Poll: Should I use my new blink card?
So on Friday I got a little something in the mail: a brand new "blink" Visa card from Chase Bank. We first heard about the blink card six months ago, these are new credit cards with built-in RFID chips that let you pay for stuff by waving your card at a point-of-sale terminal instead of swiping it through a card reader, supposedly/possibly saving you precious seconds of time during checkout. They're currently rolling out the blink card in different parts of the US, and even though my old Visa card isn't set to expire for another couple years, the good people at Chase decided to send me one.
There's only thing: Should I actually use the card?
Hate to be one of those tin-foil hat types, but the stuff Ive been reading about blink and other RFID payment systems (at least the stuff that isnt corporate PR propaganda) isnt exactly reassuring. Heres what HowStuffWorks has to say about blink:
There have been reports of problems in the testing of contactless RFID credit cards, however, that lead to additional security concerns. In some cases, if two or more terminals were close together, not only did both terminals read the card, but the read range of each terminal increased to as much as 30 feet (9 m). Even if the terminal is operating within the proper range of 4 inches, some people are worried that they could accidentally walk too close to a terminal and end up paying for someone elses purchase. The simplest safeguard against this is probably merchants positioning the terminals in such a way as to make this unlikely.
The worst case scenario involves someone getting their hands on a blink terminal and modifying it to increase the range. Potentially, someone could set up the terminal at a crowded location and collect the credit-card data of anyone who came within the terminals read range. This probably wont be a concern at first, since few terminals will be available, but if the technology matures, blink terminals could fall into the hands of criminals.
So far the security risk seems mostly theoretical, but Ive already had my identity stolen once and am not very eager to go through all that again (plus Id prefer not to have to carry my credit card in a special RFID-blocking metal sleeve). Should I cut up the card or am I being overly paranoid?
Filed under: Wireless
Reader Comments (Page 2 of 2)
Tony @ Dec 19th 2005 12:21AM
That whole problem with those readers "extending the range" of the card to 30 ft. reminds me of something I read a while back about proximity cards. See http://cq.cx/prox.pl
The card had to be close to the reader because the reader sent out a weak signal to activate the card, but once the card was activated it sent out a very strong signal. Of course, the author of the web page was able to build a device to capture and reproduce the prox card IDs. Scary stuff if the blink cards are anything like this.
Tom @ Dec 19th 2005 12:21AM
I agree with #48 -- I think Blink is the least of our worries with respect to identity theft. Of the 10 million victims of identity theft last year, how many do you honestly think were from some technologically savvy theif loitering at a Mobil gas station with a scanning device waiting to snatch people's SpeedPass numbers?
Because of misinformation and ignorance about how the Internet works, I think it's much easier for identity theives to get their stolen CCs the "old-fashioned" way: Internet fraud, lost or stolen cards, and stolen PINs. I can't tell you how many e-mails I get (that look very convincing) asking me my SSN for "verification" purposes. Obviously people are still falling for these increasingly elaborate scams. That kind of crap should be more concern to people than Blink.
Scott Rubin @ Dec 19th 2005 12:21AM
I say use it. I got one a few weeks ago and did my research before I activated it. They claim that it is 100% secure. I figure the worst thing that can happen is I call them and complain about fraudulent charges to get my money back. If it turns out that Blink is not 100% secure I can sue teh bejeesus out of them and get some moneys.
I'm risking having to make a phone call in exchange for a chance to be in on a big lawsuit. And maybe I'll be able to walk in and out of a store a little bit more quickly.
WoNdErGeEkBoY @ Dec 19th 2005 12:21AM
The Japanese are already using this! I think I saw this when I was in Tokyo last week. Someone paid using their JCB at the local FamilyMart (7-11/AM-PM). I say its pretty cool!
Steve @ Dec 19th 2005 12:21AM
Something that's RARELY mentioned: These things are actually pretty secure. Swiping the card is a two way communication. A new encryption key (or something) is passed down to the card during every transaction so that only THAT card will work. Creating a duplicate card won't really work as it will with the traditional magnetic stripe.
