Best Buy "TAG"


  • Best Buy "TAG"

    I don’t know if anyone else has seen this, but if I were a Best Buy customer I would honestly be upset about this. A few people I know were sent an e-mail stating that they had been automatically enrolled in the "Tag" program and would be receiving their tag in the mail. Basically what this is, is a sticker with an RFID tag of some kind with their account information in it. The suggestion from Best Buy is to put this sticker on your cell phone so that you can just wave your phone over the reader in their stores to pay for purchases, and that for any purchase under $50 they don’t require a signature. My first reaction to this is that this is just a huge security issue since customers don’t even have a choice about whether or not they can enroll in this program.
    The Best Buy page provides the following in their FAQ about security concerns on the Tag website.

    "The PayPass™ feature uses special security technology and typically, at the checkout when you tap your tag it must be within an inch or two of the "contactless symbol" on the payment reader"
    https://www.rzmctag.com/

    To some people security is not a concern and so they sign up for credit cards that come with RFID tags, but it seems to me to violate a customer’s desire for security by simply sending them the tag with no choice. Obviously you can choose not to use the tag, and those who have this concern don’t have to, and can probably destroy the tag. I just think that, especially with a technology such as RFID that has had questions raised before, a company should be obligated to ask its customers before just signing them up.

    I was just wondering if anyone else had seen these and had any thoughts about it. I'm mostly curious about how good the "encryption" is on the card that would prevent someone from just scanning the card and making a copy with another RFID tag. I know there are technologies that prevent this, but it just seems like a risk that shouldn't just be pushed onto customers without their permission.
    Not every problem, nor every thesis, should be examined, but only one which might puzzle one of those who needs argument

  • #2
    Re: Best Buy "TAG"

    Originally posted by facon12
    I don’t know if anyone else has seen this, but if I were a Best Buy customer I would honestly be upset about this. A few people I know were sent an e-mail stating that they had been automatically enrolled in the "Tag" program and would be receiving their tag in the mail. Basically what this is, is a sticker with an RFID tag of some kind with their account information in it. The suggestion from Best Buy is to put this sticker on your cell phone so that you can just wave your phone over the reader in their stores to pay for purchases, and that for any purchase under $50 they don’t require a signature. My first reaction to this is that this is just a huge security issue since customers don’t even have a choice about whether or not they can enroll in this program.
    The Best Buy page provides the following in their FAQ about security concerns on the Tag website.

    "The PayPass™ feature uses special security technology and typically, at the checkout when you tap your tag it must be within an inch or two of the "contactless symbol" on the payment reader"
    https://www.rzmctag.com/

    To some people security is not a concern and so they sign up for credit cards that come with RFID tags, but it seems to me to violate a customer’s desire for security by simply sending them the tag with no choice. Obviously you can choose not to use the tag, and those who have this concern don’t have to, and can probably destroy the tag. I just think that, especially with a technology such as RFID that has had questions raised before, a company should be obligated to ask its customers before just signing them up.

    I was just wondering if anyone else had seen these and had any thoughts about it. I'm mostly curious about how good the "encryption" is on the card that would prevent someone from just scanning the card and making a copy with another RFID tag. I know there are technologies that prevent this, but it just seems like a risk that shouldn't just be pushed onto customers without their permission.

    RFID chips are what microwave ovens are for.

    xor
    Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



    • #3
      Re: Best Buy "TAG"

      Originally posted by facon12
      I was just wondering if anyone else had seen these and had any thoughts about it. I'm mostly curious about how good the "encryption" is on the card that would prevent someone from just scanning the card and making a copy with another RFID tag.
      Encryption? Surely, you jest. The chips used in these cards are too small and too underpowered to have encryption. http://tv.boingboing.net/2008/03/19/...-an-rfide.html

      Originally posted by facon12
      I know there are technologies that prevent this, but it just seems like a risk that shouldn't just be pushed onto customers without their permission.
      Get used to it. There are a number of cards, including MasterCard and Visa that have this technology, and none use encryption. I carry all my credit and ATM cards in a shielded wallet that blocks RF to specifically prevent this kind of attack. http://www.difrwear.com/product-display.php
      Thorn
      "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird



      • #4
        Re: Best Buy "TAG"

        Originally posted by Thorn
        I carry all my credit and ATM cards in a shielded wallet that blocks RF to specifically prevent this kind of attack. http://www.difrwear.com/product-display.php
        I own one of these as a wallet and another for my passport, and gave them to family for traveling abroad as a gift near the end of 2008. You just need to remember to put your wallet and passport holder in the "dish" when walking through the metal detectors in airport security.

