RFID Gazette

What happens when you lose one? Can the finder/ thief use it to make purchases? Supposedly there are safeguards, but since you can just "tap" your phone at, say, a cashless vending machine, I don't see how that'd stop a thief. I've yet to come across any articles that explain this.

Most people guard their cell phones closely, so it won't be a big issue. Not yet. But since ABI Research predicted back in 2004 that that 50% of phones would have NFC by 2009, it'll become a growing issue. It happens; phones get misplaced or stolen. And if phones become our wallets, isn't that more incentive for some people to steal them? That is, if it's easy to use any stored credits. And will it be easy for a thief to determine what your recent purchases were?

I'm assuming you can have your phone disabled if it gets "misplaced", though you'd have to find a phone elsewhere to make the call. (To whom, exactly? I've not seen any indication that payment credits on NFC phones are handled by credit card issuers or some other organization.)

There's a similar problem for contactless credit cards, since a signature is not required for transactions under $25 for most cards. Sure, these can be easily cancelled, and the transactions removed from a card carrier's credit statement, so the point is moot. But as for a lost NFC phone, I'm guessing that knowledge of what happens is only available to those who have one.

A roundup of recent RFID-related news.

NFC Vending Machine Demo
RFID in Japan has a YouTube video showing someone buying a drink from a vending machine and paying for it with their NFC-enabled cell phone.

RFID Implants For Payment Systems
A nightclub in Barcelona, Spain is allowing patrons to use implanted RFID chips to enter a VIP area and pay for drinks. Said one of the owners of the club:

I know a lot of people have fears about it. Having a radio-transmitting chip under your skin makes you very unique.

Right. So do horns sticking out of your head, which I'll have implanted before an RFID chip.

Dual-Purpose RFID Labels
Checkpoint Systems is introducing an inventory tracking and anti-theft system for retailers. The system uses RFID labels that serves the dual purpose by having two different circuits. This is apparently worrying privacy advocates who feel the system might track customers who mistakenly carry away chips after a purchase.

It's expected that by 2011, there'll be nearly 110M users of contactless payment cards in use in the United States, with purchases totalling nearly US$15B. This will be a rise from nearly 30M cards in 2006, which is far behind many other other countries. The market that card issuers are going after is for small-ticket purchases of typically US$25 or less per transaction. Such transactions will not require a signature, thus supposedly speeding up shopping and possibly luring consumers from other payment methods. These figures do not include payments by mobile phone, which are also expected to grow in the US, thanks to an increasing number of NFC-enabled phones and vending machines.

Six large vending machine companies in the United States plan to outfit their vending machines with  contactless payment technology. The technology will accept MasterCard PayPass cards and key fobs.

An announcement earlier this month from MasterCard and USA Technologies stated that 6,000+ vending machines in the US would allow for contactless payments using NFC-enabled cell phones. Late last year, USA Technologies had announced plans to install contactless card readers on 10,000 vending machines.

Contactless payment technology vendors are hoping to capture the sub-$25.00 per transaction market of vending machines and convenience stores. While there are the two types of contactless payment (card/fob and cell phone), the cell phone method is at a disadvantage since there are currently few NFC-enabled phones in the United States and Canada. Contactless keyfobs and credit cards, on the other hand, have the distinct advantage of being easily distributed.

The use of RFID, particularly NFC (Near Field Communication) at sporting events has been so functionally successful that it's really seems to be catching on. In addition to being used for preventing counterfeit ticket use and for crowd management (seating, gates, etc.), RFID is also being used for payment at concession stands and souvenir shops, either with keyfobs or contactless payment/credit cards. Several sports teams in the NHL and the NBA will now be allowing fans to use the contactless MasterCard PayPass cards to speed up concession stand payments. If you've ever been to a sporting event, you know how long you might wait in line, meanwhile missing the action.

NFC, or Near Field Communication, is a technology that's been in use in Asia and Europe for a few years, allowing consumers with appropriate NFC-enabled cell phones to pay for all manner of self-payment purchases, such as bus fares and movie tickets, or for items from vending machines.

To date, that hasn't really been the case in North America. However, MasterCard and USA Technologies are in the process of pushing out 6,000 vending machines in over twenty American cities. Customers can use an NFC phone for purchases, thanks to the new e-Port technology from USA Technologies.

One thing I see holding back the popularity of such vending machines is the lack of NFC phones, though Nokia is making progress in that regard. Still, ABI Research said back in 2004 that by 2009, about 50% of all cell phones would have NFC. What remains is to see whether consumers become comfortable using such a payment method.

Mobile Payments Initiative
Two organizations have launched a joint initiative for the financial services industry to enable mobile payments. They are looking at two types of payment. One would be for purchases via NFC and other contactless technology. The other would be transfer of funds between the accounts of two consumers. It should be noted that PayPal, the payments processor owned by eBay (who also own the Skype VoIP software company) already allows mobile payments through SMS text messaging.

