ALL Visa cards blab punters' names - not just Barclaycards

Channel 4 News has been bothering contactless bank cards again, and managed to wirelessly extract the customer's name from ANY Visa-branded card within a few centimetres. Previously the programme had only demonstrated the technique on Visa cards issued by Barclays, and not all of those. However ViaForensics (the company hired …

COMMENTS

  1. Anonymous Coward
    Anonymous Coward

    Tin Foil

    If I'm forced to adopt a contactless credit card upon renewal of a card I shall keep it wrapped in baking foil!

    1. Anonymous Coward
      Anonymous Coward

      wireless credit cards

      The security is in the name

      Wireless=open

      Or

      Wireless=hackable

    2. Anonymous Coward
      Anonymous Coward

      Re: Tin Foil

      Keep the card wrapped in tinfoil and then slowly unwrap it at the tills while mentioning to anyone in earshot how much quicker it is to use than cash.

    3. Anonymous Coward
      Anonymous Coward

      Re: Tin Foil

      Easier to make a pouch out of foil and duck tape, that you can slip the card out of quickly :)

  2. GettinSadda
    Alert

    Wow!

    However ViaForensics (the company hired by Channel 4 News to do the leg work) has today demonstrated that it can lift the customer's name from any Visa-branded card.

    So now you can wirelessly extract details from non-NFC cards?!

    Wow, just wow!

    1. Anonymous Coward
      Facepalm

      Re: Wow!

      I would let the Reg off on this one. It's all about context. The Reg already mentioned "NFC cards". The quote is most probably from a long comment about NFC cards. So they are naturally going to, at some point in the conversation go "Visa cards" etc. They have told you they are talking about those with NFC already about 100 times. ;)

      Besides, who would respond to "I'm taking the car to the shops" with "How dare you not take OUR car! You thief!"? Context implies you mean your car without mentioning the ownership already.

  3. John Sanders
    Unhappy

    I did not ask for a wireless card

    But the bank shoveled it down my throat "cos newer is better innit"?

    Well the first day that I put it on the wallet I discover that it messes up with the Oyster card.

    So currently I have it wrapped in tinfoil and still with the tinfoil it screws with the oyster readers from time to time.

    This is a technology nobody asked or needed.

    1. Anonymous Coward
      Anonymous Coward

      Re: I did not ask for a wireless card

      I guess you go to a better class of underground station than I do, I'd never get out my wallet and wave it around the ticket barrier. I wave only the oyster card (kept in my pocket and not wallet between home and the office)

    2. Matt Bryant Silver badge
      Facepalm

      Re: I did not ask for a wireless card

      Now that explains something that puzzled me the other day. This chap on the Tube had two of those pocket chains on him on opposite sides of his waist, one attached to his wallet and the other to a separate holder for his oyster card. Maybe the interference thing is common.

    3. Vulch

      Re: I did not ask for a wireless card

      Other way round, it's the Oyster card reader doesn't implement the bit of the protocol that allows it to pick one card to listen to. The underlying card system should allow multiple applications to share the same card, so my work ID card which lets me through doors could also be an NFC bank card and a travel card, but not an Oyster card despite them notionally being the same spec...

      1. John Sanders
        Unhappy

        Re: I did not ask for a wireless card

        It is not just the oyster card reader the one that gets messed up, the card readers in the datacentre also get confused.

        I carry now 4 wireless cards incompatible with each other.

        And yeah vendors will never implement the latest version of the protocol, nor implement properly the old version.

        Jumping the gun and selling new technology nobody asked for is "cool".

  4. Anonymous Coward
    Anonymous Coward

    Chocolate Fireguard time again

    What's the betting: ICO will stamp their little feet, rollover, play dead and do nothing about it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Chocolate Fireguard time again

      nah, they'll wait for Visa to tickle their tummy a bit first before they do nothing about it.

  5. Pete Spicer

    This technology might not have been asked for, but there's a reason why it's being deployed: because it helps the banks, it was never for our benefit as customers.

    Remember: if your card is skimmed, the onus is on you to prove the card was used fraudulently, rather than on them to protect you. It's an increasing of the shift in liability from the banks to you.

    Also, is it *any* Visa branded card or *any WIRELESS* Visa branded card? I don't see how they could skim the details off non-wireless cards.

