Citizens Bank just sent us both updated debit cards. The new card proudly proclaims that it is PayPass enabled. I'm not familiar with PayPass, but from the minimal information included with the new card and data I've found online, it's a short-range RFID technology. I find my attention particularly called to this bit (emphasis mine):
"Its built-in technology lets you just tap your card on the PayPass reader at participating locations and your transaction is complete. No need to swipe or give your card to cashiers. Smaller purchases [which turns out to be up to $25] may not require a signature or PIN."
This seems to imply to me that someone who can get their hands on a PayPass-enabled card can use it freely without needing to know a PIN, as long as they keep their purchases small. The convenience of not needing to swipe, with the touted feature of "Your card never leaves your hand", is undeniably going to be attractive for many people, but I find the security implications disturbing.
On the other hand,
"All transactions are protected with the Zero Liability Policy for any unauthorized purchases."
The press releases I've found claim that the read range of the PayPass RFID chip is restricted to about 4cm, which - if true - is promising from the viewpoint of remote scanning risks. (I've had difficulty finding much in the way of solid information. Most of the technical data is restricted to licensees. If anyone knows of any accessible useful documentation on the security features, pointers would be welcome.) Interestingly, Motorola has been field-testing PayPass-enabled phone handsets for about 18 months now;
no subject
I googled "rfid security" earlier today and found some interesting discussion.
no subject
'cause the credit cards these days don't require a PIN or a signature for purchases of $25-$50 in any case. i.e. you can swipe them at a gas station for pay at the pump without signing anything.
I'd have a lot more heartburn with a pure ATM card having a non-PIN way to access my money. (And I insist on a non-credit card ATM from my bank. I don't want the MC/VISA logo version. Too much risk.)
no subject
-Ogre
no subject
I would read the fine print carefully, or call and ask what this means. In most states, they are not liable for any funds fraudulently withdrawn via ATM card. This is at variance with the policy for credit cards.
This has recently come out because of the stink with the stolen Citibank/Bank of America/Wells Fargo ATM data, where a ring had somehow gotten access to ATM *and* PIN numbers, and was making fraudulent withdrawals on a very large scale. (This happened to a friend of mine, who was notified by BoA that $500 had been taken out of his account on a Manhattan ATM. Fortunately, California is a state where the bank *is* responsible for funds fraudulently withdrawn by another party.)
I don't like anything that makes it too easy and "convenient" to make transactions. Old-fashioned verification was there for a reason...