No. of Recommendations: 1
I recently saw a video about RFID chips embedded in credit cards.

http://youtube.googleapis.com/v/lLAFhTjsQHw%26sns=em

Is this for real? And if so, why would anyone want one? It looks too easy to steal someone's credit card information.

Any thoughts?

Andy
Print the post Back To Top
No. of Recommendations: 1
why would anyone want one?

The video answers that question. "It's designed to be a faster way to pay at stores all over town."
Print the post Back To Top
No. of Recommendations: 0
In Europe a couple of cards already have been equipped with it.

The security mechanism is that you can only pay for a small amount like 15 EUR, which would be enough at the news agent to speed up the transaction.
Print the post Back To Top
No. of Recommendations: 2
Millions of Americans who have credit cards equipped with radio frequency identification (RFID) chips for easy use can also have their account info stolen with relative ease by criminals.

http://www.clarkhoward.com/news/clark-howard/personal-financ...

Unfortunately, we will continue to be vulnerable until we get modern "smart chip" security standards for our credit cards like they have in Europe. American Express tried to lead the charge on this stateside, but the banks pushed back. Sounds like the heavy hand of government may have to intervene with some regulations on the industry before anything gets better.

http://www.clarkhoward.com/news/clark-howard/personal-financ...

American Express and Bank of America have both announced they'll begin implementing "chip and pin" technology in their cards. Here's how it works: A unique computer chip placed within your card is associated with a secret PIN code that you enter with each use. So if the card is stolen, the criminal won't be able to access your funds.

http://www.clarkhoward.com/news/clark-howard/personal-financ...

Fuskie
Who notes we are years behind Europe in credit card security as our financial institutions have decided it's cheaper to write off losses from fraud and theft rather than prevent them, no matter the consumer inconvenience...
Print the post Back To Top
No. of Recommendations: 0
Fuskie
Who notes we are years behind Europe in credit card security as our financial institutions have decided it's cheaper to write off losses from fraud and theft rather than prevent them, no matter the consumer inconvenience...


Do the European credit cards have RFID chips? And do they have some better form of security for them?

Or do you mean our lack of credit card security exists in the processing of the card info ala Target?

It sounds like RFID chips are just a bad idea if they can be read by strangers.

Andy
Print the post Back To Top
No. of Recommendations: 2
What they use overseas is beyond RFID chips. American banks have made the business decision to not adopt a more secure technology but to just clean up after card and identity theft, fraud and abuse.

Fuskie
Who notes the European mobile industry wipes the floor with the American cell phone industry as well...
Print the post Back To Top
No. of Recommendations: 3
Fuskie,

You wrote, What they use overseas is beyond RFID chips. American banks have made the business decision to not adopt a more secure technology but to just clean up after card and identity theft, fraud and abuse.

- You assume American banks have a clue as to what it would take or what it would cost to try to solve the problem.
- You assume they'd pay to hire the talent that could educate them.
- You also assume (most of) their management could understand what they were told.
- You assume they care to do more than they are required to by law when doing so involves spending money with no clear understanding of what it will save the bank - or how it might positively impact that manager's (or CEO's) bonus.

- Joel
Print the post Back To Top
No. of Recommendations: 0
do [European credit cards] have some better form of security for them?

They all have a unique identifying chip built-in to the card. It's not an RFID card, but it is unique to each card, which makes counterfeiting impossible (or at least uneconomical).

Some of them require a PIN for every transaction.

If you plan on traveling overseas, many American banks will issue you a smartcard to replace your regular card. It still has the magnetic stripe, and so can be used at terminals that don't have chip readers.
Print the post Back To Top
No. of Recommendations: 2
stevenjklein,

You wrote, They all have a unique identifying chip built-in to the card. It's not an RFID card, but it is unique to each card, which makes counterfeiting impossible (or at least uneconomical).

A unique ID does nothing to make a card / chip impossible / expensive to duplicate. Case in point: Your credit card number is unique.

Also, Some of them require a PIN for every transaction.

