Poll: Should I use my new blink card?
So on Friday I got a little something in the mail: a brand new "blink" Visa card from Chase Bank. We first heard about the blink card six months ago, these are new credit cards with built-in RFID chips that let you pay for stuff by waving your card at a point-of-sale terminal instead of swiping it through a card reader, supposedly/possibly saving you precious seconds of time during checkout. They're currently rolling out the blink card in different parts of the US, and even though my old Visa card isn't set to expire for another couple years, the good people at Chase decided to send me one.
There's only thing: Should I actually use the card?
Hate to be one of those tin-foil hat types, but the stuff Ive been reading about blink and other RFID payment systems (at least the stuff that isnt corporate PR propaganda) isnt exactly reassuring. Heres what HowStuffWorks has to say about blink:
There have been reports of problems in the testing of contactless RFID credit cards, however, that lead to additional security concerns. In some cases, if two or more terminals were close together, not only did both terminals read the card, but the read range of each terminal increased to as much as 30 feet (9 m). Even if the terminal is operating within the proper range of 4 inches, some people are worried that they could accidentally walk too close to a terminal and end up paying for someone elses purchase. The simplest safeguard against this is probably merchants positioning the terminals in such a way as to make this unlikely.
The worst case scenario involves someone getting their hands on a blink terminal and modifying it to increase the range. Potentially, someone could set up the terminal at a crowded location and collect the credit-card data of anyone who came within the terminals read range. This probably wont be a concern at first, since few terminals will be available, but if the technology matures, blink terminals could fall into the hands of criminals.
So far the security risk seems mostly theoretical, but Ive already had my identity stolen once and am not very eager to go through all that again (plus Id prefer not to have to carry my credit card in a special RFID-blocking metal sleeve). Should I cut up the card or am I being overly paranoid?
Reader Comments (Page 1 of 2)
Chris @ Dec 19th 2005 12:21AM
This is marketed as a more convinient way of using your charge car, possibly even as a time saver. But when it comes down to it, its another excuse to use your Visa card. First of all the novelty will no doubt increase the usuage of these cards over the traditonal Visa card for a few months. Secondly, the added convinience will give users another reason to use their "blink" card in situations where they really don't necessarily need to.
In my opinion, the blink card is another step by Chase in their quest for world domination. Be careful, very careful.
TIMMAH! @ Dec 19th 2005 12:21AM
Well I hope they've developed some good security around these cards. The Mobile Speedpass has been shown that it can be hacked and spoofed. I do see that they'd be valuable in that my magnetic strip is always wearing to the point where I have to request new cards, and there's always the reader here and there that won't read cards reliably. I do think you'll still be required to open your wallet though to show ID to use the card.
Julien @ Dec 19th 2005 12:21AM
German universities have been using a similar thing for some time in the cafeterias. It's not a bank card, it's a card explicitly for cafeteria usage. However, it works in every university cafeteria within the city and on most vending machines in and around the university, too.
The first difference, though, is that the card has to be very close to the receiver to make your payment. You have to place it on a special terminal. It's cool, you can leave it in your portemonnaie (some people left their card in their moneybags so long, that they have problems finding them when they want to actually get them out for whatever purpose) but you have to place your portemonnaie onto the terminal.
The second difference: it's prepaid, and it's dedicated to a special purpose. The (small) amount of money on it is already paid to central cafeteria billing and you can only pay food with it.
A bank card? Nah, there currently still seems to be too much risk. Not yet.
e @ Dec 19th 2005 12:21AM
I don't think there too much risk in that (1) the cards are relatively low power and need to be in close proximity of the reader, (2) there's no credit card data stored on the card itself (there are encrypted codes that are sent to the reader. The reader decrypts the codes, but needs to relay those codes through to the processor in order for the transaction to be charged and approved.) I have paypass from Citi and it works in the same manner, except that they use a keyfob.
Duncan @ Dec 19th 2005 12:21AM
I'd be a little worried about it, at least until I understood it better.
