If I'm forced to adopt a contactless credit card upon renewal of a card I shall keep it wrapped in baking foil!
Channel 4 News has been bothering contactless bank cards again, and managed to wirelessly extract the customer's name from ANY Visa-branded card within a few centimetres. Previously the programme had only demonstrated the technique on Visa cards issued by Barclays, and not all of those. However ViaForensics (the company hired …
The security is in the name
Keep the card wrapped in tinfoil and then slowly unwrap it at the tills while mentioning to anyone in earshot how much quicker it is to use than cash.
Easier to make a pouch out of foil and duck tape, that you can slip the card out of quickly :)
However ViaForensics (the company hired by Channel 4 News to do the leg work) has today demonstrated that it can lift the customer's name from any Visa-branded card.
So now you can wirelessly extract details from non-NFC cards?!
Wow, just wow!
I would let the Reg off on this one. It's all about context. The Reg already mentioned "NFC cards". The quote is most probably from a long comment about NFC cards. So they are naturally going to, at some point in the conversation, go "Visa cards" etc. They have told you they are talking about those with NFC already about 100 times. ;)
Besides, who would respond to "I'm taking the car to the shops" with "How dare you not take OUR car! You thief!"? Context implies you mean your car without mentioning the ownership already.
But the bank shoveled it down my throat "cos newer is better innit"?
Well, the first day that I put it in the wallet I discovered that it messes with the Oyster card.
So currently I have it wrapped in tinfoil, and even with the tinfoil it still screws with the Oyster readers from time to time.
This is a technology nobody asked for or needed.
I guess you go to a better class of underground station than I do; I'd never get my wallet out and wave it around at the ticket barrier. I wave only the Oyster card (kept in my pocket, not my wallet, between home and the office).
Now that explains something that puzzled me the other day. This chap on the Tube had two of those pocket chains on him on opposite sides of his waist, one attached to his wallet and the other to a separate holder for his Oyster card. Maybe the interference thing is common.
Other way round: it's the Oyster card reader that doesn't implement the bit of the protocol that allows it to pick one card to listen to. The underlying card system should allow multiple applications to share the same card, so my work ID card which lets me through doors could also be an NFC bank card and a travel card, but not an Oyster card despite them notionally being the same spec...
It is not just the Oyster card reader that gets messed up; the card readers in the datacentre also get confused.
I now carry 4 wireless cards that are incompatible with each other.
And yeah, vendors will never implement the latest version of the protocol, nor properly implement the old version.
Jumping the gun and selling new technology nobody asked for is "cool".
What's the betting: ICO will stamp their little feet, roll over, play dead and do nothing about it.
Nah, they'll wait for Visa to tickle their tummy a bit first before they do nothing about it.
This technology might not have been asked for, but there's a reason why it's being deployed: because it helps the banks, it was never for our benefit as customers.
Remember: if your card is skimmed, the onus is on you to prove the card was used fraudulently, rather than on them to protect you. It's an increase in the shift of liability from the banks to you.
Also, is it *any* Visa branded card or *any WIRELESS* Visa branded card? I don't see how they could skim the details off non-wireless cards.
"Remember: if your card is skimmed, the onus is on you to prove the card was used fraudulently, rather than on them to protect you."
No, it's explicitly written into law that the burden of proof is on the bank.
Can you provide a link for this statement?
It may come in handy at some point in the future...
Aaaand. Has that ever stopped them before?
Anon, for obvious reasons. :P
But the "proof" the bank provides, whilst deemed sufficient by the court, is actually bollocks. The EMV card specification has several documented holes.
@AC 0850 - Cite sources for both your claims.
with this kind of news story out there. The banks issued the dodgy tech by which the consumer was scammed.
Whenever I run MY contactless card through, the name given is "NOT PROVIDED".
Apparently the UK is too drunk to read earlier than usual this Friday. Sorry, one up button per customer, I did my best.
I don't want this, EVER.
Tinfoil it will be if I ever have to take one of these pieces of crap; that's even more hassle than simply GETTING MY WALLET OUT.
When Barclays tried to foist one of these cards on me last year, replacing my debit card with a contactless one, it was quite difficult to reject. Nobody seemed to understand my concern, and the half dozen people I had to go through all said "Well, you don't have to use it if you don't want to..."
In the end the only alternative they could offer was the Debit card they give to customers they don't quite trust, which has to have every transaction verified by the bank before it will authorise. I suppose there's a sort of symmetry there - I don't trust them, so they don't trust me. Thanks a lot, Barclays.
Same here; back in February the only alternative they would offer me without contactless was an "Electron" card (sounds cool, isn't). So I switched banks to one that gave me a choice.
Wonder how this'll work over here. Most bankcards (debit, that is) don't even bother putting our name on the card. Whenever I swipe one of those, I end up being called "EL CLIENTE". Oooh!!
viaForensics are pretty dumb not to have realised that this isn't a failure of any NFC or Non-NFC card. At the very least I would have expected them to test this with some other retailers, and they would have found the exact same scenario would have failed. But being selective with your facts should never get in the way of a good story I suppose.
It is the COMPLETE failure of AMAZON (and their acquirer) to process payments correctly. They should be passing the CVV/CVC with the transaction but don't, because they probably don't want to have to go through expensive PCI-DSS certification (and the additional hassle of encrypting everything).
What AMAZON should be doing is EITHER checking the CVV/CVC and/or check the address of the customer using AVS (address verification). That way the goods can (or should) only ever be delivered to the cardholder address.
Again AMAZON fail because they still allow you to deliver to an alternative address. Issuers want retailers to deliver to their home address, and if a retailer fails to deliver to a cardholder's address then the issuer has chargeback rights. In all of the cases demonstrated so far it would be the Retailer/Merchant who would lose out when the cardholder sees a fraud on their account.
Unfortunately, the way this has played out is that there is some massive failure with all Visa cards, when in fact it's a very risky (and somewhat arrogant) position that Amazon have taken to ignore the procedures that have been put in place by schemes/issuers over the years to combat this type of fraud.
Amazon = Fail.
And yes, most if not all debit and credit cards (non-NFC) contain the cardholder's name, expiry date and card number on the chip and magstripe (but you can't sniff the CVC because that is printed on the back of the card). That is the reason why it's used with AVS checking.
I am available for hire by channel 4 if needed :o)
I disagree to some extent.
I really want to be able to have the goods sent to my work address, because that is where I will be during the 9-5 time period when couriers and Royal Mail deign to deliver physical goods.
If I don't do that, then I won't get my goods until the following weekend when I am able to go to the 'local' depot or sorting office and queue for a couple of hours.
Even if I was at home that day, half the time couriers just shove the 'You weren't in' card through the letterbox and run away. Presumably because the box was never loaded on the van.
They don't all do that as often with corporate premises.
I would however much prefer it if the invoice were to be posted separately to the cardholder address, as Amazon imply, rather than stuffed in with the goods.
Totally agree with Richard the 12th.
Getting items delivered to work there is less chance of your fragile electronic goods being hoofed over a 6 foot fence, or even just abandoned on your doorstep (had that happen before!).
Couriers / Royal Mail deliver during working hours. During working hours I'm working. Therefore delivery to my place of work is a real bonus (I've actually gone through with a purchase before and cancelled it at the last screen as they demanded that the item only be delivered to the billing address!).
Invoice to the billing address is fair enough (and they usually show the invoice/billing address, although it is in the box with the item sent to the delivery address anyway).
Sigh... You can't have your cake and eat it too.
The retailer can verify your home address with your bank. That's a fair indication of where you want goods delivered to, because everyone in the chain can guarantee that the goods, with proof of delivery, have been delivered to the cardholder's address. No fraud possible unless your mum/dad/brother/sister are ripping you off.
How exactly do Amazon know that your work address is actually valid and isn't the address of A.N. Fraudster?
Answer: THEY (Amazon) DON'T. They are taking a big risk. The fact that they don't do any kind of CVC/CVV checking indicates they are even more lax in their security. But they don't care. Because they know cardholders will go whining (and blaming) to their bank. No one blames the retailer.
I sincerely hope that Amazon and their acquirer are getting a good kicking over this one.
I don't know the full ins and outs of it, but from what I've picked up:
Amazon do not charge your card until they actually dispatch the items to you (I think if they charge you before they do that, then they fall foul of the consumer credit act, which forbids companies from charging you credit for something they haven't done for you yet).
However, the Visa regs say that they are not allowed to store the CVV code. So even if you typed it into their website, they wouldn't still have it when they charge your card, and so couldn't use it.
It seems that some companies get around it, sort of: they either charge you immediately (I think that falls foul of the consumer credit act?) or tell Visa that they are going to charge your card (but actually don't) to verify the CVV code, but then when they actually place the payment, they don't check the CVV code.
As for Amazon failing because they let me buy things for people and get them sent to that person (possibly without even knowing their address), how is that a fail? Or considering the people who have more than 1 "registered" address (e.g. my parents' address, and whatever hotel I happen to be living in this week/month for work).
The COMPLETE AND UTTER fail of the Visa (mastercard/amex/jcb, etc.) system is that I have to give someone the number to buy something, but that same number can be used by anyone an unlimited number of times to buy anything. They then tell us that we should shred our receipts so people don't see the number, but we still have to give the number every time we use the card!
There's a sensible reason why many companies insist on shipping only to the billing address. It helps prevent a stolen card (or stolen details) being used by a third party to get valuable goods delivered to themselves while billing you for them. Presumably you'd recognise that as a good idea if you stopped to think about it...
I don't give a shit what's easy for banks to verify, I want my goods delivered WHERE I CAN PICK THEM UP. Otherwise their cards are useless. I set up a specific mailing address for deliveries because I CAN'T get deliveries at work and am not home during normal delivery hours even for the non-governmental delivery services. Companies involved in selling things need to adjust to the same realities the rest of the world lives in. Given that they can check my Cxx, that's fine.
Oh, and even though I don't have one, I'd still put the bonk fail on the banks. They shouldn't have been processing the requests from Amazon without one of the two, preferably the Cxx.
Yes, that line of thinking worked SO well when Paul Allen got ripped off earlier this week.
To be fair to Amazon, someone cloned my card (outside Amazon) and registered it against a different amazon account to mine, with a delivery address that wasn't one of my "listed delivery addresses". Amazon closed that fake account, cancelled its orders, and emailed me to tell me to talk to my credit card company way before even the card companies fraud detection kicked in.
Does any bank allow you to register your work address with them, and allow the AVS to succeed with either your home or work postcode? If this is allowed, then it would be handy for those with one fixed place of work , how many people work out of multiple offices?
You're not that far off. I've had the pleasure (if you can call it that!) of working with various payment gateways over the years and there's no excuse for Amazon not to check the CVV (aka CV2, Security Code, and a few other acronyms).
When the card details are taken, the merchant (e.g. Amazon) can send them to the payment gateway and request an authorisation (which charges the card), or a pre-authorisation/shadow (which effectively reserves the money but doesn't take it from the account, but does all the same checks as an authorisation step), so this bit you pretty much got right. They could also pass a request to authorise say £1, and then immediately afterwards cancel that authorisation (so it wouldn't even show up on a statement as it would never hit the overnight batch processing step), just to check that the card details are valid (but of course this wouldn't check that you had enough funds to actually pay for the order when it ships).
It's perfectly fine for the merchant to request a shadow, passing the CVV and card details at the time the order is placed, and getting an authorisation code that can later be passed back to the payment gateway and in almost 100% of cases will successfully charge the card (commonly referred to as "fulfillment") at that later date, with the usual time limit being 30 days (the ones that fail tend to be cards that expire before the period is up, or are registered lost/stolen by the card holder prior to authorisation). After 30 days are up, or the fulfillment step fails, the norm is to simply send a new authorisation request with the card details, with or without the CVV - if the initial check was done then the CVV will still match the card, so really there's no need to do it again as that check had already been done.
If the BERR (probably not called that any more, used to be DTI before that) guidelines still stand, merchants shouldn't charge before shipping goods, but they did allow for up to 28 days from charging to shipping. The DSR may have different rules, but I've forgotten most of it bar the cancellations/refunds sections which are pretty much burned into my brain!
The PCI DSS rules also allow the storage of the CVV until the order has been fulfilled, so it's again perfectly acceptable to hang on to that number until the order has shipped, charge the card using it at the time of shipping, and then discard it. I don't know of any companies that do hang onto it though, and if they do it should be stored securely well away from the card details it goes with, with a lot of controls in place to prevent anyone pulling the data together.
Unless payment gateways have changed radically in the past couple of years, I seem to remember that unless the CVV is passed to a gateway with the card number, expiry, and address numerics (the interbanking payment system is so out of date that it still can't handle letters, only numerics are passed around, most payment systems take the whole address but strip out just the numbers when passing the details to the banks for verification), then the address numerics aren't checked either - so a lack of passing CVV should also mean that Amazon have no idea if the card is even registered at the address given by the buyer.
Given that Amazon aren't even checking the CVV number it sounds like they've pretty much crippled most of their chances of detecting the common fraud attempts, so either must have a lot of other fraud checks in place (maybe along the lines of a centralised database of known problem addresses/numbers, and/or matching usage patterns associated with known previous fraudulent users during the checkout), or have decided that the amount of money they lose in chargebacks is less than the amount they'd have to pay to implement CVV/AVS properly.
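The shadow-then-fulfil flow this comment describes, worked through as an added example (not code from the original thread, and not any real gateway's API): a toy gateway that reserves funds on a pre-authorisation, compares only the digits of the address for AVS and skips that comparison when no CVV is passed, and then either captures the reservation within the 30-day window or releases it as expired, declined (card expired or reported lost) or unknown. The `ToyGateway`, `Card`, `Account` and `PreAuth` names and every card number, address and balance below are constructed for the demonstration.

```python
# Toy model of the pre-authorisation ("shadow") then fulfilment flow described above.
# Constructed example: ToyGateway and the sample values are hypothetical, not a real API.
from dataclasses import dataclass
from datetime import date, timedelta
import re
import secrets

AUTH_WINDOW_DAYS = 30  # the "usual time limit" quoted in the comment


@dataclass
class Card:
    pan: str                  # card number (constructed test value in demo())
    expiry: date              # last day the card is valid
    cvv: str                  # printed security code; the toy gateway never stores it
    billing_address: str      # address the issuer holds for AVS
    reported_lost: bool = False


@dataclass
class Account:
    balance: int              # pence available
    reserved: int = 0         # pence held by open pre-authorisations


@dataclass
class PreAuth:
    code: str                 # authorisation code handed back to the merchant
    pan: str
    amount: int
    created: date
    cvv_checked: bool         # True only when the merchant supplied a matching CVV
    avs_match: bool           # only meaningful when cvv_checked is True


def address_numerics(address: str) -> str:
    """AVS compares only the digits of an address, as the comment describes."""
    return "".join(re.findall(r"\d", address))


class ToyGateway:
    def __init__(self, cards: dict, accounts: dict):
        self.cards = cards        # pan -> Card (issuer-side view)
        self.accounts = accounts  # pan -> Account
        self.open = {}            # auth code -> PreAuth still awaiting fulfilment

    def shadow(self, pan, expiry, cvv, address, amount, today):
        """Reserve funds without taking them; returns a PreAuth, or None if declined."""
        card = self.cards.get(pan)
        if card is None or card.reported_lost or expiry != card.expiry:
            return None
        cvv_checked = cvv is not None and cvv == card.cvv
        # As the comment notes: with no CVV passed, the address numerics are not checked either.
        avs_match = cvv_checked and address_numerics(address) == address_numerics(card.billing_address)
        account = self.accounts[pan]
        if account.balance - account.reserved < amount:
            return None  # insufficient available funds once open reservations are counted
        account.reserved += amount
        pa = PreAuth(secrets.token_hex(4), pan, amount, today, cvv_checked, avs_match)
        self.open[pa.code] = pa
        return pa

    def _release(self, pa):
        self.accounts[pa.pan].reserved -= pa.amount
        del self.open[pa.code]

    def fulfil(self, code, today):
        """Capture a shadow: 'captured', 'expired', 'declined' or 'unknown'."""
        pa = self.open.get(code)
        if pa is None:
            return "unknown"
        if today - pa.created > timedelta(days=AUTH_WINDOW_DAYS):
            self._release(pa)
            return "expired"   # merchant must send a fresh authorisation request
        card = self.cards[pa.pan]
        if card.reported_lost or today > card.expiry:
            self._release(pa)
            return "declined"  # the failure cases the comment lists
        self._release(pa)
        self.accounts[pa.pan].balance -= pa.amount
        return "captured"


def demo():
    """Run the flow on constructed data and return the outcomes for inspection."""
    today = date(2012, 3, 23)
    card = Card("4000000000000002", date(2013, 12, 31), "123", "42 Example Road, AB1 2CD")
    gw = ToyGateway({card.pan: card}, {card.pan: Account(balance=10000)})
    # Order placed with CVV; address text differs but its digits (4212) match the issuer's.
    order = gw.shadow(card.pan, card.expiry, "123", "Flat 42, Example Road AB1 2CD", 2500, today)
    no_cvv = gw.shadow(card.pan, card.expiry, None, card.billing_address, 2500, today)
    shipped = gw.fulfil(order.code, today + timedelta(days=10))      # inside the window
    stale = gw.fulfil(no_cvv.code, today + timedelta(days=31))       # one day too late
    gift = gw.shadow(card.pan, card.expiry, "123", card.billing_address, 3000, today)
    card.reported_lost = True                                        # before fulfilment
    lost = gw.fulfil(gift.code, today + timedelta(days=5))
    return {
        "order_cvv_checked": order.cvv_checked, "order_avs_match": order.avs_match,
        "no_cvv_avs_checked": no_cvv.avs_match, "shipped": shipped, "stale": stale,
        "lost": lost, "after_lost_shadow_declined": gw.shadow(
            card.pan, card.expiry, "123", card.billing_address, 100, today) is None,
        "final_balance": gw.accounts[card.pan].balance,
        "final_reserved": gw.accounts[card.pan].reserved,
    }


if __name__ == "__main__":
    print(demo())
```

Two points the walk-through makes visible: a reservation counts against available funds until it is captured or released, which is why the toy declines a second shadow that the bare balance could cover; and because AVS in this model (as in the comment) only compares digits, "Flat 42, Example Road AB1 2CD" matches "42 Example Road, AB1 2CD", so an AVS match is weak evidence on its own and is best combined with the CVV check rather than used instead of it.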
And I don't care if I get downvoted for doing so. I don't ever use that facility, and I don't want to.
I will upvote you, you're a bit of a nutter, but also a bit of a legend when the machines take over.
A word of caution: they're not your cards, they belong to the bank (check the small print, somewhere); if you get caught doing this you may well find that you end up with an Electron, or no card at all.
And they may find they end up with one less customer. I don't care. Banks are ten a penny.
If they are ten a penny, why haven't you moved to another already?
Coop aren't sending out contactless cards (as yet).
Neither are Santander (who I've moved to). I've also heard NatWest give the user the option. Personally, I totally agree with drilling the antenna, and would have done it myself, but I felt I needed to make some form of statement (yes, incy wincy in terms of how the bank views me), which is why I moved.
I do not care if the merchant or the bank is at fault here.
The point is that a wireless bank card will "talk" with whatever reader is in proximity whether you want it to or not. Encrypted or not, it will talk without my permission. That means that if someone manages to decode my card's data they can make payments at some faulty merchant, thanks to a stupid bank.
I do not want that, I did not ask for that, and I swear to god that I'll build some form of sleeve that will stop the card from working wirelessly.
I still remember when the banks refused to encrypt the data in the magnetic bands decades ago because they had to update the ATMs and it was too expensive for them.
So somebody walks past you, scans your wallet and then sends your name to the accomplice, who can then stop you with "Good morning (your real name here)". Makes social engineering so much easier when you start with "proof" that you know the target.
Is that even needed?
I don't have a contactless card, but from what I have seen from people using it for transactions less than £10, you just swipe without giving a name.
What is to stop someone walking around with a swipe machine with an upgraded signal, getting everybody's contactless card to give them £9.99?
(Excuse my ignorance on these matters).
@AC 0821 - What stops them is the requirement for the money to have somewhere to go. You may have a merchant machine, but it's useless if it's not linked to a bank's systems and a merchant account. If you have a merchant account and machine linked to it (usually bank supplied) they know who you are, where you live, what your business is and they have profiles of the amounts of money that are usually spent at your business. You will get caught, even if individuals don't notice that they've had small amounts of money taken from them.
Anybody who stops me with "Good morning (your real name here)." that I don't immediately recognize is more likely to generate a call to the coppers than get more info from me. For my roomie, it'll be even worse. I haven't met a stranger yet who pronounces her name correctly from only a script.
A contactless terminal can authorise without a PIN for transactions <£10, but there is a chance that it will ask for the PIN. I'm not sure if it is the card, the terminal, or the bank that controls this, but I'd guess it is the card. If the PIN isn't provided, I'd hope that the card locks into PIN-required until it is provided.