If You Use SpeedPass, SpeedPay, Or PayPass … Beware Of The Risks.
Posted by Casey on March 10, 2008
Quite frankly, I can’t believe that I have to explain how insecure SpeedPass, or other similar programs, really are. This should be a complete no-brainer for most consumers, but the population continues to be sucked into this scheme. Hell, even the commercial advertisements for this technology illustrate how easily someone’s identity can be stolen with this product. To prove my point I would like to present:
Exhibit A – MasterCard’s PayPass Commercial
When I first saw this commercial I was outraged. However, everyone around me offered up only words of praise for such a cute commercial. The idea that a pet would take your card, go into town, and buy you all these things to make you feel better received a near unanimous reaction that the commercial was “cute.” It was cute after all, but the commercial said something very different to me. While others saw merely the “cute” factor of this advertisement, I saw the horrific truth of what MasterCard was telling me. They were saying that even an animal could steal your card without you knowing it, go into town, visit several retail establishments, spend your money without your permission, and no one would dare stop them from stealing from you.

Recently, my wife’s and my bank accounts were hacked into when hackers hit my bank. I had to cancel all of my debit cards and order new ones. Being the recent victim of identity theft as a result of my bank’s negligence, I was enraged when they finally sent my new debit card (which I had to order twice thanks to more negligence). When I opened the envelope containing my new card I noticed there were more things to read than usual when getting a new card. My eyes zeroed in on the word “PayPass.”
Apparently WAMU has started issuing debit cards with PayPass as a standard feature, and failed to notify me. The paper with my card provided a very convenient list of what fast food establishments accept PayPass … very comforting to know that I would be able to buy a meal for a thief if they stole my card. To make matters worse, engraved in bold type on my shiny new debit card was the word “PayPass.” So not only do I have to worry about the fundamental lack of security in the PayPass system itself, but I also have to worry about the fact that any criminal who stole/found my card would instantly know that it was PayPass ready, which is like offering free money to criminals right from my wallet. When a thief sees PayPass on a card, they instantly know they can use it at accepting locations without the fear of being asked for ID, or having to input a code to verify their identity. At the very least the bank could have exercised some common sense, and kept the PayPass feature a secret between me and the bank.
I immediately called WAMU to ask if this was a standard feature they had just added to their debit cards. When the CSA answered the phone I explained that I would like a debit card without PayPass capability. Her response was that I could use PayPass to pay for tolls on the road. I live in Las Vegas … we don’t have any toll roads. What we do have in Vegas is the nation’s highest rate of identity theft. Finally, a little surprised by my request, she said she’d ask if I could get a card without PayPass. After being on hold for about 8 minutes she came back and told me that a manager was on the line, and would help me out. Now I’m not stupid. I know damn well they had a good ol’ conversation about how crazy I was before getting on the line with me.
The manager informed me that they did have a debit card without PayPass capability, and she could issue me one. Now my question is, why wouldn’t they give me the option of which card I wanted if they have both? I smell conspiracy. Anyway, she was fairly cold towards me, and clearly irritated that she would have to humor such a paranoid person as myself. After some time she asked me to confirm that I would like a debit card without PayPass. I responded by saying I wanted a card without PayPass because it was the most insecure thing I’ve ever seen, and I was just the victim of identity theft as a result of WAMU’s lack of security. She said nothing, and never addressed the security issue with PayPass at all. I would have expected that WAMU would have at least instructed their employees to deflect such criticism, but nothing was said. Which probably means she knows how insecure PayPass really is. To WAMU’s credit, they ordered me a new card without PayPass.
I’ve talked about the dangers of “pass” technology several times on my show, and tonight was no different. When I got home from work I decided to look up stories related to the lack of security with pass technology, and found quite a bit … which was expected.
I found this article from 2005 talking about how to get free gas using someone else’s SpeedPass.
The end result is a hardware system that can extract the 40-bit digital signature from any SpeedPass token without first knowing the signature, given just two challenge-response transactions. A token can handle eight transactions per second, so acquiring the data is essentially instantaneous and, because it’s RF, doesn’t require physical possession of the token. A few hours of computation on a special-purpose parallel processor, which costs a few kilobucks, suffice to crack the crypto and produce the signature.
The researchers project that some engineering and a touch of Moore’s Law can increase the range to a few feet, stuff the machinery into an iPod-size case, and shrink the cracking time to a few minutes. The attack scenarios include sniffing SpeedPass tokens at a valet parking station (just wave the victim’s keyring near your pocket) and walking the length of a subway car or mall holding a neatly wrapped package containing a big antenna.
The SpeedPass system’s fraud-detection logic trips on excessive purchases, impossible locations, or atypical usage. However, if you harvest a few thousand tokens and use each one exactly once, you can probably get free gas for a long, long time.
As someone who lives in the city that hosts the annual hackers convention … this isn’t good.
This article illustrates, in more detail, the research Johns Hopkins University did on compromising the technology.
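The quoted excerpt says the Johns Hopkins attack recovers the token’s 40-bit key from just two challenge-response transactions, then brute-forces the rest offline. The following is an added example (not code from the original post, nor from the Johns Hopkins researchers) that shows the shape of that attack on a shrunken stand-in: a hostile reader harvests a few challenge/response pairs over RF, then searches the whole key space offline. The keyed function here is a truncated SHA-256, not the real DST40 cipher, and the key and response widths (18-bit key, 12-bit response), the secret key and the challenges are all constructed for the example. The 24-bit DST40 response width used in `expected_false_candidates` is an assumption taken from the published research, not from the page; it explains why one transaction is not enough (about 2^16 wrong keys also match a single 24-bit response) and why a second one is.

```python
import hashlib

# Constructed parameters, shrunk so the full key-space search runs in seconds.
# The page says SpeedPass keys are 40 bits; the published attack (assumed here)
# works from 24-bit responses. We use an 18-bit key and a 12-bit response so
# the whole search is ~262k hash calls.
KEY_BITS = 18
RESP_BITS = 12


def toy_response(key: int, challenge: int) -> int:
    """Stand-in keyed function: NOT the DST40 cipher, just a truncated hash.
    Plays the role of the token's response to a reader's challenge."""
    msg = key.to_bytes(8, "big") + challenge.to_bytes(8, "big")
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << RESP_BITS) - 1)


def expected_false_candidates(key_bits: int, resp_bits: int, pairs: int) -> float:
    """Roughly 2^(key_bits - pairs*resp_bits) wrong keys still match after
    filtering on `pairs` challenge/response pairs (responses modelled as random)."""
    return 2.0 ** (key_bits - pairs * resp_bits)


def recover_key(pairs, key_bits=KEY_BITS):
    """Offline brute force over harvested pairs [(challenge, response), ...].
    The first pair filters the entire key space; each further pair prunes the
    survivors. The true key always survives, so a single survivor is the key.
    Returns None if the pairs given do not disambiguate."""
    chal0, resp0 = pairs[0]
    candidates = [k for k in range(1 << key_bits) if toy_response(k, chal0) == resp0]
    for chal, resp in pairs[1:]:
        if len(candidates) <= 1:
            break
        candidates = [k for k in candidates if toy_response(k, chal) == resp]
    return candidates[0] if len(candidates) == 1 else None


# Constructed "victim" token and the exchanges a hostile reader could harvest:
# the reader picks the challenges, the token answers with its secret key.
SECRET_KEY = 0x2B7C1            # constructed, must be < 2**KEY_BITS
CHALLENGES = [0x1A2B3C4D, 0x0BADF00D, 0x7E57C0DE]   # constructed
PAIRS = [(c, toy_response(SECRET_KEY, c)) for c in CHALLENGES]

if __name__ == "__main__":
    print("wrong 40-bit keys matching one 24-bit response:",
          expected_false_candidates(40, 24, 1))
    print("one harvested pair alone:", recover_key(PAIRS[:1]))
    k = recover_key(PAIRS)
    print(f"recovered key {k:#x}, matches token: {k == SECRET_KEY}")
```

Scaling the toy back up is only arithmetic: the real search is 2^40 / 2^18 = 2^22 times larger, which is why the excerpt talks about hours on a purpose-built parallel processor rather than seconds on a laptop, and why harvesting is the cheap step (the pairs are captured over RF in a fraction of a second) while the cracking is done later, offline.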
I also found this blog post where the author describes his experience of having his SpeedPass card stolen, and used in the exact manner I most fear.
Apparently SpeedPass fraud is so extensive in some places that new laws are going into place to require SpeedPass users to input a code to authenticate their identity.
If you pull up to the self-service gasoline pumps in some Boston neighborhoods, or use a credit card to buy aspirin at the local Walgreens drugstore, don’t be surprised if you’re asked for your ZIP code.
It’s an effort to fight credit card fraud at gas stations and retail stores.
ZIP-code authorization may be coming to a gas pump near you, however. ExxonMobil plans to adopt the policy at many stations that use the Speedpass payment system.
The article also shatters the myth that SpeedPass technology is safe and secure.
But a Speedpass can easily be abused if stolen. So some Exxon and Mobil stations will start using ZIP code authorization, although the company will not identify the stations or the schedule.
Now that companies are starting to require ZIP codes (which aren’t nearly secure enough) there is no need for “pass” technology at all. If you have to wave your card, then enter a code, you’re no faster than swiping your card, then entering a code. So what’s the point anymore?
As a side note … ZIP codes are notoriously insecure. A PIN is far more secure because the thief is less likely to know your PIN than your ZIP code, especially if you’ve been specifically targeted by the thief.
Unfortunately, there is one credit card company that actually refuses to allow a passcode to make purchases with “pass” technology.
In contrast, MasterCard specifically forbids merchants from requiring ZIP codes, except at unattended devices such as gas pumps, or for orders placed by phone, mail, or Internet.
So MasterCard doesn’t care about security for their clients … great. Guess which company makes the debit cards for my bank. That’s right, MasterCard does. Now I’m really glad I canceled that card.