Slashdot: Would You Trust RFID-Enabled ATM Cards?

Slashdot posted an article on RFID-Enabled ATM Cards by one of its readers, race_k2. As is commonly the case, the comments at Slashdot tend to be more entertaining and occasionally more informative than the article itself. This post highlights some of the comments that have stood out to me thus far. But first, here are some quotes from the article:

The Article

race_k2 writes:

“As a regular Slashdot reader I’ve followed the development and implementation of RFID devices in many ubiquitous areas such as clothing, passports and even people. Given that our environment is becoming increasingly tagged, often without our knowledge or consent, and can be monitored or hacked by anyone with the proper hardware, skills and motivation, I viewed the recent arrival of two new ATM cards containing RFID chips with skepticism. While this feature may bring the increased convenience of speedy checkouts, it is not something I am completely comfortable using and decided that the safety of my personal data was more important than the ability to buy things quickly. The vulnerable nature of RFID security coupled with recent, though unrelated, reports of a Possible Security Flaw In ATMs make me seriously question whether the marriage of wireless data transfer with personal finance is a wise application of technology.”

[...]

“My concerns were well received by representatives at Chase and after checking with a supervisor the rep said that a new chip-less card was on its way. On the other hand, the people at HSBC could not fathom why I would not want to have this fantastic new technology in my pocket everywhere I go. The customer service agent said that cards without RFID tags were simply unavailable and I could opt to not use the feature at checkout. The concept of unauthorized reading of the ATM card by a mobile RFID scanner fell on deaf ears and questions regarding the level of security on the RFID ATM card chips were not answered to the technical level that I was hoping for. The stated ‘Don’t worry, we use encryption’ did little to allay my concerns.

Is the unauthorized access of sensitive personal data on an ATM card chip by a home-brew RFID scanner a real possibility? Will we have to worry about the spread of RFID viruses to our back pockets and purses? Finally, are there any passive methods to permanently inactivate an RFID chip without having to resort to its removal or destruction?”

My Thoughts

Immediately upon reading the above article, I was irritated by the fact that these card companies aren’t even educating their customer service departments appropriately in order to field questions from people who are genuinely scared (and rightly so) of RFID chips in conjunction with finance. When race_k2 discussed his experience with HSBC, the fact that his questions were whizzing over the rep’s head and received dumb, uninformative answers is sad. Perhaps it was that specific representative…but I doubt it.

When companies (and governments) adopt such a risky technology in their products and don’t include an opt-out, they should publicly field questions in a highly visible ‘arena’ to bring the issues out in the open! This would help the company decide on the appropriate direction to take with RFID, as there may be issues they are avoiding due to ignorance; it would also help consumers make decisions about the company immediately rather than wasting both the customer’s and the company’s valuable time.

That’s never going to happen…but it’d be nice :D Anyways…on to the comments:

The Comments

The article asked its readers for their opinions on the following questions:

  • How safe and secure are the RFID chips that are being embedded in debit and credit cards?
  • To add another issue on to the fire: Would you trust RFID technology on your cards?

Here are a couple responses that I found interesting:

These two comments were regarding the disabling of the RFID chips themselves. I’d be curious to know how effective/successful these ideas are.

  • Ice Wewe writes:

    Just wrap the card in Tin foil. You can keep the magnetic strip (assuming it still has one) uncovered so that you can still check-out the old way. That’s the only non-destructive way I’m aware of for disabling an RFID chip.

  • brunes69 writes:
    Nuke it

    An RFID chip will fry in seconds in a microwave. It takes much longer than that to affect the plastic. And the magnetic stripe will not be affected at all, until the plastic starts to melt.

    Putting the card in the microwave for 3-5 seconds should do the trick. The worst that can happen is you ruin your bank card, so just go to the bank and get another. They don’t cost anything.

This post raised my eyebrow:

  • value_added writes:

    Funny ha ha, yes, but has anyone noticed that many science-fiction movies of recent years have included as a plot device one of the characters embedded with some sort of implant (in the brain, under the skin, etc.) or added to some common item (clothing, watch, pen, etc.) that was carried around? I recently watched Jonathan Demme’s The Manchurian Candidate [imdb.com] on cable and it occurred to me that such a scenario doesn’t have to involve a conspiracy of the highest order to be successful or involve a high-concept goal; unwitting or passive acceptance would work just fine, and the goal can be mundane but similarly insidious.

