Feeds

back to article UK supermarket starts contactless payments

Spar is going contactless, attracted by the four pence per transaction the company could save by not asking shoppers for their PINs. The supermarket chain will roll out contactless payment kit to its 2600 stores over the next couple of years at a cost of £700,000, which it intends to recoup from the lower transaction fees that …

COMMENTS

This topic is closed for new posts.

Page:

Silver badge

Security

Even with asking for a PIN at random, contactless payments will still make my future debit card more attractive to a potential mugger. Not a smart move (and not that the banks would give a shite either way).

10
1
Thumb Down

i have nothing against these contactless payments.

i have an oyster card and think its great, I also have a contactless card from Barclays.

However, it is a credit card, which i do not (and will not) use for payments under maybe £150

Stick this functionality on a debit card, and i might be more interested.

0
0
Go

Huh?

I use a credit card for every purchase that can be made with folding money and pay it off 100% ever month; have done that for over two decades. Don't know your laws but in the good old USofA liability is limited to $50 (many, many people don't know that) as soon as you make notice to the credit card company in writing. THe limiting process starts with a phone call though. And if a bogus charge shows up, which it has more times than I wish to count, call the card company and protest it. They are by law on the card holder's side (really!) and if the debt is not cleared and you can prove reasonably (no too hard ) that the charge isn't yours the card company has to absorbe the cost. A cost which is rolled back to the public through higher interest rates. But if you pay the card off EVERY month (as we all should) the increases doesn't fall on my shoulders. It falls on all those financial wizards who get in over their heads. Praise they tiny money-challenged souls,

Not Flawless, but in over twenty years I've lost exactly zero.

And something else a lot of people don't know on this side of the pond, the little boxes you swipe your debit card across hold the data in a standard, unencrypted .txt file. And as all us frakkin' gurus know, that kind of file can be read with the simpliest of text readers. How brilliant.

Ahhhh I love technoligy. Thank you I'll take mine with a bit of commmon sense please.

0
0

HBoS

I have a contact-only Bank of Scotland credit card and a contactless BoS debit card.

I had the contactless card sent to me entirely unsolicited by the bank, and they didn't make using it optional - a cash machine swallowed my old debit card, which would have still been valid until 2012, because I'd continued to use it.

I've decided never to use the contactless aspect of it. The ability to conduct anonymous cash transactions is something I don't want to give up.

4
0

Same happened to me

i.e the old card got swallowed, but I'd already phoned them to ask them to send me a normal debit card without the RFID chip. It still left me a week without my debit card, but I did get a brand new contact-only card. So even though the roll out was aggressive, it was possible to opt out.

0
0
Unhappy

Unless the banks stop ripping us off

I don't think I'll partake in this, thanks anyway.

I find it difficult to track all the small <£10 transactions that go on my card so I've started using cash.

Providing the banks are upfront and honest with us about our balances, and don't talk to us about floor limits, pending authorisations, and allowing us to go overdrawn and then charging us for the privilege.

Oh, and maybe a handy balance (on request) on the display would be handy, ta.

3
0
Silver badge
Unhappy

Difficult balance

"I find it difficult to track all the small <£10 transactions that go on my card so I've started using cash.'"

I have the opposite problem.

When I come to the end of the month to account for where all my money went, I often wonder what on earth I spent all that cash. Occasionally, I will feed my online statements into GnuCash to get a breakdown of expenses and the cash pot seems rather big and it's difficult to account for it all.

1
0
Pint

I agree

I've come to realise that notes are almost certainly 'worth' less than their total value, if I break a note on less than its full amount the change is quickly frittered away on daft little expenditures which I'd avoid if the coins weren't in my pocket. Furthermore when it comes to buying something of a 'real' amount, over two quid say, I can rarely be bothered to dig through all my change and add it up, so I break yet another note instead. As such I rely on my plastic (debit only, I have a credit card which I never use except on large purchases) because it gets rid of the change factor and I can track every purchase perfectly with online banking.

