Wednesday, July 9, 2008

Smart Cards-- Not so safe

Now you don't have to swipe your credit card. Just hold it near something. PayPass by MasterCard, PayWave by Visa, ExpressPay by American Express, Blink by JPMorgan Chase and ZIP by Discover.

It's true that when new technology comes out, it's always said to be safe just because no one has cracked it yet. I find this technology a lot more dangerous than online shopping or banking. Their only protections are "it's safer because it doesn't leave your hand" and "it's safe because you need to be within 1-2 inches of the scanner". But do you realize the scanner goes right through your wallet and clothes?

And why do they have a sushi chef explain the security features of this new technology? I am not being disrespectful but I'd have more respect for almost anyone else. Have you considered a doctor, a dentist, a police officer, a guy in a wheelchair (I don't know why I respect them), a nerd, a biochemist, a German, at least a sushi chef with a knife? But come on, what does a white sushi chef know about security? At least a Japanese PhD student wearing glasses.

How vulnerable it is regarding

What others have to say from:

I very much share Randy’s dream, or at least I would if smart-cards really couldn’t be forged, copied, and altered. But they can. Several of the applications that Randy so prominently features, such as the Oyster card, were just recently shown to be easily crackable. More than 85% of today’s smart-cards in transport applications are vulnerable to wireless theft—a thief can simply walk past you to steal the value on your card. Credit cards that were mentioned as the prime applications of contact-less technology today are also currently prime victims for this attack (called skimming).

NFC will create even more security hazards. By interconnecting cell phone, payment device, and personal data storage, all of these become exploitable if only one of them is vulnerable. And contact-less smart cards are currently the least secure technology. Now imagine once again walking past that movie poster and your cell phone automatically downloads the newest virus. Very convenient—at least for the prankster who has hidden an NFC tag behind the poster.

While it might appear this way, contact-less smart cards don’t necessarily have low security. Well-thought-through standards such as those for passports provide a high level of protection, but also come at a price that most payment and transport operators are not willing to afford. Identity theft and fraud will therefore become worse through smart cards, before they will get better after security is thoroughly understood in the industry.

— Posted by Karsten Nohl

Are there any countermeasures to stop the unscrupulous owner of a smart-card reader from installing one of these under the seats at a busy bus terminal? Someone sits down and the reader promptly deducts $49 from the smart-card in the person’s wallet (which is likely conveniently nearby).

— Posted by Brice

I cannot understand the willingness of some people to rush us into a world in which anyone — government or otherwise — can look in on our purchases, activities, travel, even whether our autos are polluting more than the law allows. All of those things are being done now even without smart cards. Imagine the gold mine of information government will have when we can be tracked in every detail through smart cards. It will not matter whether Congress is willing to back the president’s push for expanded citizen surveillance. There will be nothing to stop any level of surveillance. Permission will not be required. Credit card purchases are already tracked for a database from which everyone from political campaigners to merchants to scam artists draw detailed information, information that has been used to target voters, sell merchandise, and bilk seniors out of millions. Why in the world would we want to make it easier when there are no issues with cash or existing technology? Who will benefit? Citizens? Not likely. Consumers? Not even close. Government and multinational corporations? You got it.

— Posted by Charlie

People have hacked cable & satellite TV and satellite receiver smart cards for years. Just wait and see how many hackers get involved if and when smart cards are issued as currency.

— Posted by Marty

I’ve noticed that every time a group comes out with a new technology with the potential for storing and manipulating data, they always immediately claim their product is safe and secure, and dismiss all the “security nuts” who worry about the privacy and safety of their private data. Then I look around at the high prevalence of identity theft, the regular announcement of massive data breaches, and think back on the three or more times I’ve had to file fraud alerts on my credit report because a group using supposedly “secure” products and procedures managed to compromise my data. As a result, any time a spokesman declares their product secure and dismisses quite valid privacy and security concerns out of hand, I’m quite disinclined to believe them. I would have liked to see this rep pressed a bit harder on those security issues, instead of allowing his blanket security statements to go largely unchallenged, without much, if anything, in the way of proof to back it up. Plus, you can make the card itself as secure as you like, but all you need for a security breach is one unscrupulous insider with access to the back-end database.

— Posted by Dave

chriis said...

Oh, neat. They can make it cost you much more than £10 to challenge a fake payment. So very few people will bother going through all the hoops.

Then they point out that very few people are successfully claiming for fake payments, which proves that there are very few fake payments, which proves that the cards are secure.

Once the cards are (by force) generally accepted then they can start bumping the £10 limit up.

John Parker said...

"[Apacs] believes fraudsters will not be bothered with collecting lots of small sums when they could garner more from other scams. Halifax says all banks will honour money-back guarantees if cards are compromised by fraudsters."

I like the way the concerns about people walking around, say, the tube with a battery-powered scanner modified (amplified) for larger-distance scanning have been addressed! 'Scammers simply won't be bothered to rip these off.'

It's a terrible idea. I could easily set up a shill business as a sandwich shop or whatever, then make my real, tax free, proper incoming scanning cards on the underground/other busy public place all day, and charging say £9 per hit... even just a hit a minute yields me a healthy £540/hour... or £2160 for a 40 hour week.