C. Dewick wrote:
> Bill Bolton <billbolton@[EMAIL PROTECTED]
> writes:
>
>>Matthew Geier <matthew@[EMAIL PROTECTED]
> wrote:
>
>>> Means anyone with a stolen reader can read your details by
>>>just brushing past you.
>
>>Do you have any hard evidence to support this assertion?
>
> I would suggest that the actual ability/equipment to do this might not
> yet exist, but the capability definitely does. As soon as a
> contactless system is put in place it's immediately possible to
> conceive (and potentially create) equipment/methods to do unsolicited
> accessing of personal details stored on cards.
>
> It's a little like Bluetooth, but with the default user notification
> removed.
>
> I agree with you Bill that currently it's something that isn't going
> to really occur here because contactless cards (except for existing
> RFID access control systems) are more or less not used in Australia,
We got a renewed credit card in the post today. It is a Mastercard
"PayPass" "Tap N Go" contactless credit card with a chip. The Tap N Go
feature is limited to $35 - over that and you have to validate with a
PIN and/or signature. If you use it in any other type of reader, it has
the same old verification required.
According to the bank, there are no personal details stored on the card.
I presume that there is a one-time password system [1] built into the
card so that a clone of the data read from the card is not much use
unless you know the secret key built into the card. Unless hackers can
work out the secret key from the one-time password (which means the
whole system is compromised), reading the card from afar is not much
use. Plus the card would advance to the next one-time password and thus
be out of synch with the bank's copy of the one-time password sequence.
> but once banks, through Visa, MC, Diners, Amex, etc. do start
> wholesale issuing of contactless credit/debit cards, and organisations
> like transport companies start using contactless systems, it'll all be
> open to potential abuse without cardholder awareness.
[1] similar in principle to the devices used for logging into some
internet bank sites, such as is optional for Bendigo Bank
See http://en.wikipedia.org/wiki/One_time_password
As an aside, clothing bought from Kathmandu stores seems to have an RFID
tag built in. I wonder if they can detect when you enter a store
wearing one of their products - perhaps they can tell who you are from
the credit card used for purchasing the item you are wearing. Also
maybe they can tell how often you browse without buying anything.
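
An added illustration, not part of the original post and not the card scheme's actual protocol: the counter-based one-time password idea presumed above, using RFC 4226 HOTP as a stand-in to show a replayed code being refused and a card drifting out of sync with the issuer. The `Card` and `Issuer` classes, the look-ahead window of 3 and the sample key are assumptions made for the example.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Card:
    """Hypothetical card: keeps the secret key, advances its counter on every read."""
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def read(self) -> str:
        code = hotp(self._key, self._counter)
        self._counter += 1
        return code

class Issuer:
    """Hypothetical bank side: tracks the next unused counter, with a small look-ahead."""
    def __init__(self, key: bytes, window: int = 3):
        self._key, self._next, self._window = key, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self._next, self._next + self._window + 1):
            if hmac.compare_digest(hotp(self._key, c), code):
                self._next = c + 1  # every counter up to c is now spent
                return True
        return False

def demo() -> dict:
    key = b"12345678901234567890"  # constructed sample: the RFC 4226 test key
    card, issuer = Card(key), Issuer(key)
    first = card.read()
    results = {"first_use": issuer.verify(first), "replay": issuer.verify(first)}
    for _ in range(2):  # reads that never reach the issuer
        card.read()
    results["after_2_stray_reads"] = issuer.verify(card.read())
    for _ in range(5):  # more stray reads than the look-ahead window covers
        card.read()
    results["after_5_stray_reads"] = issuer.verify(card.read())
    return results

if __name__ == "__main__":
    print(demo())
```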

