Previous Politech message:
http://www.politechbot.com/2005/05/20/rfid-wiggles-its/

-------- Original Message --------
Subject: RE: [Politech] RFID wiggles its way into credit cards? [priv]
Date: Fri, 20 May 2005 10:14:49 -0400
From: Jim Harper <jharper@private>
To: Declan McCullagh <declan@private>

Declan:

I had a sit-down with Visa folks about this because they are aware of my activism (and that of many others) against the State Department's RFID-chipped e-passport.

There is an RFID ISO standard and a "contactless" card standard. Both use radio frequency but they differ in other respects. Generically, they're the same. In detail, they're different.

What matters to me are the crucial differences, along many vectors, from the disastrous e-passport. Most of all, as you recognize, it is offered in the market where people have a right to refuse it. That distinction is fundamental.

The chip and data in the Visa card differ in many other technical respects. The chip has the same info as the magnetic strip (account #, CVV) - not name, nationality, and other vital information as the e-passport would have had. It uses triple DES encryption where the e-passport was going to use . . . none (none relevant, anyway).

Most interesting, I think, the chip will generate a unique number for each transaction that will be correlated to a unique number generated using the same algorithm on the card-issuer side. This will make skimming the card information or eavesdropping on a transaction pretty close to worthless because a criminal would have to know the *next* unique number. And if that system is somehow cracked, the issuer bears the liability for fraud - not consumers or merchants.

The design of the chip and antenna is oriented to very short range reading. I assume, without knowing, that they are going to do better than the State Department did with its choice of chip and antenna.
(Barry Steinhardt illustrated State's poor choice very well at CFP right in front of the State Department guy.) I think mine is a safe assumption because the credit card network has its own money on the line if it fails. The State Department only risked our security - nothing of its own. In fact, it would probably have gotten a bump-up in funding to fix the e-passport if it really screwed it (us) up royally.

Remaining concerns:

1) Criminals could use a reader to determine that you have a credit card in your purse or wallet. Beating you up and stealing it, they could go on a rampage of <$25 transactions (the limit at which the Visa system is doing signature-free payments). The weakness of this concern is that pretty much everyone has credit cards already, so using an RFID reader to detect credit-card-carrying victims would be an improvement on the current criminal art by about 0.01%. The concern is not chipped cards: It's the proliferation of under-$25, signature-free transactions. But, again, the risk of loss is with the card issuer. I don't see a crime wave coming from this. How many times can you eat at McDonald's before a fraud algorithm kicks in and/or the consumer cancels the card? Rational criminals (and most are) will see better avenues, including, one hopes, getting a job.

2) The credit card system will have more information about consumers' lower-dollar transactions. This is an expansion on an existing problem if the data might be passed over to governments for any of their incipient/insipid "data mining" programs. This is not a particular concern with the credit card industry, but with all consumer-oriented businesses, which will continue to have more and more consumer data. They all need to get clearer about when they share data with governments (when there's a proper subpoena or warrant) and when they don't (all the rest of the time).
Likewise, we need to fight things like administrative subpoenas and national security letters, further iterations of which are percolating in Congress even now.

3) The credit card system will have more information about consumers' lower-dollar transactions. This is good, in my opinion, when it's used to tailor products and market them more accurately and politely to consumers. (That would be nice, right? ;-) But information might also pass to insurers, employers, and other economic actors. Before screaming about the unfairness, we should recognize that people's resistance to the idea of insurers knowing about their McDonald's habits is a desire to prevent true information from being used to rate their risk to the insurance pool. I don't eat at McDonald's very much, so that makes *my* insurance more expensive.

Still, I'm ambivalent about wide-scale sharing of data among different economic actors/entities. People who are outright against it should look into the contracts offered by credit card issuers (first by demanding better disclosure of their policies in the application process) and demand contractual protection against these uses if they want it. Do they represent a broad-based consumer interest? We'll find out by whether they sway consumers' choices in the market. If they do not represent a broad-based consumer interest, of course, they will seek legislation which is much easier to gin up than getting the bulk of consumers to dislike something they don't care about or that they might even like.

This latter point gets us into general, bigger data use issues that are only related in passing to the chip in the new credit card.

On balance, I think the contactless payment card is going to be an added consumer convenience. Consumer convenience is good. Lots of people like to react, knee-jerk, against RFID, but there are tons of uses that are going to benefit consumers mightily and I think this is probably one.

Jim

Jim Harper
Director of Information Policy Studies
The Cato Institute

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
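
The per-transaction number described in the message above, as an added sketch that is not part of the original message and is not Visa's algorithm: card and issuer derive a short code from a shared key and a transaction counter, and the issuer refuses any counter it has already passed. HMAC-SHA256 stands in for the card's triple DES computation; the key, the counter window and all names are assumptions.

```python
import hashlib
import hmac

def dynamic_code(key: bytes, counter: int, digits: int = 3) -> str:
    """Derive a short per-transaction code from the shared key and counter."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)

class Card:
    """Card side (hypothetical): holds the key, bumps its counter per tap."""
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def tap(self) -> tuple[int, str]:
        self._counter += 1
        return self._counter, dynamic_code(self._key, self._counter)

class Issuer:
    """Issuer side (hypothetical): recomputes the code, tracks the counter."""
    def __init__(self, key: bytes, window: int = 10):
        self._key, self._last, self._window = key, 0, window

    def authorize(self, counter: int, code: str) -> bool:
        # Reject replays (counter not ahead) and jumps beyond the window.
        if not self._last < counter <= self._last + self._window:
            return False
        expected = dynamic_code(self._key, counter, len(code))
        if not hmac.compare_digest(expected, code):
            return False
        self._last = counter  # this and every earlier counter are now spent
        return True

def demo() -> dict:
    key = bytes(range(16))  # constructed test key, not a real card key
    card, issuer = Card(key), Issuer(key)
    first = card.tap()
    skipped = card.tap()    # a tap that never reached the issuer
    third = card.tap()
    return {
        "genuine": issuer.authorize(*first),
        "replayed": issuer.authorize(*first),   # captured copy of tap 1
        "after_gap": issuer.authorize(*third),  # ahead, inside the window
        "stale": issuer.authorize(*skipped),    # older than last accepted
    }

if __name__ == "__main__":
    print(demo())
```

With a three-digit code a blind guess still matches one time in a thousand, so the sketch shows replay rejection rather than guess resistance.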