[LINK] RFI: PayWave/PayPass Contactless Chip Cards
Stephen Wilson
swilson at lockstep.com.au
Wed Apr 11 16:20:59 AEST 2012
On 11/04/2012 3:33 PM, Roger Clarke wrote:
> 1. The visible chip is a contact-based chip. That technology is of
> long standing, but the banks have only recently started using them to
> reduce the insecurity of card transactions. I've not done a deep
> audit myself of course, but my position on this aspect is that it's a
> good thing generally, including for consumers (because it disguises
> data that would otherwise appear on the mag stripe, or in more
> primitive systems on the embossing).
The ability of the chip to disguise personal data is important and
under-utilised. The ability should be exploited to secure online
transactions as well as POS & ATM transactions [I declare a vested
interest: Lockstep Technologies develops commercial online chip based
security & privacy solutions, for Card Not Present payments amongst
other things].
In general terms, a chip card's ability to encrypt and/or digitally sign
the data it transmits to particular parties could also be exploited in
health & welfare applications, for the benefit of citizens. Chip cards
can conduct end-to-end private dialogues with counter parties (like
e-health providers) without the card issuer having access to the
content, or even knowing that the communication is taking place. This
is what makes smartcards "smart". It would be good if we could have a
fresh and sensible community debate about these capabilities in
government applications, if you know what I mean. ;-)
> 2. The contactless chip that
> supports Visa PayWave and MasterCard PayPass is embedded in the card
> (along with the induction coil), and can't be seen.
Actually no, it's all in the one chip now. A single "dual interface"
chip talks to the outside world through either the gold plated contacts
you see on the surface, or an antenna buried in the plastic. Scratching
off the contacts need not affect the wireless channel. Very
sophisticated smartcards can detect damage to the contacts or other
elements of the electronics and respond by self-destructing, but banks
don't invest in that level of security.
Cheers,
Steve.
Stephen Wilson
Lockstep
http://lockstep.com.au <http://www.lockstep.com.au>
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.