey says.....

[DaveV1.0]

No! Because it is way too easy to compromise the system

How Long?

[vtcodger]

So, How long until wallets start coming with built in shielding to discourage unauthorized RFID readout?

I was lied to by Chase

[MrLint]

I called chase for an rfid-less card. they said they would send one. They did not. they sent YA 'blink' card. I called again and was told that if I want one that is still a 'check card' I have to pay a fee. So basically, in order to get the same security I had before I have to *pay* for it, but for free I get a feature I don't want.

I have already written my senator.

What is this mania with RFID about?

[hey!]

A European guy asked me recently why American companies are using unproven RFID technology in their credit cards, when Smart Cards are not only proven, but more easily shown to be secure.

I think there are several reasons.

First, when Smart Card technology was first proposed some twenty years ago, the idea got earlier traction in Europe. One reason, if I recall correctly, was that at the time the cost of installing and using phones under many state telecom monopolies made the kind of system we use in the US

Re: Check the incentive

[Erick Lionheart]

Uh... no? If the credit card companies were the ones paying for the fraud done with credit cards, there would BE next to 0 fraud.

As it is, they make the -merchant- pay for it! And not only do they make us cover the price of the fraudulent transaction, but they ALSO tag an extra $25 -per fraud transaction- !! Heck, at this rate they might actually be MAKING money from fraud!!

If one customer buys 3 times with same fraudulent cc over a few days (say, for $5 items!), we pay $75 in -addition- to the cc company taking back the $15!!!!!

With the hundreds of Billions they process every day, do you really think there would be so much fraud if the cc companies were the ones really paying for it?? :/

Re:

[bill_mcgonigle]

You're quite right. I've been through a PCI audit - the requirements are both unreasonable, non-helpful, wildly unclear, and leave gaping holes in security if you comply with all of it. The requirements document sounds like a college intern went through an event log and came up with requirements based on single vectors from prior events.

But, all that aside, the real problem is that merchants need to store credit card numbers. This is entirely bogus.

As a real simple first blush at a solution, you take the

No

[rlp]

Next question.

RFID is already dead for this application.

[ivan256]

When you have two or more RFID cards in your wallet, chances are neither of them will work on any given attempt to use them unless you take the card you want to use out of your wallet....

So what's the benefit?

My Glutes Will Gain Strength

[Sfing_ter]

While I carry around a Lead Lined wallet :)

NO!

[Secret Rabbit]

Wholely crap NO!!! A question to you is, what the hell is wrong with you that you'd even need to ask this question?

Not New and Not That Scary

[monk]

Lets be clear what we are talking about here. The risk is that with special equipment someone might be able to read the same information that is printed on the card. RFID credit and debit cards have been around for awhile speedpass being an example. And while it is possible to read the information passed between the card and reader with enough effort, you probably hand your credit card to the waiter in a restaurant and don't even think about it. That person walks out of your sight and in some cases steals t

RFID is irrelevant here

[iabervon]

RFID is getting to be like VoIP: there are a wide variety of applications which fit the acronym but are otherwise unrelated, and people lump them together. These bank cards and inventory tags in clothing have about as much similarity to each other as they have to 802.11. They use radio waves, and they use identification.

A well-designed smart bank card will use SASL to prove its identity to the bank without revealing information that would allow anybody else to use the identity. So it doesn't matter if peopl

Yes, yes, a thousand times yes!!!

[mogrify]

Yes! Bring it on, baby. What with all these old ladies doing pilates and such, it's getting too dangerous to snatch purses anymore.

What's really sad is...

[CODiNE]

A common garage door opener has more security than these RFID ATM cards. At LEAST a garage door opener has a table of codes that gets rotated through, it could take literally thousands of uses before the same code shows up twice. Yet what does an RFID ATM have to protect from cloning? Sad.

How about an on/off button?

[gsfprez]

You know, like on everything else?

If you aren't pressing the button/leaving the circuit open, zapping the RFID device does nothing.

If you are pressing the button/closing teh circuit, the RFIC device will read?

Why the FSCK am i the only person alive that seems to see RFID as not a problem if you put a power button on it?

Solution in Search of a Problem

[Sir Holo]

Aside from the security issue, I don't think most people would care if their ATM card was RFID vs swipe.

It doesn't save anyone any time, really. At an ATM, I've got my wallet open anyway, to put the cash in. In the grocery checkout, I've got plenty of time to reach briefly into my pocket or purse, while waiting for the checker.

It's a solution in search of a problem.

an analogy

[bitspotter]

If you could print your credit card information in X-ray ink, bold face, on the back of your jacket, such that only people with special x-ray spec could read them, would you? We don't do that now, why would we suddenly want to change?

Of course "we use encryption". So the info on your jacket is encrypted. But we didn't use encryption before, even though we should have been (depending on how good it was).

By using RFID, companies are trying to trade off the very intuitive insecurities of radio broadcasting wi

Re:Yes but.....

