As America wakes up to the idea of pay-by-phone the Consumers Union is calling for greater regulation, concerned that proximity payments may not receive any protection at all. Various pay-by-phone operations, based on Near Field Communications technology, are being tested in the US at the moment, with a consortium of US network …
Look, at least regulate the AFC too, then. The Superbowl is skewed enough as it is.
NFC sets up for volume theft
Always-on NFC is exceptionally dangerous.
For a start, the technology is based on the assumption that it cannot be accessed from a distance. Well, as even beginning geeks have discovered with WiFi, it depends on your aerial and receiver - AFAIk the actual max distance is closer to 30 METERS. The aerial is also fairly easy to make, so setting up shop for credit card fraud is not going to be hard.
Secondly, NFC works without you being aware of it - translated: it's uncontrolled. All you need is one rogue vendor scanning and skimming passing cards with a van on a busy shopping street and you have a problem, especially if you couple that with the result of the biggest con-trick ever performed on a paying public: Chip & PIN. Chip & PIN has little to do with your security. It's not just the fact that it all falls back to the magstrip when the chip doesn't work, no, the con trick was shifting payment liability to the end user.
Before Chip & PIN, the CC company had to prove it was you who authorised a payment by providing a resonable simile of your signature. Since Chip & PIN the end user has to prove he/she did not make a transaction (even when there was a fallback to signature mode). In the UK, your liability is thankfully limited by law, but that's not the case in other countries.
To stack something as blatantly unsecure as NFC on top of this is irresponsible, to put it mildly.
And I'd still prefer cash.
Not because the lack of protection, but because it's entirely clear what's happening. You hand over cash, presumably sober and in full possession of your faculties (well, most of the time anyway), and you can, well, feel, the cash passing. I mean, you *know* you just paid.
In fact I tend to quickly count the petty cash in line for the checkout, so I can minimise the number of coins passed back and forth and manage the amount of petty cash I carry, with a convenient side effect that I know down to the last penny how much I'm carrying. That, and not carrying more than necessairy, are good ways to keep spending in check.
With waving contactless stuff around, it's entirely possible you've paid without knowing, maybe for someone else even. It has already happened. That also means someone else might make you pay without you so much as noticing, nevermind consenting. If that's the big plan to make "stand and deliver" safer to life and limb, I'll take the danger, thanks. At least then I'm aware of what's happening and might possibly call for help.
No amount of regulation of NFC is going to deliver us from contactless abuse. That goes for passive cards as much as active devices like phones; for any extra confirmation step there might always be an virulent override stuffed down the device's throat through one wireless interface or another. And then it's just a game of numbers, like a zombie botnet. Recall that spam still pays. The problem is that this is how the thing was designed to work, and there is no protection from that short of not using the thing at all. Especially people in IT should understand *that*, at least.