Contactless payment is certainly the future for small scale purchases, quick and easy. If it is cheaper for the retailer than card transactions hopefully it will penetrate those retail markets which cards have never made it into like many corner shops and maybe even markets - it may even get rid of the "minimum spend for card transactions: five pounds" often seen in pubs!

<- big problem could be without a regular "balance check" function I could end up spending too much on these

0
2
Bronze badge
Flame

"capacity for fraud is minimal"

Haha. Because Chip&Pin was also completely unbreakable, what with advanced security features like passing card data and the PIN unencypted to monitoring contact points inside a nice roomy box with a constant power supply, or broadcasting them across a busy café from terminals hand-held by untraceable workers pulling night shifts for minimum wages. I'll freely admit I'm no security expert, but I know a phrase that's going to bite you on the arse when I see one.

15
1

The Fault with

Chip and Pin was because the magnetic strip has still not been removed from the cards, thus making them usable in ATM's..

DSG, Halfords, and many other large companys still refuse to use the chip and pin devices, in favor of scanning the strip in the till (that has a chip reader at the end).

The strip needs to get dumped, and we need to go fully chip & pin OR..... Have 2 pin codes, one for Magstripe, one for Chip.

1
0
FAIL

Chip & PIN _is_ secure

It's all the other stuff, ATMs, swipe readers, POS machines etc. that aren't......

http://www.theregister.co.uk/2010/02/12/chip_pin_security_unpicked/

http://www.theregister.co.uk/2009/06/03/atm_trojans/

http://www.theregister.co.uk/2008/10/10/organized_crime_doctors_chip_and_pin_machines/

1
0
Anonymous Coward

meh

I was recently the victim of credit card fraud despite, or perhaps thanks to, chip and pin.

I'm not an idiot, I took every precaution I could reasonably be expected to take, and someone got my details anyway. The same thing happens to huge numbers of people. Chip and Pin doesn't work.

So now they're telling us that something *less* secure will work fine? I'm not buying it.

Why is wireless cheaper? Either:

a) they cut corners, or

b) they're pushing an agenda to make traceable electronic transactions "sexier" than cash

Well we know b is true, but I suspect that a is also true. Fact of the matter is, if I'm spending less than £15 I use cash. Partly because I'm not an asshole, I don't like making a queue of people wait 2 minutes for my credit card transaction to go through on a box of tic tacs, but also because cash doesn't track back to a particular person whose details can be stolen. As mine have been.

Luckily I have no need ever to set foot inside a Spar convenience store.

13
2

chip and pin

on the tv programme Fake Britain the other day, they did a segment on chip and pin keyloggers. It is rather straightforward to insert a keylogger inline to capture details to remove and download later.

What's worse, it appears that some chip and pin readers are being modded at the factory, before sending to the shops, to include a sim card and device to send details direct to pakistan .

Allegedly found at a major supermarket chain too.

Suddenly i got a bit more nervous about chip and pin.

3
0

Am I missing something?

How is not being asked for your PIN more secure again?

The only reason I can come up with is that it reduces the opportunities for people to determine your PIN...

1
0

I always wondered...

what would happen if you built a contactless payment unit with a huge range and then snagged a tenner off everyone who walked past.

1
0
Thumb Up

well

No doubt some uni kids will do just that and put out a paper on how bad the system is to which the credit card companies will reply with their usual response of "i do what i want" and put out the cards anyway. Then the chavs will use the machine invented by the uni kids to steal your money and the police will use their stock response "can't you morons stop coming to us with your problems, what do you think we are some kinda police force? Now do you have any marijuana on you or not, I have quotas to fill you know" etc.

3
0

ok...

1) The tech used by these readers will only work up to about 50cm max.

2) The money has to go into a merchant account, so you'd get found out in minutes.

0
0

multiple cards

How does it decide which card to use if you've got more than one in your wallet?

3
1
Silver badge
WTF?

You can't beat C.A.S.H.

I move in countries where Cash is King and I have no concerns in leaving digital trails as I go about my business.

Mind you Mastercard and Visa are trying to change this about without too much success.

Few transactions are 'private' these days with card acceptors retaining card numbers and PINs; the governmental authorities use them for unknown reasons and the world's data vacuum, the U.S. Government, sucks up everything EXCEPT cash transactions.