This is a good first step as long as the PIN is always required and as long as the PIN does not have to be short. But just a PIN is not enough as they can be taken through skimming or shoulder surfing.

It seems to me that the only right way to solve this is to use a cryptographic grade handshake involving a shared secret. The handshake must be able to validate the connection through a shared secret (cypher key) known only to the device and the bank without disclosing the secret over the network. This is the same type of problem found in any secure communications protocol. I don't know whether the European card standard actually solves the problem in part because I never travel to Europe...

- Joel
Print the post Back To Top
No. of Recommendations: 0
My info is that all credit cards will have RFID in the next couple of years. Several are already offered: http://www.lowcards.com/credit-cards-rfid-13517.

Various travel blogs recommend you get one if you are travelling to Europe. Theoretically, American cards must be honored there, but it doesn't work that way in practice, such as in toll booths.
Print the post Back To Top
No. of Recommendations: 1
A unique ID does nothing to make a card / chip impossible / expensive to duplicate. Case in point: Your credit card number is unique

Perhaps I failed to make myself clear. I didn't claim it was difficult to duplicate because it's unique.

It's difficult to duplicate because the chip itself cannot be easily duplicated.

With credit card readers that focus only on the magnetic strip, anyone with a card reader/writer could copy the magnetic strip from one card to another, creating a perfect duplicate.

There have been attacks on card readers, tricking the reader into subsequently accepting fake cards.

But so far as I know, no attacker has managed to create a chip-intact clone of an EMV credit card.

In every country that has rolled out this system, fraud has dropped dramatically, as the bad guys shift their attention to low-hanging fruit — countries that haven't yet implemented EMV cards. I suspect that's a big reason why credit card fraud is increasing in the US.

http://en.wikipedia.org/wiki/EMV#Successful_attacks
Print the post Back To Top
No. of Recommendations: 3
stevenjklein,

You wrote, It's difficult to duplicate because the chip itself cannot be easily duplicated.

First, the chips are dirt cheap. Second, in the US you don't have to duplicate the chip - you just have to program a card with a magnetic strip that fakes the card's info that was captured from the chip.

Also, With credit card readers that focus only on the magnetic strip, anyone with a card reader/writer could copy the magnetic strip from one card to another, creating a perfect duplicate.

Like I was saying, you don't have to dup the chip - at least not in the US. Also, an RFID reader isn't that expensive.

What's more, I *own* an EMV card reader. My employer bought it for me for VPN access. (My badge contains an EMV chip.) Cost? $10. The reader can write a card as well. I don't have the knowledge needed to clone my security badge; but it should be possible - though I admit it's probably a much tougher problem. Also, I suspect you would need to duplicate the chip's unique ID, which might be problematic if that is never directly exposed.

Finally, In every country that has rolled out this system, fraud has dropped dramatically, as the bad guys shift their attention to low-hanging fruit — countries that haven't yet implemented EMV cards. I suspect that's a big reason why credit card fraud is increasing in the US.

http://en.wikipedia.org/wiki/EMV#Successful_attacks


I agree US banks need to do something. Credit card fraud is rampant. Unfortunately its businesses that take the brunt of it as banks and card holders are mostly immune.

The first attack mentioned in this wiki article do not inspire confidence in EMV. This piece mentions what is known in wireless circles as a replay attack. It's a well-known attack vector and secure communications protocols have been dealing with them effectively for nearly two decades. It's not even that hard a problem to address. The hard one is a man-in-the-middle attack - though those tend to be harder to carry off (especially in bulk) when the communications are effectively near-field.

The other attacks appear to focus on harvesting the PIN or bypassing PIN verification. It appears the European system stores the user's PIN on the card somewhere. This is fundamentally insecure, even if the device never directly discloses the PIN once programmed. Keeping both the key and the PIN on the same device circumvents most of the advantages found in 2-factor authentication methods.

But like I said, we may need to force the banks to do something to make it harder - if only because so many businesses get taken by credit card fraud.

- Joel
Print the post Back To Top