Apple Into RFID?
Not quite. However, they have filed a patent for a wireless home networking system that uses an RFID reader. The system would assume that a variety of devices (laptop, PDA, iPod) would have an RFID tag and the network would automatically configure a network connection for it. [via RFID Update; they have a link to the patent.]

Very exciting application. I heard nothing about this until now. The drawback is that Apple technology has traditionally been very singular, with the company typically not licensing/ authorizing clones. This sounds like a fascinating application, but it might only ever be used for Apple products.

If You Can't Beat'em, Confuse'em:
So IOActive's researcher Chris Paget was told to put off his "clone RFID cards" talk at the Black Hat conference recently, based on the charge that the demonstration would violate HID Global's patents in card readers. Huh? Defeat "enemies" with confusion? I don't even know where to start with this one. The validity of this claim is questionable. Other RFID presentations did continue, however. Still, this is a bad precedent and stinks of bullying.

Late last week, I went to a sub-post office to get and send a money order for a credit card I was accepted for. As I was signing my money order, a young woman paid for a purchase with her credit card. She was surprised when the clerk didn't ask her to sign a receipt, and pointed this out. The woman behind the counter indicated that it wasn't necessary (the younger lady had an RFID credit card, which surprisingly can be used without a signature). She had a puzzled look on her face and chuckled nervously.

I don't blame her; I'm not big on RFID credit cards. But then I thought, what am I going to do if my new card has an RFID chip? Legally, the card belongs to the issuer. Disabling the chip could be considered an act of vandalism. So that leaves two options: (1) don't use the card. (2) get an anti-RFID sleeve/ wallet. Since I want the card, I haven't got much choice, do I?

powered by performancing firefox

Big In Japan
McDonald's restaraunts in Japan will allow customers, later this year, to pay for purchases using NFC-enabled mobile phones. (Nokia is one company that has already rolled out NFC phones to be used for payments.)

Hyundai Adopts RFID
Hyundai-Kia Motors is implementing RFID in their Supply Chain to collect real-time distribution information. They are moving from applied bar code labels. They'll be using UPM Raflatac tags.

Dallas Newspaper To Use RFID
The Dallas Morning News will be the first newsaper to use the RFID-enabled Smart Cart system from Cannon Equipment. The system helps to track cart shipments.

Contactless credit cards that use RFID technology have been growing in numbers over the past two years. With their increased presence comes increased security risks, however. A New York Times article from October 23, 2006 pointed out some of the major security flaws in these contactless credit cards. So what can be done? Ask the Advisor has some answers in their recent article Can Contactless Credit Cards Be Hacked? 5 Tips to Stay Secure. It's worth a read.

Walgreen's Expanding RFID Use
Drugstore chain Walgreen's started an RFID trial project in late 2005, in which 50 of their 5500+ stores took part in. They are now deploying another RFID system, Wireless Asset Net from I.D. Systems, for materials handling vechicles. The system will help control access to these vehicles, which is a requirement of OSHA (Occupational Safety and Health Administration).

RFID Aids Process Improvement
Managing Automation reports on a ChainLink Research survey finding of 275 manufacturers that RFID use is tending towards operational efficiencies. Another important finding of the survey is that many of the companies plan to spend twice as much on RFID in 2007 compared to 2006.

RFID 2007: NFC Contactless Payment Use To Grow
Mohammad Khan, President and founder of ViVOtech, Inc., says that contactless payment has become a worldwide phenomenon, with North America leading. There have been over 18M cards issued in the US and Canada, and over 250,00 POS (Point of Sale) systems accepting those cards. By the end of 2007, there is expected to be 40-50M cards and 400,000 POS systems. Then there's the rest of the world, with several dozen countries already in the middle of trials, and many more millions of cards lauched.

Hybrid RFID: GPS Receivers
Fujitsu Software Technologies has a hybrid tech device that combines an RFID tag with a GPS receiver. The receiver is accurate within 3-5 meters (10-16.5 ft) and the unit sends out a unique ID and geo info to an RFID reader up to 200 meters distant. The device is about US$170. [Nikkei via RFID in Japan]

Contactless Vending Machines
If you live in Dallas, New York or Chicago, that can of Dr. Pepper or Snapple that you're thirsting for can be paid for with your MasterCard contactless credit card. Cadbury Schweppes vending machines are going contactless and will also accept all major credit cards. [via Storefront Backtalk]

Worst RFID Uses?
Just catching up on my RFID reading and came across Gemma Simpson and Jo Best's Top 10: the best, worst... and craziest uses of RFID. I gotta say, pretty much all of these would have made it to my own similar list, with the exception being Dutch bookstore chain BGN, who have already proven the value of their conversion to radio frequency technology.