Anyway, I'm not going to be using that kind of technology until it's conviently merged into my cell phone so I don't have to carry my wallet around anymore. I hope by that time, my knowledge of this technology will be better.
bryan @ Dec 19th 2005 12:21AM
i would. its their problem if money is somehow stolen, and since youre one of the first ones (and write for a huge blog) they would probably be quick in getting stolen funds back to you. plus it would be kinda cool to be able to just wave the card to buy stuff.
Jeff @ Dec 19th 2005 12:21AM
I think the question is whether you have a choice. Will Chase let you continue to use your old card? Last time I had a bank send me a credit card uninvited it was to switch my Visa to a Mastercard. So now I have two Citibank Mastercards and no Visa, which is pointless. I called to tell them I didn't want it and they said "tough, we're not using Visa anymore."
Usually if a bank just up and sends you a card, it's because they *want* you to *stop* using your old one and start using the new one. They may not even allow you to keep your old one, even if the expiration date is not for a couple years. Banks have a lot of leeway to do stuff like that.
Of course, the solution in that case is to just cancel the card and get another one somewhere else.
e @ Dec 19th 2005 12:21AM
PS- and I believe all of the contactless payment methods all have a cap ($25-$50) on the transaction amounts that don't require signature.
CH @ Dec 19th 2005 12:21AM
Cut it up (although is cutting it up sufficient since it has an RFID tag?). The incredibly minor benefit is not worth the rather substantial annoyance (if your credit info is hijacked).
spiralscratch @ Dec 19th 2005 12:21AM
Is there any labeling on the card or other way to identify that a RFID chip is present?
I don't see any obvious hints to this on my card, so thankfully it looks like I don't have one of these.
Zack @ Dec 19th 2005 12:21AM
I voted against, but not for the reasons given. I'd say don't use it because it's a completely pointless security risk. Scam artists won't be prevailant till the cards are, but if it can be hacked it will be, eventually.
It might not be as big of a security risk as some people are making it out to be, but honestly, how much of a risk is it worth to wave a card 4 inches from a device rather than slide it through a scanner?
Given the imprecision of the range of the scanners, I won't even be terribly surprised if it's more of a pain in the ass to use in some ways than the very precise act of sliding a card through a scanner.
My guess is, this will end up about as "convenient" as the touch screen number pads on the ATM machines at Safeway, which are so lousy at detecting fingers that you have to use the little plastic pen they give you instead.
Duncan @ Dec 19th 2005 12:21AM
Sounds to risky. Don't do it! I'd wait till the technology is more secure.
Nobuyuki Idei @ Dec 19th 2005 12:21AM
"Portemonnaie" sounds gay.
Anyway, the bigger question is, why do banks want you to use it? How is it more secure, or in what possible way does it save the bank money? Any ideas?
Nymaz @ Dec 19th 2005 12:21AM
I think Chris in #1 hit the nail on the head. Is the ~1 sec difference in "pull your card out of the wallet and hold it near the scanner" and "pull your card out of the wallet and swipe it" that much of a convenience especially when compared with the huge security risk? It's like someone suggesting it'd be better to leave our cars unlocked and running in the parking lot for the convenience of not having to deal with unlocking and starting.
This is purely for the neato cool factor which I admit I will often fall for, but definately not this time.
Duncan @ Dec 19th 2005 12:21AM
I think it would be more secure if it only worked when your finger/thumb was on the card/phone in a specific place.
Zed @ Dec 19th 2005 12:21AM
couldnt someone just make one of those readers except on a 30-40 feet radius and stand at the entrance from a mall and steal all numbers
oBLIQUE @ Dec 19th 2005 12:21AM
I say if you have time to wave the card its about the same amount of time to swipe it the old fashioned way and also much safer.
PeterG @ Dec 19th 2005 12:21AM
How lazy and weak have we become? Swiping is now too hard. The friction of pulling the card through the grooves is just to much for some people to overcome? Sheesh.
Ghostshark @ Dec 19th 2005 12:21AM
Here's the Chase blurb about it:
Q: How does blink work?