Travel Agents, after being given authorisation cards, can have charges reversed 4 months later, as can other merchants.

I might be involved in high tech industry but you can't beat CASH!

5
0
FAIL

Security risks are at a minimum? REALLY?

As per title, I'm not sure I believe that at all. Wasn't it El Reg that rightly pointed out the serious iffiness of Paywave type mechanisms on the basis that you can potentially get 9 transactions approved before you're prompted for a PIN with a card you've filched? And I can't help but notice that this article is talking about a £15 limit, rather than the £10 that Paywave was originally pushed with.

I'm reasonably ok with paying for stuff by card *because* there's some form of security to ensure it's me using the card. Remove that security and I may as well be using cash.

1
0

Problem?

If you find fraudulent transactions on your account, just call the bank, tell them what has happened, they will refund your money and send you a new card+pin.

The legal burden of proof is on the bank to prove that you are lying and not for you to prove to the bank.

0
0
MnM
Pirate

Wot no Marks and Sparks?

I did what I was told, and didn't get a combined barclaycard/oyster lifetracker. Well, the scheming sheisters have thought of that. Try having an oyster and a barclaycard in the same wallet - one interferes with the other. What they didn't realise is that 9 out of 10 bus drivers, when presented with an apparently broken oyster card, let you on anyway. Free, incognito bus travel, courtesy of MnM! I thank you

1
0
Go

Cash costs

It boils down to cash handling - having works in a very busy bar and cashing up at the end of the night, we were impressed if a till was correct (+/-) to £5 - multiple that by the 6 tills we had and it soon adds up. Not to mention the security (and therefore cost) required to look after cash floats, etc.

Personally, I hate having using cash - working in London, aside from buying a newspaper, I always use a card to pay for everything and it is much easier/convenient/better (I've lost count of the amount of small change that falls out of pockets, etc.)... yes there will be problems, and fraud, but at the end of the day, I think I'll loose less cash to the sofa

1
3
Thumb Up

Love it.

I use it all the time with my barclays debit card in Eat and Pret (only places that I know who use it). Love it. It's made sandwich shopping like sex. In and out in 30secs without any faffing about.

2
2

TheOtherJola

Huh?

How is it easier to track smaller payments in cash?

At least small card payments are tracked automatically on a statement.

0
0
WTF?

Drive-by scanning?

What's to stop someone taking a scanner with a £14.99 purchase on it and going around pointing it at random people's pockets until they find someone with a contactless card?

Would I even know if the guy who just walked by me scanned the card in my pocket?

7
1
FAIL

I doubt it

Firstly there's going to have to be a network backing it up, the equivalent of visa or mastercard, so to get access to said network will require registration, a merchant account, upfront fees and probably even a certain scale of transactions to make it viable. So your portable scanner and funds will be traceable directly to you.

Second, even if you make it past that, there will have to be a method of challenging transactions, as there is for all other forms of 'plastic'. So when you review your balance sheet (which as a responsible consumer you should occasionally) you can challenge the transaction and such a pattern will probably be quickly spotted and the fraudulent 'merchant' would be kicked off the network and the payments refunded.

Third surely these work on a fairly short range, all the rfid/contactless systems I've ever come across seem to need to be within a couple of inches at the most to work. So this bloke would have to wander round prodding peoples pockets to get in range.

Finally it probably wouldn't be all that hard to add a pressure sensor switch to the cards (a little piezo wafer maybe?) so that a force would have to be applied at the same time for the transaction to go through?

So yes there maybe be less 'direct' security but systems security can be implemented to mitigate this.

1
0
Gold badge

Distance is an illusion

The imaginary protection offered by the lowered transaction fee should have given you a clue that not all is well - the whole idea of credit cards is to get you into a situation where you don't pay off in full. The moment the industry "voluntarily" restricts its own ability to do so you should wake up because something stinks.

And it does:

1 - the actual distance you can read these cards from is close to 30 meters. All it takes is a better antenna.

