On Sat, 9 Jul 2005, Jörn Schmidt wrote:

> less attractive to commit credit card fraud. You are, however, not
> making it harder. That's why I believe the credit cards companies will
> indeed have a good, long look at smartcards. Probably not tomorrow or
> next week but in the near future.

Actually, smart cards are here today. My local movie theatre in Berkeley, California, is participating in a trial for "MasterCard PayPass." There is a little antenna at the window; apparently you can just wave your card at the antenna to pay for tickets. I haven't observed anyone using it in person, but the infrastructure is there right now.

Here's the MasterCard fact sheet about PayPass:
http://www.paypass.com/fact_sheet.html

It appears to be a contactless smart card/RFID that uses the ISO 14443 standard for the RF interface. There is some documentation available, unfortunately most of it restricted to licensees.
https://mbe2stl101.mastercard.net/hsm2stl101/public/login/ebusiness/mobile_commerce/paypass/documentation/index.jsp

You can do some Google searching to find MasterCard's involvement in standards-setting for EMV via smart cards over the years. From that it is possible to guess what PayPass might be doing, but I would prefer to know for sure. By the way, Visa is doing it too:
http://usa.visa.com/personal/cards/contactless/
Chase appears to be issuing them now; you can apply for one online:
www.chaseblink.com

From what I understand, contactless transactions are currently limited to $25 or less. This should reduce the incentive for someone to carry out the kind of relay/chess grandmaster attack described by Gerhard Hancke:

"A Practical Relay Attack on ISO 14443 Proximity Cards"
http://www.cl.cam.ac.uk/~gh275/relay.pdf

Hancke and Markus Kuhn have a paper on "distance bounding" protocols to combat this kind of relay attack. Unfortunately it does not appear to be on Hancke's web page yet.

One of the nice things about these cards is that they also support the standard card number on the front and magstripe. So you could imagine a situation where the number is used as normal until fraud is detected, then revoked, but the contactless pay capability is not revoked. I have no idea if that is what they actually do, though.

-David Molnar
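The relay attack and the distance-bounding countermeasure mentioned in the post above are easier to see with a small simulation. The following is an added example, not code from the post, from MasterCard, or from the Hancke/Kuhn paper; it is a simplified model of the rapid-bit-exchange idea (both sides derive two secret bit registers from a shared key and a nonce exchange, then the reader times each single-bit challenge/response round), not a faithful implementation of the published protocol. The key, the nonce lengths, and all latency figures (`BOUND_NS`, `HONEST_RTT_NS`, `RELAY_HOP_NS`) are assumed values chosen for the simulation; nothing here is measured against a real ISO 14443 reader.

```python
"""Simplified distance-bounding simulation (added example, not from the post).

A genuine card answers each challenge bit c with R_c[i] within the round-trip
bound. A relay that forwards challenges to a distant card answers correctly
but late; a relay that answers early, before the card can, has to guess.
"""
import hashlib
import hmac
import secrets

BOUND_NS = 1_000       # assumed round-trip bound for a card in the reader's field
HONEST_RTT_NS = 400    # assumed round trip of a genuine card at the reader
RELAY_HOP_NS = 5_000   # assumed extra one-way latency of a relay link


def derive_registers(key: bytes, nonce_v: bytes, nonce_p: bytes, n: int):
    """Derive two n-bit registers R0, R1 from the shared key and both nonces."""
    mac = hmac.new(key, nonce_v + nonce_p, hashlib.sha256).digest()
    if 2 * n > 8 * len(mac):
        raise ValueError("n too large for a single MAC output")
    bits = [(mac[i // 8] >> (7 - i % 8)) & 1 for i in range(2 * n)]
    return bits[:n], bits[n:]


class Card:
    """Genuine card: holds the shared key and answers challenge c with R_c[i]."""

    def __init__(self, key: bytes):
        self.key = key
        self.r0 = self.r1 = None

    def begin(self, nonce_v: bytes, n: int) -> bytes:
        """Nonce exchange: return the card's nonce and fill the registers."""
        nonce_p = secrets.token_bytes(16)
        self.r0, self.r1 = derive_registers(self.key, nonce_v, nonce_p, n)
        return nonce_p

    def respond(self, i: int, c: int) -> int:
        return (self.r1 if c else self.r0)[i]


def honest_channel(card: Card, i: int, c: int):
    """Card physically at the reader: correct bit, short round trip."""
    return card.respond(i, c), HONEST_RTT_NS


def relay_channel(card: Card, i: int, c: int):
    """Chess-grandmaster relay: forwards challenge to a distant card and the
    answer back. The bit is correct, but two extra hops make it late."""
    return card.respond(i, c), HONEST_RTT_NS + 2 * RELAY_HOP_NS


def guessing_relay_channel(card: Card, i: int, c: int):
    """Relay that answers before the real card can: fast, but it does not
    know R_c[i], so it guesses (here always 0)."""
    return 0, HONEST_RTT_NS


def verify(key: bytes, card: Card, channel, n: int = 32) -> dict:
    """Reader side: nonce exchange, then n timed single-bit rounds.
    Accept only if every answer is correct and every round is within bound."""
    nonce_v = secrets.token_bytes(16)
    nonce_p = card.begin(nonce_v, n)
    r0, r1 = derive_registers(key, nonce_v, nonce_p, n)
    wrong = late = 0
    for i in range(n):
        c = secrets.randbits(1)
        bit, rtt = channel(card, i, c)
        if bit != (r1 if c else r0)[i]:
            wrong += 1
        if rtt > BOUND_NS:
            late += 1
    return {"accepted": wrong == 0 and late == 0, "wrong": wrong, "late": late}


if __name__ == "__main__":
    key = b"\x01" * 16  # constructed shared key for the simulation
    for name, chan in [("honest card", honest_channel),
                       ("forwarding relay", relay_channel),
                       ("guessing relay", guessing_relay_channel)]:
        print(f"{name:17s} {verify(key, Card(key), chan)}")
```

Two points the simulation makes concrete: the forwarding relay is rejected purely on timing, with every answer correct, which is why the countermeasure has to be a per-round time bound rather than any cryptographic check on the content; and the guessing relay beats the timer but gets roughly half of 32 bits wrong, so the number of rounds n sets how small the guessing attacker's success probability is.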