A: Chase cards with blink include an embedded chip and an antenna, which allows for payment information to be read over extremely short distances by a reader at the point of sale. The chip holds the same information that the traditional magnetic strip does. To use a Chase card with blink, the cardmember simply holds his/her card bnear an enabled point-of-sale terminal at checkout, rather than swiping the card or handing it to the cashier. Moments after the cardmember holds his/her Chase card with blink near the terminal, the point-of-sale terminal will emit a tone and a visual indicator lights up, or "blinks," to signal payment confirmation. All other aspects of the transaction are handled in the same way as a traditional credit card transaction.
Q: Can I be charged twice?
A: No. This card will not send two transactions. Just like when using a traditional credit card (which sometimes gets swiped numerous times), the consumer will only pay once.
Q: Will consumers receive receipts for their purchases?
A: Yes. Consumers will receive merchant receipts for their purchases.
Q: How safe are these transactions?
A: As safe as the credit card you use every day. Chase credit cards are designed to meet the company's stringent security requirements and those of the payment industry. Chase has an excellent record when it comes to keeping its cardmembers safe.
Over 1,300 people work to detect and investigate fraud at Chase.
Chase prevents approximately 80% of fraud before it occurs.
Consumers have an approximately 25% less chance of experiencing fraud with a Chase card than other credit card Issuers (source: Visa).
Exceptional fraud performance does not come at an extra cost to customers.
Q: Are consumers protected against fraudulent activity?
A: Cardmembers are 100 percent protected from any fraudulent activity through Chase's zero liability policy. They are not responsible for any fraudulent charges on their account -- not one cent.
Q: Can these cards be tracked?
A: No. The cards do not emit power or a signal on their own. Nor do they have a battery.
Q: Can a fraudster read the card in a cardmember's back pocket or purse?
A: Chase cards with blink employ dynamic encryption technology to mitigate attempts to illegally obtain card data.
Q: How are the transactions processed?
A: Chase cards with blink are processed through the same secure payment network as magnetic-stripe transactions and are treated the same as all Visa transactions with regard to security and fraud protections.
Steve Pick @ Dec 19th 2005 12:21AM
Get a tinfoil wallet. No seriously, make a foil pocket for the card in your wallet. It should 'foil' any malicious attempts to read the card info.
Chuck @ Dec 19th 2005 12:21AM
Hah. I got my "blink" card on Saturday (also in NYC...). Anyway, I called Chase to ask about it and was assured by the genious who answered that the blink "laser" had to actually see the card, just as the "laser" in current card scanners do. So, he told me, there is no chance that someone could steal my credit card information with a modified scanner as I walk through, say, Times Square. "Laser," you ask? Yeah, that's what he said. Whatever. I haven't yet decided if I will keep it. He did say that I could request a non-blink card if I want.
Responses to a couple of points raised by earlier comments:
1) Yes, the card indicates that it is a "blink" card (i.e., it says "blink"), but it doesn't indicate what "blink" is or specifically note that it has an RFID chip in it.
2) The limit for "blink" transactions is $20.
redoc @ Dec 19th 2005 12:21AM
Its fine, and will make things easier, if I understand it correct. I always have a heck of a time getting the cardreaders to work, usually have to swipe at least 2 or 3 times before it actually reads it correctly. Plus there is the issue of old readers where you have to swipe it the right way, on the right side. All this is gone with RFID. Can it be hacked? Yes. Can Credit Cards be hacked? Yes. I don't think it will make a difference in security. Sounds like you need to modify the readers to do any damage, and hey, if you modify a regular reader you can have it save the info just like this could, so whats the big deal.
Killian Gray @ Dec 19th 2005 12:21AM
I don't think the security risk is real.
apogee @ Dec 19th 2005 12:21AM
Use it like a normal credit card, unless you want to make a statement to Chase by cancelling it.
This happened to me a few months ago when Chase bought BankOne ( I was a bankone customer ). My BankOne card became a Chase Blink.
I mooted the rfid issue with a dremel... took me about 1 minute and most of that was finding where i'd stored the dremel.
For the record, on my card, the chip wasn't in the location you might think based on the little concentric arc logo on the back. Looking at the back, it was about 5mm below the magstrip and 20 mm in from the right edge. You can see the little square indentation pretty easily. It didn't overlap any other functional aspect of the card (signature strip, magstripe, embossing, hologram, etc).