[flyboy974]

The reality is that by forcing a "swipe" of a card through a reader, this enforces the act of choosing to provide the information. With RFID, you can read it from across the room given a good transmitter and a sensitive receiver. Why should we need to add a new layer when the old physical layer works just fine. The new RFID does NOT save time. You can't just wave your wallet or purse over the weak reader (which is far weaker than a hacker would be using) if you had multiple cards. How would it tell it apart. You still end up having to take the card out. The difference is Mag Stripe (physical contact.. almost), or RFID, Radio Broadcast. I'll take the Mag Stripe or the Smart Card chip (which required physical contact).

Re:

[slidersv]

Well, they could install "on/off" switch right on the card. You then can turn on the card right before checkout, and card would turn itself off after 5 seconds (so you have just enough time to go through checkout scanner thing)

Re:

[WhatAmIDoingHere]

These are non-powered RFID tags. There is no "on/off" for them. If you wanted powered RFID, you'd have to include a battery, making the new card larger and bulkier than the old cards.

Re:

[gsfprez]

Yes, they are powered. They are powered by RF.

If you put a power switch on them, they wouldn't send back a signal even if you were getting RF energy.

That would pretty much end the ability for someone to sniff out your RFID tags in your credit cards and passports until you pressed the button - closing the circuit between the antenna recieving the RF power signal and the part that generates and broadcasts the signal back.

how it would work in the real world is - you'd pull our your credit card at the store, s

Re:

[superstick58]

"With RFID, you can read it from across the room given a good transmitter and a sensitive receiver."

I don't know if this is the case. Everyone seems to assume you can "intercept" the RFID information from many meters away. I guess I'm not sure which technology is used in credit cards, but if it's anything like ISO 14443 [wikipedia.org] standard or even ISO 15693, the max distance is only going to be 1.5 meters or less.

In the end, it's always the path of least resistance. It's easier just to steal a credit card or dig up s

Re:

[harl]

And what happens when someone doesn't follow the standard? When they put more juice into the card and use a stronger antenna?

A standard dictates how something should work but has nothing to do with how it does work. It is entirely possible to follow the standard to the letter and still have the card readable at over 1.5 m.

Shit we buried an ethernet cable to the building next door for a project. Yes that was the easiest way at the time. The run was much longer than the standard dictated. The cable worke

Re:

[Muad'Dave]

900MHz RFID chips can be read from 30+ feet under good conditions. The transmitter puts out a 1W spread spectrum signal into an antenna with up to 6 dBi gain, resulting in a max EIRP of 4W. That beats the heck out of your 13.56MHz ISO14443 milliwatt transmitters.

See Alien technology [alientechnology.com] for examples of UHF tags.

Re:

[superstick58]

I completely agree about the UHF technology. I work directly with UHF and Alien is one vendor who I've done an implementation or two with. I doubt that UHF is going to be used in any credit card implementation.

Re:

[plover]

I don't know if this is the case. Everyone seems to assume you can "intercept" the RFID information from many meters away. I guess I'm not sure which technology is used in credit cards, but if it's anything like ISO 14443 standard or even ISO 15693, the max distance is only going to be 1.5 meters or less.

Anyone stating "max distance" for RF is creating limits where none exist. With a correctly-sized transmitter, a sensitive enough receiver, and a large enough antenna, there's nothing preventing reading o

Re:

[superstick58]

The two examples you gave are not quite valid in this case. The Defcon example looks like it used a Matrics [symbol.com] (now Symbol technologies) reader which operates in the UHF range. I perfectly agree that these can operate 69 ft and under better conditions would bet MUCH further read ranges are possible. The second (WiFi) is a completely different technology.

My assumption in this case is that the RFID technology will be of some standard similar to those stated in my parent post (ISO 15693, 14443 or other HF stand

Re:

[0xABADC0DA]

They just need to put the check-out "beep" noise into the card itself -- make the reader charge up a capacitor with induction so the tag has enough power to sound off before it gives up the goods. Then if somebody reads it from 100ft away it still goes "beep" in your wallet and they can blame you for not reporting your RFID code as 'stolen' right away.

Re:Yes but.....

[tttonyyy]

I would, but everyone seems to forget that you can have RFID and a PIN or other second form of ID. I would have no problem as long as there was an OPTION for a second method of authentication to be applied.

Sure, it would cut down on convenience, but only a little, and would more than make up for it in added safety.

-Charlie

Tell you what, why not post your card details here (including the three digits on the reverse), but NOT THE PIN, and we'll see how many of us can buy something with it.

Willing to stand by your statement? Are you sure you still don't have a problem with other people having access to your card data?

Re:

[Aladrin]

Maybe you are still not being clear, because his point is valid. Maybe you meant 'cannot read ANY of the information remotely.' Your statement says that you don't mind if it can be read remotely, as long as some of the information is still not remote-readable.

Cannot read all = might read some. It's the contrapositive, see?

Cannot read any = can read none.

The GP was stating that if you are so uncaring about your details, you might as well post them here. It'd be just as safe as walking around the mall wit

Re:

[shawb]

No... he's saying that a pin in and of itself will not protect the rest of the info on your card. If every gas station, used tire store and cigarette depot can get access to the card scanners it is likely that "the bad guys" can get access to the card scanners and figure out a way to reverse engineer them into a remote reader. Entering the PIN is something that happens on the scanner, so your privacy is not ensured. At the very least the customer behind you in line could watch you enter it. What he was

Re:

[WhatAmIDoingHere]

"A pin is part of the necessary info to make a transaction.

