micropayments ftw

I can just imagine now, in the not so distant future, some not entirely honest vendor in a busy public place using a boosted antenna and subtracting a small fee from every person that passes. The amount deducted, say 50p, would be too small for many people to complain about or even notice, and wouldnt trip the transaction fee limits. now say it was something like a sporting venue, thousands of people could wander past, and that small fee would quickly add up to a tidy profit.

Mine is the coat with the faraday cage woven in.

Barge pole, not touching tag?

So, are they going to implement anything resembling security on these things? I'm thinking of how secure Oyster is as a relevant example.

No? What a surprise. I'll be using those small metal or linen tokens until they sign a contract that makes them liable for any and all of any loss I report to them (unless Bruce Scheier or Ross Anderson can prove I was acting fraudulently)

@ POPE Mad Mitch

There's a solution, I've had one of these for about a year now:

http://www.thinkgeek.com/gadgets/security/8cdd/

No idea whether it works though, guess I'll test it if I get contactless payment on my cards.

More than one card in my wallet

Just wondering what happens if you've got more than one contactless card in your wallet. How do you know which card will be charged?

I can see little benefit

I fail to see how the current chip and pin system is slow! The bottleneck is when the terminal itself taking ages to accept and process the payment. Not sure how waiving your magic card will make it much quicker. Also, I already use my card for everything. 73p is my best to date in a well known supermarket which I know probably cost them about that much to accept my card.

It will only be the big retailers who get setup with this tech anyway as they can afford the processing costs. Small shops just won't bother until cash costs more to bank than accepting cards, which I can see happening soon enough since the banks control this too.

Only reason Oyster works

Is its unique, therefore i know how much i should have paid them and on the fairly frequent occasions when it charges me £4 instead of £1, i notice and often journey data shows that its an error.

So in a crowded shop, how does it know to take money from MY card, not my friend's or that bloke in the queue that is too close or the granny at the second checkout.

Just because contactless is possible, it does not mean it desirable or secure!!!!

Please get your facts right....

"The communication protocol used by both Visa and Mastercard conforms to the EMV specification, though the kernel and encryption systems are kept secret - a strategy which rarely works out for the best,"

The communication protocol is an ISO standard (ISO 14443). The encryption systems are standard EMV (again, a public standard), and Visa and Mastercard then have their own card application standards built upon EMV (but again, available to terminal and card manufacturers). The kernel - well, that's the logic which goes inside a terminal, which is proprietary software in that each terminal manufacturer will - however, it operates to EMV standards.

A contactless transaction is just a variant of a normal EMV transaction. There's little different apart from the interface used - and certainly there are no proprietary encryption systems used. The only 'secret' part is the private keys loaded onto the cards. In any PKI system, the private keys are kept, well private. The public keys are used to verify the data on the cards. Anyone with an EMV spec, a card reader and a bit of programming skill can perform an EMV transaction (that doesn't mean that they can actually get any money - although they can trigger the risk management logic, which then requires a full 'online' transaction to reset it (ie. in the case of a contactless card - a standard EMV transaction with PIN and communication with the issuer).

Please, don't scare monger on things which don't need it.

Where to drill

..Anyone know where the specs are so we can drill through the RFID/whatever-paywave-is chip without frying the chip and pin one? Microwaving the card would work but would fry them both :(

@POPE Mad Mitch

The range on the cards is very small - a couple of cm at best. An amplified aerial to power up the card at a distance (e.g. even 1m) needs significant power output to do so (although is theoretically possible). Cards being closer than 1m are likely to be damaged in the process!

This ignores the problem of actually receiving the response from the card. It works by modulating the signal from the reader - which needs to be super, super sensitive to pick it up at a distance of 1m. Again, possibly not impossible - but in practice, with cards moving through the field, other cards moving in, moving at angles to the reader etc - makes it practically impossible in a real world situation. Oh, and add to that 'noise' and interference from other RF emitters means the super sensitive receiver gets overloaded with noise.

The fact that everyone walking past a retailer suddenly gets burning coins and molten cards in their pocket is likely to be a bit of a give away...

Still, it makes good headlines....

Obvious flaw in this system

What happens when every card has this technology? If your wallet contains 4 cards which one will it take payment from?

@Nic Brough

Oyster and contactless EMV payments have little in common apart from the fact they communicate over the same medium. The fault with Oyster (well, actually Mifare) was that NXP/Philips designed an in-house encryption system which was flawed. Cryptographers could not validate their encryption methods - and as often happens without peer review - vulnerabilities were found.

With EMV it uses standards based RSA PKI cryptography. People can look the EMV standard and check it. You can validate RSA for vulnerabilities. It's actually a pretty open standard.