ALTgenetics @ Dec 19th 2005 12:21AM
I really don't think there is an issue with it. I've been using RFID tech everyday for teh past three months. From the train, to my school ID, to my phone. Yes, Japan....Any ways, the tech is encrypted, yes it can be decrypted, but is any one going to stop using ATMs as of late? When an ATM can be duped fairly easily? Chases nor Visa, are dumb companies their not going to implement this kindof tech without propper securities, and "just in case" types of insurance. So I say use it.
Vasco @ Dec 19th 2005 12:21AM
Reguardless of what all of you say, I think the technology is heading in the right direction, but I don't think RFID is safe enough to use as of now.
Later, definately, but they need to SUPER-secure it.
etd @ Dec 19th 2005 12:21AM
#42 that would explain the popularity of this new technology and the momentum for banks to rapidly covert to the new system (think infastructure). Besides it would be be very difficult to swipe your hand (chip) through the current credit card reader...
zach @ Dec 19th 2005 12:21AM
could someone at the post office steal your info without opening or tampering with the envelope before you even get one? or drive by mailboxes with a scanner while these are being shipped out right now?
Dennis T Cheung @ Dec 19th 2005 12:21AM
Hong Kong has been using this for years with their Octopus card.
http://en.wikipedia.org/wiki/Octopus_card
So the big fuss over this is rather silly. Reminds me of back in the day when the NY subway first came into operation, there was fear that travelling so fast could cause your head to explode.
Bryan W @ Dec 19th 2005 12:21AM
Check out www.emvelope.com
Jacob @ Dec 19th 2005 12:21AM
Since magnetic strips are VERY insecure (as in can be duplicated with ease), I wondered why they didn't integrate a "smart chip" into credit cards.
RFID is just stupid. I'm very wary of contactless transfer of banking info.
DaveZ @ Dec 19th 2005 12:21AM
I wonder if the "blink" refers to the Malcolm Gladwell book "blink" and this card should be subtitled "The power of paying without thinking" due to the RFID reading overspill?
Mark @ Dec 19th 2005 12:21AM
Experiment with it.
Put it in the microwave and see if that breaks it. See how well it works through a tinfoil wallet. I'm sure someone will start selling a steel-belted wallet- try it with that.
Put two RFID cards, speedpass, and a building access card in the same wallet and see how they work together. ($25 just to get into the building?)
This is a gadget- you should mess with it if you dare to write a gadget blog.
So, what are the tampering limitations set forth in your End User License Agreement? Cut out the RFID chip and see if it still works. Embed it in another card. Me, I'd put it in my library card- that way if someone stole my wallet, they wouldn't think to use that card to pay for things.
Heck, put it in your shoe- see how much abust the thing can really take.
Yes, be cautious about how the tech can be misused, but strive to be the first one to misuse it creatively.
riffola @ Dec 19th 2005 12:21AM
HSBC sent out new debit cards last month. They use the Mastercard Paypass feature. What I'm curious about is whether the you can use Paypass with Blink and vice-a-versa.
Joe @ Dec 19th 2005 12:21AM
I reeceved a blink card as well, and I immediately called customer service to get a new card without Blink. It took about 3 days, and the new card is RFID-free.
Pete M @ Dec 19th 2005 12:21AM
Why doesn't the US use chip and pin like in the UK - an electronic contact-requiring chip and instead of a signature, a pin.
In fact, if you used the PIN system with the RFID then you wouldn't risk ur card being scanned for someone elses purchase since their PIN number wouldn't work on your card / visa versa.
...still, don't understand why you haven't introduced something inbetween magnetic strip and RFID like in the UK...
Jon @ Dec 19th 2005 12:21AM
#61. They did and it failed in the US: AMEX Blue. The Europeans like smart cards because they authorize the majority of transactions offline. Phone calls in Europe are expensive. A merchant wants to hold on to all of the data and send it in daily. The smart card standard (EMV) was designed so that your card would keep track of your credit balance. The problem with this is online verification is far more secure: if you lose your offline smart card, people can keep charging the thing. Online verification allows the bank to do instant fraud analysis.