        People are being provided with a technology that is supposed to make purchasing easier, with fewer moving parts for breakdown with each transaction. (Receipts still involve moving parts.) They put consumer credit scores at risk, and when theft occurs with cloned RFID, the credit card companies will either stop using this technology, change the technology, or push the burden of responsibility for theft of RFID onto the consumer that "allowed the tag to get stolen/copied."



        • #5
          Re: Best Buy "TAG"

          I just ordered an RFID-safe wallet yesterday.

          As for Best Buy, I think it's a really bad idea for them to be opting consumers into such a service. I'm sure their thinking is that they're safe because they'll be including a letter explaining everything, which no one will read.
          A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



          • #6
            Re: Best Buy "TAG"

            Originally posted by facon12
            I don’t know if anyone else has seen this, but if I were a Best Buy customer I would honestly be upset about this. A few people I know were sent an e-mail stating that they had been automatically enrolled in the "Tag" program and would be receiving their tag in the mail. Basically what this is, is a sticker with an RFID tag of some kind with their account information in it. The suggestion from Best Buy is to put this sticker on your cell phone so that you can just wave your phone over the reader in their stores to pay for purchases, and that for any purchase under $50 they don’t require a signature. My first reaction to this is that this is just a huge security issue since customers don’t even have a choice about whether or not they can enroll in this program.
            You are right that this should not be happening without the customer's prior consent. I am surprised this does not violate some law pertaining to use of customer information. I see it as a way of taking advantage of consumer ignorance - most people have no idea about the vulnerabilities associated with RFID. If I get one of those things in the mail, I will promptly destroy it. It would not make things more convenient for me anyway because 1) I am not sticking crap like that on my phone and 2) it's not like I can get out of Best Buy with a purchase of less than $50.
            "Why is it drug addicts and computer aficionados are both called users?" - Clifford Stoll



            • #7
              Re: Best Buy "TAG"

              Originally posted by Thorn
              Encryption? Surely, you jest. The chips used in these cards are too small and too underpowered to have encryption. http://tv.boingboing.net/2008/03/19/...-an-rfide.html
              I assumed this was the case and there was no encryption, but I figured it best to at least ask first as I am not the most informed about RFID. The thing that confuses me the most about their decision to do this is that they actually suggest you put this sticker/tag on your cell phone. I am very careful with my wallet and phone, but I am much more likely to set my phone down for a moment where someone might be able to get close to it than my wallet. Also, if I lose my phone, I have to get my card info changed, adding one more frustrating step to an already annoying situation.
              Not every problem, nor every thesis, should be examined, but only one which might puzzle one of those who needs argument



              • #8
                Re: Best Buy "TAG"

                Originally posted by facon12
                I assumed this was the case and there was no encryption, but I figured it best to at least ask first as I am not the most informed about RFID. The thing that confuses me the most about their decision to do this is that they actually suggest you put this sticker/tag on your cell phone. I am very careful with my wallet and phone, but I am much more likely to set my phone down for a moment where someone might be able to get close to it than my wallet. Also, if I lose my phone, I have to get my card info changed, adding one more frustrating step to an already annoying situation.
                The "encryption" in this case is that there is no customer name and account number on the stick-on card. However, the name and account number coded into the RFID tag is still in cleartext. It has to be, because the card readers that use the MasterCard PayPass® RFID technology only read cleartext.

                There has been at least one RFID/credit device that does use encryption, namely the ExxonMobil Speedpass. However, the tags used in these devices are rather large in comparison to the RFID circuitry used in the cards. Furthermore, the encryption level is only 40-bit, and was broken in 2005 by a research team from Johns Hopkins University.

