Comments:
"Security is hard! Let's go shopping!"
On a related note, apparently Canadian banks are covering up debit card fraud, telling victims not to go to the police, fudging numbers, etc.
Debit usage in Canada is apparently a lot heavier than in the US; people are more likely to use it as a cash substitute than a credit card when possible.
In both places, the plastic provider wants to have their toys take over for cash, so they can charge a transaction fee on every purchase anyone makes.
Well, "debit card" means something slightly different up here, by my understanding -- they're issued by the bank, completely unassociated with credit-card companies, and immediately debit your bank account by the amount charged against it; the POS terminals work pretty much identically to tiny little bank machines, as far as the accounting is concerned. So, it is a cash substitute, and I don't think anyone up here associates debit cards with credit cards except that they're both magstripe cards.
I think the US equivalent is "bank card", but I'm not sure.
Now, if they coupled that with a biometric.. like you had to have your thumb on a spot on the credit card while it was being read, and it checked your thumbprint.. that I might be ok with.
Why? If someone can capture that transaction, it doesn't matter whether there's a trigger that authenticates the authentication for the transaction or not. They can still play it back or use it to crack the encryption (depending on whether there's actually encryption or not) as much as if there wasn't a pre-trigger. You're only guarding against losing the card and calling the bank is a much more logical solution for that, since you're going to need to get it replaced anyway. After all, <paranoid>cash will no longer exist for you to use</paranoid>.
From: jwz Mon, 15-Dec-2003 2:19 PM (UTC)
biometrics plusungood
Biometrics are every bit the snake-oil that RFID is. Biometrics are unique identifiers, but they are not secrets. They are analogous to your name: it can be used as an indicator, but pretty much anyone can find out what it is. A "key" is a secret. Everybody wants to use biometrics as keys, but that's not what they are. The point of a key is that it is revocable. If you lose the key to your house, you can get your locks changed. If you use a non-secret as a key, then anyone who knows that non-secret can open the door. And non-secrets are not easily revocable: it's a big hassle to change your name. Or your fingerprints. Also, bear in mind that in the real world, a biometric is not a "fingerprint", it's a sequence of ones and zeroes. A fingerprint scanner looks at your finger, takes a few dozen samples, and constructs a hash, which then turns into electrical impulses on a wire. You don't have to cut off someone's hand to fake that: you just have to tap and replay the wire. It's probably just USB. (Schneier on biometrics.)
That'd be swell if fingerprints weren't easier to fake than the new $20US bill...
What this article also doesn't say (quite aside from the security issues) is what's going to happen when you have more than one credit card in your wallet, I imagine that this must be true for a fair proportion of the credit card holding population.
They seriously charge more when the shipping addx differs from the billing? So every time I buy a gift online using a credit card (dear internet hax0rs, i never actually do this, love, marm0t) and have it shipped directly to the recipient, I'm shafting the vendor?
That would be correct, yes. Vendors also get shafted in different ways depending on which card you use; for example, AmEx can take up to three months to pass any actual cash back to the vendor, for which reason I've encountered many places which refused to take AmEx.
From: mhat Mon, 15-Dec-2003 8:21 AM (UTC)
It's good to be VISA.
Yup.
You can even shaft the vendor by having a hotmail/yahoo email address or by using a big ISP like TimeWarner/AOL or a "known" public internet terminal. In most cases the vendor can simply not give this information to VISA. As you might have guessed not giving the information to VISA will also cause the vendor to be shafted!
From: jamiemccarthy Mon, 15-Dec-2003 7:48 AM (UTC)
Not having to take the card out
The strange thing is that the pitch for this, as I've seen it described, is that the card will now never have to leave the owner's hand.
This is described as "safer," which it is not. Not for the owner. Presumably n% of credit card transactions in which the card is swiped by the checkout staff result in the card being accidentally left behind. This is a problem for the credit card companies because it means they have to cancel cards and eat charges. By federal law, the card owner assumes no risk in such a case. So the concept of a card that is less likely to be left sitting on the counter is safer for the *company*, not for the card owner.
The next question is whether the card will be any different from existing cards, as far as having to "leave the owner's hand" or being "faster." I can't see how there will be any difference. For most things I buy nowadays, I swipe the card myself while the checkout is in progress. The only time the card leaves my hand is when I hand it to the checkout staff so they can type in the last 4 digits (and often the CVV2 number on the back), and to check my sample signature against the scrawl I make in person.
If the new cards don't leave my hand, that means they are less secure because there will be no number check, no CVV2 check, and no signature check. Not to mention the other concerns raised (what if I have two such cards, what if my card got triggered by the guy ahead of me in line, etc.).
If they do leave my hand, they have to go through just the same handover, confirm, handback process, and will take just as long. The only time saved will be the delta between the time it takes me to swipe a card and the time for an EM zap to be applied to my card -- and that time is already subsumed within the whole ringing-up-the-purchases time anyway, so the delta is zero!
So, yeah, this is a big PR scam. At best its benefit to us card owners is zero. More likely, it would transfer risk from the credit card companies to us, and we get no benefit in exchange. Shove it up your stocking, Visa.
From: jes5199 Mon, 15-Dec-2003 9:17 AM (UTC)
Re: Not having to take the card out
where do you shop that checks the CVV2? i've never seen that happen. some clerks want to check to "see if the signatures match", which seems a little silly.
I'm going to sell a line of locking, faraday cage wallets
From: leolo Mon, 15-Dec-2003 11:53 AM (UTC)
Tinfoil hats
A simple RFID frying device will be the tinfoil hat of the Naughties. If RFIDs take off, I hope to be able to fry all the ones entering my house.
From: aaronsw Mon, 15-Dec-2003 8:14 AM (UTC)
I think you misunderstand the security
It sounds to me like what's happening is:
Reader: Cards? Any cards? Any cards?
Card: I'm a card! My ID is cardID
Reader: cardID, here's a random nonce
Card: sha1(nonce + secretFunction(cardID)), cardID
[Reader calls up the bank, and asks for secretFunction(cardID). Then it calculates the same thing and makes sure it matches what Card sent.]
Reader: Sold!
(SHA1 is a 128-bit hash.)
I can't think of any obvious holes here.
From: mhat Mon, 15-Dec-2003 8:31 AM (UTC)
Re: I think you misunderstand the security
I don't think the cards are smart enough to perform any sort of cryptographic operations. They're just dumb transmitters like a proxy card, right?
From: novalis Mon, 15-Dec-2003 9:32 AM (UTC)
Re: I think you misunderstand the security
SHA1 is a 160-bit hash. Anyway, there's a hole here -- that is, an evil reader could ask for secretFunction (randomId), and charge to that. A better way to do the authorization is to send the nonce and the output of the card up to the bank, which simply sends back a "yes" or "no". Even so, there's a risk of evil readers charging arbitrary amounts at arbitrary times (perhaps without you even noticing). In fact, readers ought to at the very least (a) be issued by the bank, (b) be tamper-evident, and (c) require a PIN.
From: jwm Mon, 15-Dec-2003 1:15 PM (UTC)
Re: I think you misunderstand the security
I expect they're using either a 128bit HMAC - therefore probably MD5 based, as SHA1 is 160bit - or a 128bit symmetric key algorithm, probably tripleDES.
Replace secret function with a key on the chip, and set the card verifier up to just send the resulting response back to the credit card system to be checked, so you don't send the secret over the wire to the store, and you have a reasonable challenge-response system.
The interesting security aspects are the particulars of the implementation, like how big is the secret? It should be a 128bit key generated by a cryptographically strong RNG at the card provider's end. Where is the response examined? Doing it at the terminal by sending the secret over the wire is obviously dumb, as it gives the store a primo opportunity to steal secrets. How easy is it to get the secret out of a card, once programmed? This defines the window of time before a misplaced card can be duplicated.
Of course, without a biometric or password, a stolen card is instantly usable by any thief. They really need to couple it with a photo and require you to wave the card in front of the check out, but obviously they seem to want to chase convenience over security.
I wonder how quickly a card can be disabled if reported stolen. And how particular they are about who reports it.
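The challenge-response exchange discussed in the comments above, with the bank doing the check as novalis and jwm suggest, as an added example that is not part of the original thread. It assumes HMAC-SHA256 in place of the thread's sha1(nonce + secret), and the class names, function names and card IDs are hypothetical.

```python
import hashlib
import hmac
import secrets


class Card:
    """Holds a per-card key on the chip; only MACs ever leave the card."""
    def __init__(self, card_id, key):
        self.card_id = card_id
        self._key = key

    def respond(self, nonce):
        # Response to the reader's challenge: HMAC(key, nonce).
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class Bank:
    """Issuer: the only other holder of the per-card keys."""
    def __init__(self):
        self._keys = {}     # card_id -> key
        self._used = set()  # (card_id, nonce) pairs already accepted

    def issue_card(self, card_id):
        key = secrets.token_bytes(16)  # 128-bit key from a CSPRNG
        self._keys[card_id] = key
        return Card(card_id, key)

    def verify(self, card_id, nonce, response):
        # The reader gets back only yes/no, never the key.
        key = self._keys.get(card_id)
        if key is None or (card_id, nonce) in self._used:
            return False  # unknown card, or a replayed challenge
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        self._used.add((card_id, nonce))
        return True


def reader_transaction(card, bank):
    # The reader picks a fresh nonce and forwards the card's answer to the bank.
    nonce = secrets.token_bytes(16)
    response = card.respond(nonce)
    return bank.verify(card.card_id, nonce, response), nonce, response


def demo():
    bank = Bank()
    card = bank.issue_card("card-0001")  # constructed sample ID
    ok, nonce, response = reader_transaction(card, bank)
    replay_same = bank.verify(card.card_id, nonce, response)
    replay_fresh = bank.verify(card.card_id, secrets.token_bytes(16), response)
    unknown = bank.verify("card-9999", nonce, response)
    return ok, replay_same, replay_fresh, unknown
```

The bank accepts the first transaction and rejects a replay of the same pair, a captured response presented against a different nonce, and an unknown card ID.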
From: octal Mon, 15-Dec-2003 9:51 AM (UTC)
I'm doing some contracting in this area, and IMO the security is overall pretty decent. Most of the systems use either a challenge-response counter using a strong crypto hash, or PKC operations ("DDA"). See also EMV specs for contactless.
And it's still more secure than magstripe.
From: mackys Mon, 15-Dec-2003 10:27 AM (UTC)
Which is stupider?
Credit card companies using wireless credit cards that can be read by people walking past you in the mall.
OR
Journalists who don't understand the proposed wireless credit card systems they're reporting on?
I hope your version is a lot more accurate than the story Jamie posted. As explained by the story, wireless credit cards are just begging for millions of dollars a day worth of fraud.
People use words like "secure" and "security" about credit cards without saying whose security is in question. Here there are three parties: the card issuer, the vendor, and the customer. The card issuer wants to increase their income from transaction fees, perhaps by making fraud harder; the vendor wants to decrease transaction fees and chargebacks, perhaps by making fraud harder; and the customer wants to make the chances they'll lose any money in this racket smaller, and perhaps make shopping more convenient.
Ignore the card issuer and vendor. For the customer, the major protection from fraud is the refund guarantee offered by the card issuer, rather than any fancy cryptography or whatever. The fancy cryptography is there to protect the vendor and issuer -- hence the recent nonsense about replacing signatures with PINs. For the customer, the questions to ask are probably, "Will this make it easier or harder for fraud to take place against me?", and -- and more importantly -- "Will this make it easier or harder to prove fraud against me?"
I don't know about the situation in the US, but in the UK the answer to the second question is not promising. In cases of fraudulent withdrawals from ATMs, banks have successfully argued that their computers are "infallible", and therefore that claims of fraud must be false. It's much harder to do this for a conventional cardholder-not-present transaction or one where a questionable signature has been given.
To me, this RFID idea looks like it fails on the second question. I don't know if it will make fraud more common; that probably depends on how quickly the technology to spoof the things becomes available and whether this new transaction method makes any difference to the numbers of other types of transactions which take place. But it will probably make it harder for cardholders to recover their money when fraud takes place.
my first thought is, if credit card companies charge vendors some enormous price for the lack of security, maybe the vendors just won't buy the new machines and won't take the transactions. of course, if the trends already in place hold, that may mean credit card companies -requiring- vendors to take them... ah, the stupid.
it's funny, they talk about the time saved by such technology, as if the extra 3 seconds makes that much of a difference. "Every time I wave my Visa Credstick, it gives me 3 seconds more in my fast-paced high stress life to think about work and how I'm going to pay all my bills" and the keychain fobs? great, so now when you lose your keys, someone has access to your car, home, and credit. talk about identity theft. yesterday I was at an albertsons that had a 4-station self-checkout system. it has one human attendant who pushes the "it's all good" button every time the system goes batshit. I guess grocery store checkers are getting paid a lot, if it's worth it to the company to install a million dollar robot system to save the cost of paying 3 employees. http://marshallbrain.com/manna1.htm
From: curgoth Mon, 15-Dec-2003 7:00 PM (UTC)
Re: convenience
According to my admittedly Evil Corporate Bosses, the self-checkout things are necessary because "no one wants to work a check-out counter any more". The claim is that (in Canada at least) there's a shortage of human checkout droids.
From: bitwise Mon, 15-Dec-2003 1:42 PM (UTC)
Technology can be fun
I love the idea of crap technology making its way into wide public use. Think of the fun projects that become possible:
1. Build a man-in-the-middle device that pretends to be a valid card, while reaching out to other cards in the store and using their numbers instead.
2. Build jammers that work on the same frequency, and carry them into The Gap. Watch the fun that ensues as all wireless transactions stop working. Extra points for building battery powered jammers and hiding them near the checkout area so you can happily take down an entire mall in an afternoon. For extra malicious fun only turn on the jammer when people of a chosen ethnicity or skin color are at the register. Watch the fun as the store manager tries to talk their way out of that one!
3. Assuming RFID devices can be fried by some sort of narrowband EMP, try it in the bank, the post office (where shiny new cards are on their way to their new owners), movie theaters, houses of congress, meetings of credit card company executives... so much more effective than just bringing a bulk eraser to Blockbuster.
4. If you're a sleazy retailer (or want to make people think your retailer is sleazy), just start charging people for merchandise they don't want. After all, you just need to get near them. Crooked store owners will sit around and laugh about the bad old days when you actually needed to see or swipe someone's card to rip them off. Oh, and make sure you actually take the merchandise, because you wouldn't want to mess up the store's inventory numbers, now, would you?
From: jwz Mon, 15-Dec-2003 2:23 PM (UTC)
Re: Technology can be fun
I think there might be a position available for you in my Secret Organization.
OK, I disagree with you in general, I think RFID is going to be the bee's knees, but I won't go into that in general. I did want to point out the usability value in the keychain thing, which you poked fun out of once directly and once indirectly.
> I'm going to make a fortune by selling an invention that lets you punch a hole in a credit card so that you can wear it on your keychain.
Laugh if you will, but I, personally, like my speedpass and like having my video store, library, etc., cards on my keychain. I'd LOVE to carry my credit cards on my keychain, as long as they are small (e.g. little squares of plastic). It's a pain in the butt to have to dig out my wallet, pull the card out of the slot, etc. but my keys are usually quicker to find. That's not everything, though. Oh, and I know plenty of people who DO punch a hole in their ID card to carry on a keychain.
> They'd only be able to go on a fraudulent shopping spree at any store that used the new card readers! Whew!
Right, which would be every store rather quickly. More to the point, though, the person who stole my credit cards would also have the keys to my car and house. I point that out not to say thieves will be more likely to steal your keys... I just mean that your keychain ALREADY has a lot more direct value than any credit card, and you're not liable for more than - what, $50? on a credit card. You're more likely to keep solid tabs on your keychain, and it's easier to fasten to your body. I suspect fraud rates would stay the same or go down, anyway. Sure, they pass the cost of fraud to the retailer, but it still eats the credit card companies' profits.
I'm more interested in how it's going to work when you have four credit cards on your keychain. When they say short range, and how a thief would have to get very close to register the transaction, they must mean SHORT RANGE, as in 2-3 cm, or else the reader would pick up all 4 of your cards and have to ask which you mean.
It's coming, and it will catch on like crazy. The real enterprising person would start designing something like a keychain, but specifically for credit cards.
From: zoe_bat Tue, 16-Dec-2003 10:00 AM (UTC)
don't lose your car keys