
back to article Marks & Sparks accused of silently bonking punters over the tills

High-street socks'n'frocks chain Marks and Spencer is accused of quietly taking money from shoppers' contactless bank cards at the tills. The accusations come from Radio 4's Money Box listeners, who called in to report that M&S had billed cards in purses and handbags over the air, unbeknownst to customers who had intended to pay …

COMMENTS

This topic is closed for new posts.


xyz
Bronze badge
Devil

Thought this might happen...

sooo... given that "It is possible that the terminals used by M&S were hugely overpowered if they were reading cards at 40cm, or that they fail to implement the EMV standard properly" should one be wary of Rom/Alb/anians at bus stops with suspiciously large batteries next to them?

13
7

Re: Thought this might happen...

@xyz: "should one be wary of Rom/Alb/anians at bus stops with suspiciously large batteries next to them?"

Only if one is a racist. The technical point is a fair one, but the issue is surely about being wary of *anyone* at a bus stop with suspiciously large batteries next to them. Their country of origin is irrelevant.

23
12
Anonymous Coward

Re: Thought this might happen...

Agreed

Did they learn nothing from the passport RFID fiasco ?

5
0
Anonymous Coward

Re: Thought this might happen...

Yes but some nationalities seem to be so much more competent at using the technology!

9
3
xyz
Bronze badge
Devil

Re: Thought this might happen...

As you say, I'm second to none in admiring the abilities of certain groups who seem to have an ability to grasp a tech concept, design and construct a solution for it in no time, release working systems and readily make money out of those systems. Anyway, to respond to anyone who may have been offended at my initial remark, regarding Eastern Europeans, my GF (from Tanzania) thought it was quite funny.

6
4
Anonymous Coward

Re: Thought this might happen...

Former M&S Employee

The tills at ours were underpowered Windows server boxes. When they "upgraded" 40% of the tills died for 2 days.

On a side note, when contactless was first used at M&S, there was a bug in the system (I assume this has now been patched) where if you attempt to pay by chip and pin, cancel it and then pay by contactless, the transaction would go through (in a fashion) without charging the customer.

1
0

Re: Thought this might happen...

What fiasco? The passport chip is designed to be open and read. All it contains is a copy of the data page and photograph. The passport office even has an app for that.

0
2
Anonymous Coward

Re: Thought this might happen... @deadlift

Here you go.

http://www.zdnet.com/rfid-e-passport-security-at-risk-govt-1339315886/

0
0
Anonymous Coward

Re: Thought this might happen...

Or this:

http://www.guardian.co.uk/technology/2006/nov/17/news.homeaffairs

0
0
Silver badge

Re: Thought this might happen...

> Only if one is a racist.

Curious, I didn't realise that Albanians and Romanians were racially distinct peoples.

I think you may have meant 'xenophobe', but of course that isn't as damning an indictment, nor illegal.

1
2

Re: Thought this might happen...

If you are not wary of Romanians or other eastern Europeans then you are a fool.

If you allow your hip and trendy "I'm not a racist, I randomly kiss Albanians at Bus Stops" brainwashing to influence your actions not just your words then you will get pick pocketed or card skimmed or all sorts of different scams by dubious people.

2
3
Anonymous Coward

Re: "Oh dear, the sky is falling, better run to and fro waving arms in the air"

In order to take payments from a payment card one requires a merchant account.

To get one of these you must be a legitimate business and be vetted by a reputable bank.

0
1
Bronze badge

And yet the credit card companies are still being allowed to refuse any request to provide a card without NFC functionality built in. The most I managed was to get it removed from my debit card.

This really does need to change IMO.

17
0
Anonymous Coward

I'm pretty sure if you can work out where the coil is you can break the wire and stop the NFC chip from being energised.

3
1
Bronze badge

Drill

I'd imagine a well positioned 8mm hole will disable the functionality nicely. Assuming that is that the NFC chip is in a different location to the payment chip.

0
2
Go

Very easily

I nobbled the contactless elements in my credit cards using a craft knife a few months back. Chip and PIN payments were not affected. The NFC-capable phone came in handy to confirm an element was present and to confirm afterwards that it was dead.

9
0
Bronze badge
Coat

Re: Very easily

Sorry but if you came in to pay for something and you had a hole in the credit card, I would be very suspicious it would be a fake (And then get fired for being annoying).

1
1
Happy

Re: Very easily

For what it's worth my card doesn't have a blatant hole, it's a barely-visible nick. Besides, the vendor doesn't handle the card for Chip & Pin payments.

7
1
Bronze badge

Re: Very easily

Sorry but if I went into your store and you came close enough to my card to notice a 1mm hole (you don't need 8mm) in my credit card I would be suspicious that you were up to no good.

It is no longer the shop staff's job to determine if a card is fake or not, that is up to the electronics.

2
1
Bronze badge

I have a Natwest credit card without NFC, and a Barclaycard with. I don't like it either, how will it work when it's widespread and you are expected to prove you agreed to pay?

1
0
Silver badge

It's no good drilling out or microwaving or otherwise destroying electronic components on credit cards. The card issuers have already cottoned on to this practice.

