> On Sat, 9 Jul 2005, Jörn Schmidt wrote:
>
>> less attractive to commit credit card fraud. You are, however, not
>> making it harder. That's why I believe the credit card companies will
>> indeed have a good, long look at smartcards. Probably not tomorrow or
>> next week but in the near future.
>
> Actually, smart cards are here today. My local movie theatre in Berkeley,
> California is participating in a trial for "MasterCard PayPass." There is
> a little antenna at the window; apparently you can just wave your card at
> the antenna to pay for tickets. I haven't observed anyone using it in
> person, but the infrastructure is there right now.

Interesting, they have a card (smart card)? and key fob version. I hope
their key fob version is not as insecure as the SpeedPass RFID transponder
token used by Exxon/Esso, which has recently been broken:

http://rfidanalysis.org/

The SpeedPass implemented an authentication algorithm (I think it was a
CRC-like challenge response based on a secret that defined the polynomial
used) based on a 40-bit key. Bono & al. figured out the algorithm (based on
a patent, which described the algorithm generically, they figured out the
constants that were chosen). The question is why did they use a 40-bit
secret? Is there some technological constraint preventing the use of
something better?

The other thing is that many of the smart cards also have a magnetic
stripe, so your security level is as strong as the weakest point (magnetic
stripe type payments). Until all the cards are smart cards, readers will
accept both types.

--Anton