RFID Update has a 3-part series on RFID trends for 2006. Number 10 was "RFID and the Citizen: Passports, Privacy, and Politics". I would have have put this as number 1 myself, in terms of public concern. Their number 1 was "The Industry itself". Each item has a number of links to related articles, and the series is definitely worth a read to get a perspective of what's happening. These types of articles are never easy to write - I know first hand. But here are my 5 issues in RFID (not quite the same type of list).

1. RFID and identification. Should citizens be concerned? Is it all fear-mongering or do we really need RFID citizen cards between Canada and the US?
   
2. The industry itself. How's the industry doing? Can it support RFID IPOs?
   
3. Item-level tagging. I'm referring to the retail industry and the intent of giants such as Wal-Mart to tag everything. A reduction in price for item-level tags should push this application forwards.
   
4. RFID in the pharmaceutical industry. The FDA D-Day, Dec 1st, has come and gone, but in fact, a US Federal Court judge apparently issued an injunction lifting the e-pedigree requirements on certain drugs. The pedigree requirement is a good idea, especially for fighting drug counterfeiting, by the industry has been self-admittedly behind the curve. Will they catch up in 2007? Well, it's been 10 years since an e-pedigree solution was mandated. What's taken so long? (Item-level tagging costs, technological hurdles, etc.)
   
5. RFID in payment systems. Do we need contactless credit cards? Are they secure? And should it be legal for merchants to refuse cash?

Of these, three concern me, but only because of my own personal feelings about them. I've written about them often enough, so I'm not going to repeat myself. You'll notice, though, that I'm talking less about the technology and more about issues.

Bank of America (BoA) is testing out contactless payment fobs provided by Oberthur Card Systems. This particular fob is actually a "sub-card" that would be included in a MasterCard PayPass, and can be popped out and then included in a keychain. This is said to be a first in the US. It's being predicted that alternate form factors will further the adoption of contactless payment.

BoA recently threw out a non-customer who wanted to cash a check drawn on a customer's account. Seems BoA forces non-customers to undergo fingerprinting. The man politely refused, stating that Federal laws mandated the bank to cash checks drawn on their bank. They said that their own rules indicated fingerprinting, but refused to show him proof when he asked. They then ignored him until he left, with a security guard tailing him. Talk about getting right into identification methods.

The Ohio Turnpike is testing MasterCard's NFC-based contactless PayPass payment cards for toll plazas. According to a Telematics Journal report, this is the first toll road in the US to accept payment cards in self-service lanes. It should be noted that other toll roads have used pre-paid contactless cards for several years, though these are not credit card based. RFID in toll road systems have been in use in Toronto, Canada for nearly a decade and are also being tested in Argentina and other parts of South America. The same NFC technology in the PayPass started off in key fobs, which were introduced to consumers to pay for gas at some stations in North America (at least Esso in Canada and Exxon in the US).

Joni Mitchell's famous song Big Yellow Taxi (covered by The Counting Crows) talks about "paving paradise and putting up a parking lot." Well in Philadelphia, they're not discovering paradise, but half of the taxi cabs are making the city more like paradise for riders who don't have cash on them. As long as customers have MasterCard's PayPass contactless payment card or keyfob, they can pay for their fare. The wireless credit and debit card payments technology, supplied by VeriFone Transportation Systems, is actually expected to also help the Philadelphia Parking Authority determine if cabs are serving the entire city or only certain parts. [Digital Transactions via Loftwares]

Now all you have to worry about is actually finding a cab when you need one. While there was no mention of payments by NFC-enabled cell phones, this development in Philly is one more step towards the possible ubiquity of RFID-based mobile + contactless payment options for consumers.

The versatility of smartphones as a consumer tool might escape you consciously until someone spells it out. The fact is that with the right modules (sometimes native, sometimes plug-in), a smart phone or PDA can read barcodes, download video + audio clips from a Bluetooth enabled movie poster, be used to renew special parking meters, secure a hotel room and store a digital room key, function as a loyalty card + coupon generator, pay for movie tickets, buy items from a vending machine, function as a POS (point of sale) unit and, as a result a CRM (consumer relationship management) device.

And there's more functionality, most of which is enabled by radio frequency technology. Storefront Backtalk has a write up about actual case studies. ZDNet UK talks about how mobile operators are pushing for RFID in phones, to the point of willing to work together to achieve this goal. As such, the mobile RFID solutions market is expected to heat up.

According to a Harris Interactive survey, 72% of 2000 people surveyed seem to indicate that fingerprint scans at ATM/ debit machines would make them feel more secure. I have a hard time believing this, and Evan Schuman at Storefront Backtalk says there are reasons to be suspicious of such data because of the way that a question about biometrics was worded.

Fingerprinting still and probably always will have connotations of being arrested, despite the fact that some employers expect it. I still believe that if biometric authentication has to be used for various reasons, with or without RFID, that consumers would rather it be something like voice recognition. Though that has a number of technical issues that need to be resolved, including its usability in public. On the other hand, other recent surveys in other countries suggest that younger people would be all for identification via palm vein scans and even from implanted radio frequency chips.

