[Clips] Contactless payments and the security challenges

John Gilmore gnu at toad.com
Sun Sep 18 23:44:09 EDT 2005

>  http://www.nccmembership.co.uk/pooled/articles/BF_WEBART/view.asp?Q=BF_WEBART_171100

Interesting article, but despite the title, there seems to be no
mention of any of the actual security (or privacy) challenges involved
in deploying massive RFID payment systems.  E.g. I can extract money
from your RFID payment tag whenever you walk past, whether you
authorized the transaction or not.  And even assuming you wanted it
this way, if your Nokia phone has an RFID chip in it, who's going to
twist the arms of all the transit systems and banks and ATM networks
and vending machines and parking meters and supermarkets and
libraries?  Their first reaction is going to be to issue you an RFID
themselves, and make you juggle them all, rather than agreeing that
your existing Nokia RFID will work with their system.  If you lose
your cellphone, you can report it gone (to fifty different systems),
and somehow show them your new Motorola RFID, but how is each of them
going to know it's you, rather than a fraudster doing denial of
service or identity theft on you?

Then there's the usual "tracking people via the RFIDs they carry"
problem, which was not just ignored -- they claimed the opposite:
"This kind of solution provides privacy, because the token ID is
meaningless to anyone other than the issuing bank which can map that
ID to an actual account or card number."  That is only true once --
til anyone who wants to correlates that token ID "blob" with your
photo on the security camera, your license plate number (and the RFIDs
in each of your Michelin tires), the other RFIDs you're carrying, your
mobile phone number, the driver's license they asked you to show, the
shipping address of the thing you just bought, and the big database on
the Internet where Equifax will turn a token ID into an SSN (or vice
verse) for 3c in bulk.

The article seems to have a not-so-subtle flavor of boosterspice.
Anybody got a REAL article on contactless payments and security


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list