Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi all! We have been experiencing an issue on site where threads have been missing the latest postings. The platform host Vanilla are working on this issue. A workaround that has been used by some is to navigate back from 1 to 10+ pages to re-sync the thread and this will then show the latest posts. Thanks, Mike.
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Contactless Visa Payment cards : Con or Convenient?

2»

Comments

  • #52
    anvilfour
    Closed Accounts Posts: 720 ✭✭✭anvilfour


    Not a NSA agent wrote: »
    Theres a difference between proof of concept and actually working in the real world. Having to chase after fraud isnt something the banks want to do, if they arent worried then obviously they seem to think they have something that wasnt considered.

    Again, it's hardly surprising they would want to downplay this... I certainly agree it's safer than old style magnetic chip cards but this isn't nearly as safe as Chip and PIN implemented properly... it feels like we have taken one step forward, then three steps back.


  • #53
    wrt40
    Closed Accounts Posts: 422 ✭✭wrt40


    At the moment it is not worthwhile for a thief to steal your card to go on a contactless payment spending spree. They are limited to 3 transactions of €15 and they don't even know how many of the 3 transactions have been used. After that point the contactless feature is disabled until you enter your pin. The risk is very high for very, very little reward.


  • #54
    BoatMad
    Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    anvilfour wrote: »
    My point is that end to end encryption isn't going to help much if a scammer has taken over a payment gateway or set one up with bogus details. As I mentioned in any case you wouldn't need to illegally harvest the card data if an unauthorised person had access to the card itself, they can merrily charge your card several times a day until you call the bank and cancel it. Much more difficult if they don't know the four digit PIN.

    anvilfour

    heres a link to the actual academic paper that details the experiment

    http://openlab.ncl.ac.uk/bhci-securityprivacy/files/2015/01/Emms.pdf


    rather then reading something from a popular newspaper that hasn't a clue


    The test involved rigging a dummy point of sale , where by the card number , card name and expiry date could be extracted via the NFC interface as the card was being placed in a dummy chip and pin reader


    The CCV number was then captured by using a camera mounted on the underside of the card


    key thing to note

    (a) The present specification allows the EMV card to allow a reader to extract with little effort the card name and number . in effect this is public data in a lot of cases


    (b) in no case could the data extracted be used in itself to carry out a NFC rogue payment, This is my key point, an end to end NFC payment cannot be made this way


    (c) The CCV number had to captured using the tried and tested camera method , old hat


    The key thing here, is that contactless NFC transactions are actually way more secure then chip and pin and especially cardholder not present transactions



    Card holder not present fraud is the most prelavant type , but the card holder is fully indemnified from such rogue use


    The paper does make a valid point, that EMV NFC cards should really only activated just before use, currently that not possible


    Again the key issue is not that NFC touch transactions are insecure , merely that cardholder not present ones still are, which is why the widespread adoption of 3D secure is being used to stop this


  • #55
    wrt40
    Closed Accounts Posts: 422 ✭✭wrt40


    BoatMad wrote: »
    anvilfour

    heres a link to the actual academic paper that details the experiment

    http://openlab.ncl.ac.uk/bhci-securityprivacy/files/2015/01/Emms.pdf


    rather then reading something from a popular newspaper that hasn't a clue


    The test involved rigging a dummy point of sale , where by the card number , card name and expiry date could be extracted via the NFC interface as the card was being placed in a dummy chip and pin reader


    The CCV number was then captured by using a camera mounted on the underside of the card


    key thing to note

    (a) The present specification allows the EMV card to allow a reader to extract with little effort the card name and number . in effect this is public data in a lot of cases


    (b) in no case could the data extracted be used in itself to carry out a NFC rogue payment, This is my key point, an end to end NFC payment cannot be made this way


    (c) The CCV number had to captured using the tried and tested camera method , old hat


    The key thing here, is that contactless NFC transactions are actually way more secure then chip and pin and especially cardholder not present transactions



    Card holder not present fraud is the most prelavant type , but the card holder is fully indemnified from such rogue use


    The paper does make a valid point, that EMV NFC cards should really only activated just before use, currently that not possible


    Again the key issue is not that NFC touch transactions are insecure , merely that cardholder not present ones still are, which is why the widespread adoption of 3D secure is being used to stop this
    The difference being that with online fraud you can go on a serious spending spree. with contactless payment a thief will get a few cans of Dutch gold at best before having to input the pin.


  • #56
    BoatMad
    Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    wrt40 wrote: »
    The difference being that with online fraud you can go on a serious spending spree. with contactless payment a thief will get a few cans of Dutch gold at best before having to input the pin.


    just to reiterate, the study did not examine the security of NFC end to end payments, i.e. contact less payments. it merely examined the ability to extract cardholder name, card number and expiry via the NFC interface

    at no point was the security of contactless payment tested or proved lacking


  • #57
    wrt40
    Closed Accounts Posts: 422 ✭✭wrt40


    BoatMad wrote: »
    just to reiterate, the study did not examine the security of NFC end to end payments, i.e. contact less payments. it merely examined the ability to extract cardholder name, card number and expiry via the NFC interface

    at no point was the security of contactless payment tested or proved lacking

    Does the requirement of a hidden camera to capture the CCV not show that NFC is secure?


  • #58
    BoatMad
    Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    wrt40 wrote: »
    Does the requirement of a hidden camera to capture the CCV not show that NFC is secure?

    yes that could be argued.

    NFC as in a NFC transaction is extremely secure, even against relay attacks. none o that was tested or compromised in that study


  • #59
    Hotblack Desiato
    Registered Users, Registered Users 2 Posts: 35,481 ✭✭✭✭Hotblack Desiato


    A couple of reasons to dial the paranoia down a notch -

    - Screened wallets are available (stannomillinery for your debit card)

    - Two contactless cards in your wallet render both unreadable. I have a Leap card and it used to work when I held my unopened wallet up to the reader, then I got a contactless debit card and it stopped working. If I kept each contactless card in a different part of the wallet, and opened it, then I could use the Leap card again without taking it out of the wallet.

    - As has been pointed out, reading data off a contactless card isn't the same thing as creating an end-to-end trusted transaction at all.

    - Limit on contactless transactions is 3 in a row, but can be less. It's not 3 per day.

    - If someone wants to track you in a public place, a store, or whatever, it's easier and more reliable to use femtocells or bluetooth to track your smartphone rather than try to use NFC to track your card.

    Scrap the cap!



Advertisement