Channel 4 News has found out that pay-by-wave phones are compatible with pay-by-wave cards, and wants something done about it, but it's web bazaar Amazon that's lacking basic security. The investigation, which was carried out by viaForensics at Channel 4's behest, discovered that one can lift the credit card number, expiry date …
Untrusted by me for over a decade.
Amazon orders (as distinct from Marketplace orders) are only paid for when the goods dispatch.
Most retailers do this by pre-authorising the charge using CVV at the time of order and then charging at the time of dispatch, but Amazon have always run the much simpler system of storing the credit card details and only charging the account at dispatch.
That does mean that Amazon can't use CVV authorisation, because they aren't allowed to store the CVV information until they're ready to use it.
I suspect that Amazon eat their own chargebacks (and pay a lower handling fee to the CC companies) and have their own anti-fraud measures, rather than using CVV or 3-D Secure.
I think it has a lot to do with Kindle sales using 3G/wifi personally - few people know the CVV and it doesn't encourage impulse buys. The laughably easy to compromise "Verified By Visa" won't work with the Kindle browser either so eating the chargebacks is probably a lot cheaper for them.
Also Richard is spot-on about when they charge the card - that happens when the order clears packing and not before, no pre-auth on any Amazon orders.
Amazon have a race condition on Kindle purchases, when my card expired I downloaded from the store successfully but then got an email asking me to register a new card.
Under PCI you actually are allowed to store the security codes up to the point of auth and this time period has never been specifically defined, at least not in earlier versions of the DSS. However, I do agree that the standards around the protection and handling of the security codes make it more desirable to not handle them at all, from a compliance standpoint.
What drives customers to sites like Amazon is the convenience of making a purchase with saved details, being able to ship to a work address or pick up from a collection point.
What makes it convenient for fraudsters is that stolen credit cards get more mileage and goods mules don't have to be burned that often as the collection points rarely validate the photo ID, so false ID works most times and the home address is not exposed.
While the fraud rates remain low, the cost of fraud can be passed on whilst keeping prices competitive. A recent figure from another on-line retail vendor was <1% of transactions were fraudulent and about 80% of these were detected and stopped before shipping. (Simple measures like contacting the card holder before shipping if systems picked up anomalies.)
With figures like that, there is little incentive for a business to lock down too much and make the customer experience difficult, but a lack of CVV2 check is inexcusable.
What's always bugged me about CVV2 is having the number printed on the card. Why not send the authorisation number to the cardholder like an (unchangeable) PIN#?
People forget PINs.
All the CVV is supposed to do is to make it impossible to use a card for CNP transactions by using the card number from a "kerchunk-kerchunk" machine style impression or from swiping the magstripe.
The chip has different card numbers for Chip and PIN and NFC transactions.
Of course. I forgot cashpoints were a massive failure shortly after their introduction and were withdrawn never to be tried again.
I've already said I don't want contactless anything, so will maintain my previous stance.
I have not asked for it, I don't want it.
It's totally within your rights to do so, but I have to ask:
Why are you reveling in your shunning of new technology on a tech web site?
new =/= (useful, reliable, trustworthy...)
I presume you haven't noticed that some other articles on El Reg highlight *problems* with technology ? Particularly, problems that the profit-takers are happy to sweep under the carpet ?
As the Native American saying goes, "Only an idiot tests the depth of the water with both feet..."
>>I have not asked for it, I don't want it.<<
No, me neither, but when I contacted my credit card provider (Virgin) and asked for a card without contactless tech I was told they couldn't do it, all new cards have it built in. So you might not want it, but you're going to have a hard time avoiding it.
Anyone know whereabouts on the card it is? Surely a quick bite in the right place would disable it permanently...
From what I can tell, the chip is the same one as the chip'n'pin one, the aerial runs around the outer edge of the card. Presumably cutting a notch into it, or cutting the corner off would inactivate it if it cut through the aerial. I wouldn't recommend trying it though.
There is some pretty good info about cards here:
I would echo Loyal Commentater's caution about tampering with a card - you do not own your card and the bank are perfectly within their rights to not issue you a card if you are caught tampering with it.
@Jimbo 6 - Yes, but just because something is new and works without wires (which seems to be the main problem) doesn't mean that the people who have designed it don't know what they're doing. There seem to be a lot of people commenting on The Reg who "know" a lot more about subjects than the experts who work in those fields professionally. Guess what? Usually they don't know more, they just know about a vastly simplified version of said subject, but believe that they know everything about it.
I'm sure the designers have been quite professional in producing a system that is beneficial to the bottom line of the payment processing industry, the people who pay them. I'm less convinced they've designed a system that's beneficial to the cardholder. If it reduced the risk of fraud then I'm sure they'd be telling us about it, but they aren't.
@AC It does reduce risk of fraud and APACS do tell about it, just because you don't look in the correct places for this info, doesn't mean that it's not being put out there.
Did that, works well to stop it.
I have a barcley card, debit (barcleys) and debit (barcleys business) and they all came as paywave. All have the antenna cut.
Now however, in a change of heart - maybe people complained, they will let me request a full non-paywave debit card on the personal account, but not the business. If I did use it, I'd still have to ask for a receipt all the time, because I need to prove what I used the card for!
You do business with a company whose name you can't spell?
Amazon as a merchant have the choice to enforce CVV2 checks or not - it is at their liability (not the customer) if they don't and the card transaction turns out to be fraudulent. This is *their* choice as offered by the card companies.
This is not an issue with Amazon, or any other retailer who decide to take the risk (at *their* cost) of not enforcing CVV2 checks (usually because they see a better trolley-to-order conversion ratio by not enforcing it).
This is a failure of Barclays to produce any kind of security in their hardware. Plain and simple.
Nothing is 100% secure and nothing ever will be. Nobody expects it to be, it just has to be "good enough".
Having seen the way banks have treated customers who have had Chip&Pin cards cloned by shoddy hardware which has been compromised (supplied by who? Yep that's right, the card companies) then I won't go near NFC. Not a chance.
Until the cosy little relationships between banks/police/law changes then the onus will ALWAYS be on the customer to "prove" they are not lying cheating scum. The bank will say - it's all secure, not us and what do you do then? Police (much use that they ever were) will say fuck off to your bank.
I find it amusing that anyone would trust banks, especially the egregious Barclays who are hardly squeaky clean mmm?
Remember John Munden?
Here is the court report on the case: http://www.alikelman.com/jobhbos.pdf
Note, in particular, the summations on Page 12 and 13.
It's also worth pointing out that it is now law that banks have to prove in court that fraud is on the part of the customer (it wasn't then) but that this is actually what happened in this case.
@John Naismith - There is absolutely no evidence that any Chip and PIN card has ever been cloned. Unless you can demonstrate some? In which case, please cite sources.
No, Job was a different case involving the Halifax making dodgy claims that customers must be crooks because the technology is infallible.
In the Munden case, the judgement (on appeal) went against the Halifax.
Which is why internet, NFC and banking is a problem. It opens up a world of compromise which simply wasn't there before.
The question is, does not participating reduce the compromise risk?
The Munden case, while pretty poor, was 20 years ago, things have changed a lot in that time.
As for Job - Did you read the summation? It's pretty damning of Job.
Channel 4 did point out in the report that other banks (HSBC and Natwest from memory) encrypt the details and so their cards weren't susceptible to the same attack, which you seem to have completely ignored in your article.
It seems to me a clear design fault. The data should not be decryptable without a PIN being entered. Apparently however the system is designed so that requiring a PIN for transactions is optional, which is a stupid and obvious weakness IMO.
Did CH4 discover if the numbers being served were the number as printed on the card and/or included in the magstripe? While I don't think it's ideal for the card to share any unencrypted info, I understand that the numbers on the physical card, magstripe, chip'n'pin and NFC section of the card are all different. If the number shared is the NFC section's, it's going to require the manufacture of an NFC chip in order to exploit this, which I suspect is a lot more difficult than one might think.
I don't get this...two stories and a link between them that serves only to make the first story more significant?
I was pretty surprised at the demonstration by C4. The reporter has his wallet on the table and the security guy just put his mobile on top of it for a second. This was sufficient for the reporter's credit card details to be slurped by a custom android app the security guy had on his phone. The details collected were his name and the long number on the front of the card. They then created a fake account in amazon with a different home address than the reporter's and bought stuff. As far as I recall the fake amazon account didn't even use the same name as the reporter.
In essence the issues this report highlighted:
1. Barclays have not secured the NFC component of their cards. This is a very stupid error and something that anybody with experience of contactless cards is aware of. I wouldn't be surprised if the egg heads were overruled by the PHBs on this one.
2. Amazon allowed the creation of a second account with a different home address and name with the nicked credit card. This means that amazon are not even doing the most basic of checks to ensure the card details correspond to the customer details.
Basically it seems to me both companies have done a cost analysis and worked out it's cheaper for customers to be ripped off and them to refund them than to deal with the issue properly.
Business as usual then.
How are Amazon to know that this is a fake account? It could be that CC number was not connected to any existing Amazon account so they would have no way to tell. Even if it was connected to an existing Amazon account would you prevent a family having separate accounts on the same CC or someone having an account for work use with a different address? Just because the same CC is used for more than one account does not automatically mean it has been stolen even if the names and addresses are different.
By verifying the goddam CVV, like they're supposed to have been doing all along.
So if you are Mr Jones of Exeter, and someone places an order using your card number with the details of Miss Smith of Newcastle, you actually expect a retailer to say "oh well it *could* be legitimate, let's send that Fondleslab2" ? You might not care as Amazon are picking up the tab, but if they allowed this and *you* had to pay, you'd be pretty pissed off, I believe.
If the CC number was not connected to any existing Amazon account, then the *initial* transaction (at least) should be subject to a 'Code 10' check (i.e. the customer must enter the address *exactly* as it is on the bank statement, and the retailer verifies this with the bank before the goods are sent. Mismatch = possible fraud. This does not prevent the retailer from accepting a different *delivery* address.)
"Would you prevent a family having separate accounts on the same CC" ? - Yes, absolutely. This may come as a shock to you, but your family do NOT have the right to use your credit/debit card, any more than they have the right to write (and sign) a cheque in your name. At my former job (games + peripherals, mail-order: ergo, highly sellable down the pub), we were endlessly having to tell wives that they are not allowed to use their husband's card details. If you trust your spouse (or your kids) with your credit card, it's a simple enough process to get them a *separate* card, payable on your account, but with their name on it (& if the kids are at a different address - off at college, presumably - registered to their address).
""Would you prevent a family having separate accounts on the same CC" ? - Yes, absolutely."
Why? This is a PITA. Some credit card companies issue additional cards against the primary card holder's account with exactly the same 16-digit card number, start date, expiry date and even CVV2 number - Tesco Visa I'm looking at you. Which means on the few websites which do check for this then my wife can't use her credit card if I have an account on the site too e.g. Paypal. Thankfully many credit card companies, Barclaycard included, issue additional cards against the primary card holders account with a different 16-digit number.
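The arguments above (a merchant choosing whether to enforce CVV2, holding a first order from a new account whose billing details don't match, and the same card legitimately appearing on a spouse's account) can be expressed as a merchant-side screening rule. The following is an added illustration, not Amazon's or any card scheme's code; the result codes, card tokens, threshold and card-on-file data are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Order:
    account_id: str
    account_name: str
    account_age_days: int      # 0 for an account created at checkout
    card_token: str            # vault token standing in for the PAN (constructed)
    cvv_result: str            # 'match' | 'nomatch' | 'notchecked' (assumed codes)
    avs_result: str            # 'full' | 'partial' | 'nomatch' | 'unavailable' (assumed)
    ship_to_billing: bool
    amount_gbp: float

REVIEW_AMOUNT_GBP = 100.0      # constructed threshold for manual review

# Constructed card-on-file index: token -> {(account_id, account_name)} from earlier good orders.
CARDS_ON_FILE = {"tok_4e7a": {("acct-101", "A. Reporter")}}

def screen_order(order, cards_on_file):
    """Return (decision, reasons) where decision is 'ship', 'review' or 'decline'."""
    reasons = []
    # A positive CVV2 mismatch is the one hard stop: the buyer does not hold the card.
    if order.cvv_result == "nomatch":
        return "decline", ["cvv2 mismatch"]
    if order.cvv_result == "notchecked":
        reasons.append("cvv2 not verified")
    if order.avs_result == "nomatch":
        reasons.append("billing address does not match issuer record")
    elif order.avs_result in ("partial", "unavailable"):
        reasons.append("billing address only partly verified")
    # The same card on another account is not fraud by itself (joint cards,
    # family members); it only counts against a brand-new account.
    new_account = order.account_age_days < 30
    prior = cards_on_file.get(order.card_token, set())
    other_names = {n for a, n in prior
                   if a != order.account_id and n.casefold() != order.account_name.casefold()}
    if other_names and new_account:
        reasons.append("new account using a card previously seen under a different name")
    if not order.ship_to_billing and new_account:
        reasons.append("new account shipping away from billing address")
    # First order from a new account with a failed address check: do not ship.
    if new_account and "billing address does not match issuer record" in reasons:
        return "decline", reasons
    # Several weak signals, or one signal on a large basket: hold and contact the cardholder.
    if len(reasons) >= 2 or (reasons and order.amount_gbp >= REVIEW_AMOUNT_GBP):
        return "review", reasons
    return "ship", reasons
```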
Barclays sent me a replacement Visa card in February with contact-less tech. Called them up and asked for a non contact-less card instead, was told they can't do that, but could give me an electron card without contact-less instead!!
When asked why I didn't want the contact-less card I pointed out I worked in info sec, dabble in electronics and am also a radio ham (No beard, sorry) and the technology was unsafe (if I can read my details from the cards, so can criminals). I was then issued with the usual propaganda:
Cards can only be read from a few centimetres away - No, that's a limitation of the reader, not the card.
Transactions are limited to £10/£15 - Only if details are used to make "contact-less" payments, not if used elsewhere.
Bank would cover any fraud so I wouldn't be liable for any fraudulent transactions - Yeah that's great, and they are very good at doing that promptly (having been screwed over by a large high street phone supplier handing my bank details (via direct debit forms) over to some con artist) but that doesn't cover my inconvenience having my life disrupted whilst I have to deal with it and wait for new cards etc. I would much rather not expose myself to the risk thank you very much.
Even had the cheek to ask "Wouldn't you like the convenience of being able to walk into a coffee shop and just swipe to pay?" What's so inconvenient about typing in 4 numbers?
End result, having banked with them for > 30 years, I changed banks.
According to a colleague, who banks with someone else, when issued with contact-less cards recently, he rang up and they have the option of non contact-less cards. Shame mine couldn't do that.
I received a contact-less card from BoS a couple of years ago, called the number printed on the associated literature and at first I was also told they couldn't change it.
I hadn't actually read the small print yet - started to as I was explaining my security objections on the phone and read I could go to my local branch and request a normal card. Read it out to the CS agent, who probably put me on hold for a bit, but in the end I did get a normal card.
So err, yeah, read the small print, don't just listen to the guy/girl on the phone.
Having said that, I'm entirely willing to believe Barclays would offer no such option.
I was trying to keep it short :) I had spoken to a bod on the phone who couldn't help, he booked me an appointment with a chap at the branch local to where I work, as he wasn't able to do anything to help. Bloke I'm booked with rings up in advance as he was a business manager and was rarely at that branch so couldn't understand why I was booked to see him. Spent about half an hour going through the points above on the phone (he was the chap who asked "didn't I want the convenience..."). He couldn't help either (other than to say he didn't believe they did it) so I went to see the personal banker at the branch. He rang through several departments and eventually said the best they could do was offer me the electron. He also said that it was exactly the same as a Visa, good job I double checked before taking him at his word!! So no option, or at least none that three separate employees could give me. As I understand it from what I was told by each person, this is all down to how in bed with each other Barclays and Visa are. The other banks don't have the same special relationship :)
@Paul - The cards are NFC, not RFID, they cannot be read from more than a few centimeters.
Also, even if they could be read, what happens? You need a bank issued reader and a merchant account for the money to go into. This means that the bank has your name and address and a lovely breadcrumb train heading all the way to your door.
NFC is simply a modified version of RFID, one that's supposed to employ shielding to restrict the range. That's all well and good for standard readers, but it's essentially radio, therefore equipment can be built (and probably already exists) to talk to them at a greater distance. As for "bank issued reader", well I got mine from Ebay (I don't think they are a bank??). You can pick up a standard reader for about £50 and be able to read the card, or, as the article suggests, an NFC equipped smartphone ;)
Ok, NFC is modified RFID but RFID which uses induction to power it, hence the distance limits.
Also, you may have a reader, but then what? Where does the money go?
I think you may be missing the point, I'm not reading "money" from the card, I'm reading the card holders name, long card number, start date and expiry date. That is then enough information to be used elsewhere, such as say Amazon. Did you miss the article and skip straight to the comments?
Where does liability rest with these transactions? I understood that several banks/ card issuers used the Verified by Visa registration to move liability from them to the customer, is this in the same boat?
As with all card transactions, the law explicitly states that the bank has to prove that the customer is the source of the fraud.
There is money to be made by someone who produces a tin foil lined wallet - personally I don't carry my Barclaycard anywhere since they gave me the new type.
Just keep the card near to your (non-nfc) mobile phone. The signal of the phone will swamp the card.
All Amazon's fault this one.
Have you never heard the phrase "keep it under your hat" ?
@sugerbear. How does that work then?