[LINK] Contactless Credit Cards in Oz
Alex (Maxious) Sadleir
maxious at gmail.com
Wed Jan 6 17:54:06 EST 2010
On Wed, Jan 6, 2010 at 3:50 PM, Roger Clarke <Roger.Clarke at xamax.com.au> wrote:
> "EMV chip technology ... provides both data protection and
> transaction security via the use of keys and the latest encryption
> "Visa payWave-enabled cards are just as secure as any other Visa chip
> card and carry the same multiple layers of security protection,
> including Zero Liability, which ensures you are not responsible for
> fraudulent or unauthorized transactions. In addition, with Visa
> payWave, you retain control of your card during the transaction,
> which reduces the risk of fraud.
> [Authentication and encryption processes are necessary; but they're
> not easy to implement because of the processor power and time
> constraints. The information provided in the FAQ is inadequate.
> Where's the pointer to the certification written by an independent
> security consultancy and backed up by warranties and indemnities?]
Anytime I see the words "EMV chip technology", I shudder. The cost
cutting on physical EMV smart cards embedded in debit cards, and the
eventual exploits, are well documented. As usual, Visa says "well, the
fraud detection will handle it!".
In terms of the contactless credit card technology, there was a 2006
study conducted by the aptly named "RFID Consortium for Security and
Privacy (RFID-CUSP)" that found not only were the cards skimmable
(that is they could be cloned and used for purchases successfully) but
also that they transmitted the card holder's name in plain text! Visa
and Mastercard responded by removing the card holder text in 2007 .
A successful plain text credit card number reading attack was
demonstrated in 2008 using a merchant RFID credit card reader
purchased off eBay .
More information about the Link