Swiping Is the Easy Part [telecom]

Swiping Is the Easy Part

By TARA SIEGEL BERNARD and CLAIRE CAIN MILLER March 23, 2011

The cellphone has been more than a cellphone for years, but soon it could take on an entirely new role - standing in for all of the credit and debit cards crammed into wallets.

Instead of swiping a plastic card at the checkout counter, consumers would merely wave their phones.

There's just one hitch: While the technology is already being installed in millions of phones - and is used overseas - wide adoption of the so-called mobile wallets is being slowed by a major behind-the-scenes battle among corporate giants.

Mobile phone carriers, banks, credit card issuers, payment networks and technology companies are all vying to control these wallets. But first, they need to sort out what role each will play and how each will get paid.

The stakes are enormous because small, hidden fees that are generated every time consumers swipe their cards add up to tens of billions of dollars annually in the United States alone.

...


Reply to
Monty Solomon

.......... I'm sorry, but this has to be the biggest crock that I've seen in a while.

The "swipe" function is merely a prox chip that currently is physically located in a flat rectangular piece of plastic; there is nothing special about a phone to contain the same (tiny) prox chip.

The chip could well be placed in your wristwatch or embedded a few millimetres under the skin in your hand; touting phones as getting some sort of new role to carry these chips may push people into changing hardware, but the same outcome could basically be achieved by a knife and some glue.

Reply to
David Clayton

You have to understand that the article was written about the United States. In the USA, the majority of our credit card transactions are carried out using the mag stripe on the back of the card. Yes, we still use 1960's technology for the data entry portion of credit card transaction - thus the term "swipe."

Many other countries use RF based technology for their cards - sometimes a "prox chip," as you call it. We just have very little of it in the USA. There are lots of reasons for this, which we'll skip for now.

The challenge presented in this article isn't what technology is used to transfer payment account information from buyer to seller, but who is collecting the fees for that transfer. When we use credit cards, the credit card clearing banks get their piece of the pie; as they've done for decades. If a phone is used, then the phone company claims the fee - cutting the bank's fee or sidestepping it altogether!

So, while proximity chips and the like can give us a much more secure transaction, the battle royal is between the existing banks and the "upstart" phone companies who want a piece of the transaction processing pie. The technology used is just a means to get to that bite of the pie.

As always, money trumps all.

-Gary

Reply to
Gary

[Moderator snip]

What's more secure about proximity chips in phone versus cards, and how could they be more secure than a magnetic stripe?

I cannot read a magnetic stripe unless I have physical possession; not true with proximity chips.

Reply to
Adam H. Kerman

There is no encryption and no security with mag stripes. A thief can copy a mag stripe onto another card and use it. Thieves copy stripes by "double swiping" them through either an extra card reader or a modified card reader. Some thieves have been known to electronically steal credit card data en-bulk (sometimes from retailers with bad network security) and use it to write to their own blank cards. This is why blank credit cards are shipped with security that is similar to moving cash.

Electronic devices (smart cards, proximity cards, ...) use encrypted communication. Even if the card-to-register transaction is sniffed, it is very difficult to create a copy of the card.

Of course, the back end systems can detect fraud by monitoring for unusual transactions and users can detect fraud by monitoring their account. This is true regardless of the type of card used. Since mag stripe cards aren't very hard to copy, this is a common way for fraud to occur. RF cards reduce this fraud vector by a significant amount.

I wish we had more secure transactions than the mag swipe here in the USA. I've had my card "lifted" at least once due to someone "double swiping" the card. I think it happened at a parking lot at the Bayonne, NJ Cruise Terminal (a.k.a. "Port Liberty.") At this lot, you pre-pay for parking as you know how long you'll be there (the length of the cruise). The attendant swiped my card. When I got back a week later, I checked my account and saw a few small transactions in Brooklyn on a day I was floating around the Atlantic Ocean. I canceled my card immediately, which caused lots of other hassles with my auto payments and such.

While I can't be certain the parking guy had a modified card reader, the circumstantial evidence is very suspicious given the timing and nature of the fraud. He (and maybe his partners) knew that the people paying would be gone for a week. I think the small transactions were tests to see if I'd notice when I got back. If I didn't, I think I'd have been hit with bigger fraud in a month or two. And yes, I did report this to the police in case a larger criminal ring was behind it.

If I'd been able to use an RF card, it would have been much harder for the thieves to lift it. Next time, I'll use cash.

-Gary

Reply to
Gary

Prox chips are much harder to clone. If you can read the stripe on someone's card, you know everything you need to know to make a copy of the card. This is why there are ATM skimmers.

R's, John

Reply to
John Levine
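An added illustration of the point made in the two posts above (not code from any poster): a copied stripe is static data the issuer cannot tell from the original, while a chip reply bound to a fresh terminal challenge and a counter fails when replayed. This is a simplified challenge-response model using an HMAC, not the actual EMV cryptogram algorithm; every class and function name, the card number and the stripe contents are constructed for the example.

```python
import hashlib
import hmac
import os

def mac(key, pan, nonce, atc):
    msg = pan.encode() + nonce + atc.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0
    def respond(self, nonce):
        self.atc += 1  # counter advances on every transaction
        return self.atc, mac(self._key, self.pan, nonce, self.atc)

class Issuer:
    def __init__(self):
        self.tracks, self.keys, self.last_atc = set(), {}, {}
    def issue(self, pan, track):
        self.tracks.add(track)
        self.keys[pan] = os.urandom(16)  # secret shared only with the chip
        self.last_atc[pan] = 0
        return ChipCard(pan, self.keys[pan])
    def authorize_stripe(self, track):
        # Static data: a byte-identical copy cannot be told from the original.
        return track in self.tracks
    def authorize_chip(self, pan, nonce, atc, cryptogram):
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False  # unknown card or stale counter
        if not hmac.compare_digest(mac(key, pan, nonce, atc), cryptogram):
            return False  # reply was not computed for this challenge
        self.last_atc[pan] = atc
        return True

def chip_purchase(issuer, pan, respond):
    nonce = os.urandom(8)  # terminal picks a fresh challenge per purchase
    atc, cryptogram = respond(nonce)
    return issuer.authorize_chip(pan, nonce, atc, cryptogram), (atc, cryptogram)

def demo():
    issuer = Issuer()
    pan = "4000000000000002"  # constructed test number, not a real card
    track = pan + "=30121010000000000000"  # constructed stripe contents
    card = issuer.issue(pan, track)
    genuine, sniffed = chip_purchase(issuer, pan, card.respond)
    replayed, _ = chip_purchase(issuer, pan, lambda nonce: sniffed)
    return issuer.authorize_stripe(track), genuine, replayed

print(demo())  # order: copied stripe, genuine chip, replayed chip reply
```

The secret key never leaves the card or the issuer in this model, which is why observing one exchange gives a listener nothing reusable.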

The proximity chips in credit/cash cards in Europe have a PIN associated with them that needs to be entered at the same time.

Presumably, the smartphone system would have some sort of control over PIN input interface with some level of control of what data can leave the NFR chip rather than just having a contactless chip embedded in the phone case somewhere.

Reply to
Doug McIntyre

The "swipe" function comes when your chip, rather than the chip of the guy in front of you or behind you, gets charged for someone else's purchases. This can be either accidental or intentional. I've observed it happening with Mobil SpeedPass (one guy handed his SpeedPass over the other register, which probably had something to do with it, although how they each managed to get the other's charge on their SpeedPass rather than both on one is not obvious). It was discovered because the guy driving a semi bought much more gasoline than the guy with the car could possibly fit in his tank, and the guy with the car looked at his receipt.

In proposed or actual systems to be installed in phones in the USA, what is the connection of the phone and the prox chip (beyond two devices super-glued together)? Do they share anything except perhaps battery power? Is the phone (data or voice) used for any purpose during the transaction? Does the prox chip work on a phone with no service (due to not subscribing or failure to pay the bill) or with no service (due to being far away from a cell tower) or with a dead or removed battery? Does the prox chip work on a GSM phone with no SIM card? Is there a way to lock the prox chip?

Can a virus on the phone charge something? Could it leak information (by "phoning home") sufficient to charge something?

I carry a number of cards in my wallet and I carefully choose which card to use for a particular transaction (considering, among other things, which cards the merchant accepts, the balances if any on the cards, and what I'm buying and rewards for that type of purchase). How do I do that (select which card to use) with a phone-prox chip?

This just screams "DESIGN ERROR"!

Reply to
Gordon Burditt

AFAIK *all* of these payment authorisation systems are based on physical tokens. The card with the mag stripe is just one sort of token (as it was before mag stripes were created and physical card imprints were taken). The card with the "Smartcard" chip in it which requires insertion into a terminal is another token, and the cards with the prox chips in them are also just another type of token.

All of these tokens are (currently) issued and controlled by financial institutions and require authorised back-end infrastructure at a vendor to be utilised. How a "phone" gets involved in this system has me baffled.

Currently the "Contactless" transactions use a prox chip token device (on a card) swiped within a short distance of a terminal device to process a transaction; I see nothing special about a "phone" that can replace the prox chip - with all the security etc. - that these financial institutions issue.

The last thing financial institutions would want are phones capable of imitating prox chips (even if that was technically possible), so my question remains - what was that nebulous article actually about?

The *only* [time] I have seen "phones" replace existing tokens is when using them with barcodes on their displays to replace physical items like Boarding Passes at airports or entry Tickets to venues - and I'm pretty certain that sort of thing won't apply to financial transactions.

Reply to
David Clayton

There's also a contact version of EMV chips. Every credit and debit card in most countries other than the US has one. I don't entirely understand why the US banks are going straight to contactless.

R's, John

***** Moderator's Note *****

Maybe it's because they let the _other_ guys do the scut work for a change? Perhaps it's because they had an attack of common sense, and decided to let someone else do free R&D?

Bill Horne Moderator

Reply to
John Levine

ObTelecom: The Europeans did smartcards first so they could do offline authorization. The card itself knows its authorization limit. That's because it was a lot more expensive to make phone calls than in the US, where for a very long time all but the tiniest card transactions are authorized online with the bank.

R's, John

Reply to
John Levine
