Amex to include RFID in all new Blue cards
American Express has announced that it will add the ExpressPay RFID-based payment system to all new Blue cards issued by the company. The ExpressPay card will also be tested in select branches of a number of chain stores, including 7-Eleven, CVS and Ritz Camera. The feature, which is already in the test phase, is similar to the "blink" card being tested by JPMorgan Chase. Like Chase, Amex says the ExpressPay system is as secure as traditional charge cards, and the company provides its standard fraud and theft protection as well. Not that we don't trust you or anything, Amex, but excuse us if we leave home without it for now.

It's not like they don't already know everywhere you're using the card already, so what's the problem?
It seems that credit card fraud in the 21st century is going to involve a high gain directional yagi antenna and a good radio receiver.
What am I missing here? Why would we want this?
You want it so that when you buy stuff you can wave your card near the reader instead of moving it down about 2 inches more and sliding it across the reader. That is why you want it. I thought that was totally obvious jeez. The increased security threat is totally worth the extra effortless buying you will receive.
This is cool.
I have an Esso SpeedPass - basically a little keychain that allows me to pay for gasoline simply by swiping it on the gas-pump. It's great. I assume this is the same thing. Instead of using the magnetic strip on the card, just use the wireless RFID tag.
The fact that this card might be hackable really doesn't bother me. You have to understand something about American Express. They have a best-in-industry 0-liability fraud policy. What this means is, at the end of the month, I visit my online statement and if I see fraudulent charges I simply click a box and report them. The charges are then removed from my statement and I don't pay ANYTHING until THE MERCHANT provides proof that the charge is legitimate. So, basically the burden of proof is on the merchant not the consumer. Unless the merchant can prove that the charge is legitimate, I don't pay.
So, is it a smart move for American Express to roll out this kind of system considering the possible security implications? Possibly not. But then again, think about it. The 3 test venues, 7-11, CVS and Ritz Camera (never heard of Ritz Camera) are not the kind of place where you are going to walk in and wave your card to purchase a 10k dollar plasma TV. I highly doubt those places will ever allow these "wave" transactions and even if they did they would require the CCV2 number which (presumably) is not encoded on the card. The worst possible attack a store like CVS/7-11 could experience is possibly someone purchasing a lot of Prescription or OTC medication with the card. Both of these attacks can be mitigated by limiting the "wave" transactions to, say, 20$, anything more requires a swipe.
Quite simply, I really don't think this is going to increase fraud, if anything it has the potential to decrease fraud, since a percentage of fraud occurs by cashiers swiping cards through some kind of reader that captures your CCN without you seeing it and this would presumably eliminate this type of attack.
I can't wait for this... plop down thousands of tech goodies from my local store on the counter, then call my unsuspecting, RFID-bearing credit card holding friend over. I do believe a push in the right direction, and I've just max'd out his card :)
I think some of you are missing the point...
a) There is more stored on the magnetic strip than just the card number. Presumably all of that info will also be stored in the RFID chip now. This includes your name, address, and other info. (One piece of info that isn't on the magnetic strip is the "security number" that a lot of online merchants now ask for - that's why they ask for it.)
b) You have never needed physical possession of a card to purchase items with it, or to open other accounts with the info you have fraudulently obtained. All you need is a phone.
c) All you need to steal personal info from one of these cards is to be in physical proximity to it. Stick an RFID reader in your pocket connected to a PDA and walk around the city; get home and see what you've got. Hacking couldn't be any easier!
Sure it's encrypted, blah blah blah. You know what? So are DVDs, and we all know how that turned out.
I'm wondering if you can't just scratch out/destroy the RFID tag on these cards so they no longer work, and then just use them like a regular card.
Perhaps if you microwave them? Hey, it worked for 20$ bills
I too, don't see the point of "waving" vs "swiping."
I guess it's slightly more convenient, but you still need to physically confirm your purchase somehow, whether entering a PIN or signing.
Otherwise, you'd be "buying" stuff just by walking past a POS terminal.
Damn system removed my HTML link.
Makes my previous post less funny, but here's the relevant link if you don't already know it
http://www.prisonplanet.com/022904rfidtagsexplode.html
Can we PLEASE stop confusing RFID with contactless/NFC technology?! They are NOT the same!
RFID has a range measured in feet. Contactless chips can only be read from an inch or two away. Huge difference.
A criminal couldn't just walk down the street and grab all the card info from people near them.
Now, they could bump against your wallet in the subway, for example, and "read" your card, but that's different from being able to read a whole subway car worth of wallets at once like you could if this was RFID...
Keep in mind that the contactless payment systems are currently being oriented toward low-value transactions (i.e. under $25). With transactions of this size, you can swipe and go. However, depending on the merchant and issuer, the threshold can vary and anything above the threshold may still require a signature.
Transactions of the $25 size are typically made in stores like 7-11 or CVS or Ritz (for photofinishing).
#8 I doubt your personal information is stored on the card. Last time I changed my address, the credit card company didn't send me a new card. I'm guessing it's just a hash string generated from the account #, last name, exp. date and maybe some other unique number tied to your account.
Does the RFID just transmit all of its data whenever it's requested? Shouldn't there be some kind of pin number sent to it? I think that would be the fastest way to confirm a purchase and un-lock/decrypt the rfid info. Of course, a hacker w/ a reader could be standing right next to you when you transmit this pin. Hopefully there's a way for the store to detect these readers.
