Needs of the Many

Bring Your Lies & Half-Truths … I Will Destroy Them

If You Use SpeedPass, SpeedPay, Or PayPass … Beware Of The Risks.

Posted by Casey on March 10, 2008

Quite frankly, I can’t believe that I have to explain how insecure SpeedPass, or other similar programs, really are. This should be a complete no-brainer for most consumers, but the population continues to be sucked into this scheme. Hell, even the commercial advertisements for this technology illustrate how easy it is to steal someone’s identity with this product. To prove my point I would like to present:

Exhibit A – MasterCard’s PayPass Commercial

When I first saw this commercial I was outraged. However, everyone around me offered up only words of praise for such a cute commercial. The idea that a pet would take your card, go into town, and buy you all these things to make you feel better received a near unanimous reaction that the commercial was “cute.” It was cute after all, but the commercial said something very different to me. While others saw merely the “cute” factor of this advertisement, I saw the horrific truth of what MasterCard was telling me. They were saying that even an animal could take your card without you knowing it, go into town, visit several retail establishments, spend your money without your permission, and no one would dare stop them from stealing from you.

Recently, my wife’s and my bank accounts were hacked into when hackers hit my bank. I had to cancel all of my debit cards and order new ones. Being the recent victim of identity theft as a result of my bank’s negligence, I was enraged when they finally sent my new debit card (which I had to order twice thanks to more negligence). When I opened the envelope containing my new card I noticed there was more to read than usual when getting a new card. My eyes zeroed in on the word “PayPass.”

Apparently WAMU has started issuing debit cards with PayPass as a standard feature, and failed to notify me. The paper with my card provided a very convenient list of which fast food establishments accept PayPass … very comforting to know that I would be able to buy a meal for a thief if they stole my card. To make matters worse, engraved in bold type on my shiny new debit card was the word “PayPass.” So not only do I have to worry about the fundamental lack of security in the PayPass system itself, but I also have to worry that any criminal who stole or found my card would instantly know that it was PayPass ready, which is like offering free money to criminals right from my wallet. When a thief sees PayPass on a card, they instantly know they can use it at accepting locations without fear of being asked for ID or having to enter a code to verify their identity. At the very least the bank could have exercised some common sense and kept the PayPass feature a secret between me and the bank.

I immediately called WAMU to ask if this was a standard feature they had just added to their debit cards. When the CSA answered the phone I explained that I would like a debit card without PayPass capability. Her response was that I could use PayPass to pay for tolls on the road. I live in Las Vegas … we don’t have any toll roads. What we do have in Vegas is the nation’s highest rate of identity theft. Finally, a little surprised by my request, she said she’d ask if I could get a card without PayPass. After being on hold for about 8 minutes she came back and told me that a manager was on the line and would help me out. Now I’m not stupid. I know damn well they had a good ol’ conversation about how crazy I was before getting on the line with me.

The manager informed me that they did have a debit card without PayPass capability, and she could issue me one. Now my question is why wouldn’t they give me the option of which card I wanted if they have both? I smell conspiracy. Anyway, she was fairly cold towards me, and clearly irritated that she would have to humor a paranoid like me. After some time she asked me to confirm that I would like a debit card without PayPass. I responded by saying I wanted a card without PayPass because it was the most insecure thing I’ve ever seen, and I was just the victim of identity theft as a result of WAMU’s lack of security. She said nothing, and never addressed the security issue with PayPass at all. I would have expected that WAMU would have at least instructed their employees to deflect such criticism, but nothing was said, which probably means she knows how insecure PayPass really is. To WAMU’s credit, they ordered me a new card without PayPass.

I’ve talked about the dangers of “pass” technology several times on my show, and tonight was no different. When I got home from work I decided to look up stories related to the lack of security with pass technology, and found quite a bit … which was expected.

I found this article from 2005 talking about how to get free gas using someone else’s SpeedPass.

The end result is a hardware system that can extract the 40-bit digital signature from any SpeedPass token without first knowing the signature, given just two challenge-response transactions. A token can handle eight transactions per second, so acquiring the data is essentially instantaneous and, because it’s RF, doesn’t require physical possession of the token. A few hours of computation on a special-purpose parallel processor, which costs a few kilobucks, suffice to crack the crypto and produce the signature.

The researchers project that some engineering and a touch of Moore’s Law can increase the range to a few feet, stuff the machinery into an iPod-size case, and shrink the cracking time to a few minutes. The attack scenarios include sniffing SpeedPass tokens at a valet parking station (just wave the victim’s keyring near your pocket) and walking the length of a subway car or mall holding a neatly wrapped package containing a big antenna.

The SpeedPass system’s fraud-detection logic trips on excessive purchases, impossible locations, or atypical usage. However, if you harvest a few thousand tokens and use each one exactly once, you can probably get free gas for a long, long time.

As someone who lives in the city that hosts the annual hacker convention … this isn’t good.

This article illustrates, in more detail, the research Johns Hopkins University did on compromising the technology.
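To make the mechanics of that attack concrete, here is a toy simulation. It is an editor’s added example, not code from the Johns Hopkins/RSA researchers or from any source this post links to, and it does not implement the real DST40 cipher: the token is modelled as an HMAC-SHA256 keyed function truncated to a 12-bit response, with a 16-bit key so the brute force finishes in well under a second (real tokens use 40-bit keys, which is why the researchers needed hours on a parallel machine). The names `token_respond`, `sniff`, `recover_key` and `flag_fraud`, the key, challenge and response sizes, and the sample purchase records are all assumptions made for the illustration. It shows two things the excerpt describes: a single sniffed challenge/response pair leaves many candidate keys because the response is shorter than the key, and a second pair almost always pins the key down; and a per-token velocity rule of the kind the fraud logic uses catches one cloned token used repeatedly but not a batch of harvested tokens each used once.

```python
"""Toy model of a SpeedPass-style challenge/response attack (editor's example,
not the researchers' code and not the real DST40 cipher)."""
import hashlib
import hmac
import random
from collections import Counter

KEY_BITS = 16         # assumption: tiny key so the brute force is instant (real tokens: 40 bits)
RESP_BITS = 12        # assumption: response shorter than the key, so one pair is ambiguous
CHALLENGE_BYTES = 5   # assumption: 40-bit reader challenge


def token_respond(key: int, challenge: bytes) -> int:
    """Stand-in for the token's secret keyed function: HMAC-SHA256 truncated to RESP_BITS."""
    mac = hmac.new(key.to_bytes(5, "big"), challenge, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & ((1 << RESP_BITS) - 1)


def sniff(key: int, seed: int = 1, n: int = 2):
    """Passively collect n challenge/response transactions from a token.

    A reader in RF range can issue its own challenges, so the attacker needs
    neither physical possession of the token nor a legitimate pump. The RNG is
    seeded so the run is reproducible.
    """
    rng = random.Random(seed)
    pairs = []
    for _ in range(n):
        challenge = rng.getrandbits(8 * CHALLENGE_BYTES).to_bytes(CHALLENGE_BYTES, "big")
        pairs.append((challenge, token_respond(key, challenge)))
    return pairs


def recover_key(pairs):
    """Brute-force the whole key space, keeping only keys consistent with every
    captured pair. Returns the survivor list after each pair so the narrowing is
    visible: roughly 2**(KEY_BITS - RESP_BITS) keys survive the first pair, and
    the second pair almost always leaves just the real one."""
    history = []
    survivors = range(1 << KEY_BITS)
    for challenge, response in pairs:
        survivors = [k for k in survivors if token_respond(k, challenge) == response]
        history.append(survivors)
    return history


def flag_fraud(purchases, per_token_limit=3):
    """Per-token velocity rule of the kind the excerpt describes: flag any token
    id seen more than per_token_limit times in the window. purchases is a list
    of (token_id, station) tuples (constructed sample data in the demo below)."""
    counts = Counter(token_id for token_id, _ in purchases)
    return {token_id for token_id, count in counts.items() if count > per_token_limit}


if __name__ == "__main__":
    true_key = 0xBEEF
    pairs = sniff(true_key)
    history = recover_key(pairs)
    for i, survivors in enumerate(history, 1):
        print(f"after {i} pair(s): {len(survivors)} candidate key(s)")
    print("recovered key matches:", true_key in history[-1] and len(history[-1]) == 1)

    # One cloned token used ten times trips the rule; ten harvested tokens used
    # once each do not, which is the "use each one exactly once" evasion.
    cloned = [("tok-0", "station-A")] * 10
    spread = [(f"tok-{i}", "station-A") for i in range(10)]
    print("cloned token flagged:", flag_fraud(cloned))
    print("one-use-each flagged:", flag_fraud(spread))
```

The point of the second half is the one the excerpt makes in its last paragraph: a rule keyed on a single token’s behaviour cannot see an attacker who spreads the fraud across many harvested tokens, so detection has to correlate across tokens (same reader, same time window, same vehicle) rather than count per token.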

I also found this blog post where the author describes his experience of having his SpeedPass card stolen, and used in the exact manner I most fear.

Apparently SpeedPass fraud is extensive enough in some places that ExxonMobil is moving to require SpeedPass users to enter a ZIP code at the pump to authenticate themselves.

If you pull up to the self-service gasoline pumps in some Boston neighborhoods, or use a credit card to buy aspirin at the local Walgreens drugstore, don’t be surprised if you’re asked for your ZIP code.

It’s an effort to fight credit card fraud at gas stations and retail stores.

ZIP-code authorization may be coming to a gas pump near you, however. ExxonMobil plans to adopt the policy at many stations that use the Speedpass payment system.

The article also shatters the myth that SpeedPass technology is safe and secure.

But a Speedpass can easily be abused if stolen. So some Exxon and Mobil stations will start using ZIP code authorization, although the company will not identify the stations or the schedule.

Now that companies are starting to require ZIP codes (which aren’t nearly secure enough) there is no need for “pass” technology at all. If you have to wave your card and then enter a code, you’re no faster than swiping your card and then entering a code. So what’s the point anymore?

As a side note … ZIP codes are notoriously weak as an authenticator, because a ZIP code is public information: it is on your mail, your driver’s license, and any receipt with your address. A PIN is far more secure because it is a secret shared only between you and the bank, so a thief is far less likely to know your PIN than your ZIP code, especially if you’ve been specifically targeted.

Unfortunately, there is one card network that actually forbids merchants from requiring even that much for in-person “pass” purchases.

In contrast, MasterCard specifically forbids merchants from requiring ZIP codes, except at unattended devices such as gas pumps, or for orders placed by phone, mail, or Internet.

So MasterCard doesn’t care about security for its customers … great. Guess which network my bank’s debit cards run on. That’s right, MasterCard. Now I’m really glad I canceled that card.

12 Responses to “If You Use SpeedPass, SpeedPay, Or PayPass … Beware Of The Risks.”

  3. Paul said

    I thought I was the only one who got scared when I saw that commercial.

  4. Host said

    Me too Paul. I still have to explain the commercial to people when I talk about it. The lamb-like people always give the same reaction … “I never thought of it like that.”

  6. Anonymous said

    “…illustrates how easy it is to steal someone’s identity.”

    No. Credit card theft and identity theft are completely different. Completely.

    “Being the recent victim of identity theft as a result of my bank’s negligence, I was enraged…”

    Again, drama queen, you misunderstand what identity theft means. You were not the victim of identity theft in this example.

  7. Casey said

    To anonymous above …

    Please read posts before you start commenting on them. I never described my experience with ID theft in this post. I had only mentioned that I’d recently been the victim of such. I know full well what identity theft is … unlike you dimwit.

    ID theft and credit card theft are one and the same. It does not matter how your identity is compromised … only that it was.

    To help you better understand that they are the same, and to deflate your ego, here’s the dictionary’s definition of identity theft …

    Identity Theft:

    The fraudulent appropriation and use of someone’s identifying or personal data or documents, as a credit card.

    Now that you’ve been pwn3d, and proven wrong, go find a hug. It is you who is being the “drama queen.”

  8. Amy said

    I don’t know too many people that own an ‘elephant’ per se as a pet?? So I assumed as well that the sheer size of the animal (i.e. identity theft perhaps?) and OBVIOUSNESS of such meant that it was a parody. Reminds me of the Mrs. Nesbaum scene in the old movie ‘The Jerk’ w/ Steve Martin, where these gang guys are using Mrs. Nesbaum’s MC to buy gas… Nevertheless, as implied in the above article, we always have to use our noodle & know that before new technology hits the retailers, there is already someone who is/has cracked that code. This is great for the OEMs & BANKERS! So we ARE on our own… & should be quick on our feet! Again Steve Martin comes to mind with his plot to keep the ‘gang guys’/thieves at the gas pump whilst waiting for the cops to show, with his “you are our 100th customer of the day” & makes them wait for their FREE pot holder :)
    My sincere thanks to the author of the above article! Good thinkin’, Lincoln! I shall contact WAMU ASAP!

  9. Enigma said

    They hacked your bank account but how does one hack one’s wife? Oh she’s a robot? Stepford wife. Sweet!

    And as for security, how is Speedpay or any of these quickie methods any different from swiping the card old school style at a self checkout or even a normal checkout for that matter? No different from the way it’s been since the invention of the magnetic strip on a card. If someone physically steals your card, you’re just as screwed now as you would have been in the 1970s.

    • Host said

      Not entirely. The Speedpay options do not allow for any kind of authorization to confirm you are the owner of the card. Therefore, there is less work to use one. The funniest part is how the retailers are starting to require you to enter your PIN now even with the RFID technology. Making it totally useless.

      Look up Mythbusters silenced on RFID in Google. The video is worth all the gold in the world.

  10. James said

    I know that this is a little bit late, but I would encourage you to weigh the risks versus the benefits.

    The benefits are obvious here. You’re saving time — potentially a lot of time, with no need to sign or enter a PIN or swipe a card or receive an optional receipt or hand over anything at all to the cashier. Sure, it’s not life changing, but then it is more convenient.

    But the risks haven’t changed at all, really. I’ll direct you first to the MasterCard PayPass security blurb at http://www.mastercard.com/us/personal/en/aboutourcards/paypass/security.html

    Consider that you can -only- use PayPass for small purchases until you need to use your PIN.

    Consider further that to wirelessly steal your PayPass card somebody needs to build an RFID reader that can successfully decrypt the incredibly well encrypted data.

    Consider further that you never need to hand your card over to somebody who can copy the magnetic data without being seen.

    Consider further that to steal a regular card you can just snap a high resolution digital photo of a card, figure out where this person lives, then go online and order a huge purchase from a website that doesn’t require the 3 digit security code from the back of the card.

    And finally, you still have the Zero Liability protection, so in the enormously unlikely event that your data is stolen, it’s just a hassle and not a financial problem.

    And if somebody steals your whole card there’s nothing PayPass will do to help them anyway. All they have to do is say “Credit” when asked “Credit/Debit” and even if it’s a debit-only card, generally you still only have to sign and never have to enter a PIN. And who -ever- checks to see if signatures are the same?

    PayPass has been out for years, and despite the amount of attention possible security issues have received, nobody can point to a specific instance where PayPass technology was at fault for a security problem.

    Yes, the commercial had an unintended double meaning, but there’s absolutely no call to be “outraged.” If anything, there’s call to carefully consider your position and if you don’t like it, politely request that your bank take back the card, as you did.

    But as a final thought: A great deal has been said about how PayPass makes the card -more- secure than a regular card, so I can understand the confusion at the bank. It’s almost like you called them up and demanded to know why your new card had a hologram on it and a PIN associated with it and that you want a card without these free security features.

  11. Sam Brickell said

    This is all excellent. So easy to do better than this technology.
