MasterCard to begin national rollout of swipeless RFID cards
by Marc Perton 
posted Sep 20th 2005 at 10:20AM
After months of testing,
MasterCard is preparing for a major national rollout of its PayPass swipeless RFID credit cards, and expects to have up
to 4 million of them in circulation by the end of the year. Like similar offerings from
American Express and
JP Morgan Chase, the cards can be waved at a retailer's
reader, eliminating the need for a "swipe" or signature. MasterCard and its rivals insist that the new cards are as
safe as traditional credit cards, and often point to the success of ExxonMobil's SpeedPass system as proof. Of
course, with over 4 million RF credit cards lining the pockets of American consumers, crackers may just find the
opportunity to test MasterCard's security too tempting to pass up.
Filed under: Wireless
Reader Comments (Page 1 of 1)
Charlotte Web @ Dec 19th 2005 1:37AM
So, a cracker with an RFID receiver could just walk around the mall and collect MC card information?
I hope they ship these things with a protective sleeve to block the transmission of RFID data.
Brian @ Dec 19th 2005 1:37AM
Maybe you could store it in your tinfoil hat.
icerabbit @ Dec 19th 2005 1:37AM
Exactly!
And how do you "sync" your swipeless card with the right register at the supermarket, gas station, etc?
Nige' @ Dec 19th 2005 1:37AM
Worst idea ever!
Still need to get your card out, so why not swipe it? At least people can't steal your details just by being near you with swipey cards!
Fats Vernon @ Dec 19th 2005 1:37AM
MARK OF THE BEAST! MARK OF THE BEAST! *snort*, ahem, 'scuse me....where was I?....oh, oh yeah.....MARK OF THE BEAST!
Let the comments begin...
Thank you
Fats
Hawkins @ Dec 19th 2005 1:37AM
Uh... Sorry, I don't understand. Why would ANYBODY want this? Ever?
What is the friggin' POINT?
blackf0rk @ Dec 19th 2005 1:37AM
I'm sure they'd put some type of encryption on the card so that only specific and legit recievers could access the information. But still - if it's digital - it will eventually be cracked. And I would not put any trust in that at all....BAD IDEA!
HY @ Dec 19th 2005 1:37AM
I don't see how this is more convenient or safe. Couldn't someone just walk around and make illegal charges to your card without you even knowing?
RBe @ Dec 19th 2005 1:37AM
Its not RFID proper... it is RF though. Its reciever initiated though, and its got a range of something like 6 inches.
(think those id badges at work)
If you had a portable, wireless, reciever for their custom system, i'm sure you could do it, but they'd know who you are most likely, since they'd give you the system.
yet another Matt @ Dec 19th 2005 1:37AM
Theres a lot of RFID bashing going on at the moment, but in London, we have had RFID cards on our transport systems now for a while, and ive not heard of a single instance of people getting into the system. OK, its not your life savings, but its pretty much untrackable.
On another note do you americans have chip and pin?
super_structure @ Dec 19th 2005 1:37AM
Thank goodness these are coming out soon. Swiping cards takes far too much energy. Think of all the new-found free time we'll have.
In all seriousness, this sounds like a whole lot of R&D and infrastructure for what might amount to the smallest problem in the consumer experience. I'd rather them have spent the time and effort in preventing people from trying to steal my identity using existing systems, rather than create new opportunities for criminals.
zoe @ Dec 19th 2005 1:37AM
If it is proximity card like # 9 suggests, hasn't that already been proven an easy to hack and crack technology?
http://www.hackaday.com/entry/1234000080041978/
http://cq.cx/prox.pl
I can't find the link I wanted but ^
Either if these become popular and replace swipe cards I'd suggest "modding" your wallet to include a tin foil lining.
andy @ Dec 19th 2005 1:37AM
A PIN would work great - until someone looks over your shoulder at the supermarket while you enter your PIN, then bumps into you on your way out to read your card with their reader.
At least now if I lose my credit card or my wallet, I have a chance of figuring that out before anything bad happens. Even if someone double swipes my card, I know to look for suspicious behaviour on my account. If someone steals my card's with an rfid reader, my first clue that something went wrong would be when the charges start showing up on my statement, if I happen to look for them.
As a consumer, I would never want this thing, and I would promptly cancel any credit card account that forced a card like this upon me.