    1. Anonymous Coward
      Anonymous Coward

      err

      "Remember: if your card is skimmed, the onus is on you to prove the card was used fraudulently, rather than on them to protect you."

      No, it's explicitly written into law that the burden of proof is on the bank.

      1. pcsupport
        Happy

        Re: err

        Can you provide a link for this statement?

        It may come in handy at some point in the future...

        1. Anonymous Coward
          Anonymous Coward

          Re: err

          http://en.m.wikipedia.org/wiki/Chip_and_PIN

          1. Anonymous Coward
            Anonymous Coward

            Re: err

            But the "proof" the bank provides, whilst deemed sufficient by the court, is actually bollocks. The EMV card specification has several documented holes.

            1. Anonymous Coward
              Anonymous Coward

              Re: err

              @AC 0850 - Cite sources for both your claims.

      2. Anonymous Coward
        Anonymous Coward

        Re: err

        Aaaand. Has that ever stopped them before?

        Anon, for obvious reasons. :P

    2. Tom 13

      Any real court will quickly put the onus back on the bank

      with this kind of news story out there. The banks issued the dodgy tech by which the consumer was scammed.

  6. Charles 9

    Weird.

    Whenever I run MY contactless card through, the name given is "NOT PROVIDED".

    1. Gannon (J.) Dick
      Pint

      Re: Weird.

      Apparently the UK is too drunk to read earlier than usual this Friday. Sorry, one up button per customer, I did my best.

  7. Scott 67
    FAIL

    This technology is absolute bollocks

    I don't want this, EVER.

    Tin Foil it will be if I ever have to take one of these pieces of crap, that's even more hassle than simply GETTING MY WALLET OUT..

    1. teacake

      Re: This technology is absolute bollocks

      When Barclays tried to foist one of these cards on me last year, replacing my debit card with a contactless one, it was quite difficult to reject. Nobody seemed to understand my concern, and the half dozen people I had to go through all said "Well, you don't have to use it if you don't want to..."

      In the end the only alternative they could offer was the Debit card they give to customers they don't quite trust, which has to have every transaction verified by the bank before it will authorise. I suppose there's a sort of symmetry there - I don't trust them, so they don't trust me. Thanks a lot, Barclays.

      1. PaulWizard

        Re: This technology is absolute bollocks

        Same here, back in February the only alternative they would offer me, without contactless, was an "Electron" card (sounds cool, isn't). So I switched banks to one that gave me a choice.

  8. Daniel B.
    Happy

    Wonder how this'll work over here. Most bankcards (debit, that is) don't even bother putting our name on the card. Whenever I swipe one of those, I end up being called "EL CLIENTE". Oooh!!

  9. sugerbear
    FAIL

    NOT Visa failing - It's AMAZON failing.

    viaForensics are pretty dumb not to have realised that this isn't a failure of any NFC or Non-NFC card. At the very least I would have expected them to test this with some other retailers, and they would have found the exact same scenario would have failed. But being selective with your facts should never get in the way of a good story I suppose.

    It is the COMPLETE failure of AMAZON (and their acquirer) to process payments correctly. They should be passing the CVV/CVC with the transaction but don't because they probably don't want to have to go through expensive PCI-DSS certification (and the additional hassle of encrypting everything).

    What AMAZON should be doing is EITHER checking the CVV/CVC and/or check the address of the customer using AVS (address verification). That way the goods can (or should) only ever be delivered to the cardholder address.

    Again AMAZON fail because they still allow you to deliver to an alternative address. Issuers want retailers to deliver to their home address and if a retailer fails to deliver to a cardholder's address then the issuer has chargeback rights. In all of the cases demonstrated so far it would be the Retailer/Merchant who would lose out when the cardholder sees a fraud on their account.

    Unfortunately the way this has played out is there is some massive failure with all Visa cards when in fact it's a very risky (and somewhat arrogant) position that Amazon have taken to ignore the procedures that have been put in place by schemes/issuers over the years to combat this type of fraud.

    Amazon = Fail.

    And yes, most if not all debit and credit cards (non-NFC) contain the cardholder's name, expiry date and card number on the chip and magstripe (but you can't sniff the CVC because that is printed on the back of the card). That is the reason why it's used with AVS checking.