As for the data stored on the RFID chip, it's encrypted (typically 3DES) and decoded at the terminal.
Depending on the merchant or issuer, they may require physical card verification (either numbers, or signature).
I think it's great that issuers are looking at various ways to improve current payment methods. Just look overseas and how far advanced their payment technologies (smart cards, contactless, rfid, cellular) are relative to the US.
I think the problem with this is that it's attached to your personal info. In Hong Kong they have the "Octopus Card" that works on all public transportation, at convenience stores [you can pay with and put more money on them there] and vending machines. It's a prox card so you can just hold your wallet/purse near the sensor and it works. It's also completely anonymous.
The reason it works is that it's intended for small transactions and is easy to replace, lend to a friend or whatever. The card itself costs HK$50 [about $6] which you can get refunded along with the money that's left on it.
I don't know the tech details behind it but it's by far the best "electronic cash" system I've ever seen.
#7, #8 etc: Why do you morons feel compelled to comment on this when you don't understand how it works? Google is your friend, use it.
What most of you are missing is the marketing aspect of the embedded RFID. Stores, with the help of AmEx, can easily set up RFID readers at their entrances. Right next to the detectors that detect shoplifters.
You walk into Best Buy and AmEx knows, even if you didn't buy anything. Next thing you know AmEx sells this data back to Best Buy and suddenly you start getting junk mail. Again, without buying anything.
Give me the old fashioned magnetic strip, at least then I know when I'm getting screwed.
But this problem's easily solved. Just pop the card into the microwave for 5 seconds -- POP -- no more RFID.
Firstly, address information is NOT stored in the credit card strip. What is stored in Blue cards are: Full name, card expiration date, and card number. All of this info is printed on the face of the card, along with the 4 digit security code (3 on visa/mc)
Secondly, let's say this does take off... when we have our chase card and our amex card in our wallets (and all the others eventually), doesn't that mean that the card-readers will get confused when they receive multiple numbers? We're going to have to get shielded wallets to mask the card(s) we do not want to use, meaning when we want to use the card(s) we'll have to physically remove them. Seems like a waste. Anyone have any answers to this dilemma that I foresee?
I've got a one up on all your tinfoil hats.
That card has my birthday on it!
How did they know?
I've been using Express Pay since about November. It's quite handy for small purchases such as lunch/coffee, and saves you carrying loads of money around with you at work.
Slightly annoying that the terminals don't really provide a significant audible/visual cue when you successfully scan your card/fob - you are left looking confused for a few moments whilst you wonder if it scanned or not.
Interestingly, due to the operational costs of maintaining the infrastructure, the kind of payments that these things are designed for (sub $10) actually cost the company money, as opposed to generating income, just like if you used your credit card for such a small amount. In essence AXP are using it as a loss-leader, designed to provide another incentive into getting an Amex card and then buying big expensive things with it!
I'm tired of arguing with privacy morons, I'm going to resort to name calling...
Noise, you're an idiot. Now go back to your underground bunker.
Forget encryption. Any good hacker worth his/her salt can decrypt DES encryption. Has anyone heard of frequency hopping spread spectrum? That's the stuff good RFID tags are made of.
Just saw that my local gas station had these readers on their counters tonight. Looked like a cheap plastic box labeled w/both the American Express & MasterCard logos on it. Might test it out, when Chase & Am-Ex get around to mailing out my replacement cards. Honestly though, I don't see much benefit, other than saving a cashier the extended effort of physically swiping the card.
Adam,
I know you were properly joking when you posted that link but didn't it occur to them the popping noise is just the metal strip in the banknote sparking like if you put an aluminium lined juice carton in the microwave. The heat causes the paper to singe/ catch fire.
How does that prove the presence of an RFID chip?
Well, looks like some people just don't do research:
Research has shown RFID and Smart-Card chip transactions have almost KILLED credit card fraud in countries that use them instead of strip cards, such as the UK. In the UK, they have it to where if a Merchant doesn't have a smart card terminal by a certain date, all fraud originating from them becomes their responsibility. Because of this, almost all merchants are smart card ready, and don't use the strip. This makes it impossible for thieves to steal your card, since a PIN is associated with it, much like debit in the US. In fact, people who steal cards in the UK are known to go over to France or another country to use it, since that is nearly the only way to access a mag strip terminal! Talk about hard to hack! And AS FOR SECURITY, this is another one where many of you are morons. The card is encrypted and decrypted by a key stored on Amex's servers, this is nothing like your little DES and WPA for your little 50 dollar wireless router, this is serious s%$t. Therefore, the only people that could possibly hack the cards are those at Amex corporate, and if that happens, I'm sure that's the least of our problems. So as you can see, your arguments to security are utterly useless. Everyone else has moved away from the old Mag strip, it's about time that the US gets outta the stone age and does the same, embrace technology, don't kill it with your stubbornness.
Adrian,
The ExpressPay from American Express has no PIN. Just wave it in front of reader and off you go.
And to correct you, it's probably a challenge-response system just like they had on the previous blue (smartcard). Whilst the security of the transaction is quite high, depending on implementation, it could have vulnerability beyond theoretical security. That is why there is a lot of concerns because people could be attacking you without your realizing.
But like I said, this system requires no ID or no signature. It's not very comforting to know that if physically stolen, they won't be hindered in using it.
https://www124.americanexpress.com/cards/loyalty.do?page=blue.expresspay.learnmore
If you read the literature, you'll see that they market it as absolute no hassle payment. This means no hassle for pickpockets as well.