RFID Possible Major Issue

[yitbos96bb]

Quote:

Originally Posted by M5ward

Agree! I don't think I will attach a credit card to the room key anymore. There was a chip scanner group working at a mall in Philly not too long ago. I carry all my cards (RFID and other) in a (supposedly) protective card case. It also helps protect magnetic strips...or so I like to think. We usually always use cash or gift cards anyway.

I wouldn't trust those cases all that much. I've seen some interesting demos at some hacker cons...

[sachilles]

PCI compliance is sidestepped, as its not a direct credit card transaction. It's merely a "room charge". Credit card transaction doesn't occur until you check out/check in. If you can't access credit card info from the pos, it likely isn't a PCI issue.

[doconeill]

If it can result in fraudulent charges that the customer may dispute with the credit card company, it could still be a PCI issue. But it's the credit card companies themselves that allow no-verification transactions up to a certain amount, which varies from vendor to vendor.

[kia5711]

So we don't HAVE to link a credit card to it correct? We're still able to pay for purchases with cash/debit/credit card at the store/restaurant?

We're planning our first trip and this is just adding to my list of stress

[lockedoutlogic]

Quote:

Originally Posted by kia5711

So we don't HAVE to link a credit card to it correct? We're still able to pay for purchases with cash/debit/credit card at the store/restaurant?

We're planning our first trip and this is just adding to my list of stress

absolutely...no problem

disney just encourages/embraces the room charge concept...supposedly for your "convenience" and "guest demand"...

they also use those reasons for every single decision...good or bad.

but anyone with a functioning ganglion knows that its for their benefit...i'll give you the two most obvious reasons:

1. Terminal Charges: the retailer (traditionally...american banks now seem to think they have the right to pass it on to us - even if we are deducting form our own money) pays a charge each time it processes a transaction through the network - the visa/mastercard and amex being the most widely used...
By using the room charge system - they "pool" your charges, then run it en masse...saving money on the aggregate

2. because a card with mickey mouse on it is not subconcsiously linked to YOUR money. people spend more on the roomie charges - big shocker. If you have to continually flash a visa logo...eventually the reality that you're getting big fat, interest bearing bills in 30 days sets in...and you ease back.
A cute mickey card - you don't...


now it will be a cute mickey wristband...for lots of tshirt, hats, stationary and iphone cases that will look quite silly back in wisconsin at the end of the week.

[sachilles]

Quote:

Originally Posted by doconeill

If it can result in fraudulent charges that the customer may dispute with the credit card company, it could still be a PCI issue. But it's the credit card companies themselves that allow no-verification transactions up to a certain amount, which varies from vendor to vendor.

It's not a PCI issue. Card holder data is sidestepped in the whole process. The non-verification transaction is to the room charge, not directly to the credit card. That is the the beauty of it. As mentioned above, your charges are pooled on your lodging folio. You then sign off on the whole charge at your front desk, likely on your reg card when you check in.

PCI compliance merely regulates card security. You may be thinking of the merchants credit card agreement which dictates the rules of credit acceptance. An RFID bracelet is no different than a kttw card, it's merely different media.
If a Cm could pull your un-truncated credit card number from the system, then you'd have a PCI issue.

[sachilles]

Quote:

Originally Posted by yitbos96bb

I wouldn't trust those cases all that much. I've seen some interesting demos at some hacker cons...

Its false security. Anyone resourceful enough to build a skimmer is resourceful enough to acquire the info before it even becomes attached to your account/folio. There is no doubt a box full of the rfid bracelets waiting to be issued at any of the resort front desk areas. The bracelet likely has the code printed on the bracelet. An unscrupulous CM could just as easily hand that info over to a crook for a few bucks while no one is looking.
Ultimately there isn't a going to be a lucrative market for items that are going to be stolen. I doubt there is a band of gypsies that is acquiring cases of cheeseburgers from Pecos bill's using stolen rfid tags, then selling them on the black market.
Retail items may have some limited resale. Since these tags will be for lodging guests, I'm guessing a large majority of items will be sent back to their room and are not taken from the store by the buyer. Shipping to your resort accommodations provides a validation step.
So ultimately the big worry is worrying about gate admission and other experiences that the bracelet would gain you access to, and that will likely have other validation. I belt you'll find the bracelets will have some visual fraud detection features so gate workers have a better chance to see false ones.
You also find that you probably won't be able to load a gift card using the bracelet along with any other value transfers.
So I'm not saying it can't be done, but the risk versus the reward for it seems like it will be less of an issue than one might think. Crooks will take the path of least resistance that gives the largest gain. There are likely better opportunities to defraud folks in such a broad concentration of tourists, with less folks watching than a place like Disney.

[doconeill]

Quote:

Originally Posted by sachilles

Its false security. Anyone resourceful enough to build a skimmer is resourceful enough to acquire the info before it even becomes attached to your account/folio. There is no doubt a box full of the rfid bracelets waiting to be issued at any of the resort front desk areas. The bracelet likely has the code printed on the bracelet. An unscrupulous CM could just as easily hand that info over to a crook for a few bucks while no one is looking.

Several problems with this.

1) Attempting to use an RFID code that has not been activated will raise red flags

2) Attempting to use an RFID code that does not have charging privileges will raise red flags

3) The majority of the RFID codes will have a limited lifetime, and if obtained in advance the lifetime won't be known

4) Other information about the purchaser might be available at the POS terminal.

Much better to hang out at a retail location, pick someone that just made a purchase that fits the requirements, and skim.