Chris McDowell @ Dec 19th 2005 12:21AM
not any easier or convinient but way more chance of credit fraud. Your call
Alex K. @ Dec 19th 2005 12:21AM
HEY i got an idea!
why not make it so that the card has a tiny button on it so that in order for you to make a purchase you push some kind of button on the card to activate the RFID chip in the card so you know for sure that you aren't paying when you shouldnt have to
they should make the cards like that.
althouhg i dont get the point of the cards in the first place. you still have to take the card out of your wallet, so you might as well swipe it instead and it would be more secure.
Bob M @ Dec 19th 2005 12:21AM
I personally would not use one of these, there is no security on the transmission of the data across the area.
Quite a few people seem to get worked up about RFID, but it is not new technology at all... it is basically the same technology as the proximity badges used on buildings for the past 15+ years and they are notoriously easy to nab from nearby.
Just imagine some lady with a purse whose only contents is a reader, storage device, and battery for reader/storage. Now she just accidently bumps into you on the way past you and has your card numbers.
I will take the swipe any day, just make sure you are using it at a reputable store.
MR @ Dec 19th 2005 12:21AM
Banks have a lot more to lose from poor security than does their average customer, so they've probably done a little bit of thinking about it. RFID is here to stay as much as ATMs were a few decades ago. Like ATMs, younger folks will adapt, older folks will stay away (or wrap their wallets in foil).
MrHoju @ Dec 19th 2005 12:21AM
This is just another variable that you have to worry about in an already full list of concerns.
Just think about the time saved vs. the potential time required to straighten accidental charges, fraud, or stolen identity.
This is just not worth it.
Steve @ Dec 19th 2005 12:21AM
My AMEX had this tech for over a year. Noone has hijacked it yet... I'm thinking someone with a reading device could do the bump-steal-the-wallet-move and not have to steal you wallet like a true criminal, just get close enought to speedpass your hip.
Dr. Benway @ Dec 19th 2005 12:21AM
It's a good thing the bank didn't have to divert scarce resources to putting a photo onto a credit card to reduce fraud. That would have been really hard and a total waste of time.
No, this sh*t is really worth it.
Sam @ Dec 19th 2005 12:21AM
wait. hold up. what if someone gets your card. doesnt this make it easier to steal if u dont get a signature and stuff?
olderty @ Dec 19th 2005 12:21AM
I equate the security risks of RFID to Bluetooth. Rare, but definately possible.
Here are plans to make your own RFID spoofer:
http://cq.cx/prox.pl
Robert @ Dec 19th 2005 12:21AM
Do you still sign your receipts or does this new system not require it?
falcom @ Dec 19th 2005 12:21AM
You're personal value per hour: $6 (average over 24hours in a day)
Value saved by using RFID vs Swiping: 1 second, or $0.16.
Getting your identity stolen in less the 1 second: PRICELESS.
InSaNeBoY @ Dec 19th 2005 12:21AM
Well my bank has decided to change over to the mastercard 'pay pass' system. Which is the same as visa 'blink'. I don't want one, but the bank said I had to use it when i got it. Because of this I'll be changing banks at the end of the month.
Patricia @ Dec 19th 2005 12:21AM
Don't be their guinea pig. Wait 'till the techhnology matures.
Mike @ Dec 19th 2005 12:21AM
Don't use it. I don't see a reason to. How much time is it really saving you?
Shawn Rutledge @ Dec 19th 2005 12:21AM
They ought to require a PIN; that would solve the problem.
Jon @ Dec 19th 2005 12:21AM
Woah? This is news? AMEX has been giving out ExpressPay (same standard) for more than 4 months on all their new Blue cards (go to their website and see their pictures). The readers have shown up in Meijer, all McDonalds around MI, and 7-11s. The range, in free space, is about 1 inch. I can't get it to read through a wallet. In practice, you have to touch the card to the reader and hold it for about three seconds.
