Monday, November 10, 1997 - 04:25:17 MET

The following is from http://www.mobil.com/speedpass/

Note that I've only quoted the parts I think are relevant to a security discussion...

---begin quote---

How does Mobil Speedpass work?

Speedpass uses an electronic system located in the pump to "talk" with a miniature radio-like device (a transponder). Together, these electronic devices provide "instant" access to gasoline by automatically charging fuel purchases to the credit card you've selected. The technology is similar to the state-of-the-art technology successfully used by many tollways.

What happens if my Speedpass is lost, stolen or damaged?

Treat it just like a credit card. Immediately notify our Service Center at 1-800-459-2266. Tell us your name or Speedpass number. And we'll cancel your old Speedpass and send you a new one right away. You should write down your Speedpass number (8 digits on tag) and keep it in a safe place.

Is there a pin code with my Mobil Speedpass?

No.

Can other people intercept the transmission of my credit card number?

No. The Speedpass system operates on a dedicated transponder identification code. Your credit card code remains outside the Speedpass signal system, maintaining the confidentiality of that information and protecting your account from unauthorized use.

---end quote---

I see several options, none seem too secure:

1) "dedicated transponder identification code" (dtic from now on) is sent in the clear. Anyone who can listen and re-transmit can get free gas.

2) Speedpass and the gas pump negotiate DH key exchange and use DES/RC5/IDEA/Whatever. Anyone who can impersonate a gas pump can gain access to dtics and get free gas.

3) Gas pumps have an RSA keypair, and all of the speedpasses know the public key. The dtic is encrypted to the gas pump's key along with some random data. Anyone who can compromise the gas pump's private key (including service station operators/employees?) can imitate a gas pump and get dtics, with which to get free gas.

The third option seems pretty secure at first, until you realize that it's like putting all of your eggs in one basket and giving thousands of people physical access to the basket.

Anybody know how they are actually doing it? Is there some more secure way I haven't thought of?

-Some anonymous guy with no 'nym
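
An added example, not part of the original post and not a description of how Speedpass works: the replay weakness of option 1 next to a generic challenge-response check, in which the tag proves knowledge of a per-tag secret over a fresh nonce instead of sending a fixed code. The tag number, key and all function names are constructed for illustration, and the verifier is assumed to hold each tag's key.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: this tag number and key are made up for the example.
TAG_ID = "12345678"
TAG_KEYS = {TAG_ID: bytes.fromhex("00112233445566778899aabbccddeeff")}


def tag_respond(tag_id, key, nonce):
    """What a tag holding `key` computes for the verifier's nonce."""
    return hmac.new(key, nonce + tag_id.encode(), hashlib.sha256).digest()


def static_id_authorize(tag_id):
    """Option 1: the verifier accepts any known code it hears."""
    return tag_id in TAG_KEYS


class ChallengeResponseVerifier:
    """Issues a fresh nonce per transaction and checks a per-tag HMAC."""

    def __init__(self):
        self._pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def authorize(self, tag_id, nonce, response):
        # Each nonce is accepted once, so a recorded exchange cannot be reused.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        key = TAG_KEYS.get(tag_id)
        if key is None:
            return False
        return hmac.compare_digest(tag_respond(tag_id, key, nonce), response)


def replay_outcomes():
    """Run a genuine exchange, then re-send the recorded traffic."""
    verifier = ChallengeResponseVerifier()
    n1 = verifier.challenge()
    r1 = tag_respond(TAG_ID, TAG_KEYS[TAG_ID], n1)
    return {
        "static_id_resent": static_id_authorize(TAG_ID),
        "genuine": verifier.authorize(TAG_ID, n1, r1),
        "old_response_new_nonce": verifier.authorize(TAG_ID, verifier.challenge(), r1),
        "old_nonce_resent": verifier.authorize(TAG_ID, n1, r1),
    }
```

A verifier that only ever sees responses learns nothing reusable, so impersonating the pump yields one response for one nonce rather than the tag's secret.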