    My guess is that monitoring technologies in various forms will increasingly become part of our daily lives. RFID chips, for example, seem destined to be everywhere [wikipedia.org], and while it’s up to each of us to be as vigilant as the article’s poster, the future will play out as a constant game of catch-up and workarounds for the select few in the know. Computers are part of our daily lives but knowledge of them is superficial at best. Should we expect the average person to have an inkling of how other technologies that come in smaller packages work?

    Have you scanned yourself, lately?

A comment on security:

  • arivanov writes:

    Not surprised about HSBC. In fact surprising about some sense from Chase.

    HSBC recently forced me to subscribe to the Verified by Visa marketing pseudosecurity garbageshiteware gimmick (the only one of cards I have that actually forced me to do so). During the subscription process I found out that the idiotic subscription interface does not maintain state with most non-mainstream browsers. In fact if you use Konqueror (or play around with your browser a bit) you can cruise through it with flying colours without it asking for verification information, passwords and the like. I was seriously tempted to go all the way and register a few cards for entertainment purposes, but end of the day decided not to.

    So I tried to get the wankers which run the “HSBC Goodness Gracious Me” call center to give me a security contact and a reference to report the bugs. Guess what – they neither understood the concept of “Your credit card interface has a major security flaw”, nor could provide a contact. Still better than Amex though. Under similar circumstances 4 years ago when I tried to contact the Amex security dept with a similar bug they subscribed me to a mandatory 60 days of phone marketing and email marketing for good measure.

    Frankly – they have no clue. Banking security at its best. Understanding is not required, BS and ISO numbers are.

And of course, a rather humorous post after a tool posts his opinion:

  • The tool: Groo Wanderer writes:

    I would, but everyone seems to forget that you can have RFID and a PIN or other second form of ID. I would have no problem as long as there was an OPTION for a second method of authentication to be applied.

    Sure, it would cut down on convenience, but only a little, and would more than make up for it in added safety.

  • The level-headed responder: writes:

    Tell you what, why not post your card details here (including the three digits on the reverse), but NOT THE PIN, and we’ll see how many of us can buy something with it.

    Willing to stand by your statement? Are you sure you still don’t have a problem with other people having access to your card data?

And the comment that is one of my biggest concerns regarding RFID chips in ATM Cards is as follows:

  • inviolet writes:

    With an RFID-enabled credit card, the credit card company is the first line of defense against fraudulent usage. The customer is only secondarily responsible, and in any event does not lose any cash or interest. So, you can be certain that the security system and the implementation will be sound.

    With an RFID-enabled ATM card, all of that is reversed. A fraud will cause the customer to lose his or her cash and interest… and the customer must then fight with the bank to get them back. The bank has only secondary responsibility, and therefore only secondary incentive, to get the plan right and to maintain the implementation. It’s like a config.rc file with the wrong default value: loss-paid-by = customer.

    It’s a given that few people in any organization (banks or otherwise) actually understand security, encryption, or the very pertinent issue of “identification versus authentication”. But even if Chase or whoever has done their research, the incentives for protecting customers from atm fraud are inherently perverse.

Slashdot Redesign

Last month Slashdot held a very open-ended competition for a redesign of its long overdue layout. I had initially thought I’d enter but laziness got the best of me and I never completed my design. The winner was Alex Bendicken, who created a pretty clean and snazzy design. CmdrTaco estimates that the new design will go live in a couple of days…say goodbye to the eyesore that was the circa-1990s layout.

The winner of the contest will be receiving a sweet laptop (valued at up to $4000) plus the bragging rights of redesigning one of the world’s most popular tech/geek blogs. Good times. Over the course of the contest I had been hoping Peter Lada’s design would win out, but Alex’s is just as snazzy (with fewer frills) so I’m happy.

Slashdot Goes Tagging!

Slashdot is a blog no matter how much they attempt to deny it. It’s about time that the well-known nerd news site made its articles searchable by more than just categories. Folksonomy is definitely the way to go! Currently, Slashdot is labeling tagging as a Beta feature (*sniff sniff* do I smell web 2.0?). All Slashdot needs to do is make good with its proposed redesign and I’ll be a happy reader once again. Until then, I suppose I’ll remain the slightly disgruntled, yet loyal, reader that steals and elaborates on a number of their topics! w00t!

Google’s Private Internet? WTF Dale’s Back?

I stumbled upon an article on Slashdot that points at Times Online UK. Times Online UK seems to be claiming that:

Google is working on a project to create its own global internet protocol (IP) network, a private alternative to the internet controlled by the search giant, according to sources who are in commercial negotiation with the company.

