Jim Harper meets with Visa on RFID cards -- and likes the idea [priv]

[Declan McCullagh <declan () well com>]

Previous Politech message:
http://www.politechbot.com/2005/05/20/rfid-wiggles-its/


-------- Original Message --------
Subject: RE: [Politech] RFID wiggles its way into credit cards? [priv]
Date: Fri, 20 May 2005 10:14:49 -0400
From: Jim Harper <jharper () cato org>
To: Declan McCullagh <declan () well com>

Declan:

I had a sit-down with Visa folks about this because they are aware of my 
activism (and that of many others) against the State Department's 
RFID-chipped e-passport.

There is an RFID ISO standard and a "contactless" card standard.  Both 
use radio frequency but they differ in other respects.  Generically, 
they're the same.  In detail, they're different.

What matters to me are the crucial differences, along many vectors, from 
the disastrous e-passport.  Most of all, as you recognize, it is offered 
in the market where people have a right to refuse it.  That distinction 
is fundamental.

The chip and data in the Visa card differs in many other technical 
respects.  The chip has the same info as the magnetic strip (account #, 
CVV) - not name, nationality, and other vital information as the 
e-passport would have had.  It uses triple DES encryption where the 
e-passport was going to use . . . none (none relevant, anyway).

Most interesting, I think, the chip will generate a unique number for 
each transaction that will be correlated to a unique number generated 
using the same algorithm on the card-issuer side.  This will make 
skimming the card information or eavesdropping on a transaction pretty 
close to worthless because a criminal would have to know the *next* 
unique number.  And if that system is somehow cracked, the issuer bears 
the liability for fraud - not consumers or merchants.

The design of the chip and antenna is oriented to very short range 
reading.  I assume, without knowing, that they are going to do better 
than the State Department did with its choice of chip and antenna. 
(Barry Steinhardt illustrated State's poor choice very well at CFP right 
in front of the State Department guy.)  I think mine is a safe 
assumption because the credit card network has its own money on the line 
if it fails.  The State Department only risked our security - nothing of 
its own.  In fact, it would probably have gotten a bump-up in funding to 
fix the e-passport if it really screwed it (us) up royally.

Remaining concerns:

1) Criminals could use a reader to determine that you have a credit card 
in your purse or wallet.  Beating you up and stealing it, they could go 
on a rampage of <$25 transactions (the limit at which the Visa system is 
doing signature-free payments).  The weakness of this concern is that 
pretty much everyone has credit cards already, so using an RFID reader 
to detect credit-card-carrying victims would be an improvement on the 
current criminal art by about 0.01%.  The concern is not chipped cards: 
It's the proliferation of under-$25, signature-free transactions.  But, 
again, the risk of loss is with the card issuer.  I don't see a crime 
wave coming from this.  How many times can you eat at McDonalds before a 
fraud algorithm kicks in and/or the consumer cancels the card?  Rational 
criminals (and most are) will see better avenues, including, one hopes, 
getting a job.

2) The credit card system will have more information about consumers' 
lower-dollar transactions.  This is an expansion on an existing problem 
if the data might be passed over to governments for any of their 
incipient/insipid "data mining" programs.  This is not a particular 
concern with the credit card industry, but with all consumer-oriented 
businesses, which will continue to have more and more consumer data. 
They all need to get clearer about when they share data with governments 
(when there's a proper subpoena or warrant) and when they don't (all the 
rest of the time). Likewise, we need to fight things like administrative 
subpoenas and national security letters, further iterations of which are 
percolating in Congress even now.

3) The credit card system will have more information about consumers' 
lower-dollar transactions.  This is good, in my opinion, when it's used 
to tailor products and market them more accurately and politely to 
consumers.  (That would be nice, right?  ;-)  But information might also 
pass to insurers, employers, and other economic actors.  Before 
screaming about the unfairness, we should recognize that people's 
resistance to the idea of insurers knowing about their McDonalds habits 
is a desire to prevent true information from being used to rate their 
risk to the insurance pool.  I don't eat at McDonalds very much, so that 
makes *my* insurance more expensive.  Still, I'm ambivalent about 
wide-scale sharing of data among different economic actors/entities. 
People who are outright against it should look into the contracts 
offered by credit card issuers (first by demanding better disclosure of 
their policies in the application process) and demand contractual 
protection against these uses if they want it.  Do they represent a 
broad-based consumer interest?  We'll find out by whether they sway 
consumers' choices in the market.  If they do not represent a 
broad-based consumer interest, of course, they will seek legislation 
which is much easier to gin up than getting the bulk of consumers to 
dislike something they don't care about or that they might even like.

This latter point gets us into general, bigger data use issues that are 
only related in passing to the chip in the new credit card.

On balance, I think the contactless payment card is going to be an added 
consumer convenience.  Consumer convenience is good.  Lots of people 
like to react, knee-jerk, against RFID, but there are tons of uses that 
are going to benefit consumers mightily and I think this is probably one.

Jim



Jim Harper
Director of Information Policy Studies
The Cato Institute








_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)