Not really, no. For Debit cards, yes. But you can just use them as a "Credit" card, and all you have to do is sign your name. You can also make online purchases without a pin.

Re:

[Andrew Penry]

I have a merchant account, so I tested it to see the minimum amout of info needed to complete a transaction.

Account Number
Expiration Date
Amount to charge

That's it. No PIN, no 3 digit code from the back, no name, and no address required. It's a little frightening that you don't even need a name.

Re:

[metamatic]

Depends on the bank. Some actually demand a matching name and delivery address. (e.g. MBNA and American Express). I've had merchants have to contact me because AmEx denied a transaction because they didn't recognize the address.

Re:

[trianglman]

The only credit card parent company that requires a CID for online purchases is American Express. Visa, MasterCard, and Discover do not enforce this policy.

Source: I work in e-Commerce for a catalog company.

Re:

[voice_of_all_reason]

The same benefit any big company finds with technology

Step 1: Higher up finds he's got all this money, but it's tied up in the company and he wants to sneak it out into my own pocket.

Step 2: Contract out with a friend for a zany new technological upgrade that does nothing for the business or it's customers. Overspend like it's going out of style.

Step 3: Split profit

Re:

[spinnerbait]

The problem with RFID encoded is they can be viewed by anyone that has the right equipment. I work for a company that uses RFID encoded labels because of there ease of reading the data off the label. Since you don't have to be within close proximity of the RFID chip to get a good read, someone can point a RFID reader at your butt and read the card from thirty yards away. Also, some RFID chips are very fragile and can be altered given the right condition which are not that extreme. My vote is we go back to

Re:

[shawb]

Most Americans have much better credit than that.

Re:

[QuantumG]

Alas, television has lied to me once again.

Re:

[karmatic]

If you have halfway decent credit, you maximums can be way higher than that. In fact, I've repeatedly had limits raised automatically, without asking - sometimes by over $3000 at a time.

Also, for the Amex, "no pre-set limit" doesn't mean "no limit".

Re:

[metamatic]

The average American has $8,000 in credit card debt. OK, yes, that's spread over multiple cards, but still...

I've only had credit in the USA for 9 years. I currently have a card with a credit limit that was over $16,000 last time I looked. I didn't at any stage ask for it to be increased, either.

Pay off your bills for a few months and banks will throw credit at you, to try and tempt you.

Re:

[QuantumG]

My guess is that he, like I, does not live in the US and is only informed with your customs by the few times we've visited and the drivel we see on television.

But thanks for being a prick about it. Karma I suppose.

Re:

[RAMMS+EIN]

``Until we have the stats there is no use of debating ether..''

Not true. I don't want to use a system I know to be insecure, no matter if it has been exploited many times or never at all.

Re:

[Overzeetop]

Which, of course, defeats the purpose of speedpass, which was to avoid any interaction other than pumping the gas. I'm always amused when I got to Lowes and OfficeMAx, and after I swipe my card in the user terminal, the cashier is required to enter the last four digits of the card manually into the POS terminal. Wouldn't it have been faster for me to hand the cashier the card to begin with and have him/her swipe the card on the POS terminal, since they then don't have to key the digits?

Re:

[melstav]

Keeping your RFID tagged cards in a metal case only prevents them from being read while you've got them stored away. Anytime you pull your card out to use it, someone could have an RFID reader nearby to scan it mid-air.

Or, much easier, find someplace with an RFID reader at the cash register and find someplace to hide a high-gain directional antenna. Let the legitimate reader do the work of powering the tag on the card, and then log the data being broadcast by the tag with the antenna.

RFID tags broadcast omn

Re:

[mpapet]

Let me add to the very informative post. Contactless cards are a politically expedient answer to smart card banking infrastructure being implemented in the rest of the world.

The costs to the banks in other parts of the world are huge, but essentially the investments are being supported in one way or another by the governments enforcing the adoption.

In the U.S., this isn't happening at all. American regulators will be asking the banks, "What are you doing to protect and secure customer information? Is our

Re:

[perky]

You do know that you could just cut the card up and throw it in the bin? Regardless of the fact that this is FUD, the personal choice argument extends to your choice not to use the product.

As an aside, 5 million Londoners have an Oyster card in their pocket. Mine currently has about 80 quid of pre-pay on it. I am not in the slightest bit worried that someone will be able to steal this, and I haven't heard of this happening to anyone. This is basically the same contactless smartcard implementation that will

Re:

[cdrguru]

OK, the question is "So what?"

Debit card? What the heck are you using something like that for anyway? You give it to a waiter in a resturant and they can take all your money with no recourse.

Credit card? Dispute the charge. Period. No liability. Not even the $50 that they claim might be your maximum liability. I've never heard of anyone losing anything on a credit card dispute when it is filed within the time limit.

Do you think the card has your locker combination at the gym on it? Or maybe it has y