This sounds like my ‘ole Mennonite friend’s plan of attack. Perhaps he’s gained a foothold in the search giant’s upper echelons with his revolutionary idea that he mentioned to me a couple of months back.

I also am planning, too, to start up a whole new internet as well.

[...]I suppose that you are referring as to “how” all this can and/or could come about – from a technical point of view? Well despite the fact that I do a lot of stuff online, yet in certain aspects, I am still in the dark as to some of the technical aspects in how the net actually functions … but I do know this, that it is a whole bunch of computers all “linked” together, with people using their own computers, seeking information, of which is stored in these “linked” computers. And so, because the “root” of the system will, and can only always be the same, for no matter which internet “concept or idea” comes along, it will all function the same, right. And so, such is the same with my idea, … it will “piggy back” the root system as the “mainstream” internet does. In fact, it will actually piggy back the main internet (or domain system), through “sub” domains. Now obviously anyone who has done a certain amount of internet stuff will know that this system has already been used for a long time already, but it’s in my “philosophical” and “attitude” approach that hopefully will set my “sub” domain “principle” apart from the rest.

Eepah.

Alexa Search Data For The Masses

Alexa – for those of you that don’t know – is an Amazon-owned subsidiary that tracks “valuable information about the web, how it is used, what is important and what is not.” For example, you can search Alexa for amazon.com and find traffic information, related links, etc. Alexa is a hugely useful tool for developers that want to watch their traffic and compare against competing sites. While combing sites and gathering statistics (which it does by the use of the Alexa toolbar as well as piggybacking on various other toolbars), Alexa has amassed huge amounts of data…and when I say huge amounts of data…I’m serious! Alexa spiders 4 billion to 5 billion pages a month and archives 1 terabyte of data a day.

Alexa has been stockpiling search data since its inception in 1996. The great news? They are now opening it up to the public as pay-to-play access to their data! It’s called the Alexa Web Search Platform. Wired News writes:

To illustrate the new service’s potential, Alexa developed a photo search engine that allows users to query photo metadata normally hidden from standard keyword searches, such as the date the photo was taken or the camera used.

[...]

From computer scientists to web hobbyists, [Alexa CEO Bruce] Gilliat predicted Alexa’s inexpensive services will spawn numerous creative results.

And Slashdot writes:

The Alexa framework is not for the weak of heart — expect to learn how to use their C API, and expect to pay micro-amounts for requests and CPU cycles used — but it also seems to be more powerful than the rival APIs from Yahoo and Google.

While I have no huge reasons to sign-up and pay (however cheaply) for this service just yet, I look forward to seeing what comes of it! Having that much data available at your fingertips is a huge boon to the development and marketing community!

Slashdot Getting a Face Lift

Finally! I have been frequenting Slashdot for quite a few years now and the current layout…well…sucks. I have often remarked to my friends that the geek news site really needed a new look. You see, I wouldn’t consider myself a super graphic designer or artsy person but I know what I like. I’m somewhat critical of sites and their layouts, especially ones that are extremely high profile like Slashdot. There are a LOT of great news articles that come from them but I can never fully get past the icky layout. Well, I have been praying to the binary gods of THE internet and they have seen fit to answer. Slashdot – after 8 years – will be moving to a CSS layout with a more up-to-date look’n’feel. Read the article!

World of Warcrack and the future of MMOGs

I began gaming in the early ’90s. Looking back at what gaming was then compared to what it is today causes me to do a double take. Things have changed so much so fast. Of particular note is the Online Gaming industry. What started out as geek-only text-based fantasy games has morphed into globe-encompassing communication/entertainment mega-games…Massively Multiplayer Online Games (MMOGs). Before I explain my awe when it comes to these games, I’ll start out with a short definition and a little history.

What are MMOGs?

