RFID Journal Blog
Where the RFID Community Shares Ideas

The NFC Debate Continues

By Mark Roberti

I received flak for my recent blog on Near-Field Communication (NFC) payments being safe (see Yes, Contact Payments Are Safe). Some posters rightly pointed out that there are issues with over-the-air security patches, and several security experts were angry that I suggested everyone in their business tries to scare consumers. One described my article as "incendiary" because I wrote, "So security experts can try to scare people, but the truth is, consumers don't appear to have much to be concerned about at this point."

"Not all security experts are trying to scare people," I was admonished. That person, who is in the security industry, didn't defend the original security expert's comments that I was criticizing in my blog, but did point out that security experts play an important role in exposing security flaws in new technologies so they can be fixed.

It's true—there are many very ethical security experts, and security consultants and companies can play a role in helping expose potential problems before criminals exploit them. And I welcome comments from those who legitimately want to address potential security problems with RFID systems in a helpful way. But all too often, people focus on one potential problem without looking at security as a whole. It's sort of like saying windows are a great security flaw in houses because you can break them and get inside, while ignoring alarm systems, safes and other security measures deployed in those homes (not the best analogy, I admit, but you get my point).

In that blog, I was reacting to a comment in a Reuters story claiming NFC phones "pose the greatest future threat to the security of consumers' financial details." I think that statement is irresponsible, and potentially damaging to the adoption of NFC technology. There are legitimate concerns about NFC transactions, as some of those who responded to my original posting pointed out, but we need to consider all of the security mechanisms involved and put the problem in its proper context.

Security is multifaceted and includes both technology and business processes. Last week, I took a trip to Cancun, Mexico, to speak at ADT's RetechLA 2008 event. After I checked into the Hilton Cancun, I received a call from the front desk saying my card had been declined. I went downstairs, got on the phone with my credit-card company and satisfied them that I was the legitimate card owner and was, in fact, in Mexico, and they removed the block on my card.

The company had blocked my card because its use in a foreign country had indicated a potential problem. Credit-card companies also limit NFC transactions to less than $25 to reduce their potential risk, and they will deploy systems that will indicate potential fraudulent activity, and put a block on transactions with your NFC phone, if they detect a problem.

It's also worth noting that the level of security must be commensurate with the risk involved. By that, I mean the level of security that can be implemented depends on an item's cost, or the transaction being protected, as well as on convenience. It would not make sense to implement security that costs $5 per transaction for a $10 transaction. Nor would it make sense to ask consumers to provide a DNA sample every time they used their credit card to prove they were who they said they were.

The level of security in NFC phones must not be so onerous that those transactions take four times longer than swiping your mag-stripe card. Thus far, fraud involving NFC transactions has not yet been a huge issue, but I think it's fair to say that's probably because they are not currently in widespread use. Criminals will focus on a new technology when there is an opportunity to utilize it to make significant money (they do cost-benefit analysis, too).

It's important to address security issues in an open, balanced way, and I encourage those with expertise to continue posting on our forums and blogs. Those in the NFC Forum are invited to explain their position. I think it's fair to say that both those who make NFC systems and security experts want to see the technology evolve in a secure manner that serves consumers and businesses alike. That can only happen if we address the issues openly and responsibly.

Mark Roberti is the founder and editor of RFID Journal.


3 Comments

M-payments to Prevent Skimming
We all know mag card skimming is a 2 billion dollar strong...when I was in Symbian I designed a queue-free transaction system, self scanning by an RFID enabled phone and wireless payment through messaging component on Symbian directly to retailer's bank account (without sharing) and the retailer's bank in turn sends the list of items to be released...all that retailer needs is payment, they don't have the need to swipe, view, store customer's CC info...in majority of skimming cases from bars in dark areas...the mag card is swiped into a skimming device and CVV noted...the user's phone does both the halves...transaction validation and payment authentication (like an embedded POS) and this could be a boon to the retail industry stores where at least 10% of customers drop the shopping carts frustrated by the long queues...or get a phone call and leave...(advantage retailer) where does the need for NFC or mag-stripe arise when we can put money straight in the retailer's account against the list of items scanned...for a buz free exit. Thus making it old fashioned to share CC information to retailers insecure, prevent potential skimming.

Posted By: Venkat Nemani 7/8/08 at 11:16 PM

A WINNING METHOD
Thank you for pointing out the importance of being fair and balanced.

Addressing the issues openly and responsibly is exactly what it will take to arrive at a reasonable solution. A Fort Knox level of security is neither always necessary nor is it even the best solution. Understanding the holistic environment is what it takes.

Posted By: Mike Ahmadi 6/19/08 at 3:43 PM

Security & Trust
It seems the payment industry will discuss this topic for a while.
Yes, there are security gaps to cover, but I believe these issues are not just security problems; in the long run they are also a "TRUST" issue.

First of all, let's admit that even though NFC has been discussed/implemented in some parts of the world a bit longer than in Europe and the US, it is very much "new" to most people.

Secondly, I'm not a sociologist, but I think that people rely on the things that they have known for years.
And yet this is a very new technology and no one is using it!

Forget about CVV or cloned cards; the card carries the PAN and expiry date and CVV2 on it, not "in" it nor encrypted.
If you are good at remembering the numbers, you do not even need a tool to commit fraud. But we are still using our cards.

You know why? Because we (most of us) trust the system and we (most of us) feel comfortable about using it.

This does not mean that we should ignore the issues which are underlined by the experts, and yes, we should keep discussing it, but I also totally agree that these discussions should be "fair".

Posted By: CAN BAYINDIR 6/19/08 at 3:20 AM