Without the communication benefits, the only benefit to smart cards is the anti-cloning security. And that was completely bank side. When a merchant gets magnetic card approval, and a signature, only the bank is liable for fraud. So smart cards never caught on in the US.
RFID gives the benefit of anti-cloning as well as convenience, especially with key tags(AMEX Expresspay has one), and adds the missing benefit to move away from magstripe.
Isamu @ Dec 19th 2005 12:21AM
Hong Kong has been using this for over 7 years. They pay public transport and 7-11 with this card.
It has never been hacked during the 7 years of use. So don't worry about it, use it.
It's not that Europe like smartcards. For instance, I live in Holland and most of the ppl here doesn't like to pay with the smartcard but are forced to by the goverment.
The article mentioned that the card just save a couple of seconds. I can tell you out of experience in Hong Kong, those couple of seconds does a make difference once you've experienced it yourself.
shrinkydinx @ Dec 19th 2005 12:21AM
i wonder how long it will be before some dork integrates the thing into his wallet :)
japanesejay @ Dec 19th 2005 12:21AM
They do this in Japan. Except its not a credit card, its a prepaid card. Its excellent getting around Tokyo. Hope on a train, buy a pack of gum from a local 7-11, buy a USB cable from Bic Camera (an electronic store), etc etc. They even have cellphones embedded with these RFID things so you can swipe your cell instead! Its super convenient!
But again, its PREPAID so the risk of losing or getting scammed thousands of dollars is minimal.
Jim @ Dec 19th 2005 12:21AM
This is completely worthles tech. Until this method of reading the card is combined with some kind of biometric indentifier, there is no advantage to using it. As previous posters have pointed out, the biggest advantage to the banks is that this seems easier to use (it isn't, but it seems that way).
The biggest threat right now to any credit/debit card transaction is in the clerk keeping the carbon copy of the charge slip.
After that would be skimmers, physical card theft (inlcuding theft while in the posession of the US Postal service), corporate data loss, and phishing. The greatest threat is the one you don't even know about until after you get your monthly statement.
RFID makes it even easier to steal card numbers undetected than any of the above-mentioned methods of theft.
Again, I'll wait for biometric confirmation to ensure validity of the charge before I go with one of these cards that can easily be read within 6 feet of the card at any time.
It's hard enough keeping your information private. Why buy into a technology whose greatest claim is that it will literally broadcast that information to all who are trying to listen?
Alex @ Dec 19th 2005 12:21AM
Like all new technology involving your money it will take time to be socially accepted.
It's not like a conventionally card is perfectly secure either - there have been many cases here in Australia of people skimming your card numbers using a simple card reader.
apeguero @ Dec 19th 2005 12:21AM
NO PETER!!!! DON'T DO IT!!!!
I think there's more control and less chance of making an error using the old system. I can't trust something like this man!
Don @ Dec 19th 2005 12:21AM
Looked at this concept 7 or 8 years ago. We rejected the idea because of the obvious scam of embedding a legitimate scanning terminal in the seat of a restaurant booth so it ends up being about 1" from a man's wallet. As you enjoy your taco, the RFID card in your pocket is being "picked". A smart card with contacts would be a better solution.
Trevor @ Dec 19th 2005 12:21AM
I have a blink card and the only place I've found to use it so far is 7-11. I use it for the same reason it makes me nervous using it, I don't even have to take the card out of my wallet!
So it scares the hell out of me that at some point in the future it will be easy to steal my credit card info wirelessly and spoof it but until then I'd say use it.
Foof @ Dec 19th 2005 12:21AM
The picture for the article is the biggest credit card I've ever seen!
Ryan Block @ Dec 19th 2005 12:21AM
Humorously enough, by chance I came home to an unexpected piece of mail tonight -- a new blink card Chase sent over unsolicited. Looks like we're in this one together.
