#1 hazel (Linux Engineer, Harrow, UK; joined May 2004)

    Are contactless bank cards safe?


    I have just received an updated debit card which has a built-in rfid chip for contactless payment.

    Mail order catalogues nowadays include aluminium wallets for these cards to prevent black hats from reading your card details. Now I know that these catalogues contain a lot of fruitloopery, such as detergent-free wash balls that supposedly generate ionised oxygen, but I don't know enough about near field communication to know if this is a genuine threat or just FUD.

    Can anyone set my mind at rest?
    "I'm just a little old lady; don't try to dazzle me with jargon!"
    www.hrussman.entadsl.com

#2
    I think there would be a lot more victims if they could scan your card on your person. Your pin is broadcast when you select debit. Run all purchases as credit, not debit, and sign if it is more than $25. If they asked for the security code on the back of the card during the transaction, then maybe they could scam you.

#3 slw210 (Linux Newbie, South Central Florida; joined Apr 2013)
    You might give these a read.

    How Safe is Your Debit Card?

    RFID Blocking Sleeve or a RFID Blocking Wallet?

    I have a stripe card still, probably won't get a chip for a year or two.

#4 Roxoff (Super Moderator, Nottingham, England; joined Aug 2005)
    I work with smartcards for my day job. I'm not certain if this is how the banks do it, but they'd be bonkers not to.

    Generally, the PIN on the card isn't released anywhere - normally you have a signing key on the card, and when you carry out a transaction it would be signed using the on-card key. But this is done on the card: you'd submit a data blob for the transaction to the card, it'd need your PIN to access the private key, which it then uses to sign the transaction before returning the signature to the calling device. Unless someone has access to your chip and your PIN, they can't get at your signing keys.

    We set these things up normally so that the keys are generated on the card and never go anywhere else. Of course, the public key is exported and held by the organisation so they can prove that you signed a transaction using your card. We'd normally not let the card disclose its PIN either - although I'm not sure how banks would be able to do this and still be able to show you the PIN, either through a reminder letter or on any internet banking website.

    Generally speaking, the private key never leaves the card and all signing operations are carried out in its hardware. For NFC transactions, of course, there'd be no PIN entry. If I were setting this up, I'd do it with a second key - one that you didn't need the PIN to access - and for (very) small transactions allow it to be used. The bank would know which key was used, and they'd be able to reject transactions signed with the small-transaction key if it were for too much money. But even in this scenario the signing operation would happen on the card, and you'd not release the keys to anyone.

    Perhaps someone who knows a little more could tell us exactly how the banks handle it?
    Linux user #126863 - see http://linuxcounter.net/
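
    The scheme Roxoff describes, written out as an added example (this is not code from the thread, and not how any particular bank does it): a card that generates two keypairs and only ever exports the public halves, a terminal that hands it a transaction blob, and a bank that verifies the signature and refuses anything over an assumed limit unless the PIN-gated key signed it. Textbook RSA over SHA-256 with a 512-bit demo modulus stands in for whatever a real card uses; the card id, the limit and the transactions are all made up for the demo.

```python
"""Toy model of the two-key card sketched above: keys generated on-card and never
exported, a PIN-gated key for normal use, a PIN-less key for small contactless
taps, and a bank that checks which key signed.  Textbook RSA over SHA-256 stands
in for the card's real signature scheme (an assumption of this example)."""
import hashlib
import json
import secrets

LOW_VALUE_LIMIT = 2000  # pence; assumed contactless ceiling for this toy

def _is_probable_prime(n, rounds=20):  # Miller-Rabin, demo strength only
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if _is_probable_prime(c):
            return c

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)): the card keeps (n, d) and exports only (n, e)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(blob):
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

def encode(tx):  # canonical blob the terminal hands to the card for signing
    return json.dumps(tx, sort_keys=True).encode()

class Card:
    def __init__(self, pin):
        self._pin = pin  # a real card compares in hardware and counts retries
        self._keys = {"pin": generate_keypair(), "low": generate_keypair()}
    def public_keys(self):
        return {name: pub for name, (pub, _) in self._keys.items()}
    def sign(self, blob, pin=None):
        """Return (key_name, signature); no PIN presented -> low-value key."""
        if pin is None:
            name = "low"
        elif pin != self._pin:
            raise PermissionError("wrong PIN")
        else:
            name = "pin"
        n, d = self._keys[name][1]
        return name, pow(_digest(blob), d, n)  # private key used, never returned

class Bank:
    def __init__(self):
        self._cards = {}  # card_id -> the public keys exported at enrolment
    def enrol(self, card_id, public_keys):
        self._cards[card_id] = public_keys
    def authorise(self, card_id, tx, key_name, signature):
        n, e = self._cards[card_id][key_name]
        if pow(signature, e, n) != _digest(encode(tx)):
            return "bad signature"
        if key_name == "low" and tx["amount"] > LOW_VALUE_LIMIT:
            return "PIN required"  # low-value key signed too much money
        return "approved"

def run_scenarios():
    """Constructed transactions exercising each rule; returns {name: verdict}."""
    card, bank, out = Card("1234"), Bank(), {}
    bank.enrol("card-1", card.public_keys())
    small = {"merchant": "cafe", "amount": 350, "ref": "tx-0001"}
    big = {"merchant": "tv shop", "amount": 45000, "ref": "tx-0002"}
    name, sig = card.sign(encode(small))            # contactless tap, no PIN
    out["tap_small"] = bank.authorise("card-1", small, name, sig)
    name, sig = card.sign(encode(big))              # card signs, bank refuses
    out["tap_large"] = bank.authorise("card-1", big, name, sig)
    name, sig = card.sign(encode(big), pin="1234")  # same purchase, PIN entered
    out["pin_large"] = bank.authorise("card-1", big, name, sig)
    out["tampered"] = bank.authorise("card-1", dict(big, amount=1), name, sig)
    try:
        card.sign(encode(big), pin="0000")
        out["wrong_pin"] = "signed"
    except PermissionError as err:
        out["wrong_pin"] = str(err)
    return out

if __name__ == "__main__":
    print(run_scenarios())
```

    Run it and you get a dict of verdicts: the small tap is approved, the large tap is signed by the card but refused by the bank because the low-value key was used, the same purchase with the PIN is approved, an amount altered after signing fails the signature check, and a wrong PIN never reaches the key at all. Real cards and issuers do more than this toy (PIN retry counters, transaction counters against replay), and the online cryptogram on real EMV cards is a symmetric MAC shared with the issuer rather than a public-key signature, so read it as Roxoff's design, not as any bank's.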

#5 droidlizard
    Quote Originally Posted by Roxoff (post #4 above, quoted in full)
    I looked at the two links (thanks slw210), and am wondering, if keys are used thusly, how would one make, for instance, a purchase over the phone, or for that matter the internet? I bank at a small local credit union and members may not see chipped cards for a while. If someone can get your info that easily and call in a pizza, or even worse ten pizzas, that's more than a little unnerving for me.

#6 Roxoff (Super Moderator, Nottingham, England)
    Quote Originally Posted by droidlizard (post #5 above, quoted in full)
    Well, card purchases where the cardholder is not present have been allowed for many years - they handle over-the-phone purchases as they've always done: they use the long number across the front, just like Amazon, Ebuyer and others online. There is no way they'd be able to sign with any key on your card. For large purchases, you'd either be present when the purchase was made, or the bank may well be phoning you on the number they've got registered. They didn't use to do any of that a few years ago.

    In any transaction someone could steal your credit card details and then use them to order pizza. What happens if you hand your card over to a waiter in a restaurant and he takes it away to be rolled or swiped? While it's out of your sight, he could copy the number off the front and the security code on the back. It's more dangerous than buying on the Internet in that scenario. At least when you buy from a big internet company like Amazon, there is no human involved, and they want you coming back time and time again, so they aren't going to steal pizza money from you.

#7 slw210 (Linux Newbie, South Central Florida)
    I don't think the banks do it that way, Roxoff.

    I believe my wife's card has the chip and the stripe; she still has to input the PIN on the keypad at the ATM. Of course, we use it as credit in face-to-face store purchases.

    But, as you say, surely the banks plan to switch fully to what you describe when the chip goes full time, supposedly by 2015.

    Most identity theft comes from phishing, stealing your purse/wallet, dishonest store employees and digging through trash.

    Just be cautious where you use your card.

#8 Jonathan183 (Linux Guru; joined Oct 2007)
    Is the technology bullet-proof - no.
    Is there potential for it to be abused - yes.
    Should the fact the transactions are small compared with others you can make using the same card make you feel any better - personal opinion.
    Is it worrying the detail can be read without actually making physical contact with the card - personal opinion.

    Will wrapping the card in tin foil stop it being read? Possibly; check it out next time you go to your local store with a reader. If the foil prevents the reading you have a cheap solution, and if it does not then you know the metal container must be at least thicker than tin foil!

    People's views about whether it is acceptable for non-contact reading of information and payment will be influenced by who is liable for mistakes.

    I don't have one of these cards at the moment ... but when I do end up with one ... I'll be the guy at the front of the checkout queue unwrapping my card to make a payment.

#9 hazel (Linux Engineer, Harrow, UK)
    Quote Originally Posted by Jonathan183
    Is it worrying the detail can be read without actually making physical contact with the card - personal opinion.

    People's views about whether it is acceptable for non contact reading of information and payment will be influenced by who is liable for mistakes.
    For me this is the point. Phishing is something we can defend ourselves against by using a little common sense. Likewise the scam where they ring you up to say your card's been compromised and ask for your PIN to confirm your identity, then send a rider along to collect the card.

    But common sense won't defend you against the possibility that someone in the crowd around you might simply be able to read the details off your card without you even knowing. If they can actually read your PIN, they could use it for more than small purchases. And how could you prove afterwards that you hadn't given them the PIN?

#10 Rubberman (Linux Guru; joined Apr 2009)
    I recently got a passport card (US) that has an RFID chip in it. It came with a "faraday sleeve" that is supposed to block access to the chip unless you remove it from the sleeve. I also have a signal blocking wallet for my regular passport, which also has an RFID chip. Anyway, these sleeves are available from a number of sources, including Amazon.com.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