An "unscrupulous" CM could probably just as easily associate an additional RFID code to the account. Or for that matter, they already have your CC and personal information, which is TONS more valuable to a thief.

It IS possible to cover the device in a material that would greatly reduce the range at which it can be read. Not perfectly though.

[sachilles]

Quote:

Originally Posted by doconeill

Several problems with this.

1) Attempting to use an RFID code that has not been activated will raise red flags

2) Attempting to use an RFID code that does not have charging privileges will raise red flags

3) The majority of the RFID codes will have a limited lifetime, and if obtained in advance the lifetime won't be known

4) Other information about the purchaser might be available at the POS terminal.

Much better to hang out at a retail location, pick someone that just made a purchase that fits the requirements, and skim.

An "unscrupulous" CM could probably just as easily associate an additional RFID code to the account. Or for that matter, they already have your CC and personal information, which is TONS more valuable to a thief.

It IS possible to cover the device in a material that would greatly reduce the range at which it can be read. Not perfectly though.

1-3 are all valid points but aren't what I was suggesting a crook would do.
Example would be for the crook to ask for the rfid's of a few guests checking in on that day. Adding another rfid tag to an account that was then used for fraud would track back to who assigned it to the account getting them in hot water.
Pci compliance will mean that very few people will have your full credit card info other than those that actually touch the card. Of course that is a risk any place you use your credit card. Ultimately that has nothing to do with the RFID technology. PCI compliance for a merchant the size of disney must be tested by external sources on a regular basis to make sure certain folks have access to non-encrypted credit card info as well as resisting outside threats.
My point is simply that there are low-tech ways to compromise the rfid technology, and one need not HAVE to skim the rfid's to compromise your account. Loss from folks gaming the rfid system will be no greater than the current KTTW key system. It is just different media.
In order to game the rfid system, you need to skim the rfid. Re-create the rfid, package it for use, then buy stuff in a way that can't be tracked and do it in the span of time someone is at the resort. As you pointed out, using one of somebody that isn't checked in or have active charging privileges will generate a red flag. What is going to be worth stealing that warrants that cost/risk?
I do not see where any identity theft issue can come from getting a guests RFID tag, do you?

[lockedoutlogic]

I just have to say...i love this thread.

real things...technology, security, operations, and potential problems...

yes...there are problems all over WDW...and discussion isn't to just harp on them...somewhere deep down we all hope they are addressed & solved.

So much better than "How magical is Wishes?" and "Tell me about POR"

those have been covered 3.6 million times


ok...carry on

[*NikkiBell*]

The more and more I think about this, the less likely I want to attach a card to the band. I usually use a debit card and Disney GCs when I go down, but the convenience of the band was luring. I guess I'll find out soon when I head down in a few weeks.

[doconeill]

Quote:

Originally Posted by *NikkiBell*

The more and more I think about this, the less likely I want to attach a card to the band. I usually use a debit card and Disney GCs when I go down, but the convenience of the band was luring. I guess I'll find out soon when I head down in a few weeks.

Hmm...that brings up another thought. But the way these threads have gone lately, a disclaimer:

I HAVE NO INFORMATION THAT THIS IS THE CASE, OR THAT DISNEY HAS EVEN THOUGHT OF THIS

Now that that is out of the way...

What about a "loadable" feature on the bands? Rather than using a gift card, you could have the ability to load $20 or whatever onto the band to use much like a gift card.

Speaking of which, what I'd REALLY like is some sort of gift card-like feature for my kids, where I can do something like put $20 on the card but have a "leeway" for a bit more, so that they don't have a problem when they are a couple dollars short...but I'd want to be able to "unload" the remainder.

Or, for that matter, (RFID/PIN code issues aside) give them a room charge privilege with a similar limit.

[sachilles]

Depends a little on their lost property laws. The tech is there. Some states will not allow you to "re-load" a gift card, only issue a new ones (banking regulation hurdle, but most states are coming around on this issue). Honestly, that would be a feature I'd be worried the most about skimmers. If the state does not allow re-loading, you'd either have to issue a new bracelet, or you could conceivably add a removable "charm" for the bracelet with gift card functionality(using mag stripe tech or rfid). Allowing children to be able to freely charge to a room can be an adventure for the parents and the CM helping them decipher. If they allow a credit card backing, and you choose a debit card, you really are asking for some pain if you allow your child to charge to it. Of course that is a parenting issue, rather than a tech issue.

[doconeill]

Quote:

Originally Posted by sachilles

Depends a little on their lost property laws. The tech is there. Some states will not allow you to "re-load" a gift card, only issue a new ones (banking regulation hurdle, but most states are coming around on this issue). Honestly, that would be a feature I'd be worried the most about skimmers. If the state does not allow re-loading, you'd either have to issue a new bracelet, or you could conceivably add a removable "charm" for the bracelet with gift card functionality(using mag stripe tech or rfid). Allowing children to be able to freely charge to a room can be an adventure for the parents and the CM helping them decipher. If they allow a credit card backing, and you choose a debit card, you really are asking for some pain if you allow your child to charge to it. Of course that is a parenting issue, rather than a tech issue.

My point is if I can place independent limits on the child charges (like my $20+overage idea), then it shouldn't be an adventure. Especially if they give me the itemized list by name.

[lockedoutlogic]

Quote:

Originally Posted by *NikkiBell*

The more and more I think about this, the less likely I want to attach a card to the band. I usually use a debit card and Disney GCs when I go down, but the convenience of the band was luring. I guess I'll find out soon when I head down in a few weeks.

I would suggest that you never use a debit card at WDW...there are too many false charges and mistakes there on any given day to not make it worthwhile...