                Best Buy encourages the sticker being placed on the back of the cell phone as a matter of convenience. Look at it this way: A customer is very likely to have their phone with them, it's easier for most people to grab their phone, rather than dig a card out of a wallet, and this use - as with any card - guarantees payment for the merchant. On top of all that, again with most credit cards, the security falls entirely on the customer. What makes this worse is that the customer doesn't understand the technology, and has no concept of how their information is vulnerable.
                Thorn
                "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird



                • #9
                  Re: Best Buy "TAG"

                  Originally posted by Thorn
                  Best Buy encourages the sticker being placed on the back of the cell phone as a matter of convenience. Look at it this way: A customer is very likely to have their phone with them, it's easier for most people to grab their phone, rather than dig a card out of a wallet, and this use - as with any card - guarantees payment for the merchant. On top of all that, again with most credit cards, the security falls entirely on the customer. What makes this worse is that the customer doesn't understand the technology, and has no concept of how their information is vulnerable.
                  Have you seen some women's purses? You could lose an infant in some of those.

                  xor
                  Last edited by xor; January 17, 2010, 10:42.
                  Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



                  • #10
                    Re: Best Buy "TAG"

                    Read an interesting article the other day that BB is getting into a pissing match with Mastercard over the contactless payment thing. This may be related.

                    Also read that if you use the contactless system without a PIN, it costs the retailer less in charges from MasterCard than if you swipe/sign. It's the same on the back end, it just seems like they want to push the less secure solution more.

                    I'll see if I can find the article again and post it here. Until then, this post is just conjecture.
                    Never drink anything larger than your head!







                    • #11
                      Re: Best Buy "TAG"

                      On a related note, I wonder how these guys would freak out if you waved a proxmark or other RFID cloner past their reader and played back the details of your 'tag'.

                      That would be worth filming
                      Never drink anything larger than your head!







                      • #12
                        Re: Best Buy "TAG"

                        Originally posted by renderman
                        Read an interesting article the other day that BB is getting into a pissing match with Mastercard over the contactless payment thing. This may be related.

                        Also read that if you use the contactless system without a PIN, it costs the retailer less in charges from MasterCard than if you swipe/sign. It's the same on the back end, it just seems like they want to push the less secure solution more.

                        I'll see if I can find the article again and post it here. Until then, this post is just conjecture.
                        Heh, my wife's MasterCard debit card won't work as a debit card at Best Buy. You have to run it as a credit card or the system won't take it.



                        • #13
                          Re: Best Buy "TAG"

                          I stopped shopping at BestBuy when I went to a kiosk to look up a part number and the BestBuy said to purchase it through the kiosk and pick it up at the counter. No sooner did the red flag in my head go off and the kiosk's Internet Explorer conveniently auto-filled in the entire Name, Address, CC# etc. with another customer's data. I did a quick looksy and found that it had auto-saved dozens of customers' personal/payment information. I pointed out the issue and the answer from Best Buy, "Is that a problem?".

                          My CC used to have a chip, then it met Mr. Microwave and then Mr. Scalpel. I now have a hole in my card.

                          My passport is in a Shmoocon RFID wallet (thanks Bruce!) and I keep it in my hand when I go through the magnetometer. So far, TSA has never questioned me further after I say "It's the RFID blocker in the wallet".

                          BTW, I've got half a dozen or so RFID sample tags in my bag and a naked ExxonMobil Speedpass just for giggles.


                          Just as planned from 2007: http://www.rfidjournal.com/article/a...view/3422/1/1/



                          • #14
                            Re: Best Buy "TAG"

                            Originally posted by beakmyn
                            I keep [My passport] in my hand when I go through the magnetometer
                            interestingly... i, too, refuse to surrender my passport at any time and for any reason other than border control. i won't give the passport to local merchants and the like (a common request in other countries, especially when attempting to buy SIM cards or other data services*) and even get irked when security flunkies attempt to make passengers place their passport on the x-ray belt.

                            i've seen some places where the policy is absolutely vicious... demands shouted over and over and passengers pushed back through the machine and made to hand it over, etc. in many of these airports there have been crowds and the additional ordering around of people has caused even more confusion and amid the bluster people get separated from their bags (no huge risk, hard to walk off with the wrong bag) and sometimes even documents (much scarier risk... at least one time i was claiming my things and a little white dish slid down next to my carry-on with someone else's passport in it. i could have quietly lifted it and strolled off. unknown how far i would have gotten... but still fucking freaky to me)

                            i now leave my passport in my back pocket at all times. i had one of the very last non-RFID passports (i'm so happy about that, i must say) so the wallet issue doesn't take place with me. but yeah... even taking my passport out in public for anything other than a Border Agent doesn't sit right with me.



                            * i keep a blurry photocopy for that purpose, which i've tweaked in photoshop to make even more blurry in a few places so they have to ask "uh... how exactly do you spell your name?" and maybe i'll mumble and steer them in a less than ideal direction. there is a whole story behind this from our first trip to Malaysia. ask me later.
                            "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
                            - Trent Reznor
