Here are RFID Debit Cards, whether you wanted them or not.

By davidjsh at 3:01 pm on January 27, 2008 | 7 Comments

In the world of banking, attention has turned to the prospect of using RFID technology for contactless transactions via bank cards. While this in and of itself is a security concern, John Leyden brought to light in his article (http://www.theregister.co.uk/2008/01/27/paywave/) that some banks have started phasing in these cards without the consent of their customers.

In the UK, some banks such as Halifax are trying a system backed by Visa known as PayWave. Under PayWave, customers can make transactions under £10 without the need for a PIN or having to sign anything. In the article, we find that Pete is one of the customers upon whom this technology has been pushed without their consent. After destroying the new PayWave card (which he did not request) out of security concerns, Pete found that Halifax had also cancelled his old card. The replacement card Halifax ended up sending him was also a PayWave card. Though Pete was eventually able to obtain a non-PayWave card after enough complaining, it alarms me that banks would presume that convenience outweighs security for every customer. What prevents a “vendor” from rigging up a reader located in a backpack that would allow them to roam the streets charging a small transaction to every passing card? Few people would notice such a minuscule charge on their statements, and the “vendor” could potentially obtain a large sum of money over time. In my opinion, companies that are entrusted with our money should be much more responsible when it comes to security. Or at least they should ask their customers first.

Filed under: Current Events

7 Comments

  • 1
    Comment by Brian

    January 27, 2008 @ 3:54 pm

    I wonder if we’re going to see a big market for RF-shielded wallets over the next few years, so you at least have to take your card out of your wallet for it to be read. Being able to make transactions without a PIN or signature or other means of authentication seems pretty stupid.

    Even if the cards/readers are short-range, an RFID pickpocket would only have to walk close to you or bump into you while walking down the street, and you’d never know that anything had been taken until you checked your bank account later.

  • 2
    Comment by nnunley

    January 27, 2008 @ 10:15 pm

    I agree that the PayWave card is poorly thought out, and I wonder if this security concern was actually unknown while it was designed. It seems to me that the people backing this technology did not even bother to get this system reviewed from a security perspective. This is a surprising design flaw since one of the main concerns for banks is security. I think it is interesting that this product almost specifically trades security for convenience, without really changing the way the product is supposed to work.
    I think this is one of the many examples where people are being trusted to make decisions outside their area of expertise. For me this is one of the biggest problems facing the technology community today. Business executives and politicians are in charge of making decisions for technological policies and products that they don’t understand.

  • 3
    Comment by rudd

    January 27, 2008 @ 10:35 pm

    Pablos really hit the nail on the head about why credit card companies rolled this out without much of a security review. They aren’t losing any money off of this, and (theoretically) you aren’t either. In the end it’s merchants who have to pay, but they don’t have much of a choice about accepting credit cards. RFID enabled cards mean more small purchases on credit, something that banks and CC companies probably wouldn’t want to wait 5 extra years to roll out because of a security issue.

    Regarding RF-shielded wallets, I would love to hear what anyone who lives/has lived in Japan has to say about them, as Japan has had a huge amount of RFID tagged credit cards for quite a while. I’d be curious to know if most people actually use RF shields, or if they don’t really consider card skimming to be that much of a threat.

  • 4
    Comment by BRIAN SMITH

    January 27, 2008 @ 10:50 pm

    I agree with everything that’s been said, but I wonder what other problems ubiquitous RFID will incur. Of course, having your money and identity stolen is severe, but there will be other problems. One is that people could be easily tracked through a mall (by advertisers), through a city (by anyone), or through an office (by employers). The fact that banks are rolling out these things without anyone knowing means that people could easily take advantage of public ignorance. It’s not a stretch to think that RFID readers could be planted throughout a space, not only to steal information, but to track productivity, shopping habits, or someone’s daily schedule. This is simply a breach of privacy, though control over these systems is near impossible. It certainly encourages me to think about a Faraday Cage wallet.

    http://www.thinkgeek.com/gadgets/security/8cdd/

  • 5
    Comment by robertm2

    January 27, 2008 @ 11:06 pm

    I’m a mixed bag on the security of these RFID cards. On one hand, they don’t really do anything more than what our credit cards already do (well, at least that I know of) – transmit the number to the receiver. It’s pretty easy for our card numbers to be stolen anyways currently; anyone that works at a store can just glance at the card and the security code on the back while swiping it. They can then go online and use it to buy a bunch of stuff. However, I guess this does make it fairly easy and thus convenient for adversaries to steal the card numbers under certain conditions. I can imagine anyone with a reader being successful in very crowded cities like New York. This makes me wonder if the credit card companies will reimburse any unauthorized charges as some of them currently do…

  • 6
    Comment by Chad

    March 6, 2008 @ 8:33 pm

    I think the RFID Cards are a great idea, there are always going to be security issues, but if people are responsible with their credit cards they shouldn’t have much to worry about.

  • 7
    Comment by dschen

    March 9, 2008 @ 10:09 pm

    Aside from just RFID payment cards, there are also RFID payment tags, which are pretty much tiny RFID tags that you can attach to your keychain. I personally have one of these PayPass things and find it quite convenient since I’m very lazy…

    I’ve had no problems with my PayPass at all. Of course, if you lose your tag/card the thief can have a field day since there is no signature required for many purchases. Then again that’s why you use this on a credit card, not a debit card where you only tie up your available credit instead of your available funds.

    One thing about these payment tags is that they have no card number or any other information printed on them, so you get around the old problem of people stealing your credit card number by peeking at your card over your shoulder.

    Another thing is that it takes maybe 3 seconds at very close proximity (i.e., touching the tag/card to the reader) to get the reader to read your card/tag… Though I’m sure a more powerful reader could get the information from longer distances.
