Swipe-Free Credit Cards Tested

R. A. Hettinga rah at shipwright.com
Fri Dec 12 17:45:56 EST 2003


<http://www.cbsnews.com/stories/2003/12/12/tech/printable588346.shtml>

CBSNews.com

Swipe-Free Credit Cards Tested
NEW YORK, Dec. 12, 2003


The familiar process of buying something with a credit card - handing the
plastic to the clerk or swiping it yourself, then waiting for approval and
signing the receipt - could be headed the way of the mechanical brass cash
register.

For more than a year, MasterCard and American Express have been testing
"contactless" versions of their credit cards. The cards need only be held
near a special reader for a sale to go through - though the consumer can
still get a receipt.

The card companies say the system is much faster and safer because the card
never leaves a customer's hand.

"In some instances it's faster than cash," said Betsy Foran-Owens, a
MasterCard vice president. "You're eliminating the fumble factor."

MasterCard has been testing its PayPass system mainly in Orlando, Fla. and
promises a nationwide rollout in 2004, beginning primarily at quick-service
restaurants and other places where people tend to be in a hurry.

American Express has mainly done pilot runs of its Express Pay service in
the Phoenix area, though the company expanded it to New York ferry
terminals on the Hudson River this week.

The new credit cards work much like the Speedpass system that ExxonMobil
has accepted for quick payments at its gas stations since 1997. But the
keychain fobs carried by Speedpass' 6 million users are good only at
ExxonMobil stations and a handful of other retail outlets.

In contrast, credit cards that incorporate the technology could be used
anywhere regular plastic is accepted, as long as stores install the new
readers. The card companies have worked out technical standards that would
let one reader handle multiple brands of contactless cards.

Still, you probably will leave home without one of the new cards for a
while. Forrester Research senior analyst Penny Gillespie predicts it will
take a few years for contactless cards to go mainstream.

Visa USA has developed contactless capabilities but is holding off on a
launch because "consumers seem to be content using the cards they have in
their wallet," Visa spokeswoman Camille Lepre said.

The new cards have chips imbued with radio-frequency identification, or
RFID, the technology that Wal-Mart, the military and other institutions
hope to begin using soon to precisely track inventory.

While old-fashioned credit cards store account information on a magnetic
stripe that has to be swiped, the contactless cards keep their data on
chips inside the plastic.

American Express' ExpressPay uses a keychain fob, like the ones used by
ExxonMobil Speedpass and similar to the tags in supermarket discount
programs.

"I like that it's on your keychain and it's fast to use," said Kristie
Beenau, 36, of Peoria, Ariz., who has used ExpressPay for about six months
at a CVS Pharmacy and fast-food restaurants. "I charge everything anyways.
Now I wave it rather than get my card out. It's more convenient."

MasterCard's PayPass comes on a regular-sized card that also has a magnetic
stripe for swiping if need be. MasterCard also has done tests in Dallas
with Nokia Corp. in which the RFID chip is embedded in the plastic casing
of a cell phone.

The contactless cards have no battery or power. When they near a reader,
they are jolted to life by the reader's electromagnetic waves. A small
radio antenna in the cards instantly transmits account information to the
reader.

The transaction then proceeds through the credit card network just as if
the card had been swiped.

In theory, the transaction could be intercepted without a consumer's
knowledge by a technologically savvy thief intent on cloning a card. That's
because RFID transmissions themselves are not encrypted.

However, the thief would have to get quite close to his target or have a
very sensitive reader.

Also, the account number on the contactless cards is useful only in the
RFID system - it's not the same as a user's credit card number. A crook
would thus not be able to use the card number to go on a fraudulent
Internet shopping spree, for example.

There would be other hurdles.

American Express makes the RFID reader verify the card's authenticity with
a "challenge-response" exchange that depends on 128-bit encryption encoded
on the chip. That strength of encryption is considered safe against "brute
force" attacks, in which a hacker tries every possible combination.

MasterCard says it uses a different security system but would not provide
specifics.

"I have some faith in the credit card companies," said Henry Holtzman, a
research scientist at the Massachusetts Institute of Technology's Media Lab
who started Presto Technologies Inc., a now-defunct company that sought to
develop in-home applications for RFID tags on consumer products. "I trust
them because fraud is a serious issue they have to deal with."

Others are more skeptical. Simson Garfinkel, another MIT researcher who
follows RFID, said credit card companies ought to be using "smart" cards
with public key cryptography, a very strong form of security.

Jeff Chasney, chief technical officer of CKE Restaurants Inc., which runs
the Carl's Jr. and Hardee's fast-food chains, says the new cards are likely
to increase sales because they are so easy to use and ensure that a
consumer won't be limited by the cash in his wallet.

But even Chasney, who is considering a contactless card trial, worries
about the use of RFID in the cards.

"I would suggest to you," he said, "the greatest obstacle is going to be
security."



-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
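
An added illustration (not part of the article, the post, or any card issuer's code) of why the "challenge-response" exchange the article describes resists cloning from an intercepted, unencrypted transmission, while a card that only sends a fixed identifier does not. HMAC-SHA256 with a 128-bit key stands in for the cipher the article does not name; the class names, function names and account identifier are constructed for the example.

```python
import hashlib
import hmac
import secrets

ACCOUNT = "RFID-ACCT-0001"  # constructed RFID-only account identifier


def mac(key: bytes, challenge: bytes, account_id: str) -> bytes:
    # HMAC-SHA256 is an assumption standing in for the unspecified on-chip cipher.
    return hmac.new(key, challenge + account_id.encode(), hashlib.sha256).digest()


class Card:
    """Tag holding a 128-bit secret that is never transmitted."""
    def __init__(self, account_id: str, key: bytes):
        self.account_id = account_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return mac(self._key, challenge, self.account_id)


class Reader:
    """Verifier that issues a fresh, single-use random challenge per transaction."""
    def __init__(self, keys: dict):
        self.keys = keys
        self.pending = None

    def new_challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, account_id: str, response: bytes) -> bool:
        challenge, self.pending = self.pending, None  # a challenge is never reused
        key = self.keys.get(account_id)
        if challenge is None or key is None:
            return False
        return hmac.compare_digest(mac(key, challenge, account_id), response)


def demo():
    key = secrets.token_bytes(16)  # 128-bit key shared by card and verifier
    card, reader = Card(ACCOUNT, key), Reader({ACCOUNT: key})
    recorded = card.respond(reader.new_challenge())   # what a listener could capture
    genuine_ok = reader.verify(ACCOUNT, recorded)
    reader.new_challenge()                            # next transaction, new challenge
    replay_ok = reader.verify(ACCOUNT, recorded)      # old response no longer matches
    static_id_ok = ACCOUNT in reader.keys             # identifier-only check accepts a replay
    return genuine_ok, replay_ok, static_id_ok
```

The recorded response is bound to one challenge, so capturing it over the air is not enough to pass a later transaction; only possession of the key is.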


