Unixronin

Tuesday, March 28th, 2006 04:46 pm

Citizens Bank just sent us both updated debit cards.  The new card proudly proclaims that it is PayPass enabled.  I'm not familiar with PayPass, but from the minimal information included with the new card and data I've found online, it's a short-range RFID technology.  I find my attention particularly called to this bit (emphasis mine):

"Its built-in technology lets you just tap your card on the PayPass reader at participating locations and your transaction is complete.  No need to swipe or give your card to cashiers.  Smaller purchases [which turns out to be up to $25] may not require a signature or PIN."

This seems to imply to me that someone who can get their hands on a PayPass-enabled card can use it freely without needing to know a PIN, as long as they keep their purchases small.  The convenience of not needing to swipe, with the touted feature of "Your card never leaves your hand", is undeniably going to be attractive for many people, but I find the security implications disturbing.

On the other hand,

"All transactions are protected with the Zero Liability Policy for any unauthorized purchases."

The press releases I've found claim that the read range of the PayPass RFID chip is restricted to about 4cm, which - if true - is promising from the viewpoint of remote scanning risks.  (I've had difficulty finding much in the way of solid information.  Most of the technical data is restricted to licensees.  If anyone knows of any accessible useful documentation on the security features, pointers would be welcome.)  Interestingly, Motorola has been field-testing PayPass-enabled phone handsets for about 18 months now:

"Motorola is excited to be working with MasterCard to create a phone that has the potential to be lifestyle changing, and offers a convenient, fast, and secure method of payment.  In essence your phone will become your wallet, key chain and your ID," said Ron Hamma, vice president and director of enterprise business development, Motorola, Inc.  "Fully integrating MasterCard PayPass technology in our phones is a natural fit and major benefit to the consumer."

Tuesday, March 28th, 2006 07:16 pm (UTC)
Lies, all lies, as far as I remember. I think the crypto is breakable (40-bit public key), fancy antennas will get you much longer range, people have demo'd how to break the system. Rather amazing anyone would field such a system. Or perhaps it was all limited to one company's systems, Google it I guess.