[LINK] RFI: PayWave/PayPass Contactless Chip Cards

Paul Bolger pbolger at gmail.com
Fri Apr 13 13:26:33 AEST 2012


It's not the 'crims' I'm worried about. As we heard recently large
businesses put a huge amount of effort into tracking customers (the story
from the US about Target predicting when female customers become pregnant).
If you have an RFID chipped card in your pocket which answers with a unique
number whenever you go past a reader - and most modern department stores
must be bristling with them by now - it wouldn't take much to build up a
pretty clear picture of who you are, what interests you etc. Use your
credit card (if it's not RFID in itself) while carrying the chipped card and
you'll end up matched. Go back into the same shop, or another which shares
the same database, and you'll be adding to your profile.

I think a good place for privacy lobbyists to start might be to ask for
shops to not be allowed access to identification data from credit cards -
when you pay with a card they should only see that the payment is approved,
not get to record who made it - unless that information is voluntarily
provided by the customer. Of course this does nothing to stop them
tracking you with facial recognition software off the CCTV....

On Apr 13, 2012 2:49 PM, "Roger Clarke" <Roger.Clarke at xamax.com.au> wrote:

> At 17:54 -0700 12/4/12, Rick Welykochy wrote:
> >Wouldn't it make more sense to return the risk of RFID card compromise
> >to the provider of the card?
> >Does it take a class action suit against a bank to raise their awareness
> >that what they have provided their customers is insecure?
>
> The problem is that instances of occurrence of the risk have to be
> detected.  Otherwise crooks prosper at the expense of consumers.
>
> For a card-holder to take advantage of the card-issuer's
> (undertaking? obligation?) to reimburse loss, the following has to
> happen:
>
> -   the consumer has to discover that one or more transactions have
>     occurred for which they deny responsibility
>
> -   that means in practice that they have to reconcile their statements,
>     and do so within whatever 'statute of limitations' the card-issuer
>     imposes on them - currently probably 60 days
>
> -   in order to reconcile, they need something to reconcile against.
>     But for a great many small transactions a receipt has to be
>     requested.  And there are disincentives, such as:
>     -   the look of disbelief on the cashier's face
>     -   the pressure of the queue behind them
>     -   in time, the lack of a working printer, or of any printer
>
> -   in order to have the energy to reconcile, the consumer has to
>     overcome the disincentives, including:
>     -   the huge number of entries that are now on the statement,
>         as a result of the use of the card for myriad small transactions
>     -   the large numbers of unreconciled entries that need to be
>         thought through, to try to reconstruct each day's activities
>     -   the infrequency with which fraudulent entries are found
>         because they
>         -   will tend to cluster, e.g. when someone borrows the card;  or
>         -   will tend to be isolated and semi-random, e.g.
>             -   when the card passes too close to a reader in the
>                 premises of a crooked merchant
>             -   when the card passes too close to a third-party reader
>                 installed in a (for the crim) convenient location.
>                 The example I've used in seminars for the last few years
>                 is embedded in the backs of the seats in auditoria such as
>                 university lecture-theatres
>     -   in time, the likely need to opt-in to receive a full statement,
>         because most consumers will throw away the wads of paper, and
>         card-issuers will seek to reduce their costs (and the usage of
>         paper, electrons, etc.)
>
> For the above reasons, it's likely that only a very small proportion
> of fraudulent transactions will ever be discovered.
>
> That in turn will embolden the crims, creating a non-virtuous cycle
> of 'tried, didn't get caught, try some more', which in turn invites
> conversion from small-time criminality to organised-crime racket.
>
>
> Constructive critiques of the above analysis gratefully received!!
>
>
> --
> Roger Clarke                                 http://www.rogerclarke.com/
>
> Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
>                    Tel: +61 2 6288 1472, and 6288 6916
> mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/
>
> Visiting Professor in the Faculty of Law               University of NSW
> Visiting Professor in Computer Science    Australian National University
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
>