2 - the real reason they got you to use Chip & PIN, transfer of liability. YOU will have to prove it wasn't you who made a transaction. This means a LOT of hassle for a small amount, although I can imagine passive harvesting resulting in much greater withdrawals later (assuming the RFID happily broadcasts all the relevant data to clone the card - unsure). The switch of liability to the customer was the main reason behind Chip & PIN, not your security.

You should never, ever forget that the goal of a CC card company is making money, NOT to keep you safe. They much rather have someone defrauding you and you not noticing than to present you with a really safe solution. That's also why the security model hasn't really been updated in 2 decades, conveniently sweating assets with sunk costs..

3
0

@Fred flintstone

Wrong on both counts.

1) Paywave type cards are specifically designed so that they can't be used at distance, partly for security partly because you don't want every card in a queue at a shop trying to respond.

2) The bank has the burden of proof for fraudulent transactions - this has always been the case but was specifically written into law late last year (it may have been early this year.)

So: Nice conspiracy theories, but they don't stand up to even basic examination.

0
2
Thumb Down

RFID does not use RF

Banking cards and Passports are often refered to as RF ID parts. Here the RF is a misnomer. The cards do not use radio fields but magnetic fields. The communicatoin is done by transformer couplings (this is also how the readers power the cards). Magnetic fields do not travel in the way electromagnetic fields travel, hence you will start to struggle to communicate at a distance of more than 10 cm with these cards.

(NFC works the same way, hence "Near-Field Communicatoin")

1
1
Anonymous Coward

No RF in RFID? Say what?

What makes you think it doesn't? Did you read the standard lately? Ever opened an RFID reader? What colour is the sky in your world?

It's not exactly difficult to read these cards from more than 10cm. 10 metres (that's one hundred (numbers 100) times as much for the math impaired) with passports has been done well before the people got to 66m with active tags.

By the by that 10cm, as an absolute, was a US state department claim. That got disabused pretty quickly. As a government shill you're a bit behind the times.

1
0
Silver badge

What?

Not that many people have them?

I've had a contact-less VISA with built in Oyster since 2009... And they just sent me a contact-less debit card too.

Never used the damn things! Never seen anywhere to use them!

The Oyster looked and sounded handy for 2 seconds until I read the blurb and discovered it wouldn't give me any more integration than taping a normal Oyster card to my old credit card, and as I prefer not to give all my info to TfL I didn't really want to set up auto top-up from my credit card thank you very much. I'll stick to my topped up by cash only Oyster which was given to me by a friend.

Now that's anonymous data :-)

0
0
Anonymous Coward

Now that's anonymous data?

It still has a history attached of everywhere you've been since you bought the thing, unless they guarantee somewhere it's limited to some period of time. That significantly narrows it down already; even without name attached, it could come in quite handy for plod if they find it on your person.

Over in the Netherlands the taxman puts a minimum of seven years on the time of paper trail is to be kept, for your every move is now a taxable transaction. And the will-be-nationally-rolled-out oyster-equivalent card makes it all but impossible to keep your name off of it in practice, even with the so-called "anonymous" card. You're limited to coins in some, not all, top-up automatons, and of course you can't go to a counter somewhere. The very idea. The government has repeatedly shown no interest whatsoever in correcting that lie^Wminor non-problem.

Not entirely surprising as it turns out the whole thing hasn't cost 130M EUR to date, but over a billion--they "forgot to mention" a couple preparatory expenses earlier on that didn't get labeled with the project's branding. That's this fallen christian cabinet for you.

0
0
Thumb Down

DO NOT WANT!

It's a homing beacon. A tracking device in your pocket. The more of these damn things they give us, the worse. Shopping centres etc... already read contact-less ID chips you may have about you. It will be worse if they can ID you by yours when you come to pay.

1
0
WTF?

Why has it taken this long?

And what is all the fuss about?

Contactless payment is the norm in Japanese convenience stores, and transactions are so much smoother because of it. I'm frankly amazed it's taken this long to get going over here.

And for the AC above who doesn't like causing unnecessary queues - there'd be even less of them if we didn't have to fumble around with coins for a pack of chewing gum.

