Tuesday, March 28th, 2006 04:46 pm

Citizens Bank just sent us both updated debit cards.  The new card proudly proclaims that it is PayPass enabled.  I'm not familiar with PayPass, but from the minimal information included with the new card and data I've found online, it's a short-range RFID technology.  I find my attention particularly called to this bit (emphasis mine):

"Its built-in technology lets you just tap your card on the PayPass reader at participating locations and your transaction is complete.  No need to swipe or give your card to cashiers.  Smaller purchases [which turns out to be up to $25] may not require a signature or PIN."

This seems to imply to me that someone who can get their hands on a PayPass-enabled card can use it freely without needing to know a PIN, as long as they keep their purchases small.  The convenience of not needing to swipe, with the touted feature of "Your card never leaves your hand", is undeniably going to be attractive for many people, but I find the security implications disturbing.

On the other hand,

"All transactions are protected with the Zero Liability Policy for any unauthorized purchases."

The press releases I've found claim that the read range of the PayPass RFID chip is restricted to about 4cm, which - if true - is promising from the viewpoint of remote scanning risks.  (I've had difficulty finding much in the way of solid information.  Most of the technical data is restricted to licensees.  If anyone knows of any accessible useful documentation on the security features, pointers would be welcome.)  Interestingly, Motorola has been field-testing PayPass-enabled phone handsets for about 18 months now;

"Motorola is excited to be working with MasterCard to create a phone that has the potential to be lifestyle changing, and offers a convenient, fast, and secure method of payment.  In essence your phone will become your wallet, key chain and your ID," said Ron Hamma, vice president and director of enterprise business development, Motorola, Inc.  "Fully integrating MasterCard PayPass technology in our phones is a natural fit and major benefit to the consumer."

Tags:
Tuesday, March 28th, 2006 02:09 pm (UTC)
Can they limit the read range of the chip? I thought they could limit the read range of the transmitter/reader, but not the chip.

I googled "rfid security" earlier today and found some interesting discussion.
Tuesday, March 28th, 2006 02:59 pm (UTC)
Is this a pure ATM card, or is this a "fake Mastercard" as well?

'cause the credit cards these days don't require a PIN or a signature for purchses of $25-$50 in any case. i.e. you can swipe them at a gas station for pay at the pump without signing anything.

I'd have a lot more heartburn with a pure ATM card having a non-PIN way to access my money. (And I insist on a non-credit card ATM from my bank. I don't want the MC/VISA logo version. Too much risk.)

Tuesday, March 28th, 2006 05:24 pm (UTC)
It's a Mastercard-logo debit card.
Tuesday, March 28th, 2006 04:39 pm (UTC)
Cool, time to build a reader that will fit in my pocket, then go walk around in very crowded areas...

-Ogre
Tuesday, March 28th, 2006 07:16 pm (UTC)
Lies, all lies, as far as I remember. I think the crypto is breakable (40 bit public key), fancy antenas will get you much longer range, people have demo'd how to break the system. Rather amazing anyone would field such a system. Or perhaps it was all limited to one companies systes, google it I guess.
Wednesday, March 29th, 2006 04:32 pm (UTC)
It says "All transactions are protected with the Zero Liability Policy for any unauthorized purchases."

I would read the fine print carefully, or call and ask what this means. In most states, they are not liable for any funds fraudulently withdrawn via ATM card. This is in variance with the policy for credit cards.

This has recently come out because of the stink with the stolen Citibank/Bank of America/Well Fargo ATM data, where a ring had somehow gotten access to ATM *and* PIN numbers, and was making fraudulent withdrawals on a very large scale. (This happened to a friend of mine, who was notified by BoA that $500 had been taken out of his account on a Manhattan ATM. Fortunately, California is a state where the bank *is* responsible for funds fraudulently withdrawn by another party.)

I don't like anything that makes it too easy and "convenient" to make transactions. Old-fashioned verification was there for a reason...