"Why buying coffee with your iPhone matters"

[A-Polly]

http://redtape.msnbc.com/2011/01/buying-...anger.html

Apologies if this is a re-post; I didn't see anything about this article yet but often miss things.

Apparently Starbucks now allows payments made with mobile devices; the author used his iPod Touch. Some tidbits:

First, I'll tell you why I was pleasantly surprised with the Starbucks experience. Then I'll tell you why the credit card industry has a lot to fear from mobile payments, and most specifically from Apple.

...

Meanwhile, Apple has applied for several patents that suggest it has big plans for iPhone payments, perhaps turning iTunes into a new kind of stored-value payment system that could rival both PayPal and the credit card associations.

"The thing about Apple is they could do a system like PayPal, but they also have a physical device in people's hands," Litan said. They also have millions of loyal customers who already trust the firm with dozens of small payments every month. "They have a big advantage," she said.

[Numo]

Very interesting article - another source of revenue for Apple? I like the term "Gadget Payment."

[Michael]

Having a bar code on my smart phone wouldn't bother me, but the whole notion of a Near Field Communication chip where my smart phone would send messages to receivers is troublesome to me.

Just how far would those near fields be? Would it be possible for somebody to set up a system that collects payments from any smart phone with a chip that happens to pass by? Surely this has been considered and will be "prevented," but if it's possible to break the security on such a system, it will be broken.

[Numo]

The fact that you are leaving an electronic trail of transactions that could be used to track your movements on any given day is also kind of disturbing.

[graylocks]

Michael wrote:
Just how far would those near fields be? Would it be possible for somebody to set up a system that collects payments from any smart phone with a chip that happens to pass by? Surely this has been considered and will be "prevented," but if it's possible to break the security on such a system, it will be broken.

within the last week i heard a discussion on the radio in which someone sat in a room and culled information from RFID chips walking by with a readily available or make-able device. i only listen to NPR or consumer advocate Clark Howard so that had to be the source.

[Filliam H. Muffman]

The US is behind other countries in using phones for payments. You could buy something from a vending machine with a phone in Japan in 2007. They had network connections to some vending machines in 2001 but you needed a special account to enable purchases.

[GGD]

Ammo wrote:
The fact that you are leaving an electronic trail of transactions that could be used to track your movements on any given day is also kind of disturbing.

That's pretty much true already unless you use cash. Seems like in every missing persons case, first thing they look for is Credit Card, ATM Card, and Cell Phone records.

[jdc]

My chase ATM card already has a little chip in it that can be read at CC readers at Home Depot. All I do is wave the card and poof.

[graylocks]

jdc wrote:
My chase ATM card already has a little chip in it that can be read at CC readers at Home Depot. All I do is wave the card and poof.

that's exactly the kind of card the discussion i heard was referring to.

[Doc]

So long as the user links only to a gift card, and if the app encrypts your account info both on your phone and while communicating with the server to updates balances, make debits, etc. that's not too bad.

I wouldn't link such an app to a credit card.

graylocks wrote:
within the last week i heard a discussion on the radio in which someone sat in a room and culled information from RFID chips walking by with a readily available or make-able device. i only listen to NPR or consumer advocate Clark Howard so that had to be the source.

The guy who is doing that "trick" is usually only skimming names from RFID chipped credit cards, although he can often get card numbers as well. At present the whole rig is not very subtle and he has to get within an inch or two of his target's wallet. With the right equipment he could get more info and with amplification he could even do it from a few feet away, but that'd probably be noticeable.

It's kind of odd to me that the responses that I've read from security professionals usually admit that it's possible to do this stuff, but then say that it's unlikely that you'll be ripped off this way because it's easier to buy a list of valid card numbers than it is to skim them from a crowd. Yep. What a great way to reassure people!

I'm also a bit perturbed that skimming can be used for other nefarious deeds like long-distance probing for the RFID off of people's passports to target American citizens for theft, kidnapping, murder, terror-acts...

What's scary is that the way technology is advancing, next year he'll probably be able to do the same trick from 10 feet away with an iPhone and an antenna shaped like a walking stick. And if the iPhone isn't powerful enough to decrypt every bit of info that it snags from a credit card, it will be able to almost instantly uplink the info to a botnet for decryption.