|
There are people who have gotten intensely paranoid about paywave thinking that there's a wave of bandits with scanners who pinch money wirelessly from their wallets. Or if they stand too close next to someone at the supermarket they'll accidentally pay for their shopping. I've seen some people actually punch out the chips from their card while others line parts of their wallet with alfoil.
|
# ? Jul 10, 2016 02:20 |
|
|
WebDog posted:There are people who have gotten intensely paranoid about paywave thinking that there's a wave of bandits with scanners who pinch money wirelessly from their wallets. Or if they stand too close next to someone at the supermarket they'll accidentally pay for their shopping. Here's some info on RFID tech and theft. https://www.youtube.com/watch?v=kp63MZ6RudE
|
# ? Jul 10, 2016 03:02 |
|
WebDog posted:I've seen some people actually punch out the chips from their card while others line parts of their wallet with alfoil. My mom actually bought and still uses those aluminized mylar sleeves for her credit cards, even before she got cards with chips.
|
# ? Jul 10, 2016 05:02 |
|
My understanding of how Paywave/Paypass works is that IF your card is skimmed from an rear end in a top hat with a reader, they can use it only until you use the physical card again. Not entirely sure if it's legit, but the only one in danger of ruining my credit is me when drunk.
|
# ? Jul 10, 2016 05:52 |
|
Code Jockey posted:I have a little babby Dell Atom-based netbook with an extended battery, and it makes a pretty decent Arduino development thingy. Also, I figure I could use a USB to serial and use it to manage my network switches too via serial interface, but that would rely on me finding a non-garbage USB to serial interface. In case I haven't spammed about them before or you didn't notice, FTDI make (or at least used to make) good USB to serial interfaces. They cost a bit more but you get what you pay for, and unless you want lots of these things it's not going to break the bank, like roughly $20 vs. maybe $5 for the shittiest ones on the market. Someone else recommended them to me and they don't seem to do the dumb poo poo that the cheap ones do, like stop working until you disconnect and reconnect them at the USB end. No I'm not affiliated with FTDI in any way although I wish they gave me a dollar every time I shilled for them, I'd probably have $5 by now Gromit posted:I love Paywave for the reasons you mention. It's just like having a wallet with cash in it except I don't have to count things out or get change. Yes someone could buy small stuff with my card if I lose it, just like they could with losing my cash. But I can call the bank and immediately cancel my card, which I can't do with my cash. And any stolen purchases made are worn by the card company, not me. It's a win-win all the way. I guess in the end you/everyone pays for theft in fees, but it's like insurance, balancing out the risk across all customers. I figure if some technology like that results in huge amounts of theft, the card processors will have some incentive to fix it, so individual users may as well not worry about that kind of stuff - it's not like just because you choose not to use the technology, your fees aren't going to go up when everyone else on the face of the earth uses it and gets stolen from. 
I guess if someone was really worried about that stuff they should "be their own (terrible) bank" and use bitcoin
|
# ? Jul 10, 2016 06:12 |
|
Those are pretty good points, if Paywave was inherently insecure then it wouldn't exist in the first place. I dunno, it still doesn't quite feel right to me. I think it's because there's not even any kind of confirmation step before the transaction happens. Even just a prompt asking you to confirm the payment before it happens (you wouldn't even need to put in a PIN) would make me feel much better about it.
|
# ? Jul 10, 2016 06:26 |
|
Buttcoin purse posted:In case I haven't spammed about them before or you didn't notice, FTDI make (or at least used to make) good USB to serial interfaces. They cost a bit more but you get what you pay for, and unless you want lots of these things it's not going to break the bank, like roughly $20 vs. maybe $5 for the shittiest ones on the market. Someone else recommended them to me and they don't seem to do the dumb poo poo that the cheap ones do, like stop working until you disconnect and reconnect them at the USB end. Oh right, I do remember someone - you apparently - mentioned options for good adapters. Thanks!
|
# ? Jul 10, 2016 07:18 |
|
Humphreys posted:My understanding of how Paywave/Paypass works is that IF your card is skimmed from an rear end in a top hat with a reader, they can use it only until you use the physical card again. Not entirely sure if it's legit, but the only one in danger of ruining my credit is me when drunk. You can't even do that - the whole point of chip cards is that they can't actually be skimmed, because (unlike swipe cards) the information needed to make a transaction later doesn't ever leave the chip. The only thing you can do is just use the card to make a transaction immediately, which isn't very appealing as a fraudster since it's basically impossible to turn that into actual money without it being trivially traced back to the perpetrator.
|
# ? Jul 10, 2016 07:34 |
|
Buttcoin purse posted:In case I haven't spammed about them before or you didn't notice, FTDI make (or at least used to make) good USB to serial interfaces. They cost a bit more but you get what you pay for, and unless you want lots of these things it's not going to break the bank, like roughly $20 vs. maybe $5 for the shittiest ones on the market. Someone else recommended them to me and they don't seem to do the dumb poo poo that the cheap ones do, like stop working until you disconnect and reconnect them at the USB end. Everyone copied FTDI hardware and used their drivers, because their stuff was the best, then FTDI pushed a driver update (through Windows Update) that bricked all of the counterfeits. It was a huge dick move because it’s difficult to be 100% certain you have legit chips, unless you are the Department of Defense. FTDI still make a good product, but that behaviour really soured me to them. Forget ethical arguments: the surest way to avoid having your chip bricked is to avoid FTDI clones and ostensibly genuine chips. I’d buy from one of their rivals. Even if a clone gets into the supply chain without my knowledge, it’s not going to brick my device. Platystemon has a new favorite as of 08:22 on Jul 10, 2016 |
# ? Jul 10, 2016 08:18 |
|
Has there been any actual confirmed cases of anyone skimming PayWhatever cards just by walking about? I can find heaps on heaps of and scare stories, or stories of someone fiddling with an actual terminal but no actual official police/news reports of someone just walking through a crowd and raking in the mad
|
# ? Jul 10, 2016 10:52 |
|
Croccers posted:Has there been any actual confirmed cases of anyone skimming PayWhatever cards just by walking about? I can find heaps on heaps of and scare stories, or stories of someone fiddling with an actual terminal but no actual official police/news reports of someone just walking through a crowd and raking in the mad This is different from the magnetic strip on a card which is completely passive and just contains the private data, all the authentication is performed by the terminal.
|
# ? Jul 10, 2016 11:33 |
|
Collateral Damage posted:You can't skim a chip or paywave card. Paywave essentially works the same way as the chip, the only difference is the chip is a physical connection while paywave uses a short range magnetic field. Simplified, the chip is a tiny computer that gets powered up by the terminal and exchanges a couple of authentication tokens back and forth with the terminal. The actual private data on the chip is never communicated.
|
# ? Jul 10, 2016 13:26 |
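
The difference described in the posts above between a passive magnetic strip and a chip that answers a terminal's challenge can be shown with a small model. This is an added example, not part of the original thread and not the real card protocol: HMAC-SHA256 stands in for the chip's token computation, and the class names, counter and constructed track value are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample value; not real track data.
CONSTRUCTED_TRACK = b"CONSTRUCTED-TRACK-0001"


def _mac(key, challenge, amount_cents, counter):
    """Stand-in for the chip's token: HMAC over the transaction details."""
    msg = challenge + amount_cents.to_bytes(8, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class ChipCard:
    """The key never leaves this object; only a per-transaction token does."""

    def __init__(self, key):
        self._key = key
        self._counter = 0

    def respond(self, challenge, amount_cents):
        self._counter += 1
        return self._counter, _mac(self._key, challenge, amount_cents, self._counter)


class Issuer:
    """Shares the key with the card and decides whether to approve."""

    def __init__(self, key, track):
        self._key = key
        self._track = track
        self._last_counter = 0

    def check_stripe(self, track):
        # Static data: whoever presents the right bytes is accepted.
        return "ok" if hmac.compare_digest(track, self._track) else "bad_data"

    def check_chip(self, challenge, amount_cents, counter, token):
        expected = _mac(self._key, challenge, amount_cents, counter)
        if not hmac.compare_digest(token, expected):
            return "bad_token"
        if counter <= self._last_counter:
            return "stale_counter"
        self._last_counter = counter
        return "ok"


def demo():
    key = secrets.token_bytes(32)
    card, issuer = ChipCard(key), Issuer(key, CONSTRUCTED_TRACK)
    challenge = secrets.token_bytes(8)  # fresh value chosen by the terminal
    counter, token = card.respond(challenge, 500)
    return {
        "stripe_copy_replayed": issuer.check_stripe(CONSTRUCTED_TRACK),
        "genuine_chip": issuer.check_chip(challenge, 500, counter, token),
        "token_with_new_challenge": issuer.check_chip(secrets.token_bytes(8), 500, counter, token),
        "token_with_other_amount": issuer.check_chip(challenge, 9900, counter, token),
        "token_resubmitted": issuer.check_chip(challenge, 500, counter, token),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A copy of the static strip data is accepted as-is, while a recorded chip token is rejected as soon as the challenge, the amount or the counter differs from the transaction it was produced for.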
|
Collateral Damage posted:You can't skim a chip or paywave card. Paywave essentially works the same way as the chip, the only difference is the chip is a physical connection while paywave uses a short range magnetic field. quote:Simplified, the chip is a tiny computer that gets powered up by the terminal and exchanges a couple of authentication tokens back and forth with the terminal. The actual private data on the chip is never communicated.
|
# ? Jul 10, 2016 15:15 |
|
I guess you could mod a genuine payment terminal with a better antenna and walk around charging people? It sounds like it would have a bad effort:payoff ratio if you could even get it to work, and it should be simple to track the owner of the account the money went to. Still, theoretically possible?
|
# ? Jul 10, 2016 15:18 |
|
Computer viking posted:I guess you could mod a genuine payment terminal with a better antenna and walk around charging people? It sounds like it would have a bad effort:payoff ratio if you could even get it to work, and it should be simple to track the owner of the account the money went to. Still, theoretically possible? Setting wireless skimming aside, there are still a lot of possibilities with physical access to chip cards without actually cloning the chips (which should be impossible). In Europe, chip and PIN cards were supposed to provide a lot of additional protection (basically making it impossible to use stolen physical cards), but it turned out there's a flaw in the protocol that enables a small device sandwiched between the chip's contacts and the payment terminal to convert PIN transactions into pinless transactions, which essentially defeats the entire purpose of having PINs.
|
# ? Jul 10, 2016 15:31 |
|
mystes posted:Another interesting theoretical idea would be relay attacks where one person would wirelessly communicate with a card and another would use another device to essentially use that card at a genuine merchant's terminal in real time (the two devices could easily communicate over the internet at any distance). This probably isn't that practical right now, but it could become more of an issue in the future. Part of the spec defines the allowed latency between request and return on information between the card and the terminal. You'd never be able to have a person far enough away to make it worth it.
|
# ? Jul 10, 2016 19:13 |
|
EoRaptor posted:Part of the spec defines the allowed latency between request and return on information between the card and the terminal. You'd never be able to have a person far enough away to make it worth it. quote:How far away can the fake card be from the genuine card?
|
# ? Jul 11, 2016 01:42 |
|
We use Eagle Cash in the military when on bases abroad; it's a chip card that you can load funds onto at kiosks -- you need the card+pin at a kiosk to load funds. It actually works well enough because unless you're unloading or loading funds, it doesn't touch or have your account info on the card. The funds are stored on the card and the card can be locked immediately if it's lost or stolen, provided you can find a kiosk or office. This allows people to transfer money directly to other Eagle Cash cards as well, so that you can pay someone without carrying around cash. Basically the only system attached to your bank account is the network side, that none of the retailers or cards have access to, which actually puts me at ease because there have been skimming attacks at the POS in a lot of places, and carrying a wallet full of cash is dumb.
|
# ? Jul 11, 2016 10:12 |
|
mystes posted:If so then good, but, for example https://www.cl.cam.ac.uk/research/security/banking/relay/ It's an interesting attack, though doing it practically seems unlikely as: Genuine and fraudulent payment need to occur nearly simultaneously 'yes, I would like to buy this diamond. No, not yet...hold on....nearly ready to pay...is that Elvis there?....yes I definitely want it....did you go anywhere nice on your holidays?... Yes! I will pay now!' Fake card has a bunch of wires hanging out of it that the genuine merchant can't notice 'this? no, I just add this so I won't lose my card, pay it no attention and sell me that diamond' Fraudulent transaction has to take place in genuine trader's premises 'no officer, I don't remember the man who bought a diamond with a fake card as it was a month ago and I am not good with faces. But as I sell diamonds, my shop has 14 cameras that record in HD, so will that be of use to you?'
|
# ? Jul 11, 2016 10:26 |
|
spog posted:It's an interesting attack, though doing it practically seems unlikely as : On the other end, rather than a fake card with wires, wireless payments mean you could just use a physically unmodified NFC-capable android phone (NFC is just RFID) with special software.
|
# ? Jul 11, 2016 10:52 |
|
US cards are in fact PIN and chip, so theory crafting around a no-PIN version isn't very useful.
|
# ? Jul 11, 2016 11:02 |
|
Elliotw2 posted:US cards are in fact PIN and chip, so theory crafting around a no-PIN version isn't very useful. Chip and signature not pin
|
# ? Jul 11, 2016 11:32 |
|
mystes posted:I linked that just because it demonstrated that the protocol itself allows sufficient latency to permit relay attacks in the real world, but in my case I was envisioning that on the end with the real card, the attack would be performed wirelessly, which might be possible since there are no PINs in the US (I believe that researchers have already successfully performed relay attacks against other RFID devices, such as mifare cards). By performing the attack wirelessly, there wouldn't need to be an obvious fake payment terminal; indeed, the victim wouldn't need to know that their card was in the process of authenticating a payment at all. This might ameliorate the timing issue. Ah, I get you. http://www.cs.bham.ac.uk/~tpc/Relay/ http://www.cs.bham.ac.uk/~tpc/Relay/stoppingRelay.pdf It's a pretty demo, but according to their own research, you have at most a 10sec window to complete a transaction: so you'd need to have your victim's card in sight and be ready to make a payment within that small window. With the low max transaction limit on contactless payments, is it worth the effort to steal £30 worth of goods/services?
|
# ? Jul 11, 2016 12:03 |
|
FruitNYogurtParfait posted:Chip and signature not pin Some are chip-n-sig, some are chip-n-pin. Dunno why they don't just all go chip-n-pin, I can punch my PIN in faster than I can fumble with that dumbass little plastic pen and scrawl a completely unintelligible blob on the screen.
|
# ? Jul 11, 2016 13:22 |
|
JnnyThndrs posted:Some are chip-n-sig, some are chip-n-pin. sometimes the screen doesn't recognize finger touch and you have to pin with the pen
|
# ? Jul 11, 2016 13:41 |
|
Most US debit cards that I've encountered are chip and PIN, while most credit cards are chip and signature. I'm in Europe at the moment and oddly my US debit card worked as chip and PIN, but my credit card had to be swiped old school.
|
# ? Jul 11, 2016 15:26 |
|
I just got back from Montreal and most chip credit cards worked. They wouldn't take non-chip debit cards (which sucked since that's what I had) and sometimes they wouldn't take chip + pin debit cards from other countries. And sometimes your poo poo just didn't work even if you had all the pins and all the chips. At least ATMs worked regardless.
|
# ? Jul 11, 2016 16:17 |
|
Of the two chip cards I use regularly (both credit cards, one from Capital One and the other from my credit union), one is chip+sig but depending on the merchant might not require the signature when the chip is used, and the other is chip+PIN, but the PIN can just be bypassed at some merchants. Not to mention the dozens of merchants that have the new hardware with the chip slot taped over, so the card has to be swiped anyway. Southern California.
|
# ? Jul 11, 2016 16:22 |
|
Chip + PIN and contactless has been the norm here (Canada) for years now. Even remote lovely towns with mom & pop grocery stores have Chip & Pin at the least. How does America not have Chip + PIN standard yet??
|
# ? Jul 11, 2016 16:25 |
|
robodex posted:How does America not have Chip + PIN standard yet?? In my time on these forums, I've learnt that for a superpower, the USA is surprisingly rear end-backward in some areas such as telecoms, banking, workers' rights, etc
|
# ? Jul 11, 2016 16:45 |
|
1000 Brown M and Ms posted:Those are pretty good points, if Paywave was inherently insecure then it wouldn't exist in the first place. What. All kinds of poo poo that's inherently insecure gets pushed out into the marketplace and persists there. Probably the number one example is SMTP: it is *entirely* insecure. There's no confidentiality, because SMTP emails aren't encrypted during transport or at any other time. There's no integrity, the protocol does no error checking on its own, it cannot ensure that nobody has tampered with the message en route (The transport protocol has error checking, but if you control any of the nodes along the transport path changing the contents of TCP packets is trivial). It provides neither authentication nor prevents repudiation; literally anyone in the world can just write your email address into the "From:" field in the header and that's that, and because you can't verify that the listed sender actually sent it he can just say "No, I didn't send that." It is entirely insecure, from the ground up, it fails at all four fundamental aspects of information security, and the entire world has been using it for decades. For a more recent and well-known example of something that was inherently and entirely insecure and still existed in the first place: https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal
|
# ? Jul 11, 2016 17:13 |
|
spog posted:...the USA is surprisingly rear end-backward in some areas such as telecoms, banking, workers rights, etc We're not remotely centralized. I used to be a broadcaster, so I was very familiar with federal regulations regarding that industry. It's one of the most-regulated industries in the US...more so than even the banking industry. Think of us as 50 little countries, with laws and regulations just far enough apart to make a noticeable difference, but not so far apart to restrict trade. Short version: our banks are allowed to do whatever the hell they want. When they decide RFID chips on their cards (for example) are the way to profit, that's what they do. I have 2 checking accounts, one for my household and one for my business. Two different banks. One has adopted chip cards, one has not. Pain in the rear end for me? A tiny bit, yes, but not to a degree that would make me switch banks. Both will be 100% chip by the end of the year, because that's what the market now demands. Very short version: just because it's the theoretical best option, that doesn't mean the free market really wants it. The US is a free market, so we're sometimes a bit behind the European hive. Same reason we don't have a rail system or soccer.
|
# ? Jul 11, 2016 21:43 |
|
Lincoln posted:Very short version: just because it's the theoretical best option, that doesn't mean the free market really wants it. The US is a free market, so we're sometimes a bit behind the European hive. Same reason we don't have a rail system or soccer. We have a *huge* rail system, it's just that it's primarily used for moving freight, not passengers. Europe's the other way around, rail's primarily for people and most freight moves by road. Turns out that getting passenger trains and freight to work well on one set of rails is kind of difficult! quote:We're not remotely centralized. This.
|
# ? Jul 11, 2016 21:53 |
|
Phanatic posted:We have a *huge* rail system, it's just that it's primarily used for moving freight, not passengers. Yeah I should have been clear. We do have a truly world-class rail system, it just doesn't haul people. Like, at all. I used to live in Germany, so I've seen the best-possible rail system for people. The US is simply too spread out for something like that to be feasible. For now, cars on highways is our best option. I honestly think driverless cars will start to serve the same purpose in the US as European short-distance surface rail in the very near future, simply because it's what our infrastructure is designed to accommodate. For now, Uber, then driverless when the tech catches up.
|
# ? Jul 11, 2016 22:28 |
Lincoln posted:Like, at all. I used to live in Germany, so I've seen the best-possible rail system for people. Germans will fight you if you say that into their face.
|
|
# ? Jul 11, 2016 22:36 |
|
To be honest, the #1 rule of Public Transit is, even if you have the best transit in the world with no issues, people will always find something to complain about. Transit is always better in a place you don't live in
|
# ? Jul 11, 2016 22:41 |
|
Lincoln posted:I used to live in Germany, so I've seen the best-possible rail system for people. Is this a subtle holocaust joke?
|
# ? Jul 11, 2016 22:42 |
|
Lincoln posted:I used to live in Germany, so I've seen the best-possible rail system for people. So you've been to Japan too?
|
# ? Jul 12, 2016 00:32 |
|
Lincoln posted:The US is simply too spread out for something like that to be feasible. For now, cars on highways is our best option. Sure, if you literally travel hundreds of miles every day to a wide variety of locations. People like saying this while ignoring the fact Europe is larger than the continental US.
|
# ? Jul 12, 2016 02:12 |
|
|
ryonguy posted:Sure, if you literally travel hundreds of miles every day to a wide variety of locations. People like saying this while ignoring the fact Europe is larger than the continental US. Stating that America Is Big is some weird tic they have, just ignore it.
|
# ? Jul 12, 2016 03:10 |