Massively Multiplayer Online Games (a.k.a. MMOG, MMO, MMORPG) are pay-to-play games where a player interacts with an evolving game-world and hundreds (to thousands) of other players at the same time. Within these games, players typically wander around killing monsters, collecting/crafting items, creating organizations, and often times Player Killing (hunting down other players and killing them for experience, loot, or simply just for fun). In addition to the above…MMOGs tend to be highly addictive! I, myself, have been prone to spurts of MMOG addiction :)

A Brief History

I suppose the best way to fully understand these MMOGs is to see where they come from. Back in the ancient days of 1977, the first MUD (Multi-User Dungeon) was born. These geek-only games of sweetness gained popularity due to their ability to let like-minded fantasy buffs interact with each other in a text-based reality. However, the popularity remained primarily in the geek community due to the fact that most MUDs contained no graphics beyond ASCII art. While cool to some, many people found them fairly boring…I mean, sheesh, read?! (I was one of those geeks that played MUDs… EotL to be exact)

It wasn’t until 1997 when Ultima Online launched that MMOGs began to really take off. Ultima Online reached 100,000 users fairly quickly which spurred a whole industry of MMOGs with a variety of gaming engines, rules, and monthly price ranges. Some of the most popular: Asheron’s Call (AC), Dark Age of Camelot (DAoC), EverQuest (EQ), Ultima Online (UO), and the fairly new World of Warcraft (WoW).

Why Are MMOGs So Popular?

Oooo Doggy. Good question. MMOGs aren’t just games for geeks anymore. As the games become more advanced and appealing to the eye, more and more people are buying the games and paying the monthly fees. All types of people! Geeks, teachers, athletes, construction workers, housewives, etc!

  • It’s a Role-Playing Game.

    MMOGs allow us to be an object of our own fantasy and participate in a world with very loose rules that expose us to experiences when we want to experience them. In WoW I have the freedom to create a character that walks around being a bastard to people: swearing at them; stealing their items; player killing defenseless characters (griefing). While at the same time I could make a second character that is the perfect angel. Always willing to help those in need; an active contributing member of a guild; a good party member. I could make a third character with a whole different personality. That’s the beauty of it, you can play how you want with minimal fear of Real Life retaliation. You are simply a character on a screen, nothing more. When you get tired, you simply log off the game and you are back to your real life. A co-worker of mine directed me to this essay that explains this mode of thought:

    If you don’t understand the gravitational pull of an MMORPG (Massively Multiplayer Online Role Playing Game), I’m going to enlighten you with just a dozen words: you get to pick what you look like and what your talents are.

    That’s the real beauty of it. The first thing you do in the MMORPG World of Warcraft is design your own body and decide what your strengths will be. You pick your race. What could be more seductive than that, the ability to turn in all of the cards you were dealt at birth and draw new ones from a face-up deck? If you have friends who’ve gotten sucked into the WoW black hole and you don’t understand why they never talk to you any more, this is it. I remember being a chubby teenager with bad skin and astigmatism and pants that didn’t fit quite right. What would I have given to be reborn as a strapping warrior with rippling pecs and armor of hammered silver?

    On that kid’s screen now is a dozen noble warriors of exotic races, brandishing elaborate weapons and charging a gigantic demon across a fire-scarred mountaintop. The dwarf next to him is controlled by an accountant planted at his own computer in Cleveland, two babies sleeping in the next room and his pregnant wife on the sofa. The robed priest in the back casting healing spells is actually a 250-lb. ex-gangster, playing from the computer lab of a maximum security prison in Pennsylvania. The elf on his left, sprinting and drawing his mighty magical bow, is the digital body of a wheelchair-bound 12 year-old girl in Miami.

  • For some it’s the social aspect of the game. For example:

    I get my kicks from MMOGs for this very reason. Most MMOGs have some ability to create in-game organizations (in WoW they are called Guilds) and from these organizations grows in-game politics. Bylaws are often created; characters vie for rank; hierarchies are established; there are inter-guild events and disputes. It may seem silly at first glance because it’s “all a game,” but more often than not these organizations are taken very seriously by their members – despite the fact that they may have a guild name like “Vicious Chickens of Bristol” – and many Real Life friendships can be won and lost. So what’s the draw? The ability to socialize with people from around the world and organize under one purpose. People are simply drawn to structure and conflict. I am. I love it :)

  • Yet another reason for MMOG popularity is the story.

    MMOGs typically have a wonderfully rich background story that explains the hows and whys of the virtual world. World of Warcraft (yes, I’m using WoW as the example again because I love it so :) ) has a very wonderful story line that allows its characters to participate in quests that unfold the WoW story to that user. The quests can be anything from a short delivery quest where you take one item from point A to point B, or it can be a whole chain of quests that build up an epic plot, OR it can be a comedic side story that gives an amusing reward. In WoW there are hundreds of quests and every few months many more are added/tweaked. The world is constantly evolving giving those that thrive on storylines plenty of story to keep them active for months and months on end!