Last year, my local supermarket introduced PINless chip-based payments in addition to the old magnetic swipe. My card, issued by my bank, had both magnetic stripe and chip. Since I didn't like the idea of payments being able to be taken from my card without a PIN or other authentication, I fried the chip.

Then I found that the smartcard terminals wouldn't accept the card from a magnetic swipe. Apparently my card was "pipped" or "tagged" as having a chip, and the terminal wouldn't accept the magnetic swipe since it preferred to use the chip. Result: I had to explain to my bank that the card had been damaged, and wait for two weeks while they sent me a new card.

So you simply don't have the choice. If your card comes with a chip, and the terminal is equipped to read a chip, that's what you WILL use, like it or lump it. Obviously the magnetic swipe is only there for legacy terminals without chip capability.

So now I just use cash when I go shopping.

2
0

PINless at the supermarket?

Who the H! thought that was a good idea?

Besides pickpockets, of course...

Which Supermarket was it, anyway?

(In case I ever come across it in my travels)

1
0
Silver badge

Well lapdancers for one....

Surely they'd think it a good idea.

0
0
Silver badge

@Steven Roper

NFC cards have two chips. One for the standard chip&PIN, and a separate one at the other side of the card for the NFC contactless payment. A stripe reader will indeed refuse to read the strip on a chip&PIN card, it's a security measure to minimize fraud due to card copying. It has nothing to do with the NFC pay-by-bonk functionality.

If you "fried the chip" by zapping it in a microwave or something similar you probably fried both chips. All you really needed to do was cut the antenna strip for the NFC chip, leaving the chip&PIN one intact.

2
1

I did this too

I think the only way is to request one without RFID.

If we all did this the world may be a better place.

0
1
Anonymous Coward

Design fault

Surely with any sort of contact-less card there should at least be a button that enables the NFC chip?

6
0
Bronze badge

Billing twice certainly shouldn't be possible. The process flow of a payment is well known, and the till shouldn't issue multiple receipts any more than it would accept two successive Chip-and-PIN payments for the same goods.

How many people have had the person operating the till say something has gone wrong, pull out what looks like a receipt and chuck it away? Then you have to make sure you look at that transaction on your statements to make sure it went through properly.

I have had this several times, so in my opinion these things are more likely till operator error / bad training. Maybe not, but it seems more likely to me than it reading a card 40cm away if they are built to the standard.

7
2
Silver badge

Agreed. Cashier error is extremely commonplace and is a far more likely cause of the issue. The NFC spec isn't terribly complex and I find it hard to fault the tech when Humans are known to be extremely error prone.

0
3
Bronze badge

Any normal system wouldn't allow for cashier error like that (I would easily expect M&S to be on a normal system). If there are goods awaiting payment and a payment is made (by whatever means) then the transaction is completed and the only way of double charging would be to re-scan all the items in again.

The operator doesn't get the opportunity to scrunch up a receipt and ask for payment again. There would be no outstanding transaction to pay against.

The only way I could see this happening (although it definitely shouldn't) is that the C&P has gone off to get authorised and in the meantime the coil is still active (or reactivated) and takes payment via NFC before the confirmation from the bank has been returned.

However that seems very unlikely.

0
0
WTF?

Being billed twice

Every time that I have had an error in any payment by chip+pin I have been given the erroneous till receipt without having to ask. If you do not get the receipt, challenge it there and then, not maybe 3 or 4 weeks later when you get your statement.

1
1
Anonymous Coward

Err...

I heard that episode of Moneybox and there was a single customer complaining that she tried to enter her card into the PED and brushed her purse with another card past the PED. She noticed at once that it said it has been paid by contactless.

She claimed that she had brushed her purse past the PED, but this isn't really that credible, you have to hold your card and keep it pretty much still. The PED can detect movement and a present and remove motion and not take a payment. I suspect she held her purse against the PED and kept it there, but was too embarrassed to say so.

As for range, it doesn't matter if the PED has too powerful a transmitter, because the transmitter in the card has to be uprated to make a distance change. NFC only works over about 20cm in a lab and with my experiments at home on my contactless cards, I can only detect them with my phone about 1cm away at the most, even then the card has to be in the correct orientation wrt the phone.

4
4
Anonymous Coward

Re: Err...

The distance the card can transmit is a function of the magnetic field it is exposed to (NFC uses magnetic induction between the coil in the reader and the coil in the card). The stronger the field the further the transmission.

Your phone, which will often be kept in your pocket near to cards with magnetic strips, will only generate a relatively weak magnetic field and thus the transmission from the card will also be weak.

If the NFC readers in M&S are using a stronger field than that specified then it may be reading cards further than 20cm.

2
0
Anonymous Coward

Re: Err...

I think you're getting mixed up with RFID, which is a function of the induced field. NFC is much more complex than that and has powered transmitters (with power regulators).

0
0
Bronze badge

true scale of the problem?

With a million transactions of all kind, 100 misapplied NFC transactions in the same period although a significant error in each customer's case is quite a small percentage overall.

Perhaps a bigger sticker on the NFC reader to remind people not to get their cards close unless they mean it. Like there used to be a warning near tills not to put your magnetically striped cards near the machine that disabled the security tag.