The system uses the exact same hashed challenge-response system they use on smart cards (EMV Online standard), so it can't be cloned. RFID transactions use a separate RFID-only number anyway. Somebody would need a RFID-authorized merchant account to use a long range reader exploit, and even then, remember that the bank holds their money for them in their merchant account. Excessive RFID chargebacks=instant fraud investigation.
e @ Dec 19th 2005 12:21AM
#29- you don't sign anything unless your purchase exceeds a specified limit (blink is $20, amex and citi may have higher limits).
If you consider that you don't have to sign and all they give you is a receipt, there is an added convenience factor. Whether that translates into time savings and less lines we'll have to wait and see.
Richard @ Dec 19th 2005 12:21AM
What a lot of people above have no idea about is that it's not about the difference in time you save by "blinking" versus swiping!
The time you save is that the transaction is almost INSTANTLY approved!
No waiting for "APPROVED" to show up on the screen. No waiting for mom and pop shop to dial out on their modem to authorize your card.
And that's a HELL OF A LOT of time you save doing that.
Blink transactions MUST be under 20 bucks or you have to physically swipe the card. There's a reason for this: it limits the liability of the bank in case of fraudulent transactions... you think the bank's computers aren't programmed to watch for a flurry of sub-20 dollar transactions on your card? Of course they are! Not to mention that you'd need a retailer in on the scam! And the banks watch for that, too!
Stealing the RFID number is USELESS unless you can tie into the bank's system. Unlike a regular credit card number... The RFID number is not the same as the CC number.
People really need to understand the technology before they talk about why it's so evil.
I just ordered my Blink card, I can't wait to get it.
I'm originally from Toronto, where a company called Dexit has been running something similar with a keyfob for a couple of years; buy a cup of coffee, swipe, leave. 2 seconds or less approval. Works great. Saved me tons of time fumbling for change or cash and waiting for change back. Swipe, beep, done.
nick Bonadies @ Dec 19th 2005 12:21AM
http://static.flickr.com/18/70618187_965dc4b568.jpg
crappy phone cam pic!
Richard @ Dec 19th 2005 12:21AM
P.S. If the Blink terminals run anything like most other instant pay systems, they have a T-1 or ISDN (I'm leaning on ISDN, cheaper) directly connected to Chase's server network... just in case anyone was interested about the backend...
Robert Schwartz @ Dec 19th 2005 12:21AM
Do you suppose a tinfoil wallet would help?
Shawn Rutledge @ Dec 19th 2005 12:21AM
I think the problem this solves is not that swiping is so hard but that the mag stripes have a tendency to wear out or get demagnetized by accident. My debit card usually doesn't last much more than a year and at some places they always have to do the plastic bag trick (anybody even know why that trick works?) I will be glad to have it replaced with something more robust.
Mag stripes are also easy to read and write, whereas a chip can have built-in encryption hardware.
So IMO using a smart card to replace the mag stripe is a good idea, but if they can't secure the RFID data link, and require the user to authorize each purchase, then they could always go back to contact-type smart cards.
I figured since chip-and-pin is the standard in the UK now, that it would be here as well soon.
Dave @ Dec 19th 2005 12:21AM
#25: You're giving Chase too much credit.
Paul J. @ Dec 19th 2005 12:21AM
Key is doing this too with their debit cards. I think it's retarded. How is it more convenient to take out your credit card and tap it to the pad than to just swipe it on one of those readers they use now?
Al Scagnetti @ Dec 19th 2005 12:21AM
How is it possible that readers of this blog are a bunch of knee-jerk reactionists that are drumming up potential problems without considering the existing ones? Did 60 Minutes or Dateline instill fear when I wasn't looking?
I suppose none of you have ever handed your credit card to a waiter or waitress? None of you have ever doled out your card number to some faceless person on the other end of the phone? Let's get serious here. They've instituted a maximum transaction limit on these things, and you're probably not liable for theft - just like if your DC/CC were stolen today. Gawd...
Scott @ Dec 19th 2005 12:21AM
It think this new blink swiping might be adopted by some older people who have memory issues. My Mom sometimes forgets her Pin Number(shes old) and this would solve those issues on purchases under 20 dollars, like the newspaper and food.