Interesting People mailing list archives
Contactless payments and the security challenges
From: David Farber <dave () farber net>
Date: Mon, 19 Sep 2005 11:56:38 -0400
Begin forwarded message:

From: John Gilmore <gnu () toad com>
Date: September 18, 2005 11:44:09 PM EDT
To: "R.A. Hettinga" <rah () shipwright com>
Cc: cryptography () metzdowd com
Subject: Re: [Clips] Contactless payments and the security challenges

http://www.nccmembership.co.uk/pooled/articles/BF_WEBART/view.asp?Q=BF_WEBART_171100

Interesting article, but despite the title, there seems to be no mention of any of the actual security (or privacy) challenges involved in deploying massive RFID payment systems.

E.g. I can extract money from your RFID payment tag whenever you walk past, whether you authorized the transaction or not.

And even assuming you wanted it this way, if your Nokia phone has an RFID chip in it, who's going to twist the arms of all the transit systems and banks and ATM networks and vending machines and parking meters and supermarkets and libraries? Their first reaction is going to be to issue you an RFID themselves, and make you juggle them all, rather than agreeing that your existing Nokia RFID will work with their system. If you lose your cellphone, you can report it gone (to fifty different systems), and somehow show them your new Motorola RFID, but how is each of them going to know it's you, rather than a fraudster doing denial of service or identity theft on you?

Then there's the usual "tracking people via the RFIDs they carry" problem, which was not just ignored -- they claimed the opposite:

    "This kind of solution provides privacy, because the token ID is meaningless to anyone other than the issuing bank which can map that ID to an actual account or card number."

That is only true once -- til anyone who wants to correlates that token ID "blob" with your photo on the security camera, your license plate number (and the RFIDs in each of your Michelin tires), the other RFIDs you're carrying, your mobile phone number, the driver's license they asked you to show, the shipping address of the thing you just bought, and the big database on the Internet where Equifax will turn a token ID into an SSN (or vice versa) for 3c in bulk.

The article seems to have a not-so-subtle flavor of boosterspice. Anybody got a REAL article on contactless payments and security challenges?

John