Monday, July 31, 2006

Blog Stuff: Does this seem like a good idea?

Yeah, that's just what I want: My cell phone constantly blurting out my Visa number wherever I go... Why not have it broadcast my bank account number and directions to my house, while we're at it?

7 comments:

Standard Mischief said...

I don't know why everyone has a hard-on for contactless financial transactions. Those smartcards that they have elsewhere in the world work pretty well, and they actually require you to put card "A" into slot "B" before anything is transmitted, and nothing is ever transmitted over the ether. That makes it much more secure.

The press release^H^H^H^H^H^H news story didn't indicate as such, but I would hope you would have to press a doohicky on your phone before your charge card number would broadcast over radio waves to the cash register, so that's a little better, thieves would only have a brief moment to snag your number.

phlegmfatale said...

Aw, crap. I knew there was some reason to enjoy the incommunicado state of a road trip - no news like this. And this, of course, is a great idea because NO ONE ever loses or steals a cell phone, ever. *much eye-rolling* This is outrageous and not at all surprising.

ColtCCO said...

Not particularly. I might use one if it had a cap of say, $5 transactions, linked to an account that would be limited to very small withdrawals, and didn't cost me any extra, but I could also just pull a $5 out of my back pocket - Less stuff to go wrong there.

ColtCCO

IZHUMINTER said...

Electromagnetic radiation comes in two forms: "E field" or "far field" radiation (which occurs at greater than five wavelengths from the source) and "M field" or "near field" radiation (which occurs roughly five wavelengths or less). American cell phones operate in two bands depending on the technology, and the near fields for them are about 1.8 meters and about .8 meters. It takes fairly powerful and specialized equipment to actually pull a signal at that distance, so you could probably round them down to 1.5 meters and .5 meters, respectively. Lower the power on the transmitter (to save battery life and allay privacy concerns) and you could easily lower the operational distance down to a couple of centimeters. Add a PIN before any transaction can be completed (like they already use for some smart chip enabled scanners) and you might have yourself a pretty convenient little system.

Now take the system a step or two further: a credit or debit account linked to your phone could let you call for pizza and pay for it at the same time. It's fantastically good for commerce (and bad for undisciplined spenders' pocketbooks) because it would open the door to even easier impulse purchasing. That's where I see the biggest problems, not with intercepting the signal.

Standard Mischief said...

IZHUMINTER,
Your point is well taken, however every year at Defcon they try for a world record in reading RFID tags. The current record is 69 feet.

http://www.technologyreview.com/read_article.aspx?id=14631

I'm unwilling to base security on merely low power RF or magnetic waves. Someone may come up with some kind of phased array fractal antenna mojo.

Those RFID speedpass thingys you use at the gas pump have been hacked. Because they are “promiscuous” they will respond to any query. Because they are silent, they do not indicate to the owner when they are being accessed. To exploit them, the thief would move his laptop within range and then brute force attack the speedpass. Then they could clone the fob and use it to buy gas and stuff. A simple switch on the keyfob would prevent the attack, you would actually need to possess the speedpass fob for a while to brute force it. If you could get your hands on the thing you could just steal it too.

Instead, sometimes the pump requires the user to enter in the billing address zipcode. By adding this level of security, they don't have to recall the physical hardware. They can also use the tag to track you.

Again, the tag is silent and “promiscuous”. In theory, they could not only keep a record of what you buy, but they could also use RFID readers to track you whenever you walk in the store. They could compile statistics on how long you tend to use the restroom, or how long you linger near the sales display, or even when you decide to pay cash. Since it's so inexpensive to data warehouse this information, corporations love to archive this kinda stuff, and if they can make a bit of scratch telling your insurance company that you prefer BLTs over turkey subs, heavy on the mayo, and they think they can get away with it, they would be more than happy to sell it. (through a third party overseas proxy, why give up plausible deniability?)

Naturally, they can record exactly what you buy when you use a standard credit card, but they only get the data when you decide to charge it.

It's just so much better all around when it doesn't squeal until I tell it to.

IZHUMINTER said...

standard mischief-

There are huge differences between this new toy and RFID tags or keyfobs. RFID tags are completely passive and unpowered devices; they require an outside energy source (usually RF energy) in order to function. They are, to simplify things a bit, nothing more than an antenna and a printed circuit. When RF energy is received by the antenna, it is modified by the preprinted circuit and then re-radiated. The stronger the primary emitter is, the stronger the RFID tag will transmit. RFID tags are "dumb": they will operate every time they are flooded with the right energy, no matter what the source is.

This new device, on the other hand, is an actual honest-to-goodness two-way transmitter linked to your phone. That means it can be turned on and off (unlike an RFID tag) and can have quite a few "smart" features (biometric or PIN confirmation of all purchases, ignoring queries from user-defined transmitters, encryption, etc.).

Standard Mischief said...

IZHUMINTER said...
This new device, on the other hand, is an actual honest-to-goodness two-way transmitter linked to your phone. That means it can be turned on and off (unlike an RFID tag) and can have quite a few "smart" features (biometric or PIN confirmation of all purchases, ignoring queries from user-defined transmitters, encryption, etc.).

Gee, read what I said in my first comment:

...but I would hope you would have to press a doohicky on your phone before your charge card number would broadcast over radio waves to the cash register...

and my second comment:

...It's just so much better all around when it doesn't squeal until I tell it to.

Any questions?