The Halifax bank is enrolling unsuspecting customers in trials of a new generation of RFID-enabled bank cards, and trying to keep them in the program even if they have misgivings about the wave and pay technology. PayWave allows punters to debit their account without having to enter a PIN or sign for goods valued at less than £ …
RFID visa cards
These have been in use here in Singapore for ages already. But, much like Londoners with the Oyster card, we're very, very used to RFID systems and paying with RFID systems, so it's no big deal here.
Oh, neat. They can make it cost you much more than £10 to challenge a fake payment. So very few people will bother going through all the hoops.
Then they point out that very few people are successfully claiming for fake payments, which proves that there are very few fake payments, which proves that the cards are secure.
Once the cards are (by force) generally accepted then they can start bumping the £10 limit up.
A contract is a contract when...
When what? What is in the small print? Presumably the act of entering the PIN on the first transaction means you accept the T&Cs?
Data Protection?
Arguably, making your data available to an RFID scanner is caught by the Data Protection Act. Therefore your bank requires your consent, which can be withdrawn. Worth a punt - banks crap themselves at the mention of the DPA. My DPA complaint to a well-known bank over spamming me with adverts in their online secure messaging system led to them withdrawing it across their entire system.
From a US blog
Someone quoted that: "Unfortunately, Mastercard says that RFID-free cards are no longer available."
These touch and swipe cards are averagely secure, not especially insecure
There was one proof of concept of a relay attack on an eCredit card; it seems the early ones had pretty loose challenge/response timing windows, such that someone could skim data from your card from a 20cm distance 'in the street', then use WiFi to route this to an accomplice who was able to successfully complete an internet purchase. Talking to eID industry representatives, "they are fully aware of the security problems and are making sure that soon this will not be possible". The big advantage of the eCredit ePayment card is the "tap & pay", for instant purchases of newspapers, concert tickets (by tapping an active pop poster in the 'tube), cups of coffee etcetera. It is likely that the European citizens' card or a range of mobile phones coming in about 2010 will implement the full range of facilities: eID, ePass, eCredit, eHealth entitlement, eEtcetera. I'd say to an ecard owner that now you have the card, you've bypassed/survived one of the biggest threats, which is RFID scanning of mailbags - and crims selectively stealing the RFID-enabled letters, be they credit cards or electronic passports.
As to the actual threats that you would now face, they are extremely remote - at present, but will likely grow. I have an HP PDA 4700 with added NFC (13.56MHz) RFID, but I wouldn't be able to use it (for ethical hacking) till I successfully manage to dump WinCE and load Linux. This has WiFi and enough power to do the relay from a short distance; upcoming software radio devices may also be programmed as tools, but again, I'd say you probably have a 5 year 'usual problem' timespan before any 'new problem' attacks become widespread. Hopefully this timespan will be enough for the CC & eID companies to develop better, more robust products. Watch for problems if they drop 13.56MHz NFC and head for EPC Global 900MHz 'supermarket' RFIDs, as they *can* be read at 20 metres. Have fun (I believe the apt phrase is "always connected, always on": Internet of Things).
...the shiny Alcan extra-wide coat, please
"[Apacs] believes fraudsters will not be bothered with collecting lots of small sums when they could garner more from other scams. Halifax says all banks will honour money-back guarantees if cards are compromised by fraudsters."
I like the way the concerns of people walking around, say, the tube with a battery-powered scanner modified (amplified) for longer-distance scanning have been addressed! 'Scammers simply won't be bothered to rip these off.'
It's a terrible idea. I could easily set up a shill business as a sandwich shop or whatever, then make my real, tax-free, proper income scanning cards on the underground or another busy public place all day, charging say £9 per hit... even just a hit a minute yields me a healthy £540/hour... or £2160 for a 40 hour week.
1) They say that thieves and the like don't go for small sums... most Londoners will remember the press stories about the fights between rival gangs over the rights to steal from parking meters (small sums add up).
2) "create a niche market for security firms"
- so let's create a new problem for new services we can pay for to solve it!
A more cynical person would point to the anti-virus industry, who have an interest in there always being viruses, so might encourage their development if Windows ever became more secure.
What a dangerous idea!
You have to admit, the idea of technology that can take payment without your consent is dangerous. Take the Oyster card: that's a good implementation because the readers are so low powered they fail to register the card about 1 time in 10 :) It's also a closed system, so the worst someone could do is send a fake station signal deducting extra money from your card.
I think the banks have missed a trick with this idea, the system shouldn't rely on a £10 limit to make fraud pointless, it should be the customer that sets the amount of money that's available on the Paynwave section and the screens should have flashed up the remaining balance at the end. If someone wanted to opt out, they simply leave that balance at £0.
...of banks taking liberties with customers and their accounts. My Bank (Lloyds TSB) are in the process of changing "partners" on their credit cards from Visa to Mastercard. No consultation, one announcement, then new cards delivered superseding the old ones. (don't know if they're RFID'd or not)
Of course, LTSB have taken care of all the "front end" processes in setting up the new accounts (done without my permission!) but the customer has to do all the donkey work when it comes down to setting up any on-line payments, or existing regular accounts, including setting up a new recipient so I can pay the damn credit card via the on-line banking.
I shudder to think what the possibilities for error in "universal" non-contact payment world are likely to be (not LOW for sure). Hard enough to prove fraudulent use as it is, never mind the possibility of your 'chip' being tracked everywhere you go!
This madness must stop.
A bit worried...as I bank with Halifax :(
For an example of broken RFID 'security' (yup, this includes Oyster cards):
Hang on a second...
European Citizens Card? So is Gordy just softening us up for a bigger pan-European ID card...in breaking news, the EU has admitted that a laptop containing details of 700,000,000 Europeans was left in a bar in Brussels.
Bring on the RFID
I for one can't wait for this technology to be rolled out. I'm fed up with having to carry cash with me. Of course these will never totally replace cash, and it'll take a while to even begin to do so.
The security worries of these cards aren't my problem, they're the banks'. So long as I make sure no one gets my PIN I'm not liable for any fraudulent transactions; the banks are.
Unseen price hikes
Once this technology is widespread, we won't even notice that the car parking fee, price of the newspaper, tube fare, etc. has increased yet again.
Obviously also plenty of room for dodgy things to occur at Car Boot Sales and as you walk by any number of street hawkers. Lucky heather to a bus load of punters in one trip to the next stop, cheap at only £9.99 a pop.
And when was the last time someone bought a ticket for a concert at less than £10?
Along with the price of calls to 0845 and 0870 customer service people to make a complaint !!!!
It makes me wonder just who is doing the skimming on this one.
What's the traditional money-laundering cash business?
Short shelf-life of stock, very variable sales, a lot of waste.
You could easily add 10% to the business income without anyone noticing, and who'd make a fuss about flowers that didn't get given to their wife?
Of course, being an ex-florist might get you a job with the Revenue.
RE: Terrible idea
Your ambitions are so limited! Me, I'd simply get close to a people smuggler, then get dozens of illegal immigrants to do the scanning for me. We've already seen how the police have zero effect due to the useless immigration system; most illegals caught committing crimes are back doing the same thing in hours. With a crewmaster running a few dozen illegals with scanners, and half-a-dozen front companies pretending to be legit kiosks, you could quite easily turn all those little £9.99 transactions into millions a year. At worst, a few illegals get deported (very unlikely) whilst I rake in the dough courtesy of the stupid greed of commercial banks.
If I can think this out in a few minutes, do the banks really think all those pro crims haven't already started putting their plans in action?
It's all about the liability
It seems to me that the real issue here is not about the card, it is about the liability for fraudulent losses. If the banks foot the bill and the claim process is easy and cheap then I don't have a problem with contactless cards (assuming that I consented to receive one in the first place) but if they are also shifting the cost of fraud to the consumer then I wouldn't touch one with a 100 linguine pole.
I would be very interested if The Reg could publish a copy of the terms and conditions for these contactless cards.
There were initially some problems with people skimming card details from AMEX cards in America and then using them for internet purchases. They stopped this practice by simply giving cards two numbers: one printed on the card, and a separate number for the RFID. That way, if someone skimmed your RFID number it would not be accepted online, as AMEX could tell there was no way for you to access that number from your card, so it must have been skimmed.
A simple solution
"Won't be bothered" Yeah right
"[Apacs] believes fraudsters will not be bothered with collecting lots of small sums when they could garner more from other scams. Halifax says all banks will honour money-back guarantees if cards are compromised by fraudsters."
Oh sure. So lining a picket-fence with RFID-ipaqs that lift off £9.99 per pass (remember, you can have many of them) is something people will not be bothered to do?
Maybe we need some proof-of-concept hack to do this. How about setting up a solution with such scanners every few metres between the bank and where the bank manager parks his car? This could prove one of two things: that his account can be tapped, and that this security of his is like Nessie (often talked about, but rarely seen), or it could prove that he KNOWS the cards are shite, and won't be using them himself.
Proving that the bank administration hangs onto their old cards, would basically prove that they are lying through their teeth about this being secure enough for "ordinary people".
Both versions are OK with me, as long as we can shoot this idea down in London before it can infect the rest of Britain, and more importantly (for me) the rest of Europe.
I'm not an expert on debit card history, but wasn't chip and PIN (fairly) recently developed so that even if you managed to steal a card it's effectively useless? Now mugging for debit cards is worthwhile again: before you've been to the police and got a crime number and then called up the bank, they could have rattled up £100 in "small" charges, hundreds of copies of the Sun for all their partners and illegitimate children, and if a cunning clothes retailer adopts the scheme they could rake in a fortune in illegal card purchases if they make Burberry knock-off hats for £9.99.
Whereas before, when a debit card was stolen it was effectively useless, now it'll be usable by any half-wit on the street. Lots x £10 is greater than None x Everything you've got (covered generally by fraud protection).
I am not the card
So the card approves these transactions, and I am PRESUMED to have authorized it?
So my kid, wife, cleaner, etc. can use the card without needing any PIN or signature from me, and I am assumed to be OK with this?
Oyster cards are bought for the approved purpose: you wanted to use the transport and bought the card especially. There is also manual top-up available, and a 90 quid limit, letting you cap the losses if the card is used by someone else. And you know the service the card is used for because it's an Oyster card. And there's no cross leakage of information because the Oyster card doesn't have the same ID as the card used to buy food, or the card used to pay for pr0n.
But this card, you don't control the services it's approved for, don't have to approve each use of those services. And it's a single ID whose transactions can be mined.
Chip & PIN: Each instance of each service has to be approved with a PIN. Owner has full control, but even so they worry about getting the PIN nicked.
Oyster: The service (transport) is approved; after that each instance of its use doesn't have to be approved. Safeguard is a 90 quid cap. ID doesn't permit data mining.
This: No instances of any service have to be approved as long as they're less than 10 quid each instance. No verification of carrier as bank account owner done. Forced on people who don't want it. Has a single ID that can be read everywhere.
So yes it's a bad thing.
Octopus card in HK
As a Hong Kong Chinese Londoner (try saying that quickly 3 times!), I'm also used to the use of RFID cards. Basically, in HK, it started out the same way as the Oyster (because they nicked it off us, bloody Ken Livingstone), being a contactless way to pay for TRAVEL, but then migrated to paying for most convenience or fast food stores, e.g. McDs and 7-11.
Personally, I knew the Octopus card idea (the one Ken lifted) would come to London, as it made sense. I haven't heard anyone complain of security problems in HK or with Oyster cards here (except big brother tracking), mainly because as soon as you report it stolen, they freeze the card!
Although one thing I don't like is the auto opt-in approach: we should be able to choose whether or not to use it (I just chose to use it).
What I will do .....
I will use cash for all my purchases, and keep my cards in a metal container/ shopping on line should remain relatively fraud free.
Because a 40 hour week would yield £21,600 (not £2,160). Why play football twice a week if you can get the same reward by hanging around?
"They say that thieves and the like don't go for small sums".
Banks do. Where's the difference?
Pin on first use
The article says you need to enter your PIN on the first use, so if you don't like the idea then never "activate" it and you're OK.
Until they make it mandatory or something.
So they want to do 'tap a poster to buy tickets'?
Think about it - you're on a normally-crowded train, bus or tube, and your Tap'n'Pay is in your pocket.
You get squished into the corner, and your pocket is pushed up against a poster for something...
Or you're walking along one of the narrow corridors in the tube, and happen to get too close to a poster...
- And you immediately get charged for it!
Chip and Pin
Actually, so far as I understand it, one of the major benefits for banks in switching to Chip and Pin is that it pushes liability back to the customer.
Someone's using your card without your consent? You must have given them your PIN. Nothing to do with us.
Monéo in France
In France, we have a system called Monéo: not contactless, but it uses the embedded chip in (almost) every credit card issued.
The reader is not wireless, but requires the user to insert the card into the reader.
The Monéo account is a pre-paid credit: you charge it up in banks and post offices, up to 100 euros.
The system works on a similar principle: you charge your standard credit card with up to 100 euros, then use it to make small purchases without having to use the PIN code or countersigning. If you lose the card, you lose up to the 100 euro credit loaded on the card. If you do not want to use it, do not charge it, and the card still works as a classic Visa if you pay and punch in your PIN code.
The bastard is that the banks, after your first Monéo credit, start charging you a couple of euros per month for the privilege...
Mine's the biker jacket covered in ally foil...
Time to get a lead lined wallet ...
What ever happened to the Mondex scheme where the payment card was pre-charged with money up to a limit the user was happy with?
Not to worry...
If your bank does send you one of these, just pop it in the microwave for two seconds on high. Not sure what it'll do to the magstripe, but it'll fry the RFID nice and good.
The other alternative that I've heard is discharging an instant camera flash through a wire coil around the card.
I don't know what technology these swipe-happy cards like Oyster use, but as I've got 2-3 already in my pocket, they go snafu all the time; obviously they don't like being in close contact with other similar cards. I've changed my Oyster 3 times this year. How amusing will it be having to change your bank card every other month too!
A possible improvement: up to £10 a transaction goes un-PIN-requested, BUT there's a maximum of £50 non-PIN-requested per day. And you can't take cash (from an ATM or cashback in shops) out on a non-PIN-requested transaction, which means that any further transaction locations can be recorded by the banks. Which should aid the police when they go to administer the sternly-worded warning and slap on the wrist.
And as someone pointed out above, an AMEX style system with non-RFIDed information for online purchases would be a great idea too.
While I can't imagine the average chav-in-the-street would be able to rig up some sort of RFID-enabled kiosk as detailed above, I reckon that most Reg readers could.
This rollout is only going to lead to trouble. Reg readers, unite to screw up this ridiculously insecure technology before it costs you your hard earned beer tokens!
Only a tenner? Tesco let you take £60 of fuel without a PIN
IIRC the original limit touted for contactless payments was £50
The security of it depends on how it has been implemented. If it is a wireless interface on the EMV chip then the security on it will be the same as for contact payments, with the obvious issue of a high-powered reader walking around the tube.
The EMV encryption key uses RSA and is being progressively extended in size, related to the estimated time required to break it by brute force.
If a mobile reader had enough time to connect to the card, break the encryption key and then read the PIN block (yes, EMV cards hold your PIN and a value that represents the trustability of it. If trustability is high then it might only initiate a connection to the bank's main records 1 in 10 times; if low it may always do it. You can generally tell when it does it if you visit the same shop regularly, as you will soon notice the speed difference between the 2 routes to PIN acceptance)
The dual interface chips were new technology around 4 years ago.
Before that the chips held an unencrypted string of characters.
If you visit a self-service petrol pump you may notice that there is no PIN pad connected to the reader/screen. EMV allows PIN-less payments through the contact interface. So if mugged for my debit card I would be more worried about how many tanks of fuel (Tesco allow up to £60 per transaction) the mugger can get before the bank block the card than how many £10 transactions.
Money is information. The physical money you may, or may not, have in your pocket is just a token; I promise to pay the bearer on demand the sum of 'X'.
Money is information. Most money exists as a pattern of ones and zeros magnetically encoded on any number of hard drives, tape drives, mass storage devices.
Money is metaphysical. Pay and wave is the next logical step to waving goodbye to your money.
Your money? Surely the Banks money? I know mine is.
Tin foil wallet please.
Acknowledgement of risk
If transactions are limited to 10 pounds then that is already an acknowledgement of the increased risk. If there was no change in risk why not let these things work for hundreds of pounds as with normal cards? Conversely if a risk is acknowledged, why allow any transaction? 10 pounds is a lot of money for some people - I notice the bank didn't offer Pete 10 pounds compensation, for example.
As already pointed out, I know my PIN and can keep it secure. When that is proxied by this technology it takes me out the loop. That is bad. For the sakes of liability, however, what's the betting that the bank would keep the customer firmly IN the loop?
These are risk decisions for the customer - ie those to whom the money belongs - to make, not the bank.
It's time for one of those things that nobody bothered thinking through!
Seriously, this is a card fraudster's wet dream... Whilst I do like the just plain cool angle, this is going to cause so many security problems it's not funny.
Pret a Manger
Re: I am not the card
You're utterly correct. But it seems to me that this system is already in place with Chip+PIN. It always spooks me out when you use a Chip+PIN card in Pret a Manger and they don't ask for a PIN. Something about it just feels "not right". That aside, what does RFID offer that Pret a Manger's Chip+PIN solution doesn't?
"What ever happened to the Mondex scheme where the payment card was pre-charged with money up to a limit the user was happy with?"
They trialled it when I was at Aston University ten years ago. No-one used it because of the fannying around involved in charging up the card. And, the perception of Mondex was "lose your card, lose your money" compared to the perception of debit/credit cards, where it's more like "lose your card, tell the bank, don't lose your money". It was dropped within a couple of years.
Microwaves are too high-tech
My prox card for work, if you hold it up to the light, you can see the brains. Just apply a hole punch, and it's gone. I also disabled it once by accident punching a small hole in the edge, because I nicked the antenna.
As long as you can swipe the magnetic strip and don't mind doing so, there's your security. As a bonus, you can thread a string through the brain-hole and use it for a tether.
Not as bad as it may sound..
It's worth noting that if you do use your debit/credit card for contactless payments, these systems will still ask for your PIN at least once in every 10 transactions.
So the banks are limiting their liability for a lost card to under £100
Whoa there, commenters - you're forgetting something...
And that something is the receiving retailer portion. It's all very well you all saying that you could knock up a skimming system (assuming you've bypassed the crypto system on the card) and then read £10 from passing strangers, but into what exactly?
A legit terminal connection will be needed to download the "cash" into your merchant account at the bank (emulating that you are a real card reader playing back the victim waving his card on your unit), so that'll need its security system broken off. Then we have the fact that to get one of these terminals you're going to have to go to the bank and get yourself all set up as a retailer ("know your customer" regulations apply).
Now, of course it's not beyond the wit of man to create a dodgy retailer account specifically for the purposes of general-purpose fraud and use that infrastructure to set up this situation, since let's face it, redeeming a few thousand £10 transactions isn't a well priced risk if this is your sole fraud income; however this is putting the bar pretty high.
I'm not going to sit down and work out a crypto protocol which would tie the transaction time, retailer ID and amount into a checksummed block (e.g. SHA-1 HMAC), but you will realise that this is eminently doable.
Layer on top of that the algorithmic fraud detection systems which already exist for the credit card industry and I'm feeling pretty relaxed about this whole thing.
New opportunities in wallet production?
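The post above sketches binding transaction time, retailer ID and amount into a keyed checksum. The following is an added illustration of that idea, not code from the original thread or from any card scheme; it assumes a per-card key shared only between the card and the issuer, adds a per-transaction nonce so a captured authorisation cannot be resubmitted, and uses HMAC-SHA256 rather than the SHA-1 the post mentions. The card key, card and retailer IDs and timestamps are all constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed per-card key shared between the card and its issuer (not a real key).
CARD_KEY = b"constructed-demo-card-key-0000"
NO_PIN_LIMIT_PENCE = 1000        # the £10 ceiling discussed in the thread
FRESHNESS_WINDOW_SECONDS = 120   # how old a signed authorisation may be before refusal


def canonical(card_id, retailer_id, amount_pence, timestamp, nonce):
    """Fixed field order and separator, so one field's value cannot pose as another's."""
    return f"{card_id}|{retailer_id}|{amount_pence}|{timestamp}|{nonce}".encode()


def card_authorise(key, card_id, retailer_id, amount_pence, timestamp):
    """What the card hands to the terminal: the fields plus an HMAC over all of them."""
    nonce = secrets.token_hex(8)   # fresh per transaction; lets the issuer spot replays
    mac = hmac.new(key, canonical(card_id, retailer_id, amount_pence, timestamp, nonce),
                   hashlib.sha256).hexdigest()
    return {"card_id": card_id, "retailer_id": retailer_id, "amount_pence": amount_pence,
            "timestamp": timestamp, "nonce": nonce, "mac": mac}


class Issuer:
    """Issuer-side settlement check of a transaction forwarded by a merchant terminal."""

    def __init__(self, key, clock):
        self.key = key
        self.clock = clock            # injectable clock so the example is deterministic
        self.seen = set()             # (card_id, nonce) pairs already settled

    def settle(self, txn):
        expected = hmac.new(self.key, canonical(txn["card_id"], txn["retailer_id"],
                            txn["amount_pence"], txn["timestamp"], txn["nonce"]),
                            hashlib.sha256).hexdigest()
        # Constant-time compare; any edited field (amount, retailer, time) breaks the MAC.
        if not hmac.compare_digest(expected, txn["mac"]):
            return "rejected: mac mismatch"
        if txn["amount_pence"] > NO_PIN_LIMIT_PENCE:
            return "rejected: over no-PIN limit"
        if abs(self.clock() - txn["timestamp"]) > FRESHNESS_WINDOW_SECONDS:
            return "rejected: stale"
        marker = (txn["card_id"], txn["nonce"])
        if marker in self.seen:
            return "rejected: replay"
        self.seen.add(marker)
        return "settled"


def demo():
    """Run one genuine authorisation and the four ways a merchant could misuse it."""
    now = 1_700_000_000
    issuer = Issuer(CARD_KEY, clock=lambda: now)
    genuine = card_authorise(CARD_KEY, "card-0001", "coffee-kiosk-17", 250, now - 5)
    results = {"genuine": issuer.settle(genuine)}
    results["replayed"] = issuer.settle(genuine)                 # same block sent twice
    results["amount_edited"] = issuer.settle(dict(genuine, amount_pence=999))
    results["retailer_edited"] = issuer.settle(dict(genuine, retailer_id="shill-shop"))
    old = card_authorise(CARD_KEY, "card-0001", "coffee-kiosk-17", 250, now - 3600)
    results["stale"] = issuer.settle(old)                        # signed an hour ago
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} -> {outcome}")
```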
Methinks I'll be getting a lead-lined wallet soon - if it helps? I'm not up on RF tech. Or would a Faraday caged wallet be better.
If found, please return to...
So what happens if you lose your card or worse, wallet?
How many transactions under £10 would someone be able to get away with before you notice your card is gone and remember what the phone number is to report your card missing?
CD's, magazines, travel, food... all without having to enter a pin?
I think the banks are being negligent here, but no doubt they'll blame us for losing our cards or being pickpocketed.
Re: Unseen price hikes
That's the real danger here.
I don't have much against the tech, as long as it's backed by good fraud protection, which has already been well-honed for debit cards (I've had to use it, so I know).
This will be an ideal way to sneak in price hikes. However, we already have that danger with recurrent credit card/bank withdrawals. I had a utility overdraw from an auto-pay account once, and it was such a nightmare getting the money back that I have not done an auto-pay since. Once someone has your money, it's tough to get it back.
Another Vote in Favour
I'm with Clarence 100% - I think this is a brilliant step forward and I can't wait until I can go totally cashless. Contrary to what everyone on the TV seems to be telling me, I think using cards as much as possible actually puts me more in control of my finances as I can check my statement online and know exactly where my money is going. With cash, it just disappears into the ether unless you're diligent about getting and saving receipts (I'm certainly not).
I'm not too bothered about the security issues, as even when the purchase is under £10 you still occasionally have to enter a PIN, and Halifax have agreed to compensate me in the event of fraud. This is a trial, after all, and I'm sure that one thing Halifax are keen to discover is how exposed this technology is to fraud.
Personally I think this Pete guy is a little OTT and frankly I'm surprised to be reading about something so trivial on The Register.
I've been issued one of the new Wave and Pay cards by Halifax and the only thing that's holding me back is the lack of places to use it! Very few shops in London have the scanners. And even worse, most retail workers have no idea what this crazy wave and pay thing is all about. I try to use it every chance I get, but shopkeepers look at me like I've lost my mind when I wave my wallet in front of the scanner to make a payment. On a couple of occasions I've removed the card from my wallet to wave it in front of the scanner, and the shop attendant has actually taken the card from me and plugged it into the chip and PIN reader! Infuriating.
Also, like most Londoners I've now got several RFID cards: Oyster, debit card, work cards... and they don't like to play nice with each other. I like to keep all the cards in my wallet and just slap it on the readers in the tube ticket hall or on the way into work, but I've got to keep my Oyster in one side of the wallet, one work card in the other, another work card has to be kept out of the wallet, and the wave and pay, well, I haven't quite worked out what to do about that one yet.
I seem to recall that the pin for first use is for EACH RETAILER. Thus, if you buy a coffee in the local coffee dive every morning you don't need to re-authenticate each time. However someone stealing your card could NOT just take it to any old supermarket and get a bagel.
However....I do agree that this is a pile of crap.
1) Many £10 can easily wipe out my account. Heck, right now with payday coming soon... about 3 would do it.
2) what if I get a bit too close to the till when someone else is paying for something?
3) with a "passive" chip like in a card, there is NO control. At least in something like a phone I imagine they could make a "RFID pay chip ON/OFF" like they do for Bluetooth and IR.
Government to ban cash next
Gordon would love to ban cash - if we had to use traceable plastic/chips he could see where every red cent was being spent, and tax the bits that the Evil Empire has missed, and small cash traders would no longer be able to fly beneath the tax radar.
Me, I'm joining this year's 500,000 in the exodus from the UK.
Belt and Braces
As Sconzey says, 2 seconds in the microwave should cure the RFID but I would suggest the tin foil wallet as well.
Perhaps 2 seconds in the microwave for passports and ID cards as well? If they might fail "naturally", we should just help them and nobody will know the difference...
Cost to merchants
Question for retailers is - how much will the banks charge you for people paying this way? At the moment small businesses are charged about 30p per transaction for debit cards - which is why many small shops, etc have a minimum value for card purchases (against the T&Cs) - how much profit on a newspaper, etc will the banks take?
What's the traditional money-laundering cash business?
Sun bed studio.
No stock, low running costs and no-one knows how many people have been there.
So, did these wankers provide an RFID-shielded case when you did not wish to use this wave to pay facility?
Missing the point?
I think the wood-for-the-trees thing here is that this is ALL about banks moving down the food chain, and making a land-grab to finally replace cash for small transactions. You can almost hear them salivating at the idea of all the money they can make off of that: micropayments, rental of scanners to retailers...
Pigs, snouts, trough...