Baseball's Oakland A's are moving to Fremont, California and a new US$500M high-tech ballpark. Not only will fans be able to to watch instant replays, order food and drink, and communicate with friends over a wireless network, they'll be able to download online tickets to their cell phones, which will be validated with RFID readers at the stadium. [PC World via Loftware]

Since the Soccer World Cup earlier this year, a number of other sports including cricket, football, NASCAR racing, golf, and hockey are using RFID in numerous capacities. This includes game use (soccer: to settle goal decisions), asset management (NASCAR: track tires), ticketing and concession payments, seat management, etc. There have even been a few soccer teams suggesting that their star players be implanted with radio frequency chips.

In an increasing trend towards mobile use of RFID, NFC-enabled cell phones are being used in trials in France and other European countries as means of electronic payment. In these trials, the technology follows the EMV (EuroPay MasterCard Visa) payment protocol and allows consumers to make debit-based purchases of up to 150 Euros at select merchants. In 2004, ABI Research predicted that 50% of mobile phones would use NFC by 2009. A credit card usage report indicated that in 2003, electronic payments had overtaken paper payment in some countries. It remains to be seen whether consumers will embrace this form of payment, but companies like Wireless Dynamics are making it easier with their SDiD RFID minicards that can be use with any smartphone/ PDA having mini-SD memory/ module slots.

The ability to skim information discreetly off of the RFID chip in contactless credit cards is causing a stink, thanks to a big NY Times article recently, and eliciting questions that either credit card companies either have ignored or never asked themselves during the design phase. One important issue is secure use, another is credit card selection when a consumer is carrying more than one contactless card.

Of course, there is a way that these cards could be made more secure, but it would require more technology and another generation of cards before they're widely available. Biometric techniques are already being used for access control and identity verification, such as in e-passports. Several forms are in use, including fingerprints,  palm vein scans, retinal scans, and voice recordings. (DNA biometrics is infeasible, at least at present.) From a consumer perspective, most of these techniques are invasive, with maybe the exception of voice recordings.

People are used to recording their voice, so voice biometrics may be a method for solving both issues: secure use and card selection. During a transaction, the customer would be prompted to select the card they'd like to use and recite their name.

Problem is, this isn't a guaranteed solution, as there are technical issues that might hamper its use. For example, if you are in a very noisy shopping mall during Xmas holiday rush, voice authentication may not work unless your mouth is close to the merchant scanner's microphone - which leads to issues of hygiene. The other problem, and more serious, is what if someone uses a recording of someone's voice? Ambient background noise would be expected during a purchase (except online), but with cheap/ free audio editors, that's not difficult to add. And if there is no cashier to verify that a person using a card is actually speaking instead of replaying a recording, then security isstill an issue.

This is, of course, something that all voice biometrics systems will have to deal with, but biometrics tech is costly, and if a merchant is "forced" to use it, there's another source of inflation for our cost of living. But what really worries me, though, is whether these sorts of flaws will lead to the thinking that we "have to" use something more invasive such as retinal scans or palm vein scans just to buy our groceries. Because if cold, hard cash and notes are eliminated, that's the direction we'll have to head down to "protect" consumers from security issues of contactless credit cards. Even if it's as simple as the idea that your contactless credit card requires your fingerprint to be recorded.

Bruce Schneier, a writer for Wired Magazine, has his own blog that has a short post about the ability to skim information off the RFID chip on new contactless credit cards. This is a post worth reading for the comments by readers. Many of the commenters echo my feelings about contactless credit cards and the supposed time-savings they offer, not to mention their security flaws. One commenter, Nicholas, says that you gain almost nothing since while you don't have to take your credit card out of your wallet, you do have to take your wallet out of your pocket. In other words - whoop-de-do. And even that little bit of time savings may not last. A bit further down the post, reader Daniel asks what happens when people start carry two or more of these cards. How will store scanners know which card to charge?

These contactless credit cards are expected to become popular for small transactions, so security issues aside, the likelihood that consumers will carry more than one, is increased. A merchant's RFID reader would thus detect more than one card in your pocket, unless you use an anti-RF sleeeve or wallet.

If you don't use a sleeve (but you should - always use protection), that means you have to remove the desired card from your wallet/ purse. If you do use sleeves, then you still have to remove the right card - not just from your wallet but also from its sleeve. Where exactly is the time saving in that?

These are more reasons why I've said for some time that contactless credit cards are stupid idea that only benefit the issuing companies and the merchants, not the consumer. And they're presently more of a risk to carry than regular credit cards. But since they're probably here to stay, wrap that rascally card with an anti-RF sleeve - something issuing companies should already be doing for you.

