RFID credit card 'not a skimming risk'

Just don't carry more than one contactless card in your wallet...

By Steven Deare, 3 July 2006 08:45

MasterCard has dismissed criticism its RFID-based PayPass credit card may be susceptible to skimming and interference amid retailer trials of the technology.

Around 35,000 Commonwealth Bank customers in Australia are currently trialling the cards with selected retail outlets such as 7-Eleven. A scanned PayPass card can make a "contactless" transaction to the value of AU$35 (£14), meaning a signature or identification number is not required.

The speed of PayPass transactions has seen it already widely used in Asia and the US, with seven million cards/devices deployed. In the US, PayPass is accepted by grocery stores, parking stations, pharmacists, retailers, theatres, petrol stations and fast food restaurants.

However, the company is still fighting concerns over the security of the technology.

MasterCard consultant Robert White told a smartcard conference in Sydney this week: "There's been some talk in the market of accidental payment and reading cards in your pocket, and these are perceptions.

"In actual fact, the security is in the application. We don't rely on channel security, we don't rely on protocol security to secure a payment that's in the application."

One conference attendee claimed digital interference could present challenges for the PayPass card if it was carried with other cards.

However, the PayPass cards use an anti-collision technology which can detect other signals, according to White.

He said: "If you've got multiple cards in your wallet, or even worse multiple technologies, then when you put it up to the reader, the reader can actually support many different types of contactless payments. So what would happen is you could actually wake up more than one card.

"So at this point the reader basically doesn't know what to do, it can see two cards for instance. However what we actually do is, on the reader, we know there's more than one card. So unfortunately as MasterCard I can't make a payment decision for you. I can't just select your MasterCard. So what I have to do is I have to go back to you, the cardholder, and ask you what would you like to do...

"It does mean if you have multiple contactless cards in your wallet, you would have to select a card to use."

There were no security concerns from participating retailer 7-Eleven though.

Channel development manager of the convenience chain, David Anstee, said he had not fielded any complaints from franchisees so far in the trial.

Anstee said: "One of the nice things about that is we didn't have to do very much. We didn't have to alter our systems, we didn't have to buy new hardware or do any of that kind of stuff... So we don't want to have to deploy a heap of hardware, we don't have to train a heap of people, we don't want to have to alter our backend systems significantly."

While happy with the trial, he did hope transaction speed could be improved.

He said: "We would like to see something that improves transaction speed. It's particularly important for 7-Eleven... we're focused very closely on queue times and that type of thing. So we want it to be fast, reliable, and certainly not more expensive than the payment methods we're getting at the moment.

"So it's important for us that it's convenient and easy to use and that it's a widely accepted thing."

Steven Deare writes for ZDNet Australia

Comments

There are 10 comments.

  1. anonymous

    The biggest delay I have with credit cards is the authorisation process: go into any store or supermarket during a busy period, spend a reasonable amount of money and you spend minutes waiting for authorisations to go through. Having an RFID card isn't going to speed this up.

    If we have to state which card we want to use (in the UK we have more credit cards than head of population) then we are going to have further delays.

  2. Graham Coles

    So where's their proof?

    I seem to recall the banks also dismissed the possibility of phantom withdrawals from cash dispensers back in the 80s, despite these actually happening. They just said it couldn't happen then, too.

    I'll believe this only when they publish their protocols so it can be verified by security experts. I'd certainly never take their word for it, nor would I use one.

    These cards will remain susceptible to scamming until they prove otherwise.

  3. Simon

    I agree with Anonymous, these things are just too damn slow!

    It's not any one person's/organisation's fault - but nearly everyone should take some of the blame:

    BT - we still have a ridiculous system where products/charges are set to avoid impacting on its leased line cash cow. Packet data over ISDN2 for example is still restricted to an expensive and inflexible subset of what's possible with the result that it's not viable for all but the biggest retailers.

    Coupled to that, we still have the default of using a dial up analogue phone line. If the card companies pushed other alternatives better then perhaps take up of better options might be better - leading to better economies of scale and pressure on the likes of BT to wake up. Of course, these days most places are going to have a permanent internet connection available which should mean no dial up waiting.

    Then we have the retailers that accept this c**p without question.

    Then finally, we the public should be asking retailers why they are still using this slow rubbish when there's so many better alternatives. If retailers demand better, then the card companies will make better offerings available - especially if they can use it as a differentiator.

  4. anonymous

    To Simon:

    The problems you mention all relate to the credit card companies procuring old tech networks for their processing. It has nothing to do with BT, the shops or the public. If you're unhappy with the speed of transactions, complain to your credit card company.

  5. MP

    So this is RFID and PIN I take it, if not it will be as bad/worse than magnetic strip!

  6. anonymous

    I'm not worried about speed...

    ...that's for the likes of 7-Eleven to chase, if it affects their business model.

    My worry is the fact that contactless cards (read the name again) are designed to be read without touching them - which includes without the card holder touching them - so it is absolutely obvious that someone is going to sit in a car park with a laptop and read (viz. take money from) every card which comes within range of their equipment. This kit will no doubt be attached to a 'burner' (rf amplifier) to increase range...

    And if you are naive enough to think it won't happen, cast your mind back to analogue cellphones. Crooks used to sit outside Heathrow and read the Number and ESN of every cellphone, then write into their own phone. They had two weeks of use before you came back from holiday and noticed your bill had increased by a lot...

  7. Roger Huffadine

    £2000.00 and a skimmer transponder to grab details from someone else's card and purchase with their details is yours. Probably illegal for me to offer to make one - but - this is how inexpensive and simple it would be.

  8. anonymous

    Retailers can sack checkout staff.

    It's the only reason for this technology. Period. It doesn't make my life easier. It doesn't make me more secure.

    The whole principle is so obviously unnecessary and insecure, it makes you wonder where the banks keep their brains, or at least their ethics. But, hey, as long as money keeps changing hands what do they care?

  9. Lennie Reeh

    So, when the bad guy grabs all the data from your RFID card, which he can't do from far away because the card does not actually transmit (it uses a varying mutual inductance technique), what's he going to do with the data? Make an RFID card?

  10. Haraldur

    I never use cards, debit or credit, for day to day buying. I only use my credit card when I need to buy over the internet. And I always keep it at home, never on me, so I am not worried about someone getting the information off it. Many of my friends are totally dependent on their cards, so if the card companies would close their cards they would really be in trouble. No, my friends, cash is the best solution. What worries me though is the move towards cashless societies.
