
Contactless Visa Payment cards : Con or Convenient?

  • 26-06-2015 12:57pm
    #1
    Closed Accounts Posts: 720 ✭✭✭


    Just received my latest Contactless Visa card from my bank (TSB) and have a few reservations from the Security point of view.

    I hope this relates sufficiently to InfoSec to appear in this category, if not apologies to mods in advance.

    For those who don't know, the 'contactless' card allows you to make up to 3 transactions a day of 15 Euro each without necessarily entering your PIN.

    This of course means in the wrong hands, someone could potentially steal up to 45 Euro from you every day until either the bank's failsafes kick in or you cancel the card.

    The Guardian has posted quite a sympathetic article which says that fraud with these is quite rare (although admittedly they haven't been round long enough for us to gather any meaningful data.) Also very few people had chosen to opt out of this type of card.

    Back in November of last year a fairly major flaw with the cards was discovered which allows unlimited amounts to be charged provided the card terminal is set to a foreign currency e.g. someone steals your card then nips across to London for a spending spree.

    Instructables have an excellent how to guide on taking a soldering iron to the card to disable the radio antenna. However for the time being my current card is working so there's no particular need.

    I would love to hear people's thoughts on this - is it being needlessly paranoid to want to opt out of this? Is it even feasible to ask to have the old style card?



Comments

  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Found this excellent article in the Independent, briefly summarised as follows:

    - From October of this year the spending limit will be increased to 30 Euro.
    - Take up has been very low in Ireland, 80% of all transactions can be confined to just 10 retailers e.g. McDonalds.
    - The NTA is considering using these in place of LEAP cards.

    Update : My learned colleagues have suggested that since I always withdraw cash from the bank at the end of the month leaving only the bare minimum in the current account, you could just leave your card at home to avoid it being stolen...! Why didn't I think of that? :)


  • Registered Users, Registered Users 2 Posts: 1,835 ✭✭✭BoB_BoT


    The bank recently sent me out 3 replacement debit cards with contactless payment feature on them, will give the Instructables a go on severing the antenna.

    Personally, I think it's a con. It leaves open too many risks for spoofers or people passing by with mobile scanners. There's always a way to scam.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    BoB_BoT wrote: »
    The bank recently sent me out 3 replacement debit cards with contactless payment feature on them, will give the Instructables a go on severing the antenna.

    Personally, I think it's a con. It leaves open too many risks for spoofers or people passing by with mobile scanners. There's always a way to scam.

    Wise words Bob, I'm particularly concerned about how much easier it is to scam. You can always check terminals and ATMs for signs of tampering but there's no practical way to stop people bringing a mobile phone near you, which could have malicious software installed!


  • Registered Users, Registered Users 2 Posts: 9,514 ✭✭✭TheChizler


    My feeling is that if someone can get their hands close enough to you to get in range of your card they're close enough to pickpocket your wallet and just get the €45-€90 in cash that a lot of people carry anyway.


  • Registered Users, Registered Users 2 Posts: 9,085 ✭✭✭duffman13


    You do know there is an opt out option of contactless? Personally I love the convenience of it but if these scams ever become anyway prevalent I may rethink my approach. At the moment I've heard or seen nothing to suggest they are a risk.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    duffman13 wrote: »
    At the moment I've heard or seen nothing to suggest they are a risk.

    Maybe read my original post where I link to a study to show that unlimited amounts can be charged to them just by downloading an app to a mobile phone?

    It's also not immediately obvious if opting out is possible. I plan to call my bank on Wednesday, will keep you all posted.


  • Registered Users, Registered Users 2 Posts: 9,085 ✭✭✭duffman13


    anvilfour wrote: »
    Maybe read my original post where I link to a study to show that unlimited amounts can be charged to them just by downloading an app to a mobile phone?

    It's also not immediately obvious if opting out is possible. I plan to call my bank on Wednesday, will keep you all posted.

    Well having some experience of working in the fraud department in a large bank (not any more) I haven't seen or heard anything in relation to an actual theft on a card due to this technology. As I said I am just going on my experience and we would regularly liaise with other European banks around potential new scams.

    I am not sure about your bank but I know up till recently it was a quick phone call to request a new card without the contactless technology. From speaking to a friend in PTSB it seems the reason for the roll out was due to customer demand. Apparently it wasn't something they initially wanted to roll out but had to follow the lead of AIB and BOI due to customers requesting it.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    duffman13 wrote: »
    Well having some experience of working in the fraud department in a large bank (not any more) I haven't seen or heard anything in relation to an actual theft on a card due to this technology. As I said I am just going on my experience and we would regularly liaise with other European banks around potential new scams.

    I am not sure about your bank but I know up till recently it was a quick phone call to request a new card without the contactless technology. From speaking to a friend in PTSB it seems the reason for the roll out was due to customer demand. Apparently it wasn't something they initially wanted to roll out but had to follow the lead of AIB and BOI due to customers requesting it.

    I have just spoken with TSB and they have told me that they only have contactless cards, so it looks like I'll just have to stick to my old card for as long as possible, then leave my old one at home!

    It's a shame as it would have been nice to have an opt out option but then again I use the card so rarely out and about it won't make too much difference.


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    Contactless is brilliant, I use it everywhere I can, the news the value is increasing to 30 is great, as that covers my fuel spend

    As for security, the tin foil hats are out in force again I see. NFC is very difficult to scam


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    BoatMad wrote: »
    Contactless is brilliant, I use it everywhere I can, the news the value is increasing to 30 is great, as that covers my fuel spend

    As for security, the tin foil hats are out in force again I see. NFC is very difficult to scam

    Did you read the original article I posted? Any NFC equipped smartphone is capable of becoming a payment terminal and funds can be stolen. In the wrong hands it's a race against time between you calling your bank and those who can charge up to 45 Euro to your card (or 90 come October) even without the potential to charge unlimited amounts.

    By all means take your chances with your money but I think I'll be taking a scalpel to mine! :)


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭PrzemoF


    Just thinking: what's the NFC range with a powerful external device or a directional antenna? Could it be used to track a customer entering a shop through a gate?

    I just read some details from my forced-upgrade card using this [1] and galaxy S4. The amount of information that can be read is surprising (expiry date anyone?)...

    [1] https://f-droid.org/repository/browse/?fdfilter=bankomat+card+infos+2&fdid=at.zweng.bankomatinfos2


  • Registered Users, Registered Users 2 Posts: 9,514 ✭✭✭TheChizler


    Unless you had a load of highly customised synchronised directional antennae dotted every few metres around the shop I doubt you'd be able to get much accuracy, if you can detect it at all. Much easier to follow their phone signal. But why? I'd be more realistically worried about CCTV cameras following you around the shop (or something like Google Glass), at the till they could potentially read the card number and expiry date as well as your name (which is all that's transferred in the data transaction) as well as the CVV2 on the back which potentially allows basically unlimited transactions. Much easier to do this with a zoom lens than build an expensive system which you have to get close to use.


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭PrzemoF


    I don't want to track the person - I thought about info like "customer X entered the shop". Why? I.e. someone with this card spent XXX euro here last month and it's worth sending a personal shop assistant to that person. Also looks like my card is storing some transaction log (I don't know how detailed - it's empty now), so there is even more info to be extracted.

    P.S. That would be probably illegal anyway as it's probably collection of personal data - there are a few IDs reported by the card.


  • Registered Users, Registered Users 2 Posts: 9,514 ✭✭✭TheChizler


    Oh I getcha. I suppose they would have that data anyway from the till? I could be wrong but I don't think your card number would count as personal data (I think!), so as long as your name etc. isn't recorded that should be ok from a data protection POV, there are specific laws that govern financial data though, so they might apply.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    anvilfour wrote: »
    Found this excellent article in the Independent, briefly summarised as follows:

    - From October of this year the spending limit will be increased to 30 Euro.
    - Take up has been very low in Ireland, 80% of all transactions can be confined to just 10 retailers e.g McDonalds.
    - The NTA is considering using these in place of LEAP cards.

    Update : My learned colleagues have suggested that since I always withdraw cash from the bank at the end of the month leaving only the bare minimum in the current account, you could just leave your card at home to avoid it being stolen...! Why didn't I think of that? :)

    The low take-up in IRL may be explained by the fact that it is one of the most expensive countries in the world to live in, and has probably the smallest contactless payment ceiling of EUR 15. Very few supermarket checkouts total at 15EUR or less per customer.

    Also the system is not reliable or clearly marked. I arrived at Dublin airport yesterday, rented a car (which took 40 minutes in pig-inefficient Avis, in dirty Dublin airport - a national embarrassment), and when I got to the one "motorway services area - you shouldn't have to exit a motorway to get service or rest" in the country off interchange 14 on the E20, the contactless system was broken. From what the sales agent said, it seemed to be either a nation-wide problem with contactless on that day or a problem with their payment service provider. No motorway toll booth in Ireland - the most obvious place for contactless, low value payment transactions, takes contactless. There is also the matter of the high charges Irish banking racketeers impose on debit card transactions.


  • Registered Users, Registered Users 2 Posts: 37,316 ✭✭✭✭the_syco


    On the one hand, I like the contactless convenience, but on the other hand it'd be easy to scam if the correct items were bought at the correct times.

    For example, if someone replicated a bar called HolySaxophone, to a registered device called HolySaxophones, and got someone's details, multiple charges of a shot may not be as easy to determine if you spent it or not. Also harder for you to claim otherwise, and thus more of a chance of the organisation getting away with it.

    As for scanning, put a small NFC reading phone into a wristband, and all you have to do is to dance with a number of random people.

    In the spy movies, the hacker has to stay near the mark to copy their security card details. With this technology, a pretty lady could easily scan every man's wallet whilst never leaving the dancefloor, and no-one would cop it, as no-one will stop a pretty woman grabbing your waist.

    If the nightclub had a 400 limit, 300 of these could probably be male. Charging each of them for a shot or a pint costing €6, and it's €1800. It being a nightclub where contactless charging is done, I cannot see it being flagged too easily if each person got several drinks over the course of the night. €5000-€7000 would be in the petty thief range. Nightclub CCTV I find is usually fairly crap, add the low lighting, and the perpetrator won't get caught.

    Same trick, but as part of a larger scale organisation, and the card details could be stored for later fraud on a larger scale. Depending on the amount of info it gives, could it escalate to ID fraud? How much info do the cards give?


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    TheChizler wrote: »
    Unless you had a load of highly customised synchronised directional antennae dotted every few metres around the shop I doubt you'd be able to get much accuracy, if you can detect it at all. Much easier to follow their phone signal. But why? I'd be more realistically worried about CCTV cameras following you around the shop (or something like Google Glass), at the till they could potentially read the card number and expiry date as well as your name (which is all that's transferred in the data transaction) as well as the CVV2 on the back which potentially allows basically unlimited transactions. Much easier to do this with a zoom lens than build an expensive system which you have to get close to use.

    Irrelevant, you are indemnified by the credit card company, where a pin isn't used and you claim a fraudulent transaction has occurred.


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    Impetus wrote: »
    The low take-up in IRL may be explained by the fact that it is one of the most expensive countries in the world to live in, and has probably the smallest contactless payment ceiling of EUR 15. Very few supermarket checkouts total at 15EUR or less per customer.

    Also the system is not reliable or clearly marked. I arrived at Dublin airport yesterday, rented a car (which took 40 minutes in pig-inefficient Avis, in dirty Dublin airport - a national embarrassment), and when I got to the one "motorway services area - you shouldn't have to exit a motorway to get service or rest" in the country off interchange 14 on the E20, the contactless system was broken. From what the sales agent said, it seemed to be either a nation-wide problem with contactless on that day or a problem with their payment service provider. No motorway toll booth in Ireland - the most obvious place for contactless, low value payment transactions, takes contactless. There is also the matter of the high charges Irish banking racketeers impose on debit card transactions.

    The primary issue in my experience has been shop assistants that don't understand what is a contactless card. I've had to stop several transactions that could be done contactless from being done conventionally


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    the_syco wrote: »
    On the one hand, I like the contactless convenience, but on the other hand it'd be easy to scam if the correct items were bought at the correct times.

    For example, if someone replicated a bar called HolySaxophone, to a registered device called HolySaxophones, and got someone's details, multiple charges of a shot may not be as easy to determine if you spent it or not. Also harder for you to claim otherwise, and thus more of a chance of the organisation getting away with it.

    As for scanning, put a small NFC reading phone into a wristband, and all you have to do is to dance with a number of random people.

    In the spy movies, the hacker has to stay near the mark to copy their security card details. With this technology, a pretty lady could easily scan every man's wallet whilst never leaving the dancefloor, and no-one would cop it, as no-one will stop a pretty woman grabbing your waist.

    If the nightclub had a 400 limit, 300 of these could probably be male. Charging each of them for a shot or a pint costing €6, and it's €1800. It being a nightclub where contactless charging is done, I cannot see it being flagged too easily if each person got several drinks over the course of the night. €5000-€7000 would be in the petty thief range. Nightclub CCTV I find is usually fairly crap, add the low lighting, and the perpetrator won't get caught.

    Same trick, but as part of a larger scale organisation, and the card details could be stored for later fraud on a larger scale. Depending on the amount of info it gives, could it escalate to ID fraud? How much info do the cards give?

    You have obviously no idea how the cryptology on the NFC system works. You cannot just "record" the signal.

    Firstly the fake reader would have to precisely duplicate a credit card end to end transaction. Secondly it would have to regenerate identical cryptography data

    It can be done in theory in a lab, but nobody has done it in the real world on an end to end NFC transaction.

    Not to mention you're not liable for such fraud anyway


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    anvilfour wrote: »
    Wise words Bob, I'm particularly concerned about how much easier it is to scam. You can always check terminals and ATMs for signs of tampering but there's no practical way to stop people bringing a mobile phone near you, which could have malicious software installed!

    It's actually virtually impossible to scam as it's very difficult to actually complete a fraudulent end to end NFC transaction. To my knowledge no one has been successful.


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    anvilfour wrote: »
    Maybe read my original post where I link to a study to show that unlimited amounts can be charged to them just by downloading an app to a mobile phone?

    It's also not immediately obvious if opting out is possible. I plan to call my bank on Wednesday, will keep you all posted.

    No that's not what happened. What happened was a fake mobile phone terminal was created that captured correct authorisations from the card. However this is not an end to end trust, it didn't interface to the credit card company's security system.

    It's a lab test, not a real one

    Anyway you're protected from such fraud as you aren't liable


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    anvilfour wrote: »
    Did you read the original article I posted? Any NFC equipped smartphone is capable of becoming a payment terminal and funds can be stolen. In the wrong hands it's a race against time between you calling your bank and those who can charge up to 45 Euro to your card (or 90 come October) even without the potential to charge unlimited amounts.

    By all means take your chances with your money but I think I'll be taking a scalpel to mine! :)

    You completely misunderstood the article. They successfully got the card to authorise a payment to a fake terminal, but they did not complete an end to end NFC transaction, i.e. they did not interface the terminal to the credit card payment security system. No one in the real world has done a fraudulent NFC end to end transaction.

    Anyway you are protected from such fraudulent activity by the card issuer.


  • Closed Accounts Posts: 781 ✭✭✭Not a NSA agent


    I would love to use it more often but a lot of places have a 10 euro limit on card transactions so you have to be in the range of 10-15 euro and I stopped trying when the people behind the tills acted as if I was attempting to perform some sort of witchcraft.

    Once it becomes more widespread we may begin to see any flaws and scams but people are quite paranoid by it at this time.


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    I would love to use it more often but a lot of places have a 10 euro limit on card transactions so you have to be in the range of 10-15 euro and I stopped trying when the people behind the tills acted as if I was attempting to perform some sort of witchcraft.

    Once it becomes more widespread we may begin to see any flaws and scams but people are quite paranoid by it at this time.

    I've found many shop assistants don't know how it works, haven't been trained and just say "oh that doesn't work". I have actually shown some how to process a touch transaction correctly in some instances.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    BoatMad wrote: »
    No that's not what happened. What happened was a fake mobile phone terminal was created that captured correct authorisations from the card. However this is not an end to end trust, it didn't interface to the credit card company's security system.

    It's a lab test, not a real one

    Anyway you're protected from such fraud as you aren't liable

    I don't really feel much comforted by the fact that this proof of concept hasn't fully been exploited yet, I am trying to prevent it from happening in the first place- the fact that it hasn't been processed by a payment provider is neither here nor there, card providers process fraudulent transactions every day!

    In any case in the wrong hands, someone can charge unlimited amounts using a foreign payment provider, don't believe me feel free to mail me your card, I will give it a go when in UK next week!

    As for claiming for fraud have you ever actually done this? My gf had to wait nearly four months to be reimbursed for a fraudulent PayPal transaction, we don't have a magic crock of gold to live on for when people steal from us!

    😀


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    BoatMad wrote: »
    Irrelevant, you are indemnified by the credit card company, where a pin isn't used and you claim a fraudulent transaction has occurred.

    That's a theoretical IOU, as I said before the actual claim process is quite laborious in my experience, plus I don't have a spare 50 quid to live off whenever someone feels like stealing from me.

    On a related note, I have made a small incision at the top of my new contactless card, will let you guys know how it goes!


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    TheChizler wrote: »
    Unless you had a load of highly customised synchronised directional antennae dotted every few metres around the shop I doubt you'd be able to get much accuracy, if you can detect it at all. Much easier to follow their phone signal. But why? I'd be more realistically worried about CCTV cameras following you around the shop (or something like Google Glass), at the till they could potentially read the card number and expiry date as well as your name (which is all that's transferred in the data transaction) as well as the CVV2 on the back which potentially allows basically unlimited transactions. Much easier to do this with a zoom lens than build an expensive system which you have to get close to use.

    You're assuming some kind of passive system would be needed, if you adapted your mobile phone into a payment terminal and "bumped" into a few people on the tube, you could just keep going until you're lucky... For a scammer even bumping into one person correctly an hour would make it worth the bother.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Further to my last post it seems there are some slips inside which you can encase your card to reduce the chance of fraud from a malign payment terminal:

    One example:

    http://www.koruma.co.uk/product-eng-5-RFID-Blocking-contactless-card-protector-horizontal-.html

    Another here:

    http://www.amazon.co.uk/BLOCKING-PAYPASS-PROTECTOR-PROTECTION-PACK/dp/B00HZLX9QO/ref=sr_1_3?ie=UTF8&qid=1435651189&sr=8-3&keywords=rfid+card

    Of course this won't protect from a pickpocket who can simply remove the card from the slip and go on a spending spree to the tune of 45 Euro a day until you call the bank and cancel the card...


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    anvilfour wrote: »
    I don't really feel much comforted by the fact that this proof of concept hasn't fully been exploited yet, I am trying to prevent it from happening in the first place- the fact that it hasn't been processed by a payment provider is neither here nor there, card providers process fraudulent transactions every day!

    In any case in the wrong hands, someone can charge unlimited amounts using a foreign payment provider, don't believe me feel free to mail me your card, I will give it a go when in UK next week!

    As for claiming for fraud have you ever actually done this? My gf had to wait nearly four months to be reimbursed for a fraudulent PayPal transaction, we don't have a magic crock of gold to live on for when people steal from us!

    😀

    I have worked in NFC technology, you and others don't understand the payment and authorising process

    Firstly, you can't just "capture" an NFC signal and simply "replay" it. The NFC link is merely a data transfer mechanism between two microprocessors, running quite sophisticated encryption and security algorithms.

    Secondly there is an end to end transaction from the card to the card issuer and back before money is transferred (I'm simplifying here)

    Hence the "lab" experiment is just that. The card completed a proper handshake with the terminal, that's still a million miles from accessing the card issuer's system and completing a fraudulent transaction.


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    anvilfour wrote: »
    Further to my last post it seems there are some slips inside which you can encase your card to reduce the chance of fraud from a malign payment terminal:

    One example:

    http://www.koruma.co.uk/product-eng-5-RFID-Blocking-contactless-card-protector-horizontal-.html

    Another here:

    http://www.amazon.co.uk/BLOCKING-PAYPASS-PROTECTOR-PROTECTION-PACK/dp/B00HZLX9QO/ref=sr_1_3?ie=UTF8&qid=1435651189&sr=8-3&keywords=rfid+card

    Of course this won't protect from a pickpocket who can simply remove the card from the slip and go on a spending spree to the tune of 45 Euro a day until you call the bank and cancel the card...

    My god, tin foil hat stuff. You can't scam an NFC card by just "listening" to it, it's encrypted and uses rolling codes etc.


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    anvilfour wrote: »
    That's a theoretical IOU, as I said before the actual claim process is quite laborious in my experience, plus I don't have a spare 50 quid to live off whenever someone feels like stealing from me.

    On a related note, I have made a small incision at the top of my new contactless card, will let you guys know how it goes!

    I've had 4 fraudulent transactions in 20 years of continuous online usage. 3 were blocked by the card back office fraud software. One I reported and was re-credited to my account in 24 hours.

    PayPal is different, sometimes it's quick and sometimes it's not. I've never had a fraudulent PayPal transaction as I mainly pay directly using my card.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    BoatMad wrote: »
    My god, tin foil hat stuff. You can't scam an NFC card by just "listening" to it, it's encrypted and uses rolling codes etc.

    Please read the article, proximity is all that's required. Hence "contactless" - are we learning yet? :)

    Nothing tries my patience more than people who comment on threads I've started without reading the linked articles through! What is the point of having a discussion otherwise?


  • Registered Users, Registered Users 2 Posts: 5,200 ✭✭✭hots


    anvilfour wrote: »
    Further to my last post it seems there are some slips inside which you can encase your card to reduce the chance of fraud from a malign payment terminal:

    One example:

    http://www.koruma.co.uk/product-eng-5-RFID-Blocking-contactless-card-protector-horizontal-.html

    Another here:

    http://www.amazon.co.uk/BLOCKING-PAYPASS-PROTECTOR-PROTECTION-PACK/dp/B00HZLX9QO/ref=sr_1_3?ie=UTF8&qid=1435651189&sr=8-3&keywords=rfid+card

    Of course this won't protect from a pickpocket who can simply remove the card from the slip and go on a spending spree to the tune of 45 Euro a day until you call the bank and cancel the card...

    ? Sure if the pickpocket has the card they can go on a spending spree up to whatever they want? It's all covered by the bank anyway (have gone through the process, also for PayPal fraud, about 6 weeks out of pocket).

    If you're that worried stick it in one of these slip things and you've got a better functioning card with no more risk than a normal one.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    hots wrote: »
    ? Sure if the pickpocket has the card they can go on a spending spree up to whatever they want? It's all covered by the bank anyway (have gone through the process, also for PayPal fraud, about 6 weeks out of pocket).

    If you're that worried stick it in one of these slip things and you've got a better functioning card with no more risk than a normal one.

    I've actually decided to make a small incision on the card, am going to test it..

    I don't know about you but I don't have a pot of gold to draw on to be without money for 6 weeks... last time as I said it took my partner four months to get her money back.

    Each to their own, as long as it's your own money you're risking.., just not my cup of tea! :)


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    anvilfour wrote: »
    I've actually decided to make a small incision on the card, am going to test it..

    I don't know about you but I don't have a pot of gold to draw on to be without money for 6 weeks... last time as I said it took my partner four months to get her money back.

    Each to their own, as long as it's your own money you're risking.., just not my cup of tea! :)

    There is a name for un-reasoned fear of technology, it's called "Luddism"

    PS the NSA is reading your mind, by satellite, I sell tin foil hats for 10 euros.


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    anvilfour wrote: »
    Please read the article, proximity is all that's required. Hence "contactless" - are we learning yet? :)

    Nothing tries my patience more than people who comment on threads I've started without reading the linked articles through! What is the point of having a discussion otherwise?

    Listen mate, I'm an electronics engineer with 20 years software experience, some in point of sale and several years in RF smart cards.

    You CANNOT duplicate a contactless transaction by listening to an NFC data transfer and somehow "replaying" it. You must participate in the end to end ONLINE protocol which includes several layers of encryption and security algorithms.

    I read and I understand your original article. It did not actually do an end to end NFC transaction. It merely acted as a rogue payment terminal, and only completed part of the steps required to authorise an NFC payment.

    Quite frankly, stop reading populist science articles when you don't understand the underlying engineering.
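
The replay point made in the post above, as an added example that is not part of the thread: a simplified model (not the EMV algorithm itself) in which the card computes a MAC over the amount, currency, the terminal's random challenge and a card-side transaction counter, and the issuer checks both the MAC and the counter. HMAC-SHA256, the field layout and all names here are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


def cryptogram(card_key: bytes, amount_cents: int, currency: str,
               unpredictable_number: bytes, atc: int) -> bytes:
    """Card side: MAC over the transaction data and the card's counter (ATC)."""
    msg = b"|".join([str(amount_cents).encode(), currency.encode(),
                     unpredictable_number.hex().encode(), str(atc).encode()])
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer side: holds the card key and the highest counter accepted so far."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.last_atc = 0

    def authorise(self, amount_cents, currency, unpredictable_number, atc, mac) -> str:
        expected = cryptogram(self.card_key, amount_cents, currency,
                              unpredictable_number, atc)
        if not hmac.compare_digest(expected, mac):
            return "DECLINE: bad cryptogram"
        if atc <= self.last_atc:
            return "DECLINE: counter already used (replay)"
        self.last_atc = atc
        return "APPROVE"


def demo() -> dict:
    key = secrets.token_bytes(16)          # constructed key shared by card and issuer
    issuer = Issuer(key)
    challenge = secrets.token_bytes(4)     # terminal's fresh random value
    mac = cryptogram(key, 1500, "EUR", challenge, atc=1)
    recorded = (1500, "EUR", challenge, 1, mac)   # everything sent over the air
    return {
        "genuine": issuer.authorise(*recorded),
        "replayed": issuer.authorise(*recorded),  # same bytes, second attempt
        "amount_changed": issuer.authorise(4500, "EUR", challenge, 1, mac),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The recorded message is accepted once; the identical bytes are declined on the counter, and changing the amount invalidates the MAC because the key never leaves the card and issuer.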


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    BoatMad wrote: »
    Listen mate, I'm an electronics engineer with 20 years software experience, some in point of sale and several years in RF smart cards.

    You CANNOT duplicate a contactless transaction by listening to an NFC data transfer and somehow "replaying" it. You must participate in the end to end ONLINE protocol which includes several layers of encryption and security algorithms.

    I read and I understand your original article. It did not actually do an end to end NFC transaction. It merely acted as a rogue payment terminal, and only completed part of the steps required to authorise an NFC payment.

    Quite frankly, stop reading populist science articles when you don't understand the underlying engineering.

    I love it when people don't read the original article and then try to justify it after the fact too.

    You admit yourself that someone can set up a rogue payment terminal and then say that this isn't a serious issue because no scammer ever could apparently set up a rogue payment gateway to complement it... like that has never happened before. See also here. Also here for one hack of a payment gateway which was undiscovered for years. Sigh.

    So, hopefully you can see now that lacking access to a payment gateway to link to a malign terminal is really no problem for a scammer.

    Why not use your years of Engineering experience, read the article, and say something that shows you have fully understood the implications of this study?

    In your own time of course... mate :)


  • Closed Accounts Posts: 9,088 ✭✭✭SpaceTime


    In this day and age every transaction should be "pushed" from a smartphone app.

    There's absolutely no reason why we need to be granting access to accounts based on trust. Most of us are carrying a powerful computer in our pockets all the time with full internet connectivity.

    Something like what PayPal does only open standards and with NFC as the interface would make sense.

    It could be a very secure and safe alternative to debit and credit cards.

    Push the transaction to the retailer without any need to share vulnerable details like credit card numbers.

    In my opinion credit cards are a completely ridiculous and outdated approach to payments.


  • Registered Users, Registered Users 2 Posts: 9,514 ✭✭✭TheChizler


    anvilfour wrote: »
    You're assuming some kind of passive system would be needed, if you adapted your mobile phone into a payment terminal and "bumped" into a few people on the tube, you could just keep going until you're lucky... For a Scammer even bumping into one person correctly an hour would make it worth the bother.
    Well I was primarily responding to someone's question about tracking someone about a store.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    TheChizler wrote: »
    Well I was primarily responding to someone's question about tracking someone about a store.

    I see what you mean, as you say CCTV/Google Glass would be very handy!


  • Registered Users, Registered Users 2 Posts: 9,514 ✭✭✭TheChizler


    BoatMad wrote: »
    Irrelevant , you are indemnified by the credit card company , where a pin isn't used and you claim a fraudulent transaction has occurred.
    I'm pointing out that a video dependent system would be a much more practical and economical way to capture card info than brushing up really close to people; whether you'll be successful using that information is another matter. Correct me if I'm wrong but surely fraudulent transactions where the card information is captured via NFC or what have you would be indemnified by card companies also? As in as long as the pin wasn't used in the transaction the company will refund you. Once the 'hacker' has your data they're going to use it the exact same way to try to commit fraud, whether they saw your card number or got the details wirelessly.


  • Registered Users, Registered Users 2 Posts: 14,378 ✭✭✭✭jimmycrackcorm


    anvilfour wrote:
    You admit yourself that someone can set up a rogue payment terminal and then say that this isn't a serious issue because no scammer ever could apparently set up a rogue payment gateway to complement it... like


    Do you understand the difference between an end to end NFC transaction and one where credit card numbers are visible in plain sight anyway being captured by fraudulent terminals?

    The scam not so long ago where people swapped credit card terminals for dummies that captured the information was only enabled by being able to use the card details either online or where chip and pin isn't used.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    TheChizler wrote: »
    I'm pointing out that a video dependent system would be a much more practical and economical way to capture card info than brushing up really close to people; whether you'll be successful using that information is another matter. Correct me if I'm wrong but surely fraudulent transactions where the card information is captured via NFC or what have you would be indemnified by card companies also? As in as long as the pin wasn't used in the transaction the company will refund you. Once the 'hacker' has your data they're going to use it the exact same way to try to commit fraud, whether they saw your card number or got the details wirelessly.

    What you're saying is true up to a point... if a hacker used a rogue payment terminal or a camera to capture your card information, you are just as likely to become a victim of fraud... the difference I suppose is that you can protect yourself against one a lot more easily than the other, e.g. by refusing to let the card leave your sight you reduce the chance of it being run through a "skimmer" but you can't be sure it's not near an NFC enabled smartphone which is harvesting your details.

    In addition, as mentioned before, with a regular Chip and PIN card if you have physical access to it, this won't do much good to your average mugger without the PIN whereas with Contactless they can go on a spending spree at your expense.

    It's true that theoretically you would be refunded any money which is proven to be stolen from you fraudulently... if anyone has 50 quid or so they don't mind losing the use of for several weeks (or 200 for several months in my gf's case) good luck to you, just not my cup of tea.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Do you understand the difference between an end to end NFC transaction and one where credit card numbers are visible in plain sight anyway being captured by fraudulent terminals?

    The scam not so long ago where people swapped credit card terminals for dummies that captured the information was only enabled by being able to use the card details either online or where chip and pin isn't used.

    My point is that end to end encryption isn't going to help much if a scammer has taken over a payment gateway or set one up with bogus details. As I mentioned in any case you wouldn't need to illegally harvest the card data if an unauthorised person had access to the card itself, they can merrily charge your card several times a day until you call the bank and cancel it. Much more difficult if they don't know the four digit PIN.


  • Registered Users, Registered Users 2 Posts: 14,378 ✭✭✭✭jimmycrackcorm


    anvilfour wrote:
    My point is that end to end encryption isn't going to help much if a scammer has taken over a payment gateway or set one up with bogus details. As I mentioned in any case you wouldn't need to illegally harvest the card data if an unauthorised person had access to the card itself, they can merrily charge your card several times a day until you call the bank and cancel it. Much more difficult if they don't know the four digit PIN.

    My point is that if you're concerned about NFC use then you should be even more worried about credit card ones, especially in retail environments where some terminals don't have much protection from people seeing the pin you are entering.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    My point is that if you're concerned about NFC use then you should be even more worried about credit card ones, especially in retail environments where some terminals don't have much protection from people seeing the pin you are entering.

    Hi Jimmy,

    You make a very valid point about terminals being of concern.

    Found an excellent guide from the Smart Card Alliance here on end to end encryption and pointing out the Achilles heel is still the magnetic strip which is found on many cards.

    However signing transactions with a "digital cryptogram" as outlined here would only be any use if someone was trying to snoop on the transaction... if they have a malicious payment terminal connected to a relevant payment gateway you would have an end to end encrypted fraudulent transaction.

    A good analogy might be a phishing website made to take after Paypal which has its own SSL certificate. Some poor schmuck could visit the website and enter their card details unaware they're giving it to a scammer... but the traffic between their computer and the website would still be encrypted. The flaw isn't with the encryption, it's just the scammer is working both ends.

    I try not to use my card in shops unless I have no other choice but do need to leave the house with it to go to the bank to get out cash at end of the month...!


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    SpaceTime wrote: »
    In this day and age every transaction should be "pushed" from a smartphone app.

    There's absolutely no reason why we need to be granting access to accounts based on trust. Most of us are carrying a powerful computer in our pockets all the time with full internet connectivity.

    Something like what PayPal does only open standards and with NFC as the interface would make sense.

    It could be a very secure and safe alternative to debit and credit cards.

    Push the transaction to the retailer without any need to share vulnerable details like credit card numbers.

    In my opinion credit cards are a completely ridiculous and outdated approach to payments.

    Absolutely, agree. However, Visa and the like do not want to hand control to Apple and the like, that's the issue.


  • Registered Users, Registered Users 2 Posts: 13,702 ✭✭✭✭BoatMad


    anvilfour wrote: »
    I love it when people don't read the original article and then try to justify it after the fact too.

    You admit yourself that someone can set up a rogue payment terminal and then say that this isn't a serious issue because no scammer ever could apparently set up a rogue payment gateway to complement it... like that has never happened before. See also here. Also here for one hack of a payment gateway which was undiscovered for years. Sigh.

    So, hopefully you can see now that lacking access to a payment gateway to link to a malign terminal is really no problem for a scammer.

    Why not use your years of Engineering experience, read the article, and say something that shows you have fully understood the implications of this study?

    In your own time of course... mate :)


    The summary of that article (not, of course, published in a scientific journal that I can find) is:
    The UK Cards Association trade body said: ‘While this complex fraud may be theoretically feasible in a laboratory, it hasn’t been attempted in the real world and absolutely no money has ever been lost as a result.
    ‘There are robust security checks in place at every single stage of a payment – by the retailer’s bank, the card scheme and the customer’s bank – which monitor, and stop, suspicious transactions. Consumers can be assured they are legally protected from any fraud losses and will never be out of pocket.
    ‘Contactless cards are extremely safe – borne out by the negligible fraud losses of less than 1p for every £100 spent over the first half of 2014.’

    There is that enough


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    BoatMad wrote: »
    The summary of that article (not, of course, published in a scientific journal that I can find) is:



    There is that enough

    Sorry not sufficient... it's been a regular of pretty much every developer or corporation that when proof of concept is discovered that it hasn't actually been used to attack people in the so-called "real world" - so I suppose we should be disappointed that the researchers here didn't also set up a sham payment gateway and steal from real people?

    It is true that fraud for these types of cards is rare but then again this payment method itself is relatively rare. If every smartphone can become a malicious terminal, then every card is potentially very vulnerable.


  • Closed Accounts Posts: 781 ✭✭✭Not a NSA agent


    anvilfour wrote: »
    Sorry not sufficient... it's been a regular of pretty much every developer or corporation that when proof of concept is discovered that it hasn't actually been used to attack people in the so-called "real world" - so I suppose we should be disappointed that the researchers here didn't also set up a sham payment gateway and steal from real people?

    It is true that fraud for these types of cards is rare but then again this payment method itself is relatively rare. If every smartphone can become a malicious terminal, then every card is potentially very vulnerable.

    There's a difference between proof of concept and actually working in the real world. Having to chase after fraud isn't something the banks want to do; if they aren't worried then obviously they seem to think they have something that wasn't considered.