Honey We Shrunk the Contactless Payment Key Fob
Texas Intruments is offering a new contactless payment chip inlay [PCB007] about the size of a postage stamp, as well as an oval-shaped inlay antenna. Both products are compatible with MasterCard PayPass contactless payment systems, and open up the possibility of very small form factor payment keyfobs and wristbands. PayPass compatible wristbands were given away by MasterCard Worldwide recently to fans at the New York Giants' Giants Stadium. Texas Instruments recently gave up buying RFID inlays to manuffacture their own.

China Approves Savi Technology
The SRRC (State Radio Regulation Committee) in China has approved Savi Technology's active RFID tags and readers , which operate at 433.92 Mhz (ISO 18000-7) for use in the country. [via FCW] Savi was acquired recently by Lockheed Martin.

Cricket Welcomes RFID
Cricket is the latest sport to use radio frequency technology, in this case for event ticketing for the Rajasthan Cricket Association. The RFID tags used are from NXP (formerly Philips Semiconductors), the readers from Gemini. [via The HIndu Business Line]

Last year, Wireless Dynamics Inc. (WDI) introduced their SDiD cards, which provide NFC (Near Field Communication)  RFID capabilities in an SD (Secure Digital) card form factor. These standard sized SD cards can be used in the SD memory/ module slots of various smartphones, PDAs and other mobile devices for contactless payments. ACG Identification Technologies, also a player in the NFC RFID market, has signed a deal to distribute WDI's SDiD card. WDI also offers NFC reader/ writers in mini-SD card form. Both types of SD cards operate on HF (High Frequency) protocols and are targeted to "public transport, financial transactions, and access control," amongst other uses.

[additional sources: More RFID]

Years ago, when the first RFID contactless payment cards made their appearance, I wrote several editorials in various local + regional weeklies about why society would always need cash. Fifteen years later, I'm of that opinion still, and more strongly than ever, especially in light of the fact that respectable researchers have shown that some of the current breed of contactless credit cards have security flaws.

Reader RFBase rightly points out that consumers are not responsible if someone else commits fraud on their cards. Cardholders may not be responsible, but that doesn't mean it might not affect their credit rating. We all know how (in)accurate credit reports have been in the past. What's more, someone pays for the cost of fraud, and that probably means that interest rates go up, or yearly card memberships do. Or both. Or the products themselves go up in price. Basically, most of the benefit of using contactless payment cards is to the technology supplier and possibly to the merchant. This seems to be a re-occurring theme in some applications of RFID: the consumer, from their point of view, gets very little extra benefit that they actually care about.

Then there's things like contactless transit passes now. What if I don't want a whole month's worth of credit? Why would I want a piece of plastic for a two-way trip, especially if I rarely use transit? Contactless payment cards, in some cases, force you to commit to a certain expected transaction amount - possible more than you intend to spend.

But these aren't the only reasons to not move to a completely cashless society. Here's a concrete example of why I don't believe in moving to a cashless society. I went shopping yesterday and a young army cadet was selling poppies for Veterans/ Memorial Day. I always donate, even when I already have several already on my person. I had less than a dollar in change, but I contributed that. Now what if we never carried cash anymore? I know that debit/ ATM cards have moved us closer to that state, but we still have cash and we can still make small donations that matter. It would be ridiculous to expect that charitable organizations should pay for the technology required so that they might still take donations in a cashless society.

[Commentary] When small-ticket vendors start accepting contactless payment, it makes me wonder what it does to the cost of living. I have a hard time believing that USA Technologies' decision to install OTI (On Track Innovations) contactless card readers on 10,000 of their vending machines is a good thing for the average consumer. I'm of the same opinion for the drive to capture the sub-$25.00-per-transaction market of small merchants and convenience stores - places where profit margins are already tiny, and the market is competitive. [I.e., I'm not picking on USA Technologies in particular.]

This technology obviously isn't free, and the likelihood that it costs more than regular vending machines is high. That means the product being sold is going to have to increase in price at some point. So how is that a good thing for customers? And let's not forget that criminals already target various isolated places by installing fake debit or credit card readers. What happens when they do the same for contactless payment cards. Researchers have already shown that some of the current generation of contactless (credit) cards (and e-passports) are susceptible to security flaws.

If it ain't broke, don't fix it.

MasterCard was awarded the honors of 2006 Frost & Sullivan Company of the Year for its PayPass contactless payment technology. The technology is being used in the new contactless credits cards from Mastercard. [via Contactless News]

MasterCard was one of the companies listed in a recent NY Times article about the findings of two US researchers regarding the security flaws in 20 contactless credit cards tested. The researchers found that not only could they "skim" important information off the cards while they were still in their envelopes, they could do so with a homemade reader, which cost US$150 to make. They also determined that a smaller reader could be made for only $50 and read information through a mailbox, from a distance of a few feet.

Several credit card companies have claimed that any information skimmed off the cards tested cannot be used successfully to make purchases. Although the whole issue begs the question of why the cards are not mailed with an anti-RF sleeve to at least give them impression that they are protecting consumers from all possibilities of fraud.