Bring it on.

0
3
Flame

You're the sort of idiot who waits...

I hate the idiot people who stand there in a queue, get all the way to the front, watch their goods being scanned and THEN and only THEN think of getting their wallet/purse out of their pocket and counting individual penny coins until they find they haven't got enough and start again with the 2p coins... Or sometimes paw through a pile of random driving licences and loyalty cards to find a valid payment card that they want to use today.

(I have to say, this is mainly but not exclusively women)

Has nobody thought of preparing their payment WHILE they are in the queue instead of standing their wasting oxygen for everyone else who'd like to get back to whatever they were doing before they had to enter a shop.

If you're buying a chewing gum, you know how much it costs, just have a look for those coins before you get to the till you nitwit.

1
0
FAIL

Chip & Pin was never a secure option

And neither will Wireless transactions!

I have only ever been questioned ONCE using my wifes Card and PIN

She has NEVER been questioned using my card & PIN

and why was I questioned??

Because the sales guy at a scrap yard noticed that I wasn't a Mrs !!

Nobody else ever looks at the card I stick in the machine.

FAIL! because Wireless Transactions WILL FAIL!

0
0
Anonymous Coward

Fail? Pray tell how.

There's companies, like various parasites at the fringes of "mobile services" or those "selling special access" to open-source software download links, that make good money out of scamming users into "buying a product" only the small print says they're buying a monthly subscription that lasts for a year and will renew if they don't cancel fifty weeks in advance, or something to that tune. If people even notice the few-quid charge they're often too blase to contest it, especially when not realising that it's not one-off charges.

Now imagine a card that gives everyone and his dog the potential to do exactly that to an endless stream of passers-by, don't even have to take the card out of the pocket. And they don't even come with paper statements to show what's happened. You can just hear the drip-drip of the companies involved and their parasitic hangers-on salivating in anticipation.

I predict, with enough push, this will be another roaring success... for the "owners" of the revenue streams. That's not the card holders, make no mistake. They are where the money comes from.

1
0

I've seen this fail

I was in a coffee shop with two people in front on me. The guy second in line leaned over, wallet in hand, to get a serviette. The machine beeped. The guy at the front asked how much and the person at the till said " you've already paid with your Barcleycard". He said "I don't have a Barcleycard".. The guy second in line said "I do". He had paid with out knowing. Try challenging that when the bill comes through. My Barcleycard went straight in the shreader

5
0
FAIL

Ha!

Its worse than that....

"Hi, this is my wifes card, is it OK if I use it"

"Yeah; sure; as long as you have the PIN"

And that was in places I'd never shopped in before!!!!!!! Security my arse...

0
0

So where is the big advantage?

TBH, I am a bit puzzled by all this bru-ha-ha surrounding contactless payments integrated in credit/debit cards. You still have to have your card with you, you still have to present it at the check-out/till. They will still ask you for your pin - just not every time. The major difference is that, instead of inserting the card in the card reader for the sensor to read it, you are going to wave it within a few centimetres of the sensor. I really can't comprehend what is the big progress. Take the current system, ask people for their PIN at random, not on every transaction, limit it to £15 per transaction - and it's exactly the same. Without rolling out a completely new set of equipment/infrastructure. I'll be darned if I understand where is the big progress.

Another thing that I find a bit of a paradox is that with all this chip+pin - there was less of an incentive for a street mugger to get your cards - as they became less and less useful on their own - as the chip+pin implementation was covering more and more premises. Definitely less useful then being mugged for good old fashion cash. Now we are turning a full circle - and getting mugged for your cards may just become attractive again. They could (at least try and) use the stolen cards - no signature or pin required (at least for a few transactions, anyway). The cards would have value even to a low tech would-be mugger. How funny history can be sometimes.

0
0
Big Brother

What a great idea?

Even better, why not scrap cash altogether! We could just have a tiny RFID chip implanted into our right hands, no need then to even carry a card, just wave your hand over the till. The check out would verify our identity, and we could confirm our acceptance of the transaction with a finger print. No need for a government database, or ID database, people would flock to have their details taken for the huge convenience. Known criminals or illegals would find it very difficult to do much. Win win for everyone!