Whisky @ Dec 19th 2005 12:21AM
I just got this Paypass device for my Citibank Mastercard, same concept except i don't it uses RFID, something else...
Anyways I have only got it to work once. It worked once at CVS pharmacy, but has not worked at McDonalds, 7-Eleven, and also CVS again..
Instead of tapping and fast paying, i end up holding up the line and people start giving faces and end up pulling out the regular CC and swipe..
Brandon @ Dec 19th 2005 12:21AM
NO WAY! I just clicked to view the poll results....and check it out!
http://nsgn.net/brandonstuff/666.png
I SWEAR this is not a photoshopping. I DIED laughing. Thats amazing.
Image hosted by the NSGN.net Online Christian Community. (also not a joke, hehee)
sirhc @ Dec 19th 2005 12:21AM
so what? because the old magnetic strip terminals were so crappy, we're going to all switch to something that has even more potential for being a piece of crap?
the security risk isn't even an argument. the encryption on such an RFID card could be broken quicker than you could blink. the only type of RFID current day credit cards could possibly hope to incorporate is Passive RFID. this means that the WIRELESS TRANSMITTER (see: not laser: post #20) gets its power from the scanner. the RFID chip is dependant on the scanner (see: no security if someone builds the right scanner).
oh, and gosh, i don't suppose anyone could get this information by just taking apart one of these cards that Chase is to graciously giving out. certainly not!
Clay @ Dec 19th 2005 12:21AM
My vote goes to cellphone/pda based payment systems.
lpret @ Dec 19th 2005 12:21AM
I completely agree with #49. My parents said the same thing about handing this new thing called a credit card to some kid to swipe in the back of a restaurant -- and really, how much time would that save over just counting out the cash or simply writing a check?
Now, we, us, the engadget people who can't wait to have the newest tech and should be the best early adopters, are scared because of some theoreticals and whatnot? At most we're talking about a basic double-swipe -- something you see every day with incompetent card-swipers at your local Mexican restaurant.
Further, as others have pointed out, it's capped at 20 bucks. It's not like someone is going to go buy a Porsche with your blink info.
I dunno, I say go for it. Try it out, see if you like it. If not, explain your concerns and I'm sure Chase would be happy to give you an RFID-free card.
DarkFader @ Dec 19th 2005 12:21AM
http://ubiks.net/local/blog/jmt/archives3/004311.html
I say... give everyone his own terminal.
E-Paper + RFID + touch sensors.
Show seller's logo and price, touch "OK"
AMRivlin @ Dec 19th 2005 12:21AM
I have PayPass and Blink, MC and Visa use the same network, and I am 99% sure this technology is shared between the cards. McDonalds, CVS, and Edwards theaters are the only places I have seen RF readers.
Even if someone steals my rf id, it is not much different than losing my card or filling out a phishing form, so what, I call BankOne/Chase or MBNA, give me back my money please... and purchases are signed for over 25 bucks, so there is a paper trail...
I am all for not signing for a liter of cola, or a movie ticket. About Time.
John Anderson @ Dec 19th 2005 12:21AM
"you don't sign anything unless your purchase exceeds a specified limit (blink is $20, amex and citi may have higher limits)"
Whoopee.
1. Most places I shop can distinguish between a credit card and a debit card. I generally use my debit card, because I don't have to sign.
2. $20 limit for not having to sign? First, other than a burger-and-drink, what can you buy for that? Second, my debit card limit for not signing is $1200. Third, I mostly buy gas (circa $30) or groceries (circa $80) or books (circa $70).
Sooner or later, I will probably be issued a debit card with this tech. I'll use it.
The Professor @ Dec 19th 2005 12:21AM
Holy Moly for a bunch of self-proclaimed techno heads you are all way off the mark. So let me get this straight, you're concerned about women carrying purses whos only contents are radio readers and they walk around among all of us law abiding citizens and they conduct transactions unbeknowst to the rest of us - we don't find out until it's too late.