Payments News has an embedded YouTube video demonstrating the privacy holes in contactless credit cards. The video is by the same researchers that found that they could read credit card numbers and expiration dates off of the RFID tags on 20 contactless credit cards directly through their mailer envelopes. Their research was covered in the New York Times a few days ago. Note that it's rather difficult to tell what's going on in the video.

Earlier this year, other security researchers in Europe and elsewhere found that they could also skim information from an RFID tag in an e-passport and use them to trigger an explosive. The US and several countries in Europe started issuing ICAO-compliant e-passports in August. Both the credit cards and the passports have spawned a mini-industry in protective sleeves and wallets, which work on the principle of a Faraday Cage that blocks RF signals.

With the number of contactless credit cards distributed to consumers increasing, researchers are raising awareness of potential privacy issues in two documents, Vulnerabilities in first-generation RFID-enabled credit cards (NY Times, PDF, 15 pgs) and RFID payment card vulnerabilities technical report (NY Times, PDF, 6 pgs). These are part of an NY Times article (free registration required for just the article, not the PDFs). [via Payments News] I'm summarizing the NY Times article and adding a bit of commentary.

A test mentioned in the NY Times article indicated that researchers could read information from a contactless credit card from inside an envelope. The info culled contained the cardholder's name, expiration date, and even card number from the 20 different contactless cards they tested. This is despite the fact that several financial institutions suggest that their cards are encrypted. Now you're thinking that you have to have special equipment to read the cards. Apparently the researchers built one from an old computer and radio components. It cost them US$150 to make, and they figure they can reduce the cost to $50, and be smaller besides.

So if your mail carrier drops off your new credit card, and someone steals it from your mailbox, they can cull the information from the card. When they're done, they could then place the unopened envelope back in your mailbox. Credit card companies claim that there are additional safeguards, and "that threat really doesn't exist." Well, let's hope so. Since you can purchase products and services online without having to sign for them, fraud is easier online. However, none of the cards tested transmitted the additional "card validation number" which is sometimes needed for online purchases.

Then there's the issue of read distance. It's generally believed that contactless cards only have a read range of a few centimeters. Researchers are claiming that the range can be extended to up to a foot in some instances, so "skimmers" may even be able to read through a mailbox (provided it's not metal).

These are fairly surprising findings (more in the NY Times article), but not unlike the claims made for e-Passports. Several security experts from high-prestige universities are shocked by the findings, with one claiming credit card companies have crossed the line. The credit companies in turn are claiming that the information transmitted is basically useless, especially since there are other safeguards in place.

Obviously, either one party (the researchers) is exaggerating or the other party (financial institutions) is lying. If you do have or plan to get a contactless credit card, protect its information with one of the now multitudinous anti-RF sleeves or wallets available.

Speculation, experience, and an informal survey of people who have used some form of RFID technology suggest to me that RF tech that focuses on consumer benefit without mentioning "RFID" will likely have a higher adoption rate than tech that does not. For example, a number of gas stations in North America have giant posters touting the "tap to pay" and "pay faster" benefits of contactless payment smart cards or key fobs. These posters do not mention RFID technology; the consumer benefits are played up. No muss, no fuss, no controversy, unless someone starts it first.

If you are interested in a more detailed treatment, Research and Markets has a report available  for purchase that is based on a study conducted to track consumer response to RFID.

Imagine being able to do all or most of your banking transactions on the go, using an Internet-connected mobile communication device such as a smart phone or PDA. Yodlee's Yodlee Mobile service lets banks and other financial institutions offer mobile banking to their customers. The service allows a customer to check balances, view transactions and check for fraud alerts. Additional services extended from Yodlee MoneyCenter allow for other fairly standard transactions, but on the go: bill payment and fund transfer. Peter Hazlehurst, senior vice president of product development said:

By allowing consumers to access and manage their accounts from anywhere, financial institutions can extend their brand and increase the value and frequency of customer communications.

Couple this with an RFID-enabled cell phone to make payments for transit, parking meters, movie theaters, etc., and you may never have to stand in line at a bank again.

[via Payments News]

The November 2006 issue of Consumer Reports suggests that consumers use only those debit cards that have a Visa or MasterCard logo (although the advice probably applies to credit cards and to RFID-enabled smart cards). What's more, you should pick cards carefully. The article has five tips (bold text theirs, other text mine.)

1. Know your liability for fraud. Don't wait to report a lost or stolen debit card. The longer you wait, the more likely you are to be responsible for fraudelent activity. (Visa and MasterCard have a zero-liability policy, but with certain conditions.)
2. Limit fraud exposure. Use a debit card that requires a PIN code for transactions. They are considerably more secure than those that just require a signature.
3. Avoid ATM fees. Why pay fees you don't have to? Try to minimize your card use on payment networks that cost you extra.
4. Beware merchant charges. Same as with #3: why pay extra?
5. Don't fret about the rewards. The rewards are not always what they appear to be. Make sure that you understand the conditions of all the rewards.