What MMOGs Have Become

MMOGs have become an addiction and a communication powerhouse.
I’m a World of Warcraft addict. I play a Human Priest (named Heuric) and help run a guild called the Crimson Eagles. The scary thing is that I get so excited even talking about the game (whether verbally or typing). It has become a very real part of my social life. And before you can ask the question, I’ll answer it: No, it is not my only social life…I spend maybe 5-15 hours a week in the game. Seem like a lot to you? Well, I’m considered an almost non-active member in my guild. There are people I know that spend almost all their time at home playing these games…sometimes more than 40 hours a week!

You see…weekends allow for game play times of 10+ hours straight! I have been known to do this and have also been known to forget to eat because of it. Yeah. I often suffer from the “five more minutes….I just need to kill 3 more” syndrome. Well sometimes I don’t miss just one meal…I sometimes may miss 2 and on a couple of rare occasions I have missed 3. Remember when I said that I am considered pretty inactive? Scary huh? Thank god I have a wife that keeps me in line :) (I only miss meals when I’m home alone)

It’s an MMOG addiction. And I’m not alone. There are over 3 Million people in the world that own and play World of Warcraft…and that’s just one game!

Ten years ago when I wanted to talk to one of my friends, I’d call them up on the phone. 7 years ago I’d e-mail them. 4 years ago I’d instant message them. Now…I log in to WoW. There they all are, running around PKing in Alterac Valley; questing in Searing Gorge; trading in Iron Forge; raiding in UBRS; or grinding in the Western Plaguelands (all locations in WoW). Despite the fact that they are all doing their own thing, I can type or pop on a headset microphone and talk to them. We plan get-togethers, discuss work, news, politics, religion, etc…right there in game.

MMOGs have become a source of income (and I’m not talking companies)
WTF!?!?! Yeah. People can play for money. While generally frowned upon by both the companies that produce the games and by the average player, the buying and selling of accounts, items, and in-game currency has become a very profitable business. Here’s an article at TechAngel that talks of a man that makes ~$1,800 a month! In this article at 1up.com they explain how game profiteers are establishing Gaming Sweatshops in China, India, Mexico, etc. where people are forced to play outrageous hours farming in-game currency for measly wages ($0.59/hour).

This is bad on multiple levels…first and foremost, the workers work long hours for very little money and are placed in situations where if they quit their jobs they’d lose their homes too. It’s also bad for the in-game economy (yes, these virtual worlds have their own economy). These gold farmers jack up the prices of items, causing many under-handed players to resort to purchasing money on E-bay and various game currency reseller sites…just to purchase a rare item in game! It’s amazing to what lengths someone will go simply for the satisfaction of attaining certain items and a certain in-game status.

Where are MMOGs going?

They aren’t leaving any time soon, that’s for darn sure. I can speculate that they will continue to grow in popularity and be taken more seriously. Even now we are seeing how seriously some are taking these ‘games.’ MSNBC has an article where one man killed another because an in-game sword was stolen…It’s a sad story that shows just how real some people believe these to be:

Qui went to the police to report the “theft” but was told the weapon was not real property protected by law.

“Zhu promised to hand over the cash but an angry Qui lost patience and attacked Zhu at his home, stabbing him in the left chest with great force and killing him,” the court was told.

More and more online gamers were seeking justice through the courts over stolen weapons and credits, the newspaper said at the time the case went to trial.

“The armor and swords in games should be deemed as private property as players have to spend money and time for them,” Wang Zongyu, an associate law professor at Beijing’s Renmin University of China, was quoted as saying.

As these incidents occur (and mark my words…more will come) what laws will be birthed because of them? Southeast Asia tends to be on the bleeding edge of gaming/tech culture and obsession. It is here that many of the ‘firsts’ occur (such as the murder mentioned above). Because of these incidents they are attempting to prevent them with some interesting laws:

What laws will carry over world wide? Will there be Real Life implications for what we do in game? Only time will tell…and I will be watching the clock with curiosity and a wary mind.

UPDATE (9/7/2005):
It seems that Slashdot has a post going on how WoW is now the 800-pound gorilla in the room…the big question from the New York Times:

‘WoW is now the 800-pound gorilla in the room. I think it also applies to the single-player games. If some kid is paying $15 a month on top of the initial $50 investment and is devoting so many hours a week to it, are they really going to go out and buy the next Need for Speed or whatever? There is a real fear that this game, with its incredible time investment, will really cut into game-buying across the industry.’ What is the Slashdot opinion on World of Warcraft’s impact on the gaming industry?