Visa finds a home inside a Nokia Visa and Nokia have signed a deal to embed Visa functionality in the NFC-touting Nokia 6212 Classic, enabling US owners to upload their Visa accounts onto the handset as well as transferring money between handsets over the wireless network. Visa and Nokia have worked together before, on NFC deployments and trials, but the 6212 …
No specific talk of utilising Single Wire Protocol (SWP) in the Visa / Nokia handset... If this is based on the device running a NFC application then the hackability of the device app is pretty high..
For transactions like this NFC needs to integrate with the SIM via the agreed standard (SWP)...
Paris - Because she can afford to loose a few $ from having her Nokia NFC hacked..
Am I the only one who see's this as an utterly bonkers idea? Ability to send cash from one phone to another? sheesh phone pilfer's dream isn't it! Least with you plastic if it gets nicked you have your phone to call the credit card co to stop them. Silly idea imho.
.. and based on my experience, they almost surely won't.
Correct way:
1. NFC phone detects NFC POS terminal.
2. Terminal establishes SSL link to phone
3. Terminal sends transaction details (receipt line items, total, tax, unique transaction ID, time and date, etc)
4. Phone asks user to accept this transaction
5. Users enters their pass phrase, allowing the phone to access their keyring, phone uses their private key to cryptographically sign the transaction certificate
6. Terminal sends the transaction certificate to visa, which has the phones public key on file, verifies it is user X, and debits their account
The above process is completely secure, could be setup online in minutes after you loose your phone and buy a new one. Old phones could be deativated. Transactions would be unique, so they could not be re-run or have the amount changed. The phone would store a complete record for upload to Quicken or whatever. Both parties could verify the others identity, and it would all be cryptographically secure.
Now here is how they will actually implement it:
1. Nokia gives you a private key, which they will keep a copy of, so that the government, cell phone operator, and of course Nokia can decrypt your transactions.
2. The private key will be stored in some public area of your phones memory, and probably accessable by remote bluetooth buffer overflow
3. Credit card terminals won't be upgraded to NFC, so you will still have to use your phone as a chip-and-pin device anyway.
4. Any nearby ease dropper could sniff your unencrypted credit card number right out of the air
5. Terminals won't transmit the amount, or any other details to your phone, and there will be no unique transaction ID. Waitresses will be able to up the amount later, or put in a fat tip after you've agreed to a lesser amount
6. Your phone will be able to be scanned by just about anyone with an RFID sniffer, probably handing over your birthdate, social security number, credit card info, and mother's maiden name.
7. As soon as anyone defrauds you in any of the above ways, credit card companies will insist that you actually committed the fraud, since their super-new "crypto-tech" is obviously "unbreakable".
8. Some security researcher will try to publish a paper detailing how insecure it all is, but his paper will be supressed by judicial gag-order, then he will be caught, shot, excommunicated, and sent to Gauntanamo for immidiate re-education through sustained water boarding.
Visa... its everywhere you want to be.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