Of course, using an RFID-enabled smart card reduces a lot of the security problems listed above, and you can always carry a protecting sleeve to increase privacy protection.

[via Payments News]

Innovision Research & Technology Group has a free white paper, Smart ticketing for mass transit - the new global oportunity created by low-cost contactless ticketing (PDF, 14 pgs). The paper is about the financial benefits of contactless technology to mass transit, for fare payment. [via Security Park]

Contactless ticketing and fare payment smartcards are taking off as niche applications of radio frequency technology. In addition to various bus and subway fare payment trials in Europe (Poland) and Asia, China's Guangshen Railway company recently ordered 125 million contactless tickets. Innovision Research also offers mass transit ticketing solutions. A recent offering is their tiny Jewel RFID chip, which can be used for disposable contactless ticketing.

Dr. Katherine Albrecht, co-author of Spychips and founder/ director of CASPIAN, weighed in last week with a comment on an article from this site from earlier this year: RFID vs Christian Right? Her comment, which just came to my attention, clarifies her actual viewpoint about RFID, and that she's never actually equated RFID in its present form with "the mark of the beast", despite what some writers suggest. She says in her comment

... that modern databases and communications  technologies, coupled with POS data-capture equipment and sophisticated  ID and authentication systms make it theoretically possible to require a biometrically associated number or mark to make purchases.

She also points out the signficance of such a payment system to Christians, "who have been mandated by their faith not to participate in such payment systems." This is much different than her being attributed to calling RFID "the mark of the beast." She also points out the inherent right that anyone of any faith should have regarding privacy. See the orginal VoIP Now article, which misquotes her, for Dr. Albrecht's full commentary.

Hitachi and KDDI Develop Miniature RFID Tag
A miniature RFID chip, designed for use with Bluetooth-enabled mobile phones, has been developed by Hitachi Ltd and KDDI Corporation. The chip, dubbed the Muchip, can hold 38 digits of information and is used in tandem with the Muchip RFID Reader. [JCN Network via The RFID Weblog]

Low-Cost Temperature Sensitive RFID Trackers
Pharmacies and distributors that need to keep track of the drug supplies in their cold chain have a new option. Intelligent Devices Inc. has an RFID temperature tracker designed specifically for pharmaceutical Cold Chain Distribution. More details at Temp Sensor. Other temperature-sensitive RFID tags have been brough to market recently by companies that include Savi Technology and LogicaCMG.

DoD-Compliant RFID Labelling Solution
Looking for a DoD (US Department of Defense)-compliant RFID solution? Avery Dennison is offering a solution that includes software, a scanner, and optional labelling systems. More details at Thomas Net.

Zebra To Share RFID Patents
Zebra Technologies recently spent US$10M to acquire over 200 RFID patents from BTG. Their plan is to add these to the RFID patent pool they helped co-found, known as the RFID Consortium.

Several sports have been implementing RFID in innovative ways in the past couple of years. The list at least includes golf, NASCAR car racing and soccer, whose World Cup had the largest sports implementation of radio frequency technology.

It's not just sports but sports stadiums who are getting in on RFID use. According to Contactless News, a dozen baseball stadiums are accepting MasterCard's PayPass contacless RFID smartcard, which was originally being used only at select gas stations and McDonald's restaurants in the US. Recently, New York Giants football stadium gave away free Paypass wristbands loaded with $25 credit.

PDC, Precision Dynamics Corporation, will be promoting their Smart Band RFID Wristband at a waterpark association symposium on Oct 20-21, Orlando, Florida. The wristband is waterproof and can be used both for keyless entry into hotel rooms and lockers, as identification, and for cashless POS payment. Get more details at More RFID. Great Wolf Lodge in Niagara Falls uses RTLS RFID wristbands from MICROS Systems. RTLS (Real Time Location Systems) is an area of growth for RFID.

Free Contactless Payment Systems For US Merchants
NAB (North American Bancard) is giving away RFID contactless payment systems to 3000 retailers, small and midsize, in 20 large US cities. The systems use VIVOtech readers and VeriFone terminals, and payment is made with a contactless credit card, such as the 17 million issued by banks like J.P. Morgan Chase and others. Supported cards include MasterCard PayPass and American Express ExpressPay, as well as cards by Discover and Visa. Read RFID Journal for more details.