Conversly, though, you think it's perfectly fine to hand your mag stripe card to a 20 year old waiter and have him leave with said card - same thing goes with gas stations especially in NY's neighbor NJ.
Looks like it's time to buy some tinfoil, boys.
Boys, dear boys, have you forgotten how much it stinks to wait in line at, say, mcdonalds, CVS, Walgreens, 7-11 or any other low transaction retail location (of which there are a ton). If RFID can get you through the line quicker and get you back to your computer playing the latest multi-user game I suspect most of you will forget these wild tales of ladies and purses.
Factoid @ Dec 19th 2005 12:21AM
"Women blink nearly twice as much as men."
SuperChuck @ Dec 19th 2005 12:21AM
This is the same concern people had with credit cards online. What if someone gets it?
WHO CARES?
If questionable charges appear on your bill, you fill out the form on the back of the bill and the purchase amount will be charged back to the merchant.
In fact, most of the time the credit card company notices strange activity and contacts you before you know anything's happened.
Josh Witkowski @ Dec 19th 2005 12:21AM
"I do think you'll still be required to open your wallet though to show ID to use the card."
Get real. I work in a retail shop, and even when people don't sign their credit cards we don't usually ask for ID. Why? It's a hassle to us and the customer to ask them to dig out their ID and hold up the line to check an ID against the signature on their receipt, or to ask them to sign the card. Do you really think some teenager at the grocery store is going to give a shit and stop everyone who comes to their checkout with one of these cards? I think not.
Besides, how does this really save us any time, when we're held up waiting for some tool to figure out the most destructive way to pack four cans of soup on top of a bunch of bananas and a carton of eggs? You'll have plenty of time to swipe your card while that goes down.
StopSpamming @ Dec 19th 2005 12:21AM
If you call it an RFID card, it has to work within the 2 categories of frequencies...a) Low RF (below 300 KHz) b) Ultra High RF (between 902-928MHz). This card in your hand operates at 13.56MHz, it falls under the category of Contactless Chip card. It is not the same as those proximity cards that normally function in 125KHz.
The 13.56MHz Contactless Chips are currently governed by 2 ISO standards - ISO 14443 & ISO 18092. There are about 500 million Contactless Chip cards currently in used in various fields. The Hong Kong Octopus card mentioned here use Sony's FeliCa chip on ISO 18092. A few years ago, MasterCard has decided to adopt Mifare chip on ISO 14443. As of last month, Sony announced its first 100 millionth chip shipped, so take a guess, how many Mifare chips are there in the market.
Nevertheless, before launching PayPASS, MasterCard beefed-up all the aspects of ISO 14443 specifications, including all the transmissions protocols. It has done such a good job that even Visa signed in early 2005, a licencing agreement with MasterCard to adopt its PayPASS specifications (fondly called the enhanced ISO 14443 specifications) in ALL Visa's contactless products. You may read about this agreement here..in a PDF file:- http://partnernetwork.visa.com/cd/download/PaypassAgreement.pdf
Visa's early contactless products were launched in Asia Pacifics, namely Taiwan, Korea, Japan and Malaysia...naming it Visa Wave! Blink is an US variant of Wave.
JCB's contactless product - QuickPay has recently adopted FeliCa, for obvious reason - Sony is Japanese too. :-)
On the issue of transaction speed, it was never aimed to save the time of the card-holder like you and me. It was designed to save the check-out time at the cashier. Current experience shows a saving of 35-55% of check-out time...and that translate to billion of dollars in saving a year! For all of us, this contactless card only promises us convenience!
On another issue of signature requirement, there is an inherent policy in both MasterCard & Visa that all transaction below US$25 may be exempted from the signature requirement. Hence, all these contactless payment do set a limit below US$25.
What is NEXT?
Take a look at Asia Pacifics again...these contactless cards are transforming again...the chip & anthenna have found their ways into mobile phones, watches, PDAs...etc.