Wil @ Dec 19th 2005 1:37AM
Sorry to be so picky. But it's spelled ExxonMobil not ExxonMobile (i work for them, and you get a lot of flack if you mess that up)
Hans Gruber @ Dec 19th 2005 1:37AM
Why not just use the Chip&Pin system like Europe has adopted? Surely we should be able to use the same systems worldwide?
Web Design Ireland @ Dec 19th 2005 1:37AM
Is it just me or is this system totally open to abuse? At least with chip and pin, if you loose your card, it cannot be wavedd in someones face to pay for something.
The Professor @ Dec 19th 2005 1:37AM
People, think . . . .
Who here has taken the subway in either DC or NYC? In DC you have a card with RF or a mag stripe card. Which one is easier? (NYC uses tokens so it's not really the same, but the card is RF). Anyone used Speedpass? That thing is great. Anyone ever had a store clerk go "oh it's not working, let me swipe it over here." Well, gues what? He's storing your numbers via the mag stripe. Also, the RF is read only, not write. It's a evolution not a revolution.
MGD @ Dec 19th 2005 1:37AM
SpeedPass has been proven to but utterly unsuccessful for security. They really shouldn't be pointing at it as an example.
The following is a report by Johns Hopkins University researchers describing how insecure SpeedPass is:
http://rfidanalysis.org/DSTbreak.pdf
digitaldame @ Dec 19th 2005 1:37AM
I don't think I like this idea...i feel more comfortable swiping and signing my name. It only takes 5 seconds more.
Michael @ Dec 19th 2005 1:37AM
#17: you are right on. I was going to make a similar comment about how the RFID would work. Chicago recently introduced a similar card and Singapore has been using this technology for at least a year now.
For those not familiar with this type of technology: you do not have to remove the card from your wallet but it does have to be in close proximity to the card reader. I do not recall SpeedPass pumps given free guess to me when the person across the station used theirs. But if passengers on the subway or in line at your local grocery store are particular close (and smiling), there is now a new reason to consider. The question that I have about the technology is whether someone could read and duplicate the signal. And can someone read and charge me for something without my knowledge. I do not want to want to find internet order charges during the time that I am on my way to work.
I would imagine however that the technology that goes into the reader is proprietary and names the merchant so that it can be traced back to who the reader was distributed to.
Alex @ Dec 19th 2005 1:37AM
As someone who has worked with one of the credit card companies offering this new RFID card, I can confirm... it's only capable of handshaking with an RFID reader several inches away. Also, RFID purchases are capped to a maximum of about $25 per transaction.
If you consider, this isn't really much different from small purchases you use your check/credit card for today. At gas stations, fast food establishments, etc. you aren't required to sign and reciepts are optional.
There isn't a huge incentive for customers to use one at this point, it's mostly just a small convenience. But for retailers, research has indicated that transaction time is considerably reduced and you can process a higher volume of transactions per terminal. For this reason, you'll start seeing these adopted pretty quickly.
emmanuel M @ Dec 19th 2005 1:37AM
Here I come with the same request again: CAN SOMEONE SELL ME A PORTABLE RFID READER DETECTOR?
These device emit a rather powerful magnetic field, so it should be easy to detect. If I had a gadget that beeps when I approach one of these readers, I would know if someone is secretly trying to read the numerous RFID tags on me, including my credit card.
If you know where I can get one, email me - I'm serious: emmanuelm-at-health-dot-nb-dot-ca
TAZ427 @ Dec 19th 2005 1:37AM
I think you'll find a rift initially between those who will RFID in the US and those who won't.
Many people are afraid of ID theft from using it. There's ID theft and then there's ID theft. The comon form is somebody gets your CC information and uses it to buy stuff, usually caught early and quickly and is an annoyance, but doesn't hurt you like REAL ID Theft does. Really ID theft is somebody gets a SSN, ID, Starts taking out loans, ... Then it's a long drawn out battle to prove who is the real Jane Doe.
The REAL ID theft isn't going happen with an RFID card. The simple ID theft (i.e. credit card information theft) is actually less likely than with the swip varity. It's so easy to hide a hand swipper any place and quickly swipe a persons ID when paying.
It's much more difficult to do this and crack a 128byte encryption key later to get the CC information so that it can be used to make a new card. And still once it's been identified that someone stole your CC ID, most intelligent people spot it on their first CC statement with the charges and the CC companies cover the charges.
That being said, I'd not have one tied directly to my bank account, but I'd love to have one for basic purchases. Having gone from swipe cards to RFID in our work badges, you see the benefits when going in and out of labs/buildings/parking areas and the same would be try for stores.
