Sunday, December 12, 2010

Contactless Credit Cards and Electronic Pickpocketing

A recent development in the credit card market is the contactless card: just wave it at the terminal to pay.
Providers include
Visa: Visa Contactless, PayWave
MasterCard: PayPass
American Express: Express Pay

In Australia, major banks like Commonwealth Bank, ANZ, Macquarie Bank & NAB are offering them.
Limit: Visa PayWave - AU$100 and MasterCard PayPass - AU$35

Benefits:
  • Greater convenience - no need to carry cash in hand
  • Greater speed to pay
  • Innovative experience
  • Greater security – while purchasing goods, your card will never leave your hands. This reduces the risk that your card details may be copied or compromised in any way.

How Does a Contactless Credit Card Work?
The cards contain RFID chips. Communication between the credit card and the terminal takes place over radio waves, and the data transmission is encrypted. It will work as long as the card is 4 centimetres or less from the terminal. No more swiping or insertion into a card reader; simply tap and go.

Risks & explanations

These chips encode basic information (e.g., account numbers, expiration dates) that can be picked up by point-of-sale RFID readers, eliminating the need for cards to be physically handled or swiped. One possible drawback to this technology is that unauthorized persons might use a card reader of their own and a netbook computer to surreptitiously glean that same information, which is known as card "skimming".
Luckily, the data streams emitted by contactless cards don't include such information as PINs and CVV security codes or, in newer cards, the customer name. Without those pieces of information, a card skimmer should not be able to use the stolen card numbers to print counterfeit cards or engage in Card Not Present transactions.
Payment companies claim that the process of making purchases with the cards involves verification procedures based on powerful encryption that make each transaction unique. Most cards transmit a dummy number that does not match the number embossed on the card, and that number can be used only in connection with the verification token, which is encrypted before being sent.
Alternatively, a stainless steel wallet saves the card ;)
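
A simplified model of the per-transaction verification described above, added here as an example; it is not part of the original post and not any card scheme's actual algorithm. It assumes an HMAC-SHA256 token over a card counter, the amount and a terminal nonce, uses hypothetical names (`card_token`, `Issuer`) and constructed sample values, and shows why a captured dummy number and token are rejected when presented again.

```python
import hashlib
import hmac

def card_token(card_key: bytes, counter: int, amount_cents: int, nonce: bytes) -> bytes:
    """Card side: MAC over the card's counter and this transaction's data."""
    msg = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Issuer side: holds each card's key and the last counter it accepted."""
    def __init__(self):
        self.keys = {}          # dummy (alias) number -> card key
        self.last_counter = {}  # dummy (alias) number -> last accepted counter

    def enroll(self, alias: str, card_key: bytes) -> None:
        self.keys[alias] = card_key
        self.last_counter[alias] = 0

    def authorize(self, alias, counter, amount_cents, nonce, token) -> str:
        key = self.keys.get(alias)
        if key is None:
            return "unknown card"
        if counter <= self.last_counter[alias]:
            return "replay"  # this counter value was already spent
        expected = card_token(key, counter, amount_cents, nonce)
        if not hmac.compare_digest(expected, token):
            return "bad token"  # token does not match counter/amount/nonce
        self.last_counter[alias] = counter
        return "approved"

def demo():
    # Constructed sample values, not real card data.
    issuer = Issuer()
    alias, key = "0000-DEMO-ALIAS", b"constructed-demo-key"
    issuer.enroll(alias, key)
    nonce = b"\x01\x02\x03\x04"
    token = card_token(key, 1, 1250, nonce)
    return [
        issuer.authorize(alias, 1, 1250, nonce, token),  # genuine tap
        issuer.authorize(alias, 1, 1250, nonce, token),  # same message presented again
        issuer.authorize(alias, 2, 1250, nonce, token),  # old token, newer counter
        issuer.authorize(alias, 2, 9900, b"\x09" * 4, b"\x00" * 8),  # number without the key
    ]

if __name__ == "__main__":
    print(demo())
```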

They are already popular in the transport world:
  • Octopus card in Hong Kong (1st ever)
  • Oyster card in London
  • Navigo pass in Paris
  • Suica in Tokyo
  • SL Access card in Stockholm
  • Clipper card in San Francisco
  • Delhi Metro rail

In2Pay Contactless Payment - even iPhone App
Visa and DeviceFidelity collaborated to combine Visa’s contactless payment technology Visa payWave with the In2Pay technology. The microSD memory slot of the iPhone enables a mobile contactless payment device. This applies to any mobile phone.
The In2Pay solution transforms any mobile phone with a microSD memory slot into a mobile contactless transaction device, offering a full-featured user interface that supports multiple mobile operating systems. The In2Pay microSD v2 is Trusted Service Manager (TSM) ready, allowing TSM client software on mobile devices to interact with the In2Pay Secure Element through a new Java-based Application Programming Interface (In2Pay API). The patented TSM-ready architecture of the In2Pay v2 allows TSM providers to support the In2Pay solution without modifying the TSM server designed for embedded or SIM-based NFC solutions. With In2Pay v2, DeviceFidelity builds on the plug-and-play features of previous versions to meet the growing market demand for a mobile contactless solution that can interact with wallet solutions of established TSM vendors and can be issued through multiple delivery channels.

Misc:
Open Project Directory
RFID - Radio Frequency Identification
CVV - Card Verification Value (normally the 3-digit security code on the back of the card)