> > http://www.nccmembership.co.uk/pooled/articles/BF_WEBART/view.asp?Q=BF_WEBART_171100

Interesting article, but despite the title, there seems to be no mention of any of the actual security (or privacy) challenges involved in deploying massive RFID payment systems. E.g. I can extract money from your RFID payment tag whenever you walk past, whether you authorized the transaction or not.

And even assuming you wanted it this way, if your Nokia phone has an RFID chip in it, who's going to twist the arms of all the transit systems and banks and ATM networks and vending machines and parking meters and supermarkets and libraries? Their first reaction is going to be to issue you an RFID themselves, and make you juggle them all, rather than agreeing that your existing Nokia RFID will work with their system.

If you lose your cellphone, you can report it gone (to fifty different systems), and somehow show them your new Motorola RFID, but how is each of them going to know it's you, rather than a fraudster doing denial of service or identity theft on you?

Then there's the usual "tracking people via the RFIDs they carry" problem, which was not just ignored -- they claimed the opposite:

"This kind of solution provides privacy, because the token ID is meaningless to anyone other than the issuing bank which can map that ID to an actual account or card number."

That is only true once -- til anyone who wants to correlates that token ID "blob" with your photo on the security camera, your license plate number (and the RFIDs in each of your Michelin tires), the other RFIDs you're carrying, your mobile phone number, the driver's license they asked you to show, the shipping address of the thing you just bought, and the big database on the Internet where Equifax will turn a token ID into an SSN (or vice versa) for 3c in bulk.

The article seems to have a not-so-subtle flavor of boosterspice. Anybody got a REAL article on contactless payments and security challenges?

John