I'd keep only one CC with RFID and then I pull out my wallet at the gas pump and hold it up next to the reader. Not trying to figure out which way the card goes in the slot if the image has been scratched off (or is backwards) Not having to give the card + ID to a clerk (who could swipe the information as I've had done on a couple of occasions.)
TAZ
Elias G. @ Dec 19th 2005 1:37AM
I saw the readers for this the other night at a new Regal Cinemas movie theater.
-- Elias
icerabbit @ Dec 19th 2005 1:37AM
... and if you don't have to pull the card from your wallet: How does the system know which one of my 5 credit cards I want to use?
Big thanks to Zoe for the Hopkins University RFID; which proves in detail that RFID is less secure than I even though.
I vote for chip-cards with pins in the US. Unfortunately they sometimes are several years behind on the EU.
evo @ Dec 19th 2005 1:37AM
I'm all for RFID-enabled cards, but what happens when you have several of these in your wallet? There goes the convenience of not taking your card out of your wallet to use it. Once you have to take the card out, it's only slightly more annoying to "wave" it through a slot.
Honestly, this sounds like more of a novelty to entice customers to switch to this card for the short time it takes everyone else to catch up. Once that happens, we're back in the same boat convenience-wise.
Jeff @ Dec 19th 2005 1:37AM
No, purchases are NOT limited to $25. I have an AmEx with this feature, so I say this from experience.
Also, nobody is going to read the card unless they are pressing up against you. Even if it is read, they have to crack the encryption. Even if they do that, they don't have your account number that can be used online like the embossed number. The number used when you RFID scan is different. Wouldn't it be easier to just break into the CC company's database? Or Amazon's, or PayPal's, etc???
Doug @ Dec 19th 2005 1:37AM
Thanks #23. Personally, I want one of these. I think the SpeedPass is the nicest thing since sliced bread. If I could get rid of my wallet and keep my credit card on my keychain (hello speedpass) SIGN ME UP. As far as someone stealing my credit card number... who cares? It's my credit card company responsible for it, not me.
From the article: "Ruth Ann Marshall, Americas president for MasterCard, said that Citibank, HSBC and Key Bank had all begun offering the cards" apparently nobody at Citibank got the memo, as this is the response I got when asking for one of their new RFID cards (and got another similar response when I called):
"The product that your are requesting is a speed pass. It is only available with Exxon Mobile cards to work with gasoline stations at the current time. No further information on this product being expanded is available at this time."
Maybe if I told them I was an Engadget reader they would not insult my gadget-ness by explaining what a speedpass is...
Jerusalem @ Dec 19th 2005 1:37AM
encription is just not enough! a team of two people with a simple set connected readers could do as follows: a person uses a card detector to locate a "mark" in the line that has such a RAIF card in his pocket. he then places a reader/transmitter next to his wallet (using an anntena he should be able to do this from a distance much larger then 6").
a secound person now goes to the cashier, and uses a devise inside his wallet that gets the chalenge from the chseare, sends it to his buddys devise, and this devise in turn sends the chalenge to the poor mark's wallet. it reads the answer, sends it to #2's device, and this sends it back to the cashier. no decription needed, no fuss, and very hard to trace. And all it really takes are a pair of RAIF readers and a bit of short range communication.
Rob @ Dec 19th 2005 1:37AM
Think of a antenna portal that you walk thru, you would not even have to pull your wallet out at the check out line...Your face/profile would appear on the screen for clerk to verify that- Yes it is you....and all store bought items that are also taged with small rfid tags will automaticly be scaned and added up and chraged thru the rfid credit card.
Binary89 @ Dec 19th 2005 1:37AM
If they decide to use a thick cypher like 128bit AES it should stop hackers.
J3bu @ Dec 19th 2005 1:37AM
Oh dear, they're gonna regret this!
EECore @ Dec 19th 2005 1:37AM
To 31, yes, but for how long?
People are getting too lazy, what happens if, by chance, someone walks past with their AmEx card out? Do they get charged instead of the customer?
IMO it has too many possible flaws to be a good idea at this time.
frankie @ Dec 19th 2005 1:37AM
Chip and pin is not the great thing that a lot of people seem to think all it does is ship the respoceabilty from the shop keeper to the customer if money disappers out of your account then its up to prove that you never gave anyone your pin number an almost impossible thing to do, also the technoligy has been around for years to put your photo on your card that would be much better ,...