[18519] in cryptography@c2.net mail archive
RFID Payments
daemon@ATHENA.MIT.EDU (R.A. Hettinga)
Tue Sep 20 17:24:38 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Mon, 19 Sep 2005 13:10:26 -0400
To: cryptography@metzdowd.com
From: "R.A. Hettinga" <rah@shipwright.com>
I've got Dave's updated article here, for them as wants it...
<http://www.philodox.com/pdfs/RFID_Payment_Security_2.pdf>
Cheers,
RAH
--- begin forwarded text
 Subject: RFID Payments
 Date: Mon, 19 Sep 2005 17:21:14 +0100
 From: "Dave Birch" <dave.birch@chyp.com>
 To: <gnu@toad.com>, "Bob Hettinga" <rah@shipwright.com>,
 	"Ian Grigg" <iang@systemics.com>
 John (and Bob and Ian),
 Thanks for the interest in the article, which I really appreciate.  I can
 safely say I had no idea that NCC IT Advisor was so widely read!
 >
http://www.nccmembership.co.uk/pooled/articles/BF_WEBART/view.asp?Q=BF_WEBART171100
 >
 >  Interesting article,
 Thanks, much appreciated.
 > but despite the title, there seems to be no
 >  mention of any of the actual security (or privacy) challenges involved
 >  in deploying massive RFID payment systems.
 Please find enclosed an updated draft of a longer version, which I hope
 helps to stimulate this debate further.
 >E.g. I can extract money
 >  from your RFID payment tag whenever you walk past, whether you
 >  authorized the transaction or not.
 You can extract a transaction, certainly.  But not money: the only place the
 money can go to is a merchant acquiring account (if you're talking about
 Visa, MC, Amex schemes).
 > And even assuming you wanted it
 >  this way, if your Nokia phone has an RFID chip in it, who's going to
 >  twist the arms of all the transit systems and banks and ATM networks
 >  and vending machines and parking meters and supermarkets and
 >  libraries?
 Transit is a special case, so let's put that to one side for a second.
 As for banks, supermarkets etc: they're already installing the terminals.
 > Their first reaction is going to be to issue you an RFID
 >  themselves, and make you juggle them all,
 Just like your existing payment cards.
 >rather than agreeing that
 >  your existing Nokia RFID will work with their system.
 No, not really.  Your Nokia phone will become your Visa or MC card and
 therefore work with the terminals.
 Things may develop in a different direction in the world of NFC, but that's
 a different issue (ie, phone as POS terminal rather than phone as card).
 >If you lose
 >  your cellphone, you can report it gone (to fifty different systems),
 >  and somehow show them your new Motorola RFID, but how is each of them
 >  going to know it's you, rather than a fraudster doing denial of
 >  service or identity theft on you?
 Very good point, and this will have to be addressed.
 >  Then there's the usual "tracking people via the RFIDs they carry"
 >  problem, which was not just ignored -- they claimed the opposite:
 Remote tracking is a non-issue with these schemes, the range is too short.
 I'll track the tag on your shirt rather than your card.
 >  "This kind of solution provides privacy, because the token ID is
 >  meaningless to anyone other than the issuing bank which can map that
 >  ID to an actual account or card number."  That is only true once --
 >  til anyone who wants to correlates that token ID "blob" with your
 >  photo on the security camera,
 Or the loyalty card I used in the transaction.  But your point is correct:
 using my MasterCard keyfob gives me privacy from the clerk etc, but of
 course it is not designed to be impervious to correlated data fusion.
 > your license plate number (and the RFIDs
 >  in each of your Michelin tires), the other RFIDs you're carrying, your
 >  mobile phone number, the driver's license they asked you to show, the
 >  shipping address of the thing you just bought, and the big database on
 >  the Internet where Equifax will turn a token ID into an SSN (or vice
 >  verse) for 3c in bulk.
 That's a different kind of privacy.  I am not claiming that the payment
 tokens being introduced provide any kind of anonymity.  Nor do they and nor,
 as far as I am aware, will it ever be one of their design goals.
 >  The article seems to have a not-so-subtle flavor of boosterspice.
 Absolutely.  I love contactless payments.
 >  Anybody got a REAL article on contactless payments and security
 >  challenges?
 Please let me have a copy as I'm interested in anything around this topic.
 And thanks again for taking the trouble to comment: I genuinely do value the
 input.
 Best regards,
 Dave Birch.
 --
 -- David Birch, Director, Consult Hyperion <www.chyp.com>
 --
 -- Tweed House, 12 The Mount, Guildford GU2 4HN, UK
 -- voice +44 (0)1483 468672, fax +44 (0)8701 338610
 --
 -- Digital Identity 6, 25th/26th October 2005 <www.digitalidforum.com>
--- end forwarded text
-- 
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com