PHONE me if you feel DIRTY: Yanks and 'Nadians wave bye-bye to magstripe

The usable range is longer than you think

Sure, using most of the certified CE-marked readers, the range is only about 5-10cm

Using a high-powered antenna package, you can get several metres - this is used in other RFID systems, eg automated warehousing to count widgets on a pallet.

However, 5cm is still easily enough to swipe a few hundred cards while on public transport or walking down a busy street.

5cm thick trousers are somewhat less common than casual plate armour.

To some extent, one protection is to fill your wallet with many contactless cards so they all clash.

Or chain mail. That probably works too!

They claim that card fraud has jumped up with the advent of NFC, because it doesn't need any verification for less than AU$100.00. Of course, this only applies to stolen cards for the short time the original owner doesn't realise it's gone. Thieves can still squeeze a fair amount of stuff in that time though.

It takes the better part of a second for a stolen RFID ident to travel to places where the limit is higher. As a matter of fact, AUD 100 is roughly £45, which makes it 50% higher than the UK limit so expect lots of people travelling to Oz who will never actually get there.

The massive problem with NFC is that you can pay without knowing it. I am sure this is intentional by shops (makes impulse buy that much more likely), but as I have said (many times) before, if a credit card company voluntarily limits its own ability to get you into debt (which is where they make your money) you ought to start wondering why - here is that "why".

Even with a mag swipe you have some idea where you had the card in your hands to pay, ditto with a PIN, with RFID you do not and payments can be kept low enough not to show up on your bill, so you better get a wallet with shielding.

And, of course, RFID and CHIP do bugger all against Internet theft which must have taken over physical cloning years ago as it's so much less risk for the crims. I haven't checked, but given that databases are stolen with embarrassing frequency I reckon it must have happened years ago.

It doesn't help that the scaremongers talk of pocket swiping with NFC. But that only applies to close proximity of the cards, meaning the wallet has to be thin, and the pants have to be tight

In lab conditions you get to about 2 meters, in real life it's about 1 meter if you want a reliable one-shot read. You seem to confuse the deliberately bad receivers in the card terminals with actual limits of the radio technology in question. Indeed, in the early days of RFID it did happen often that people were paying who were still queueing and thus paid for someone else's goods (pretty much how thieves would like it).

By the way, leather or fabric does nothing to shield RFID, so good luck trusting your leather wallet and trousers. As far as RFID is concerned, you're naked...

I sorted out my latest credit card. Hold card to bright light, melt hole through induction loop. Problem solved.

The whole "remembering the pin" thing is apparently too complex for the average user

Ah. Finally an explanation why they still don't have sensible gun licensing laws. I knew we were missing something :)

The PIN will come later and is already an option for those of us planning to travel abroad and need it. That doesn't require new hardware beyond what's already going out. For right now, the Credit Card companies are content for the moment with preventing replay attacks using hacked databases (Target, Home Depot) or the PIN Pad switcheroo.

PIN

Not all. My Target credit card not only doesn't have a magstripe at all, but it's only chip+PIN. No signature accepted at all.

Re: Cruel and unusual punishment

Door card in same pocket as phone usually equals unreadable card. Also, hotel door cards are actually quantum devices, as they have three states:

1. Doesn't open the door

2. Turned over and doesn't open the door

3. Turned over again and does open the door.

USB plugs are another example.

Re: Cruel and unusual punishment

One hotel I stayed at I had to ask for two new cards in the same day and a new one on two subsequent days. I didn't keep the cards near my phone and while they were kept in the same pocket as my wallet they weren't toughing the magstrips on either of my cards and there's nothing magnetic in my wallet.

I've a feeling (backed up by Mythbusters) that the whole mobile phone causing issues (with magstrips and NFC and other RID) is a myth anyhow -- I just think that many people keep their various cards near their phones and that the cards are prone to failure and the two are unconnected.

Re: Door Access?

At my place of work, you have to have a swipe card for almost everything. Main building is coded as a G swipe. Want to get into the other block? You need a B swipe. To get into the secure animal facility, you need an X swipe. For the lift lobby, you'll need an L swipe. And if you're going to the toilet, better make sure you have an R swipe.

Re: Door Access?

Are you sure that you actually work there and are not just part (i.e. guinea pig) of a neo-kafkaesque experiment?

Re: "the Joliet-standard verbal password"

> The Rock Ridge extensions were much more reliable.

Personally, I like to Gordon Freeman extension to open up recalictrant doors.

Re: chip and WTF

Visa/Mastercard/etc are requiring terminals to do chip-and-signature

By which they mean those etch-a-sketch terminals with a stylus that produces a squiggle bearing no resemblance whatsoever to my signature?

Re: chip and WTF

"Trick is that small businesses will just keep accepting only magstripe, since the change-over cost has been made too prohibitive for their margins."

Here in Deepest South Florida lots of small businesses are now requiring Official Gubmint Pic ID be shown for every charge above $25, 'cause they don't have the new card readers, 'cause the new readers cost too damn much. http://www.mypalmbeachpost.com/news/business/deadline-for-new-chip-credit-cards-looms-but-are-r/nnnqP/

Re: chip and WTF

"Trick is that small businesses will just keep accepting only magstripe, since the change-over cost has been made too prohibitive for their margins."

The problem with this is that the "liability shift" being implemented in Oct. offloads the costs of a security breach from the issuing bank to the small business if they don't spring for the new kit and the card is compromised - basically whoever's payment network tech is "lower" gets stuck with the bill. So the potential cost of not upgrading is likely much greater especially since the swipe card will be the low hanging fruit as even a chip/signature card is harder to counterfeit than the old school cards. That shift wasn't mentioned in this article, but its the reason we are seeing a rollout of these devices actually happening in the States. The banks would have been fine with it, but the millions of POS terminals that required capital investment by a variety of large and small businesses were slow on the uptake, hence the boot in the arse. Mastercard actually said they were hoping it wouldn't actually end up shifting liability around, but would instead drive fraud out of the system...I guess we'll see.

Re: Redundancy

But isn't having a "back up" magstripe sort of defeating the purpose of switching to chip-and-whatever?