more RFID stupidity on the horizon

Wired has an article about the latest moronic RFID push: "Wave the Card for Instant Credit." It's moderately head-explodey, so I feel the need to pick it apart...

<LJ-CUT text=" --More--( 6%) ">

For more than a year, MasterCard and American Express have been testing "contactless" versions of their credit cards. The cards need only be held near a special reader for a sale to go through -- though the consumer can still get a receipt.

The card companies say the system is much faster and safer because the card never leaves a customer's hand.

"In some instances it's faster than cash," said Betsy Foran-Owens, a MasterCard vice president. "You're eliminating the fumble factor."

This must mean that these RFID credit cards would not require a signature either. It couldn't ever be "faster than cash" without that. It seems hard to imagine how dispensing with the signature step makes it "more secure", even given how seldom the kid behind the counter bothers to check it.

While old-fashioned credit cards store account information on a magnetic stripe that has to be swiped, the contactless cards keep their data on chips inside the plastic.

Oh, chips! That must be better!

American Express' ExpressPay uses a keychain fob, like the ones used by ExxonMobil Speedpass and similar to the tags in supermarket discount programs.

"I like that it's on your keychain and it's fast to use," said Kristie Beenau, 36, of Peoria, Ariz., who has used ExpressPay for about six months at a CVS Pharmacy and fastfood restaurants. "I charge everything anyways. Now I wave it rather than get my card out. It's more convenient."

I'm going to make a fortune by selling an invention that lets you punch a hole in a credit card so that you can wear it on your keychain. Then later I'll repurpose that invention to let you punch a hole in a $20 bill, so you can wear that on your keychain too!

The contactless cards have no battery or power. When they near a reader, they are jolted to life by the reader's electromagnetic waves. A small radio antenna in the cards instantly transmits account information to the reader. The transaction then proceeds through the credit card network just as if the card had been swiped.

In theory, the transaction could be intercepted without a consumer's knowledge by a technologically savvy thief intent on cloning a card. That's because RFID transmissions themselves are not encrypted.

However, the thief would have to get quite close to his target or have a very sensitive reader.

Thank god there's no chance that anyone will ever build a very sensitive reader, then. Or stand close. They'd have no incentive to that, surely.

Also, the account number on the contactless cards is useful only in the RFID system -- it's not the same as a user's credit card number. A crook would thus not be able to use the card number to go on a fraudulent Internet shopping spree, for example.

Oh, that's a relief, then. Because:

Credit cards that incorporate the technology could be used anywhere regular plastic is accepted, as long as stores install the new readers.

They'd only be able to go on a fraudulent shopping spree at any store that used the new card readers! Whew!

American Express makes the RFID reader verify the card's authenticity with a "challenge-response" exchange that depends on 128-bit encryption encoded on the chip. That strength of encryption is considered safe against "brute force" attacks, in which a hacker tries every possible combination.

MasterCard says it uses a different security system but would not provide specifics.

[...] Simson Garfinkel, another MIT researcher who follows RFID, said credit card companies ought to be using "smart" cards with public key cryptography, a very strong form of security.

I don't know what to make of this. It seems to be saying two things: "the cards use crypto in some way", and yet, "the cards do not use public key crypto." Also, from above, "RFID transmissions themselves are not encrypted."

If those statements are true, then I think this probably means something like, there is one master key that every card uses, that only needs to be cracked once. It seems to imply that there is not a key per card, or at least, not one that has anything to do with the transaction.

This is so obviously a step backwards for security that it's impossible to believe that the credit card companies don't realize this: they are very good at running the "fraud" numbers, and what they do is, pass those costs along to the vendors. Some of you may not know this, but stores make less money when you use credit cards, because they're contractually not allowed to charge more for credit card transactions, and yet, they have to pay a per-transaction fee.

And that fee gets higher the "riskier" the credit card companies perceive the transaction to be. For example, they charge more if you don't take a physical imprint of the card; they charge more if you don't have the new "card verification number" from the back; they charge more if the shipping and billing addresses don't match; and so on.

So I have to assume that they're going to totally shaft the vendors on this one: they're going to ship this amazingly insecure technology, and then pressure the vendors into both supporting it, and paying for it.

The RFID lobby is shaping up to be quite a juggernaut...

Tags: , , ,