[wordup] More RFID stupidity on the horizon

Adam Shand ashand at wetafx.co.nz
Mon Dec 15 17:50:16 EST 2003


Not that there was ever any *good* news about RFID, but ...

Just think, soon (let's say within the next 10 years) everything you buy 
will have an RFID tag embedded in it, and will spew that code to any 
interested reader within X feet.  So once stores know the ID of one 
thing you've bought they can not only track you, but they can 
potentially track all the other purchases you make and add that to 
their "customer database".

Yay!

From: http://www.livejournal.com/users/jwz/287421.html
More: http://www.wired.com/news/technology/0,1282,61603,00.html

More RFID stupidity on the horizon

Wired has an article about the latest moronic RFID push: "Wave the Card 
for Instant Credit." It's moderately head-explodey, so I feel the need 
to pick it apart...

   For more than a year, MasterCard and American Express have been testing
   "contactless" versions of their credit cards. The cards need only be held
   near a special reader for a sale to go through -- though the consumer can
   still get a receipt.

   The card companies say the system is much faster and safer because the card
   never leaves a customer's hand.

   "In some instances it's faster than cash," said Betsy Foran-Owens, a MasterCard
   vice president. "You're eliminating the fumble factor."

This must mean that these RFID credit cards would not require a 
signature either. It couldn't ever be "faster than cash" without that. 
It seems hard to imagine how dispensing with the signature step makes 
it "more secure", even given how seldom the kid behind the counter 
bothers to check it.

   While old-fashioned credit cards store account information on a magnetic
   stripe that has to be swiped, the contactless cards keep their data on chips
   inside the plastic.

Oh, chips! That must be better!

   American Express' ExpressPay uses a keychain fob, like the ones used by
   ExxonMobil Speedpass and similar to the tags in supermarket discount programs.

   "I like that it's on your keychain and it's fast to use," said Kristie Beenau,
   36, of Peoria, Ariz., who has used ExpressPay for about six months at a CVS
   Pharmacy and fast-food restaurants. "I charge everything anyways. Now I wave
   it rather than get my card out. It's more convenient."

I'm going to make a fortune by selling an invention that lets you punch 
a hole in a credit card so that you can wear it on your keychain. Then 
later I'll repurpose that invention to let you punch a hole in a $20 
bill, so you can wear that on your keychain too!

   The contactless cards have no battery or power. When they near a reader,
   they are jolted to life by the reader's electromagnetic waves. A small
   radio antenna in the cards instantly transmits account information to the
   reader. The transaction then proceeds through the credit card network just
   as if the card had been swiped.

   In theory, the transaction could be intercepted without a consumer's
   knowledge by a technologically savvy thief intent on cloning a card.
   That's because RFID transmissions themselves are not encrypted.

   However, the thief would have to get quite close to his target or have
   a very sensitive reader.

Thank god there's no chance that anyone will ever build a very 
sensitive reader, then. Or stand close. They'd have no incentive to do 
that, surely.

   Also, the account number on the contactless cards is useful only in the
   RFID system -- it's not the same as a user's credit card number. A crook
   would thus not be able to use the card number to go on a fraudulent Internet
   shopping spree, for example.

Oh, that's a relief, then. Because:

   Credit cards that incorporate the technology could be used anywhere regular
   plastic is accepted, as long as stores install the new readers.

They'd only be able to go on a fraudulent shopping spree at any store 
that used the new card readers! Whew!

   American Express makes the RFID reader verify the card's authenticity with a
   "challenge-response" exchange that depends on 128-bit encryption encoded on
   the chip. That strength of encryption is considered safe against "brute force"
   attacks, in which a hacker tries every possible combination.

   MasterCard says it uses a different security system but would not provide
   specifics.

   [...] Simson Garfinkel, another MIT researcher who follows RFID, said
   credit card companies ought to be using "smart" cards with public key
   cryptography, a very strong form of security.

I don't know what to make of this. It seems to be saying two things: 
"the cards use crypto in some way", and yet, "the cards do not use 
public key crypto." Also, from above, "RFID transmissions themselves 
are not encrypted."

If those statements are true, then I think this probably means 
something like, there is one master key that every card uses, that only 
needs to be cracked once. It seems to imply that there is not a key per 
card, or at least, not one that has anything to do with the 
transaction.

This is so obviously a step backwards for security that it's impossible 
to believe that the credit card companies don't realize this: they are 
very good at running the "fraud" numbers, and what they do is, pass 
those costs along to the vendors. Some of you may not know this, but 
stores make less money when you use credit cards, because they're 
contractually not allowed to charge more for credit card transactions, 
and yet, they have to pay a per-transaction fee.

And that fee gets higher the "riskier" the credit card companies 
perceive the transaction to be. For example, they charge more if you 
don't take a physical imprint of the card; they charge more if you 
don't have the new "card verification number" from the back; they 
charge more if the shipping and billing addresses don't match; and so 
on.

So I have to assume that they're going to totally shaft the vendors on 
this one: they're going to ship this amazingly insecure technology, and 
then pressure the vendors into both supporting it, and paying for it.

The RFID lobby is shaping up to be quite a juggernaut...
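An added illustration of the two designs the post above contrasts (this is example code, not anything from the post, the Wired article, or either card network, and the article does not say which design the real cards use): a symmetric challenge-response between a card and a reader, once with a single key shared by every card and once with a key diversified per card from an issuer master key. HMAC-SHA256 stands in for the unspecified "128-bit encryption"; the master key, card identifiers and the `extract_key` helper are constructed for the demo. The exchange shows why a passive eavesdropper cannot replay an overheard response, and why extracting the key from one card lets an attacker impersonate every card in the shared-key design but only that one card in the per-card design.

```python
import hashlib
import hmac
import os

# Constructed demo key. A real issuer's master key would live in an HSM,
# never in source.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_card_key(master_key: bytes, card_id: bytes) -> bytes:
    """Per-card key diversification: card holds HMAC(master, card_id).
    Pulling this key out of one card reveals neither the master key nor
    any other card's key."""
    return hmac.new(master_key, card_id, hashlib.sha256).digest()


def mac(key: bytes, card_id: bytes, challenge: bytes) -> bytes:
    """Card's response: a MAC over its identifier and the reader's fresh
    challenge. The key itself is never transmitted."""
    return hmac.new(key, card_id + challenge, hashlib.sha256).digest()


class Card:
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key  # stays on the chip in the honest protocol

    def respond(self, challenge: bytes) -> bytes:
        return mac(self._key, self.card_id, challenge)


class Reader:
    def __init__(self, master_key: bytes, per_card_keys: bool):
        self._master = master_key
        self.per_card_keys = per_card_keys

    def _key_for(self, card_id: bytes) -> bytes:
        if self.per_card_keys:
            return derive_card_key(self._master, card_id)
        return self._master  # shared-key design: every card has the master

    def issue_card(self, card_id: bytes) -> Card:
        return Card(card_id, self._key_for(card_id))

    def new_challenge(self) -> bytes:
        return os.urandom(16)  # fresh per tap, so responses cannot be replayed

    def verify(self, card_id: bytes, challenge: bytes, response: bytes) -> bool:
        expected = mac(self._key_for(card_id), card_id, challenge)
        return hmac.compare_digest(expected, response)


def transaction(reader: Reader, card: Card, challenge: bytes = None) -> bool:
    """One tap. reader -> card: challenge; card -> reader: (card_id, response)."""
    if challenge is None:
        challenge = reader.new_challenge()
    response = card.respond(challenge)
    return reader.verify(card.card_id, challenge, response)


def replay_attack(reader: Reader, overheard_id: bytes, overheard_resp: bytes) -> bool:
    """Eavesdropper who captured (card_id, response) from an earlier tap
    presents the same response to a reader that issues a new challenge."""
    return reader.verify(overheard_id, reader.new_challenge(), overheard_resp)


def extract_key(card: Card) -> bytes:
    """Hypothetical physical key extraction from a single card; stands in for
    whatever attack recovers the chip's secret."""
    return card._key


def clone_attack(reader: Reader, extracted_key: bytes, victim_id: bytes) -> bool:
    """Attacker with one card's key builds a clone claiming a different card_id."""
    return transaction(reader, Card(victim_id, extracted_key))


if __name__ == "__main__":
    for design, per_card in (("shared key", False), ("per-card key", True)):
        reader = Reader(MASTER_KEY, per_card_keys=per_card)
        card_a = reader.issue_card(b"card-A")
        challenge = reader.new_challenge()
        overheard = card_a.respond(challenge)
        print(design)
        print("  honest tap accepted:   ", transaction(reader, card_a))
        print("  replay accepted:       ", replay_attack(reader, b"card-A", overheard))
        print("  clone of card-B accepted from card-A's key:",
              clone_attack(reader, extract_key(card_a), b"card-B"))
```

In both designs the reader rejects a replayed response because each tap carries a new challenge, which is the property that makes passive sniffing alone insufficient for cloning. The difference is blast radius: with a shared key, one extracted chip secret forges responses for any card identifier the attacker chooses; with per-card keys, the attacker can only clone the card whose key was taken, and the issuer can revoke that one identifier.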
