Smartphone Used To Scan Data From Chip-Enabled Credit Cards
An anonymous reader sends this news from the CBC:
"Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC was able to read information such as a card number, expiry date and cardholder name simply holding the smartphone over a debit or credit card. And it could be done through wallets, pockets and purses. ... Although the NFC antennas in current smartphones need to be very close to a card in order to work — no farther than 10 cm — that could change with the next generation of Android smartphones. Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance, but could also be able to read the chips embedded in enhanced driving licenses and passports."
Qiuck Everyone Panic!!! (Score:5, Funny)
This NFC technology must be stopped. Why should anyone's life be any more convenient than it already is.
Why back in my day a phone was attached to the wall with wires. It made phone calls and only phone calls and we liked it.
You youngsters and all your fancy gewgaws. Get off my lawn!
Re: (Score:2, Funny)
Because swiping a card is ever so difficult. Our brittle wrists are just unable to cope with such massive stresses.
Re:Qiuck Everyone Panic!!! (Score:5, Funny)
You may be joking, but some of us actually carry platinum cards in our wallets. Do you know how heavy platinum is?
Forget tinfoil hats... (Score:2, Insightful)
...what we need is tinfoil wallets!
(all joking aside, when I got my RFID enhanced driver's license I went out and got an RFID shielded wallet).
Re:Forget tinfoil hats... (Score:4, Informative)
Re:Forget tinfoil hats... (Score:5, Informative)
...what we need is tinfoil wallets!
(all joking aside, when I got my RFID enhanced driver's license I went out and got an RFID shielded wallet).
All joking aside, when I got my RFID "enhanced" VISA card, I got a hammer and hole punch and punched through the chip.
Problem solved.
Did anybody not see this coming? (Score:5, Insightful)
I've always thought those tap-to-pay things were really a bad idea from a security perspective, as your card can be used without you even knowing it and without any form of authentication.
The fact that it will broadcast all of that information to just about anything tells me it's something which retailers and credit card companies like -- but it's mostly bad for security, but great for convenience.
I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.
I've always thought this was massively insecure, and it looks like I was right.
Re: (Score:3)
I knew it was a terrible idea before it was cool. B-)
(No, seriously, like back when Bush was president).
Re: (Score:2)
I remember when it first came out people telling me about it.
My response at the time was "so, all you need to do is wave your card near the reader, and it takes your money ... how do you keep it safe?".
Of course, I was dismissed as somewhat paranoid and got a lot of suggestions I was blowing it out of proportion. From the sounds of it, these things are just waiting to gladly spend your money without caring about your security.
I may be somewhat on the paranoid side, but that doesn't mean this was a giant se
Re: (Score:2)
I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.
It was a 5 minute phone call for me, when I wanted my Visa to send me a new card without RFID. They sent me the card, and added a flag on my account to not automatically "upgrade" me to RFID ever again.
Re: (Score:2)
It took me less than one minute with a center punch and a hammer, and none of my RFID cards give away my information. Ever.
Re: (Score:2)
I am fairly certain the tap-to-pay systems add a capability not present in standard magstripe systems - a transaction counter within the card.
Yes, failed cards will occasionally trigger a few extra counts, but you can safely assume that all transactions with a given card are going to be monotonically increasing.
If a thief starts using your card, and then you use it - now the CC company is going to see cases where the transaction counter goes backwards, a sure sign that something is VERY WRONG. Easy fraud d
Re: (Score:2)
You cannot clone a chip card. All you can do is record a transaction and replay it. As you've stated, there's a transaction counter that goes up, so this is useless to you as a thief. Furthermore, because of the way it works, cryptograms are used to verify that said data hasn't been tampered with.
In other words, this whole story is scaremongering. You cannot do anything with this data.
Re: (Score:2)
Last time I tried this, the clerk happily typed something to the terminal and told me: "done". It turned out that they only changed the limit for contact-less payments to 0. I told him: "look, the RFID chip is still in the card, knows nothing about what you typed into the computer and will happily answer any RF challenge that it receives. Can you reprogram/disable the chip itself?". I lost him on "RFID". They don't even issue non-co
Re: (Score:2)
It doesn't send any of the really important stuff without authorization. So they can't get the PIN number or CCV that would be needed to clone the card or make fraudulent transactions online. This is a total non-story in that sense.
Additionally the cards don't broadcast anything. They don't generate any signals themselves. They are powered by the RF field that is used for communication. The return signal relies on modulating the reader's RF field. You simply can't do that over more than 20cm, no matter h
What got my attention (Score:2)
Re: (Score:2)
Install one or two of these in rear seat of a taxi. How many can you snag during a typical shift?
Passports are encrypted (Score:5, Interesting)
The data on a passport is encrypted with a key derived from the "machine readable zone" that's inside the book. To decrypt the data available via NFC you have to actually optically scan the open page. In addition US passports have a shielded chip so the book has to be open to be readable.
I'm pretty impressed with the passports (Score:5, Interesting)
I was very much against them, in fact swearing I would smash my passport's smart chip when I got a new passport that had one.
But having read it with my phone, I'm impressed. You need key data from the printed page to make the NFC work and as you mention, the passports are unreadable when closed.
I think it's really well done. I'm a bit unsure quite what it's good for since it is slower than swiping it, I can only figure it was done just because putting that much info in a barcode was infeasible.
Now let me submit my pic as a link to a PNG or whatever instead of printing out a picture, having them scan it back in and turn it into a JPEG2000.
Re: (Score:3)
The data stored in the chip is signed using a new PKI. Modern chips can also do challenge/response. So it makes the passports impossible to forge. That's the reason for it.
Harder to forge (Score:2)
That's what it is all about. If the data on the chip doesn't match the data printed on the passport, they know a forgery has taken place.
what app is he using? (Score:3)
I have a VISA card with NFC and multiple tag readers for my phone and none of the tag readers can get any info like that out of the card. I've got apps that can read fare cards, passports, etc. but I can't find anything on my credit card.
What am I missing?
Re: (Score:2)
The power switch?
Re: (Score:2)
The data's probably encrypted. Of course in order to accept credit cards, a merchant needs the decryption key so this has probably leaked all over the place. An "App" is not going to have an illegal copy of the decryption key, but it's not hard to custom-program something for it.
Need a better source than some hack reporter (Score:5, Interesting)
I'd be intrigued to know what app they're using that's returning the code and expiry date.. that information is encrypted on the card and none of the free nfc tag readers I've tried even attempt to decrypt it (I don't trust the banking system to use half decent encryption so not discounting the possibility entirely).
Of course it could just be the typical bullshit scare story that newspapers come out with..
Re: (Score:2)
Re: (Score:2)
No need to reverse en
Re: (Score:2)
It is bullshit. The chip doesn't even store the CCV - the whole point of it is that it can only be read by a human from the card, not from the chip or magnetic strip. The pin number cannot be read either, all you can do is send a PIN to the card and have it accept or decline it. Naturally the chip rate limits attempts to guess the pin, and locks you out after a certain number of failures.
The information you can read via NFC isn't very useful. Same as the chip interface.
Re: (Score:2)
The information you can read via NFC isn't very useful. Same as the chip interface.
You can read it and then replay it for a POS transaction a few minutes later. Since the data is a binary blob, you could have one person wandering a busy mall, and another person appearing to browse at an electronics store. Beep! And a minute later someone's standing in line ready to purchase a giant flat panel on your credit card.
So... you were saying something about how it "isn't very useful"?
I am safe, I don't care. (Score:2)
Re: (Score:2)
*wooosh*
Advertising (Score:2)
Really? I don't know anyone with one. It's all flip-phones, HTC and iPhones where I live. And I'm in Canada.
Re: (Score:2)
Your anecdote is worth more than mine however, given that you see more new people in a given week than me.
"near" is a strange concept (Score:2)
In RF land the concept of placing object A near object B means very little. The big question is antenna gain/directionality and receiver gain and the ability of both to reject out of band noise and not create in band noise.
If a cell phone can read a signal from your credit card over a 2" gap then an antenna in a van can do it from across the street and Jodrell Bank can do it from the other side of the planet.
Re: (Score:2)
IANAL, but according to the all-wise Internet, card skimming is a part of card fraud, and is prosecuted accordingly - as an element of a larger crime (if the info was used) or a conspiracy to commit crime (if not.)
There is no legal reason why one would covertly copy the c/c information of someone else. Every use of that information would be illegal.
Security through Obscurity (Score:2)
Not me! (Score:2)
My wallet is made of stainless steel. Good luck with that.
Re:Almost useless (Score:5, Informative)
Without the CVV (verification code) you cannot do anything useful...
Bullshit. It will allow you to clone the card and make "swipe" based purchases. You can also use any online or phone retailer who doesn't ask for the CVV, and many of them don't ask.
Re: (Score:2)
It will allow you to clone the card and make "swipe" based purchases.
Are you also going to fake the look and design of a bank card, including, possibly, raised numbering/lettering? Or are you just going to clone it on an old library card?
All this is is a slightly easier way to obtain credit card information from a limited number of NFC enabled cards... but getting that information wasn't particularly hard in the first place...
Re: (Score:2)
Look and design - Blank magstripe cards are the same shape and size, the face design can be printed:
http://pvc.idcardgroup.com/productdetails.aspx?item=800059-106-01 [idcardgroup.com]
Raised lettering - using a set of letter stamps intended for metalwork.
Re: (Score:3)
The point is not that it cannot be done - I have cloned magstripe cards myself. The point is that there are hurdles to jump before you have a card you can actually use in person, and other hurdles for card not present transactions.
If you are willing to print on the card face and do the raised lettering for each card's information, good for you - what is the time and cost involved in doing that, versus the value of the fraudulent purchase you can make, versus the risk of the fraud being traced back to you?
Re: (Score:2)
Since when do employees at the average retailer ever bother to check that the raised lettering actually corresponds to the data on the magstrip?
You could just need to create one realistic looking card and then you could keep rewriting it with fraudulent details whenever you liked.
Re: (Score:2)
Re: (Score:3)
Raised lettering is no longer required. Which is fine, because basically nobody has a manual imprinter these days. Which is terrible at the drive-through when the machines are down...again.
Re: (Score:2)
Raised lettering is no longer required.
I know, but the vast majority of cards still have it, which means that cards without it get more scrutiny... so if your cloned card with fake printing doesn't have raised lettering, it might get a second look, at which point the person swiping it might notice that something's a bit off.
Re: (Score:2)
almost every retailer has cameras
unless you use the card for small purchases the real owner won't notice, the cops will go after you
Re:Almost useless (Score:5, Funny)
The credit card industry is staffed by morons that wouldn't know security from their own asshole. Really, it's that simple.
Re:Almost useless (Score:5, Interesting)
They do however employ very good lawyers and lobbyists who probably ensure that any liability ends with the consumer or the store not them.
Re: (Score:2)
I was gonna suggest lawyers and lobbyists that ensure the government picks up the liability.
That way the consumer's still happy, and keeps using the card, no matter how many times it gets stolen.
Re: (Score:2)
They do however employ very good lawyers and lobbyists who probably ensure that any liability ends with the consumer or the store not them.
I don't think any cards with personal liability exist. Every card I have has zero liability for fraud--of course, that's kind of a scam, since they just charge me the cost of fraud in my interest rate.
Re: (Score:2, Insightful)
In the UK (and probably other places) chip and PIN was brought in by the banks so they could push liability onto the customer. They argue that because chip and PIN is "secure" then you MUST have given your PIN to a third party, ending their liability.
Re:Almost useless (Score:5, Informative)
The credit card industry is staffed by morons that wouldn't know security from their own asshole. Really, it's that simple.
Yes and no... a few years ago when I got my first RFID card from Mastercard, I had to threaten to cancel the card if they didn't send me one without it. Two years later, when I got one from Visa, it was a 5 minute phone call and the new card (minus RFID) was in my inbox 3 days later.
That says it all, I think. And TFA says that I was right, and I will be quite smug all day about it. ;) (and will continue to insist on having cards without the RFID).
Re:Almost useless (Score:5, Informative)
A minor point, but one that people on Slashdot don't seem to understand, is that you don't actually get your cards from Visa or MasterCard at all.
They are payment processors and they pass payments from one bank to another. They ensure that the X banks in the world don't have to build connectors to X-1 other banks just to let you buy something at a shop or online. Instead each bank just connects into Visa or MasterCard (or sometimes both) and then calls it a day.
The relationship you have is actually with your bank (in industry speak, your card issuer). They are the ones that decide what payment scheme to use and issue you a card for that scheme. They are also the ones that would decide whether or not to make available to you the option to have a non-contactless card. Visa and MasterCard have no say in what they give you.
Hopefully that clears things up a bit.
Re:Almost useless (Score:4, Informative)
Canada, actually... most credit cards being issued here have RFID and Chip/PIN together. You have to ask them to send you one without RFID... they won't send you one without Chip/PIN because they're in the process of upgrading bank machines to require it. We've had Chip/PIN longer than Europe.
Re: (Score:2, Interesting)
Re:Almost useless (Score:4, Funny)
Re: (Score:3)
You realize that prostitution IS big business, right?
Re: (Score:3)
And you have a place to swipe the card there :)
Time to install the NFC reader in the butt/vagina.
Re: (Score:2)
Of the three, only lack of security can bleed a company dry of funds in milliseconds.
Re: (Score:2)
Just like the IT staffers are morons who wouldn't know how to run a successful business from their own asshole. Really, it's that simple. Fuck convenience, usability, and all that other crap customers want! I KNOW that SECURITY is the most important thing.
And that's how you just bought someone who stood next to you on the subway a couple of new iPhones.
Wasn't that convenient?
Re:Almost useless (Score:5, Informative)
News flash! Now they are cloning - and altering - the swipe machines, to capture everything including PIN and sending it through hi intensity bluetooth. The machines (GPRS -EDGE) are being switched without the merchant's knowledge.
Re: (Score:2)
Seriously, didn't anyone see this coming? "Swipe" the card and bam -- the purchase is done. How can that be considered secure? No signature, no PIN, no CVV, nothing; just pass it, and it's done. How the fuck was this even considered for adoption? Now, what everybody with half a brain imagined is happening.
Sure they all saw it coming. And "smart chip" credit cards that would hold biometric authentication have been teased for a decade. Problem is, security doesn't *sell*. Not when you can just tell the merchant that fraudulent use is their problem, and then give them no viable way to increase security aside from asking tellers to ask for ID (and we know how well that works).
Re:Almost useless (Score:5, Informative)
Hai! "Expert" here (And by "expert" I mean I work in the industry, my company has a hand in testing everything from the cards themselves right up to the host in your Bank's basement).
Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about. It takes no time at all to clone a magstripe card. It can be done using a $10 reader off ebay. It's easy to do and has been a direct cause of so much fraud you wouldn't believe.
Chip cards, on the other hand, work completely differently. They use the same technology that's in the SIM card of most GSM phones, the chip isn't just a static bank of data but an actual miniature computer (likely running a cut-down version of Java). It doesn't just hand over your card details upon request, it actually uses a lot of cryptography, using public/private keypairs (Amongst other things) to ensure that no two transactions are ever the same. Cryptograms are used to ensure that data being sent and received is valid, it's impossible to change any data without breaking this. Even a compromised terminal can, at best, record an existing transaction and nothing more - it can't change amounts or anything like that without breaking it. If EITHER the card or the terminal suspects anything is up, it'll either decline or force the transaction "online" - to your bank, where they have the final say.
Contactless chip cards are nothing more than a wireless standard that complements the above. Similar to Wi-fi versus ethernet, it's only the transmission medium that actually differs here, the same sorts of cryptograms and hashes are done here. The net result? Yes, you can skim some data using any NFC equipped smartphone, but it's useless to you because you cannot even replay a transaction because you don't have any of the private keys.
Yes, you can use the information to clone the magstripe on a card - the card gives you enough information in the clear to do this, but you'll find that the magstripe is largely useless to you as it's only used as a fallback. These days, even magstripe transactions are used "online" - that is, the terminal WILL contact the host to verify it, a side effect of the rampant card fraud that goes on. The host will question why a chip-enabled terminal is doing magstripe with a card it knows is chip-enabled. The result? Transaction voided. Terminal prompts you to use the chip, because the terminal knows there's nothing wrong.
As for online shops - those shops that DON'T ask for the CVN are liable for the fraud, so few are left out there that don't. What's more, most cards these days have a secure online payment page requiring you to type in a password before continuing.
Sum total? This is a non-issue, there is nothing new in this article and anything else you hear is scaremongering. You cannot clone a chip card, it's physically impossible.
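Added example, not part of the original thread: a simplified issuer-side model of the two checks described in the comments above, the per-transaction cryptogram and the card's transaction counter. HMAC-SHA256 is swapped in for the real EMV cryptogram algorithm, and all names, keys and card numbers are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass


def cryptogram(key: bytes, pan: str, amount_cents: int, atc: int, nonce: bytes) -> bytes:
    """MAC over the fields the issuer needs to trust (stand-in for the EMV cryptogram)."""
    msg = b"|".join([pan.encode(), str(amount_cents).encode(),
                     str(atc).encode(), nonce.hex().encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    pan: str
    key: bytes      # secret shared with the issuer; never sent to the terminal
    atc: int = 0    # transaction counter kept on the chip

    def sign(self, amount_cents: int, nonce: bytes) -> dict:
        self.atc += 1  # advances on every attempt, including ones that later fail
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "nonce": nonce,
                "cryptogram": cryptogram(self.key, self.pan, amount_cents,
                                         self.atc, nonce)}


class Issuer:
    def __init__(self, keys: dict):
        self.keys = dict(keys)   # pan -> card key
        self.last_atc = {}       # pan -> highest counter value accepted so far

    def authorize(self, txn: dict) -> str:
        key = self.keys.get(txn["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = cryptogram(key, txn["pan"], txn["amount"], txn["atc"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "DECLINE: bad cryptogram"
        # Gaps are tolerated (failed taps burn counter values); going backwards is not.
        if txn["atc"] <= self.last_atc.get(txn["pan"], 0):
            return "DECLINE: stale counter"
        self.last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"


def run_demo() -> list:
    key = hashlib.sha256(b"constructed demo key").digest()
    card = Card(pan="9999000000000000", key=key)  # constructed card number
    issuer = Issuer({card.pan: key})
    results = []

    first = card.sign(2500, b"\x01\x02\x03\x04")
    results.append(issuer.authorize(first))                        # genuine purchase
    results.append(issuer.authorize(dict(first)))                  # recorded copy resent
    results.append(issuer.authorize(dict(first, amount=250000)))   # amount altered
    results.append(issuer.authorize(dict(first, atc=first["atc"] + 1)))  # counter altered

    card.sign(1000, b"\x05\x06\x07\x08")          # failed tap: never reaches the issuer
    third = card.sign(1200, b"\x09\x0a\x0b\x0c")
    results.append(issuer.authorize(third))       # counter jumped by two, still fine
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```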
Re: (Score:3, Insightful)
Re:Almost useless (Score:5, Interesting)
Ah, well, see here's the thing - the USA is supposed to be moving entirely over to chip technology soon.
Of course, it isn't and nobody's in any position to move over because this takes a long time to roll out and a huge amount of the industry isn't as prepared for it as perhaps they should be.
But here's the good news! You're not liable for card fraud, the bank is. At least, the bank is for a short period of time, then that liability will switch over to the merchant because he hasn't upgraded to chip technology yet. That happens in 2015 and oh boy is it going to be a fun one to watch out for!
So anyway, getting back to my point - most of the rest of the world is already on Chip technology (known as EMV, by the way) - the US is the last of the G20 countries to move over to it. Canada did it years ago, the UK did it in the 1990's, etc.
However, as I mentioned above in the USA card fraud is already rampant, it's incredibly trivial to clone a magstripe card and there are already measures in place to fight against that (not quite as effective as moving to chip, of course, but it's there). The point is, there aren't many chip cards in the US so it isn't worth even trying to skim people's wallets for the odd one that DOES have a chip card, just so you can clone said card - it's far more efficient to tackle the magstripe swiping directly as every card has one. Then when the USA finally starts to switch to EMV and chip cards become more prevalent, the magstripe terminals will be mostly replaced and the ones that aren't - as I said earlier - you aren't liable for, the merchant is.
Re: (Score:3)
That particular paper is well known and if you read it, the vulnerability lies with the terminal and the entering of the PIN. You still need the physical card there, which you cannot clone. If your card is stolen, online fraud is much more likely and dangerous than someone using a dodgy terminal (or a shim of some kind inserted into the terminal to perform a MITM attack).
And if you were to objectively read it and other papers on the topic you would see that there is good evidence that these or similar attacks have been used to commit fraud without the collusion of the cardholder. Furthermore, when one case of a poor design decision is found, we can reasonably assume it is not the only one, and that poor decision-making was pervasive.
As you are a self-proclaimed expert deeply involved in the testing of this system, I find your attitude deeply disturbing. You write, and presu
Care is restricted (Score:2)
I had an ATM have trouble reading my card, so it resorted to using the magstripe. However, when in magstripe mode I was limited to withdrawing only $20. So the magstripe is pretty much useless nowadays, at least up here in Canuckistan.
Re: (Score:3)
Here's the deal - chip IS secure. What's more, contactless is also secure. Or rather, it's a hell of a lot more secure than the shitty magstripe you're talking about.
'Secure' and 'better than magstripe' are two different things, and as you acknowledge, it is the second of them that is most accurate. Nevertheless, it is a valid point that chip technology is much more secure than magnetic stripe.
Three things bother me, however. The first is that while the security is better, it has not, so far, been state-of-the-art. There is a team at Cambridge University that has found a number of exploits of the British chip 'n pin system, and good evidence that these exploits are bein
Re: (Score:2)
How is something as arbitrary as a "signature" considered secure either? Anyone can make a random squiggle on a bit of paper. That provides absolutely no authentication whatsoever.
A PIN is about the best option available at the moment, since stealing or cloning the card won't get you that.
Re: (Score:2)
...and every grocery store, which has never, ever, checked my ID.
Re: (Score:3)
Wal-Mart, Best Buy, grocery stores....? Plenty of brick & mortar stores with big ticket items. Most of them let you swipe the card yourself, so it doesn't even have to look very real.
Re:Almost useless (Score:5, Insightful)
Tell that to the criminals who were spending money in gas stations and restaurants in central California using a clone of my wife's card a couple of years ago.
Re: (Score:3)
About 2 years ago, I got a new credit card. I started making online purchases. A year later, I had a purchase rejected. Turns out that I used the wrong CVV- I used the CVV from the old card it replaced. I'd been using that CVV the whole time. I'd been using the wrong CVV for over a year, and this was the first time it had stopped the transaction.
Basically, almost no merchants check it.
Re:Almost useless (Score:4, Interesting)
Not necessarily. You said the new card was a replacement for the old card - often those replacements don't change the card number, so really all that will have changed is the expiry date and the CVV. It's possible that the online systems thought you were still using your old card and thus accepted the CVV because the "new" card had never been activated. So it's not the CVV they don't necessarily check, but rather the expiry date (Because hey it's in the future and that's good enough).
It's not ideal though, it should be much stricter than that.
Re: (Score:2)
It's the CVV. Not all websites even ask for it, which is proof that it isn't needed.
Re: (Score:2)
Is it impossible for someone to implement a way (even brute-force) to get those 3 (or 4) digit numbers?
Sure, you might even get 4 or 5 attempts before you get locked out.
Re:What are we going to call this? (Score:5, Funny)
I'm pretty sure I proposed "cardsnarfing" many years ago, trying to find the post now...
Re:What are we going to call this? (Score:5, Interesting)
Given how close you need to get to do this, more like wargrinding.
Testing with my GS3 and Interac Flash-enabled debit card, the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.
Re: (Score:3)
Same with a Nexus 4. Even a thick case causes problems. I'd actually like to have a bit more range for reading NFC tags.
Re: (Score:3, Funny)
the card needed to be in physical contact with the back of the phone to be read, despite their "4 inches" claim.
Typical real-world vs. "guy" measurement. (right girls?)
Re: (Score:2)
Hopefully Adria Richards will not read your comment.
CC.
Re: (Score:3)
Typical real-world vs. "guy" measurement. (right girls?)
Hopefully Adria Richards will not read your comment.
Although, I could be implying the example, "I caught a fish this big..."
As for Ms. Richards... She has many valid points, but often seems to choose the wrong battles and/or focus on things that, while apparently important to her, are actually rather trivial and/or harmless in reality. Many jokes may be inappropriate, but finding offense is a task for the small minded and/or insecure. Perhaps she doth protest way too much. My heart goes out to her for standing up for what she believes and suffering the c
Re: (Score:2)
CC.
Re:What are we going to call this? (Score:4, Informative)
Yeah, and the FUD comment that "omg phones MIGHT have greatly increased NFC range in the future" is bullshit.
Increasing range would require:
1) More power (eats battery)
2) More antenna surface area. To get a range of about 6-10 inches, you need an antenna that is more than a foot on each side. (I need to hold my badge within 6-10 inches of the reader when badging into the largest readers at my workplace - which are over a foot in both width and height.) Oh yeah, that's with a fixed reader that has all the power it could ever want.
Re: (Score:2)
I found my GS3 could actually read a card with less than 1cm overlapping between the card and the phone's back.
Also it will easily go through my wallet. I can get about 2-4cm of range.
Re: (Score:2)
Given how close you need to get to do this, more like wargrinding.
So... get CC data AND make a new friend!
Is that a smart phone in your pocket or are you just mildly pleased to see me?
Re:What are we going to call this? (Score:5, Funny)
Re:What are we going to call this? (Score:5, Informative)
How fast does it read the card?
Using the TagInfo app from NXP (Who apparently made the NFC chip in my card), takes about 1.5 seconds to read it.
Re: (Score:3, Insightful)
A solution looking for a problem. I love how we invent all this crap and then have to invent more crap to make the crap barely usable. If you have to put the card in a faraday wallet then how is it any better than...say...SWIPING IT?
We seem to be able to introduce NFC, but we can't implement chip and pin. I can does security! Herp de derp...
Re:Sensationalist.... (Score:5, Insightful)
Yes, but this provides opportunities for people you don't hand your card to to be able to get the same information.
So anybody on the street with a phone potentially has access to your information. And if some schmuck walked up to me on the street and asked me for my card number, name, and expiry date I wouldn't give it to them -- this makes it possible for people who you have no intention of giving this information to be able to get it without you even knowing.
If NFC is so horribly broken that any random person with a free app from Google Play can access your credit card information without you knowing it, it's defective from the get go. Something I've always believed anyway. Its goal is to be convenient and spur people to use this as a payment option; it has never been designed with security and privacy in mind.
Re: (Score:3)
You'd be surprised how many people will give you that info if you just walk up to them and tell them you are a credit card technician from MC/Visa/etc while wearing a jacket with the logo badly sewn on it.
Re:Sensationalist.... (Score:4, Insightful)
Surprised isn't the right word. Appalled, sure. Surprised? No.
Then again, people still fall for spam, phishing, and those fake tech support calls from "the Windows provider" which people fall for.
Critical reasoning is a surprisingly uncommon thing. It depresses me, but it doesn't surprise me.
Re: (Score:2)
Then again, people still fall for spam, phishing, and those fake tech support calls from "the Windows provider" which people fall for.
What the hell. You mean that *wasn't* microsoft calling me, to let me know that my 'nix system was compromised. Son of a...
Re: (Score:2)
And if some schmuck walked up to me on the street and asked me for my card number, name, and expiry date I wouldn't give it to them -- this makes it possible for people who you have no intention of giving this information to be able to get it without you even knowing.
At which point, they face the same hurdles of using credit card information fraudulently that every other fraudster does.
I'm not saying this doesn't make it easier to get the information - it clearly does. However, you typically need to put in more effort than just getting that information before you can perpetrate the fraud, which the article ignores. I also don't care for the insinuation that Google should ban NFC apps.
They probably shouldn't put NFC chips in cards - there's little benefit to be had from
Re: (Score:3)
Or do away with the idea of pull based transactions completely...
Instead of giving the retailer access to your card, where they could pull any amount from it, rather operate a push system whereby they give you an address (let's say via qr code), you scan the code, approve the amount and your bank then sends that amount (and only that amount) to the retailer's account. The retailer is not in control, you are.
Re: (Score:2)
I've got a hot news story for you - every person you hand your credit card to is able to access your card number, name, and expiration date!
With the advent of chip/pin cards, I can't remember the last time I actually had to hand my credit card to somebody in order to complete a transaction. It was many years and multiple cards ago.
The same can't be said for RFID cards: they can be read with a suitably powerful antenna from 50 feet away.
I guess you don't live in the US? (Score:2)
Re: (Score:2)
In most fast food places the c/c terminal is either built into the till, or is placed right next to the cashier, or is on a counter that the customer can see. There is no danger of illicit copying of the card if you can observe it constantly.
If the waiter at a large restaurant wants to take your c/c, they cannot refuse you to tag along. The terminal will be not too far anyway.
Re: (Score:2)
Canada... we had Chip/PIN before Europe did. I know this, because I had a Chip/PIN card last time I travelled in Europe, and nobody knew what it was. :)
Re: (Score:2)
I don't think you know how NFC works. Tell me, how is this extended antenna going to power the card?