Watch out for the next variant - Near Field Communications (NFC) by Philips & Sony. Major players like Nokia has thrown in their support for this mode, which incidentally is under ISO 18092 like the FeliCa chip.
Hope this helps.
Go ahead, use it and enjoy it. Fear not of any security issues...most of the contactless chips offered in the market, be it from Philips or Infineon had achieved EAL4 or EAL5 security standards. :-)
Reality Check @ Dec 19th 2005 12:21AM
So much mis-information (along w/ some informed opinions), where to begin? A recent report listed average transaction times: for checks are 64 seconds; for credit/debit, 48.4 seconds; for PIN debit, 44.4 seconds, for cash, 28.5 seconds; for Pay By Touch,15.6 seconds; and for contactless,12.5 seconds. I think all calculations poste here need to be revised from 1 second.
I don't think this audience (in general)is well-suited to discussions of cryptography, but the ICs inside the credit cards are capable of cryptographic functions. True, in the US the cards are not utilizing this feature, as the US does not have the fraud occurences prevalent in other countries. However, the plans are to move in that direction as this technology is rolled out. All credit card issuers have credit card protection, and these cards are limited (as noted several times in this string)in the purchase amount.
I can't believe the technophiles here at Engadget are so technophobic. This technology is more convernient, and as it is further incorporated and accepted it will only allow for the technology to get better at adding even greater conveniences (i.e. these cards can host multiple applications on the same card>>eventually the phone host several "cards") The only draw back I can see is now I will be losing more when I lose my phone.
T_R_J @ Dec 19th 2005 12:21AM
The F'd up thing is I have co workers who are strong believers in Christianity and they truely believe that RFID is the oncomming "mark of the beast". How retarded.
HK David @ Dec 19th 2005 12:21AM
As a few have mentioned, Hong Kong have been using RFID for our public transportation for years. The difference is that these cards are debit cards, with relatively small amounts of money inside (usually less than $50 US) -- so not an interesting target for thieves. But what we can also learn from the Hong Kong example is RFID's sensitivity: women just put their handbags over the sensor, which senses their Octopus card, throught the handbag and the wallet inside. Kids put their backpacks over the sensor and gents place their wallets... Payment is instant (no waiting) due to the patience of people in this city that is like, well, New York on speed.
So if a thief got hold of some sort of discreet sensing device, they could ostensibly wave it next to women's handbags and men's back pockets, stealing much larger amounts of money from this Visa card.
RFID works great for ID checks and for debit cards -- the Octopus system is fantastic, and works very well at convenience stores and all modes of public transportation, making them more efficient. For credit cards and larger transactions, however, I think that the more secure method we have today is preferable.
Joel @ Dec 19th 2005 12:21AM
Peter, I got my Amex ExpressPay card last week and blogged about it. What's even more disturbing is Customer Service's lack of knowledge and education about their own product.
Personally, I won't be using the ExpressPay feature and actually plan on using a hole punch to "excise the demon", so to speak. Maybe I'll burn the RFID chip and mail it back to Amex. heh
Michael @ Dec 19th 2005 12:21AM
I do not have knowledge pertaining to the Visa technology, but have worked with the MasterCard program. The MasterCard system generates a new key at each transaction, so a "replay" fraud scenario could happen (theoretically) only once. You would be alerted the next time you attempted to use your card in a contactless fashion.
The bigger threat is, is it possible to extract enough information from the wireless signal to create a fake magnetic only card?
My take, who cares? I have $0 liability (as do you) for a reason.
Jamar @ Dec 19th 2005 12:21AM
Here in China, I've got a similar card to pay for transportation costs, with no problems (at least things like accidental double-charging). Also, I am sure that RFID readers have not been widespread- if it hasn't happened here in China it won't happen elsewhere- at least, not easily.
Echilon @ Dec 19th 2005 12:21AM
If you used chip and pin like in the UK, there wouldn't be any problems. You need to scan the card, then just enter your pin instead of signing.