[17751] in cryptography@c2.net mail archive


Re: EMV [was: Re: Why Blockbuster looks at your ID.]

daemon@ATHENA.MIT.EDU (David Alexander Molnar)
Sat Jul 9 23:35:53 2005

X-Original-To: cryptography@metzdowd.com
Date: Sat, 9 Jul 2005 15:12:29 -0700 (PDT)
From: David Alexander Molnar <dmolnar@EECS.berkeley.EDU>
To: Jörn Schmidt <joern2473@yahoo.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <20050709184521.52291.qmail@web60922.mail.yahoo.com>

On Sat, 9 Jul 2005, Jörn Schmidt wrote:

> less attractive to commit credit card fraud. You are, however, not
> making it harder. That's why I believe the credit card companies will
> indeed have a good, long look at smartcards. Probably not tomorrow or
> next week but in the near future.

Actually, smart cards are here today. My local movie theatre in Berkeley,
California is participating in a trial for "MasterCard PayPass." There is
a little antenna at the window; apparently you can just wave your card at
the antenna to pay for tickets. I haven't observed anyone using it in
person, but the infrastructure is there right now.

Here's the MasterCard fact sheet about PayPass:
http://www.paypass.com/fact_sheet.html

It appears to be a contactless smart card/RFID that uses the
ISO 14443 standard for the RF interface. There is some documentation
available, unfortunately most of it restricted to licensees.
https://mbe2stl101.mastercard.net/hsm2stl101/public/login/ebusiness/mobile_commerce/paypass/documentation/index.jsp

You can do some Google searching to find MasterCard's involvement in
standards-setting for EMV via smart cards over the years. From that it is
possible to guess what PayPass might be doing, but I would prefer to know
for sure. By the way, Visa is doing it too:
http://usa.visa.com/personal/cards/contactless/
Chase appears to be issuing them now; you can apply for one online.
www.chaseblink.com

From what I understand, contactless transactions are currently limited to
$25 or less. This should reduce the incentive for someone to carry out the
kind of relay/chess grandmaster attack described by Gerhard Hancke:

"A Practical Relay Attack on ISO 14443 Proximity Cards"
http://www.cl.cam.ac.uk/~gh275/relay.pdf

Hancke and Markus Kuhn have a paper on "distance bounding" protocols to
combat this kind of relay attack. Unfortunately it does not appear to be
on Hancke's web page yet.

One of the nice things about these cards is that they also support the
standard card number on the front and magstripe. So you could imagine a
situation where the number is used as normal until fraud is detected, then
revoked, but the contactless pay capability is not revoked. I have no idea
if that is what they actually do, though.

-David Molnar

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com