What would be really scary would be tills taking payment from someone who wasn't buying anything...

0
5
Anonymous Coward

re: Paula from London

Paula from London is not credible; the PEDs at M&S are hardly that much more than 40cm apart and the PED just won't debit a card contactless if there is a card in the slot.

2
6
Anonymous Coward

Re: re: Paula from London

While I don't doubt the theory that it shouldn't be possible to read a card from more than a few centimeters away from the reader there have been numerous credible projects on the 'net and various respected news sites that indicate it's possible to read RFID/NFC cards from significantly larger distances. If you're calling a Pin Entry Device a PED then you're in the trade and you should be aware of them too if you're going to comment on the security of devices.

Power levels in PEDs are programmable, card skimmers are credible, and NFC card payments scare the bejesus out of me as I have no doubt that the banks will deny it's possible to get ripped off unless you are complicit or negligent. Five contactless payments in a day before having to use your PIN is all well and good but that's £100 a day at the current transaction limit and it'd make my finances very tricky indeed if someone managed to gain access to my card and maxed it out with contactless payments.

So all in, Paula may have made a mistake but to say she's not credible is insulting.

10
1
Anonymous Coward

Re: re: Paula from London

NFC is not the same as RFID. It works in a different way, you can get RFID to work over silly distances, but NFC is very limited because it uses magnetic induction not radio frequency.

2
3
Anonymous Coward

Re: " Five .. in a day ... before having to use your PIN"

This is not how it works. The user will be expected to enter the PIN at random and at least every 5 transactions.

0
0
g e
Silver badge
Black Helicopters

Don't forget the conspiracy angle

That VISA reckon they can skim a coupla billion to get interest on before being forced to refund/fix it.

2
0
Unhappy

nfc annoying

The pay points at our local car park have been 'upgraded' to accept nfc.

So if you put a wireless card in it uses it automatically rather than ask you for a pin.

Only take about twice as long to authenticate, grr

1
0
Anonymous Coward

Re: nfc annoying

If you put a card in it will read the chip on the card, it won't go wireless unless you just hold the card against it.

In both cases the PIN can be optional for small accounts, there's nothing new in that.

0
3
Anonymous Coward

Re: nfc annoying

Why the downvote? Apart from me typoing "accounts" for "amounts" my post was factually correct...

0
0
Anonymous Coward

Bonking

Bonkers!

1
0
Flame

Get some NFC Card Sleeves damned fast!!!

NFC Card issuers should be DAMNED ashamed for not providing full RF sleeves for ALL NFC cards; I had to buy some off Amazon marketplace because my negligent bank did not provide one for my debit card, and I was wary, for good reason!

Beware the cards have to be fully in RF sleeves, because an NFC tester at work noticed that if they are not fully in my sleeves, they can still activate!

Criminals will cotton on to this damned fast!

The NFC card issuers who don't provide RF sleeves should be sued for negligently enabling 'drive by' theft!

No excuses!!!

6
1
Silver badge
Paris Hilton

Re: Get some NFC Card Sleeves damned fast!!!

Is that the new tinfoil?

3
2
Anonymous Coward

One possible issue.

Take your average woman with a "handbag" the size of a small suitcase.

She plonks it down on the till, say to the left of her shopping, next to the adjacent till (in many stores this is very easy as they are often bunched together in banks). Whips out card to pay for her goods. Meanwhile another card sat in her handbag, happily pays for goods at the next till.

This does not require a huge distance, less than >50cm is quite obtainable, especially if the card reader is in front of the till.

7
2
Anonymous Coward

Re: One possible issue.

The NFC cards simply do not and cannot work over more than a cm or two in the real world. If they did, there would be all sorts of problems of the type you suggest, the fact that there are no credible reports of this happening suggests it's not the case. In particular consider the amount of people who go past NFC turnstiles each day and have a wallet with both NFC debit card and an oyster card in it, without cross charging to other turnstiles, or interfering with their own cards or other's use of the turnstiles.

0
10
Anonymous Coward

Re: One possible issue.

> The NFC cards simply do not and cannot work over more than a cm or two in the real world

It depends on the NFC implementation in the terminal. This is not really the first report of uncontrolled charging - Starbucks had quite a few incidents like this as well when they introduced NFC. The short distance is a function of deliberately poor design of the terminal transceiver stage so you need to be close, but it's not exactly hard to "upgrade" that for someone with criminal intent (or even accidental).

The best sign that credit card companies know this too is the NFC transaction limit. They're not normally shy in getting you into debt.

3
0
Anonymous Coward

Re: One possible issue.

> do not and cannot work over more than a cm or two

Do not usually? Fair enough.

Cannot? I have no confidence in that statement.

0
0
Facepalm

Another severe lack of common sense?

I would imagine the customers that this affected had their purses/wallets in their hands whilst fiddling with the chip n' pin terminal. However, this is not the lack of common sense I am referring to.

More that when the NFC payment standard was designed, why was it not specified that there should simply be a confirmation dialogue? Is anything more than a wand waving motion too much for the average consumer to be burdened with?

Surely this would have prevented potential fraudsters as well.

6
1