Now, I'm not saying that EMV is perfect - but it's nothing like Mifare. It's almost like saying that one brand of car rusts badly - therefore all cars rust badly.

do they.....

get a big water flume installed at work so they can slide home and pay for things on the way?

If so, am sold!

I can't wait

I will give my card to the kids while im in a public place surrounded by CCTVs and the kids can go on a spending spree. (the kids will be wearing an IR hat to block their face from the instore CCTV)

I couldn't have possibly have purchased those items m'lud, I was was here - see.

watch fraudbay for low priced items as <ahem> items are laundered

oh yes, brilliant idea

what's the point?

Presumably I'll still have to enter my pin, so what's the point? If I still have to enter my pin, why limit it to transactions under £10?

If I don't have to enter my pin then where is the security in this system? Being the tight-fisted yorkshireman that I am, someone nicking £10 is just as concerning as someone nicking £100.

@adnim

"I don't use Barclays, but I am sure other banks will follow suit especially if the sheeple see this as a good thing and it takes off."

No no no, you don't see the big picture. This is nothing whatsoever to do with the individual customer. Barclays have launched this new 'product', which its customers will get whether they like it or not.

The inevitable next step is that the boards of other banks will look at what Barclays have done and say: ... uh oh, our competitor is offering a new product that we don't ... they're in a new market that we aren't(*) ... QUICK! get working on our own version of this 'product'!

sad but true, this is the abstract box-logic thinking which drives these huge corporations, which incidentally how the credit crunch came about.

(*) Yes, Bill Hicks had it spot on.

@AC (@POPE Mad Mitch)

AC, maybe you should go and read the article "Passport RFIDs cloned wholesale by $250 eBay auction spree" - that could read RFIDs from 30 feet away and the researcher thinks he can extend the range to over a mile

Cash is king

I reverted to cash when chip and pin became manditory.

Everything I buy that is expensive I buy online with a credit card, the debit card is never used anymore.

Haven't had any negative experiences and it's miles easier to balance the books at the end of the month.

@AC (@POPE Mad Mitch)

To add to ACs post above it seems like every time a technology comes along using radio people have said "you'll never be able to get the range". Whether this is in the context of good ("It'll prevent RFIDs being read from a distance") or bad ("You'll never be able to broadcast further than...")

I've heard the bizarre ideas that if you could the world would cave in, "coins would melt" and the singular quantum thingy would stop being so singular

Seems to me its been proven wrong everytime so far, long wave radio, digital radio, your mobile phone, satellite phone, college students reading entry passes from miles away....

What makes you think that these cards will be any different?

Also what makes you think range is even an issue? Pickpockets don't exactly work from the other side of the road but last time I looked they were quite real. Barclays just invented a new way of having your pocket picked which requires little skill, just wave a reader over peoples bums and no actual contact so far less risk

I can easily imagine a certain breed of criminal drooling over this one

Mines the coat that will always need to be stolen from the old fashioned way

No outlets

I've had a onepulse card for about a year, and I have never seen anywhere I can use it as a paywave/contactless card.

The oyster feature on it is well worth it though, I put all my travel spending on the one card.

@John Scott: 12p was my lowest card transaction, at M&S. In my defence their self service machine repeatedly refused my 20p so I gave it all the change I had and paid the remainder on my card.

@ Tawakalna

Then you, my friend, are a terrorist pedofile*!

*If you're going to mess with an already incorrect word you might as well go the entire pig.

thirteen

point five six megahertz is the frequency for this (nearly) iso14443 RFID. One of the weaknesses/threats is that your mail could be scanned at 13MHz and any interesting letters/mail-sacks that ping back are either a credit card/ePass/european citizens card or whatever. I have an HP4700 ipaq PDA with CF based 13.56MHz antenna podule, I could be scanning your mail now, but I'm not! There's also a possible man-in-the-middle 'relay attack' against eCC, but the relay reader would have to be within centimetres of your card,the attack is possible due to the up to 5 seconds transaction windows that have been defined. Watch out when consumer RFID starts to implement the 900MHz band like for USA eDriving licence & passport cards, =big read range. Personally I will terminate with prejudice my eCC, provided the postman delivered it in the first place!

Bugger

Where can I buy foil lined wallets from then ? No doubt the huddeled masses will swallow this wholesale, then moan when they get shafted by that man with the large briefcase they walked past...

Once again Barclays try to force a badly implemented change on their account holders...

Barclays don't care what their customers think, they just come up with some half-ar*ed idea and then force it onto account holders whether they like it or not.

They're a very very silly bank.