Wednesday, May 25, 2005

Ga. Credit-Card Holders 'Blink' Cards

Does anyone here know about the security measures in place for cards like this? What frequencies do these operate at? What's to prevent building a directional antenna that triggers your card from a distance? Or listen in while you reply to a legitimate reader? Is the data transmitted protected with something like public key encryption? Is there a mechanism to authenticate either cards or readers? Will customers still sign receipts?
Ga. Credit-Card Holders 'Blink' Cards - Yahoo! News


Qian said...

This article at Mac News has slightly more detail. Basically they're doing some hand-waving and practicing security through obscurity. Nobody knows what, if any, security scheme it has. I rather doubt there's any encryption or they'd throw that buzzword in there for sure. Never mind that a naive implementation would be vulnerable to replay attacks anyway since I can't imagine them actually including signed timestamps à la Kerberos.

It certainly has the potential to make ID theft easier. But it's not really that much less secure than existing cards. If you've ever taken a close look at the kind of security of the whole credit card system, you'd get pretty worried. But it's not really a problem for the consumers or credit card issuers. Consumers have a $0 to $50 fraud liability so they're covered. Credit card issuers don't swallow most of the fraud, either. Instead, any fraudulent transactions are charged back to the merchants who accepted them. It sucks for merchants, but like rent and taxes, it's just a cost of doing business. Plus a significant portion of purchases is funded by credit card debt anyway, so merchants benefit from that more than fraud costs them, at least for now. The problem is that CC fraud is only going to get worse, and the only people that have an interest in stopping them are very ill-equipped to do so.

5/25/2005 06:55:00 PM  
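
The replay concern and the "signed timestamps à la Kerberos" idea from the comment above, as an added example that is not from the post, the commenters or any card issuer (the page does not say how the Blink cards actually work). It assumes an 8-byte card ID, a per-card shared key with HMAC-SHA256 standing in for the signature, a card that knows the time, and a 30-second freshness window.

```python
import hashlib
import hmac
import struct

MAX_SKEW = 30  # assumed freshness window in seconds


def static_response(card_id: bytes) -> bytes:
    """Naive card: sends the same bytes every time, so a recording replays."""
    return card_id


def timestamped_response(card_id: bytes, key: bytes, now: int) -> bytes:
    """Card binds its 8-byte ID to the current time under a per-card key."""
    ts = struct.pack(">Q", now)
    tag = hmac.new(key, card_id + ts, hashlib.sha256).digest()
    return card_id + ts + tag


class Reader:
    def __init__(self, keys: dict):
        self.keys = keys   # card_id -> per-card key (assumed provisioning)
        self.seen = {}     # replay cache: tag -> timestamp it carried

    def accepts_static(self, msg: bytes) -> bool:
        return msg in self.keys  # nothing distinguishes a replay

    def accepts(self, msg: bytes, now: int) -> bool:
        if len(msg) != 48:
            return False
        card_id, ts_raw, tag = msg[:8], msg[8:16], msg[16:]
        key = self.keys.get(card_id)
        if key is None:
            return False
        good = hmac.new(key, card_id + ts_raw, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return False                      # forged or altered
        ts = struct.unpack(">Q", ts_raw)[0]
        if abs(now - ts) > MAX_SKEW:
            return False                      # stale: recorded and replayed later
        # Drop cache entries the skew check would already reject.
        self.seen = {t: s for t, s in self.seen.items() if abs(now - s) <= MAX_SKEW}
        if tag in self.seen:
            return False                      # replayed inside the window
        self.seen[tag] = ts
        return True
```

The replay cache only has to remember tags for the length of the skew window, because anything older is rejected by the freshness check alone.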
Eric said...

Like you, I don't know the details, but I'll try to wait until I hear more details about the security mechanisms before trying it out.

I agree that while credit card theft is a hassle, legally the customer should have very limited liability and most people can just use another card while they sort things out. A bit scarier is that protection is not guaranteed for either debit cards or old-fashioned checks. While it's easy to just use credit cards instead of debit cards, sometimes checks are still necessary (e.g., paying your rent, taxes). Anyone who sees one of your checks could print out another check on a home printer and drain your checking account. Of course, you can dispute it and will probably get your money back eventually, but in the meantime you may need the money, have bounced checks, late fees, etc.

Another question for mathhuters... What precautions do people take to secure data on their laptops?

5/26/2005 12:15:00 AM  
Justin said...

Just as an FYI, federal law limits your debit card liability to $50 if you report the problem within 2 days of discovering it and $500 otherwise. Every bank that I'm aware of voluntarily sets debit card liability to match credit card liability. Massachusetts requires them to do so.

5/26/2005 10:08:00 AM  
Eric said...

Thanks for the FYI. I guess my paranoia isn't keeping up with the times.

5/26/2005 10:16:00 AM  
Justin said...

Have you not been keeping up with patchsets for the tinfoil-hat package?

5/26/2005 11:46:00 AM  
Vincent said...

So, isn't this essentially like a Mobil Speedpass?

5/28/2005 07:03:00 PM  
Eric said...

Not having a car, I haven't paid as much attention to the gas/toll booth RFID payment systems. I would guess that they probably are similar. But I would guess that they work only at Mobil stations/toll booths. So the potential reward for hijacking someone's RFID is much less than with a credit card. And if someone sold the info, then it would be easy to point out that you couldn't/wouldn't have driven through a toll booth in Maine, then one in Pennsylvania, then one in Massachusetts, and then one in DC all in one day.

5/28/2005 08:25:00 PM  
