[LINK] RFI: PayWave/PayPass Contactless Chip Cards

Stephen Wilson swilson at lockstep.com.au
Wed Apr 11 16:20:59 AEST 2012



On 11/04/2012 3:33 PM, Roger Clarke wrote:

>  1. The visible chip is a contact-based chip. That technology is of
>  long standing, but the banks have only recently started using them to
>  reduce the insecurity of card transactions. I've not done a deep
>  audit myself of course, but my position on this aspect is that it's a
>  good thing generally, including for consumers (because it disguises
>  data that would otherwise appear on the mag stripe, or in more
>  primitive systems on the embossing).

The ability of the chip to disguise personal data is important and 
under-utilised.  The ability should be exploited to secure online 
transactions as well as POS & ATM transactions [I declare a vested 
interest: Lockstep Technologies develops commercial online chip based 
security & privacy solutions, for Card Not Present payments amongst 
other things].

In general terms, a chip card's ability to encrypt and/or digitally sign 
the data it transmits to particular parties could also be exploited in 
health & welfare applications, for the benefit of citizens.  Chip cards 
can conduct end-to-end private dialogues with counterparties (like 
e-health providers) without the card issuer having access to the 
content, or even knowing that the communication is taking place.  This 
is what makes smartcards "smart".  It would be good if we could have a 
fresh and sensible community debate about these capabilities in 
government applications, if you know what I mean. ;-)

>  2. The contactless chip that
>  supports Visa PayWave and MasterCard PayPass is embedded in the card
>  (along with the induction coil), and can't be seen.

Actually no, it's all in the one chip now.  A single "dual interface" 
chip talks to the outside world through either the gold plated contacts 
you see on the surface, or an antenna buried in the plastic.  Scratching 
off the contacts need not affect the wireless channel.  Very 
sophisticated smartcards can detect damage to the contacts or other 
elements of the electronics and respond by self-destructing, but banks 
don't invest in that level of security.

Cheers,

Steve.

Stephen Wilson
Lockstep

http://lockstep.com.au <http://www.lockstep.com.au>
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.




