December 14, 2003

A Technology Which Isn't Learning From Wi-Fi - Radio-fueled credit cards could end swipe - Dec. 13, 2003

OK, RDIF credit cards are a BAD idea. Even with encryption. Let me explain.

First, let's just look at the problems we have with security in the first place with the radio-based technologies that we have: Wi-Fi and cell phones. Basically, you have three major security problems.

The first major security issue is this: you're broadcasting your information. Radio is a broadcast; this means you can, given enough ability to recieve weak signals, pick up said radio signal at long distances. Note that you can pick up Wi-Fi signals at mile distances with the right equipment -- and you can pick up cell phones with modified scanners or old TVs (cell phones use the spectrum that used to be high UHF channels.) Don't expect that these things, despite being low-powered, will not be picked up by someone inside of the store. Or by someone while you're passing by. Or by anyone with the technology.

The second security issue harkens back to one of the first issues with cell phone security. Cell phone companies had taken the time to put in some simple security on some of their cell phones. I forget the details on it -- it's been a few years -- but the companies had put in the capability to have high security... and then put in security codes that set most of the digits to zero.

Mastercard is using 128-bit security... which can be secure. But if you have a known value -- like your credit card number -- you can possibly crack the code. It cuts down the security. Also, if the 128 bit security is the same for every card, then it's basically a joke. American Express, though, isn't saying how they're doing their security. I can understand American Express not wanting to broadcast how they secure their cards. But when they don't, and are broadcasting your credit card number, that's not responsible either; a two-bit password isn't a secure transaction. A 512 bit passcode, used properly, is. But we won't know unless they say how it's being secured.

The final security issue is the same as you have with Diebold computers: they want to skip the paper trail with this, and that ain't right. Without a paper trail, I have to take the company's word on this that I have not had my credit card stolen or false charges placed on them -- and who hasn't had a mistaken charge on it that didn't show up when they balanced their card? It's not uncommon for a mistake to happen. It's insane to trust the company that you owe money to, to bring up false charges.

These are just 3 off the top of my head -- and I'm sure there's more. It's a bad idea. Watch out.

Posted by Ted Stevko at December 14, 2003 04:39 PM | TrackBack