A Simple Swipe on a Phone, and You're Paid [telecom]

Not really; the point was that electronic validation (chip card + PIN) was going to be enforced because signature validation was too insecure. Now, for low-value transactions, that level of security is being discarded.

The current paradigm here is that if you haven't done something stupid like write/keep your card PIN anywhere near your card then any fraudulent transaction isn't your problem. What happens with a card or phone that is flashed at a reader to do a transaction is anybody's guess.

Will card companies wear any fraud incurred by stolen phones/cards where there is no need for additional authentication, or will this end up as another nasty new surprise for users of this technology?

As the title of this thread says, "A Simple Swipe on a Phone, and You're Paid", but whose phone?

-- Regards, David.

David Clayton Melbourne, Victoria, Australia. Knowledge is a measure of how many answers you have, intelligence is a measure of how many questions you have.

David Clayton

For several years 7-Eleven stores in the metropolitan Oklahoma City area have posted on the gas pump the authorization limits for each card company for transactions without a signature or PIN. More recently drug stores have stopped asking for signatures on a charge below a certain amount. At Walgreen's it's $25. If your card company on its web site shows "pending transactions" you'll find a $1.00 pending charge at any gas station at the pump, which goes away when the full charge is posted a day or two later. Also a PayPal payment the same way. I assume this assures that the card is for a valid account and will be honored up to the limit by each card company.

Wes Leatherock snipped-for-privacy@aol.com snipped-for-privacy@yahoo.com

Wes Leatherock

10% to 20%? You obviously haven't shopped around. Most front load with 10 or 20 cents and then 1% or 2%. Say you swipe the card for $20.

The fee would be $0.20 + 2% of $20 or $0.40. The total fee would be $0.60.

By your rates it would be $2 to $4 for that $20 transaction. BTW, the rates I provided are what Google Checkout charges.

T

They're also going for the easily hacked award too. Know how easy it would be to read those little swipe cards in a casual setting? Only have to get within a foot or two to read it, store the data, then write to your OWN card.

T

Definitely. This reminds me of the 4-part article the IEEE Spectrum ran in the early 1970s highlighting the eleventy-seven bazillion things wrong with BART ((San Francisco) Bay Area Rapid Transit

Thad Floryan

It is my understanding that the comms between these chip cards and terminals is all encrypted with inbuilt keys so any monitoring would be as useful as capturing an HTTPS session on the 'net.

There are very good reasons these things are moving away from simple encoded card numbers on a mag stripe.

-- Regards, David.

David Clayton Melbourne, Victoria, Australia. Knowledge is a measure of how many answers you have, intelligence is a measure of how many questions you have.

David Clayton

A few months ago, Citicards issued me a new card. Today, I noticed a logo for "Paypass" on it. According to Wikipedia, it is an RFID scheme.

Now, how to disable it? I notice lots of stuff on Youtube about defeating the chip. I'm going to study this stuff.

Richard

Richard

Not really. It's an EMV chip.

If you're thinking it's like an inventory tag, and it just broadcasts what's on the mag stripe on your card, it's not like that at all. EMV cards run a complicated crypto protocol, and even if a bad guy could eavesdrop on the conversation, he could only steal money using a rather complex man in the middle attack that you're not likely to see on a random gas station terminal.

The Wikipedia article has a good overview, and a discussion of some of the security issues (with contact EMV chips, which use the same protocol) found by people at Cambridge U. in England.

R's, John

John Levine
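
The point in the post above, that an eavesdropped chip-card exchange cannot simply be copied to another card the way mag-stripe data can, shown as a simplified model. This is an added example, not code from the thread or from the EMV specifications: HMAC-SHA256 stands in for the real cryptogram calculation, and `ToyCard`, `ToyIssuer` and the card number are constructed names and values.

```python
import hashlib
import hmac
import os

def _message(pan, amount_cents, nonce, counter):
    # Every field the cryptogram covers, in a fixed order (hex nonce avoids delimiter clashes).
    return f"{pan}|{amount_cents}|{nonce.hex()}|{counter}".encode()

class ToyCard:
    """Constructed model: the key never leaves the card; the counter rises per transaction."""
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def sign(self, amount_cents, nonce):
        self.counter += 1
        mac = hmac.new(self._key, _message(self.pan, amount_cents, nonce, self.counter),
                       hashlib.sha256).digest()
        return self.counter, mac

class ToyIssuer:
    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def enroll(self, pan, key):
        self._keys[pan] = key

    def authorize(self, pan, amount_cents, nonce, counter, mac):
        key = self._keys.get(pan)
        if key is None or counter <= self._last_counter.get(pan, 0):
            return False  # unknown card, or counter already used (replay)
        expected = hmac.new(key, _message(pan, amount_cents, nonce, counter),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False  # amount, nonce or counter differs from what the card signed
        self._last_counter[pan] = counter
        return True

def demo():
    key, pan = os.urandom(32), "4000000000000002"  # constructed test values
    card, issuer = ToyCard(pan, key), ToyIssuer()
    issuer.enroll(pan, key)
    nonce = os.urandom(4)                   # terminal's fresh challenge
    counter, mac = card.sign(2000, nonce)   # a listener sees pan, nonce, counter, mac
    return {
        "genuine": issuer.authorize(pan, 2000, nonce, counter, mac),
        "replayed_verbatim": issuer.authorize(pan, 2000, nonce, counter, mac),
        "new_nonce": issuer.authorize(pan, 2000, os.urandom(4), counter + 1, mac),
        "new_amount": issuer.authorize(pan, 9900, nonce, counter + 1, mac),
    }
```

Only the first authorization succeeds; the captured values fail once the counter has been used, and fail again when presented against a different terminal challenge or amount, because the listener never learns the key.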

How vulnerable is it to a paid-the-wrong-bill "attack"? (Or paid-the-other-guy's-bill-too "attack"?) I'm not sure there's much profit in doing this, or that it can be done deliberately with any consistency, but it's still a headache. I saw this happen at one gas station, I think with Mobil Speedpass. Two people were paying for their gas at two very-close-together registers, and I was waiting behind them to pay with one of those insecure magstripe cards. One grabbed his receipt and took off for his 18-wheeler. The other one looked at his receipt, then complained that he couldn't possibly put that much gas in his compact car. The clerk flagged the guy who had left and straightened out the bill, which had gotten swapped between the two. I am not sure either were above the limit where they needed to enter a PIN.

The main problems with these systems are that the burden is on the customer to prove that he didn't deliberately reveal his PIN, and it's impossible to prove a negative.

I like to think that I can't accidentally pay something I don't know about any time I open my expensive Faraday-cage wallet (say, to remove cash).

Gordon Burditt