China Tests IP-XTM RFID Technology
A radio frequency technology called IP-XTM is being tested in several sectors in China. The technology, whose platform is provided by iPico, allows RFID tags to be authenticated even when objects they're attached to are moving at high speeds (up to 240 kph). IP-XTM is expected to save millions of dollars logistics, supply chain management and other processes. [via China Tech News]

RFID To Be In Japanese Driver's Licenses
The US and Australia aren't the only places pushing for ubiquitous RFID-enabled identification cards, including driver's licenses. All Japanese driver's licenses will be getting RFID tags. This migration will start as early as Jan 2007 and be complete by 2008, depending on the prefecture. [via RFID in Japan]

RFID has been spawning a lot of innovation. One of the newest is Jewel, a tiny chip which has been designed for disposable radio frequency-enabled tickets. While I personally don't like the idea of unnecessary waste - an issue that other RFID projects have tried to resolve - this chip has been approved by ITSO (Integrated Transport Smartcard Organisation). IER, who make contactless labels and devices for transit and other companies will be licensing the chip from Innovsion Research to use in their applications, particularly for mass transit. [additional sources: Contactless News]

However, given that there seem to be so many vendors offering transit solutions, and many contactless-payment projects for transit all over the world, it makes me wonder what citizens of neighboring countries will do. Tourism might actually suffer if cities don't consider a failsafe method of fare payment for short-term visitors. Which is why I still maintain that cash will be useful for a long-time yet.

Item-level RFID for retail applications is expected [RFID News] to have a good year in 2007 says AbsoluteSKY, Inc., of Montreal, Canada. The company is already working on applications with "four major retailers", with announcements pending. AbsoluteSKY announced a deal with Universal Surveillance Systems earlier this year for "retail RFID products" that would help retailers track product in real-time. Real-time location systems (RTLS) seem to be increasingly of interest to retailers and other businesses.

Another RFID application area expected to enjoy growth [IDTechEx] is in the use of smart cards and key fobs for payment systems. Key fobs are already in use in many countries. Some North American gas stations have been using contactless key fobs for "quick payment" lanes for years now. Smart cards are not only being used for payment systems but also for government ID, health cards, and driver's licenses in a number of countries, including Australia. China alone is expected to issue nearly a billion smart cards to adults over the next two years. Additionally, banks like Chase in the US have been distributing RFID-enabled credit cards with increasing frequency. In fact, a recent Ipsos Insight survey indicates contactless credit cards would be used by over 100 million Americans.

In terms of hardware, the RFID reader market is expected to be worth [RFID Update] over US$1 B by 2010, according to a VDC (Venture Development Corporation) report (PDF, 2 pages) issued last week. More than 80% of the market is for fixed-position readers, with the rest going to handheld units and modules integrated with other hardware such as label printers. This considerable difference between fixed and portable RFID readers is expected to continue, as readers will be embedded in also sorts of stationary equipment, desktops, cabinets, etc., in numerous near-future applications. The gap will decrease slightly, however.

The Guangshen Railway Company in China has contracted [RFID News] Confidex to supply 125 million RFID-enabled contactless tickets for railway passengers. This is considered to be one of the largest single orders for RFID tags ever, for transit use or otherwise. This system does not use the tags produced by the Chinese company Hyan Microelectronics in partnership with American company Paralec.

Other recent contactless transit projects include one in Poland, which the city of Warsaw awarded to a subsidiary of OTI Global. In Paris, a contactless payment trial began earlier this year which allows commuters to pay transit fares using their RFID-enabled cell phones. A similar phone-based transit payment trial is taking place in Korea.

The first North American trial of NFC (Near Field Communication) just completed [Payments News] in Atlanta, Georgia, at the Philips Arena. Several companies were involved, including CIngular, Nokia, NXP (formerly Philips Semiconductors), and others. Actual consumer participants were 150 season ticket holders of Atlanta Thrashers and Atlanta Hawks sporting events.

The NFC trial received positive feedback [RFID Journal] from participants, and consisted of several components: a contactless Visa card from Chase bank; a Cingular Wireless account, Nokia 3220 phones, NXP chips, and Vivotech readers. Participants had an easy means of commenting on their experience, whether good or bad, and the data implies the trial was a success.

This is just one of a growing number of RFID/ NFC trials in sports stadiums around the world. While soccer seems to be taking the lead in this regard, NASCAR, football, hockey and basketball are starting to follow suit. In fact, this Sunday Sep 10, the New York Giants' Giants Stadium will be passing out free contactless payment cards loaded with a $25 credit.

New York Giants fans will be given a treat this Sunday Sept 10 when Giants Stadium hosts the Indianapolis Colts. MasterCard will give away a contactless payment wristband based on the latter's Paypass RFID technology. Each wristband will be loaded with a $25 credit, good for purchases at concession stands. This is different than the PayPass-enabled wrist watch offered by Taiwan's CCB bank.

Sports stadiums around the world seem to be embracing various forms of RFID technology. Although unlike the World Cup soccer event earlier this year in Germany, there appears to be no use of the wristbands for security measures. (Some teams are actually considering implanting an RFID chip into their more valuable players.) Giants Stadium has had PayPass-enabled concession stands for a year, but previously used a card form.