Except that.........................you're on your way people!

And the Antichrist causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:

And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.

Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six. Rev 13:16-18 KJV

3
1
Anonymous Coward

Yay for astroturfing RFID

There's no reason you couldn't go chip-no-pin. In fact, it was tried, and it flopped. The upshot of this re-try with added "look ma no touchy!" is that with a rogue terminal it's still good chances to rip lots of people off that merely walk by. I'm tempted to try just to prove the point.

And there's the problem of privacy, same as with chip&pin, or magstripe&pin, or take an impression of embossed numbers and sign, or any other system to date, really. Each transaction leaves a paper trail containing amount, retailer, you, date and time down to the second, and place. And it'll keep for years. And leaky paper trails are a good source of income for criminals too. Dumster diving for cc slips was good pickings before databases accessible over the internet full of cc numbers proved to be even more profitable.

Fix that privacy thing and come up with some real security instead of this make believe crap and I'll consider using an electronic system beyond getting cash from some cash dispenser then parcelling that out over a couple of weeks. Or maybe not. Cash I can count easily and, quite literally, keep my spending in hand. Electronic payments, not so much.

It's all about control, and YOU the consumer, aren't allowed to have it. Ha ha!

1
0
WTF?

Meh

I've had a PayWave contactless card from Halifax for a good few years but I've not see a contactless reader, until the other day in Subway. I asked if I could use it, but was told they didn't know how to and I had to do chip and pin.

0
0
Anonymous Coward

Minority Report

Does the image of walking through a shopping centre and being targetted by advertising screens that read the card in your pocket come to mind for anybody else? (Admittedly in minority report it was eye scans but still)

0
0

What takes time with C & P

Is not the putting in the card or the PIN, it is waiting for the transaction to authorise. Although I notice at some places where the majority of transactions are under £20 (like McDonalds) it is instant suggesting a 'floor-limit' is in place. Does this then mean that any transaction under £15 will not be authorised unless there is a PIN request?

Dodgy types will use stolen cards, when they get refused or a PIN is required they will simply fudge it or run.

1
0
Grenade

mcd

Yes there is a floor limit for Credit Card transactions under X GBP, the card will be authorized (with PIN stored ON-CARD) even if there is no internet connectivity to the till! Debit Cards are different and need to perform a balance query before auth. Would never recommend you eat their filth, however :)

0
0

pain in the arse

the chip in my barclays debit card interferes with the one in my oyster, meaning i have to take my oyster out of my wallet to use, most annoying

0
0

It is all PR

Pin was essential for security. Now it isn't.

0
0

Fsck Barclays

As well as sharing the fraud concerns of other commenters, what about tracking? Why were we all worried about the RFID tag on our passports but now we're not bothered when it's on our credit cards we carry every day? Do we really think these aren't going to be used to record our movements? After all, shopping centres are already tracking you through your mobile.

Barclays sent me one of these cards when my debit card came up for renewal. I couldn't reject it via internet banking so I phoned them up. The gentleman on the phone told me he was required to explain to me the benefits of the contactless system, and then having done so (and me still wanting rid of it) told me he couldn't cancel it. So I went into my local branch. The cashier told me she was required to explain to me the benefits of the contactless system, and then having done so told me she couldn't cancel it, and I'd have to see the manager. The manager told me he was required to explain to me the benefits of the contactless system... in each case they said "You don't have to use it." Surely it's a cornerstone of good IT security to not leave a feature in place that you don't use, when you've no idea or control over what it's doing. Barclays told me that if I didn't want the contactless system they had to cancel both my old (still valid) debit card and the new contactless one, leaving me without a card for a week while a new non-contactless debit card arrived. The new one apparently does not work everywhere my previous debit card did, and is generally given to customers who cannot be trusted. Surprise surprise as soon as I got the new second-class-citizen-who-can't-be-trusted debit card, the interest rate on my Barclaycard credit card shot up. So, then, fuck Barclays. After 20 years I'm off.

1
0

Page:

This topic is closed for new posts.