    I am available for hire by channel 4 if needed :o)

    1. Richard 12 Silver badge

      Re: NOT Visa failing - It's AMAZON failing.

      I disagree to some extent.

      I really want to be able to have the goods sent to my work address, because that is where I will be during the 9-5 time period when couriers and Royal Mail deign to deliver physical goods.

      If I don't do that, then I won't get my goods until the following weekend when I am able to go to the 'local' depot or sorting office and queue for a couple of hours.

      Even if I was at home that day, half the time couriers just shove the 'You weren't in' card through the letterbox and run away. Presumably because the box was never loaded on the van.

      They don't all do that as often with corporate premises.

      I would however much prefer it if the invoice were to be posted separately to the cardholder address, as Amazon imply, rather than stuffed in with the goods.

      1. Anonymous Coward
        Anonymous Coward

        Re: NOT Visa failing - It's AMAZON failing.

        Totally agree with Richard the 12th.

        Getting items delivered to work there is less chance of your fragile electronic goods being hoofed over a 6 foot fence, or even just abandoned on your doorstep (had that happen before!).

        Couriers / Royal Mail deliver during working hours. During working hours I'm working. Therefore delivery to my place of work is a real bonus (I've actually gone through with a purchase before and cancelled it at the last screen as they demanded that the item only be delivered to the billing address!).

        Invoice to the billing address is fair enough (and they usually show the invoice/billing address, although it is in the box with the item sent to the delivery address anyway).

        1. sugerbear
          FAIL

          Re: NOT Visa failing - It's AMAZON failing.

          Sigh... You can't have your cake and eat it too.

          The retailer can verify your home address with your bank. That's a fair indication of where you want goods delivered to because everyone in the chain can guarantee that the goods with proof of delivery have been delivered to the cardholder's address. No fraud possible unless your mum/dad/brother/sister are ripping you off.

          How exactly do Amazon know that your work address is actually valid and isn't the address of A.N.Fraudster ?

          Answer THEY (Amazon) DON'T. They are taking a big risk. The fact that they don't do any kind of CVC/CVV checking indicates they are even more lax in their security. But they don't care. Because they know cardholders will go whining (and blaming) to their bank. No one blames the retailer.

          I sincerely hope that Amazon and their acquirer are getting a good kicking over this one.

          1. Tom 13

            Re: Sigh...

            I don't give a shit what's easy for banks to verify, I want my goods delivered WHERE I CAN PICK THEM UP. Otherwise their cards are useless. I set up a specific mailing address for deliveries because I CAN'T get deliveries at work and am not home during normal delivery hours even for the non-governmental delivery services. Companies involved in selling things need to adjust to the same realities the rest of the world lives in. Given that they can check my Cxx, that's fine.

            Oh, and even though I don't have one, I'd still put the bonk fail on the banks. They shouldn't have been processing the requests from Amazon without one of the two, preferably the Cxx.

        2. Neil Lewis
          Thumb Down

          Re: NOT Visa failing - It's AMAZON failing.

          There's a sensible reason why many companies insist on shipping only to the billing address. It helps prevent a stolen card (or stolen details) being used by a third party to get valuable goods delivered to themselves while billing you for them. Presumably you'd recognise that as a good idea if you stopped to think about it...

          1. Tom 13
            FAIL

            @Neil Lewis

            Yes, that line of thinking worked SO well when Paul Allen got ripped off earlier this week.

          2. Anonymous Coward
            Anonymous Coward

            Re: NOT Visa failing - It's AMAZON failing.

            To be fair to Amazon, someone cloned my card (outside Amazon) and registered it against a different Amazon account to mine, with a delivery address that wasn't one of my "listed delivery addresses". Amazon closed that fake account, cancelled its orders, and emailed me to tell me to talk to my credit card company way before even the card company's fraud detection kicked in.

    2. BristolBachelor Gold badge

      Re: NOT AMAZON failing - It's Visa failing.

      I don't know the full ins and outs of it, but from what I've picked up:

      Amazon do not charge your card until they actually dispatch the items to you (I think if they charge you before they do that, then they fall foul of the consumer credit act, which forbids companies from charging you credit for something they haven't done for you yet).

      However, the Visa regs say that they are not allowed to store the CVV code. So even if you typed it into their website, they wouldn't still have it when they charge your card, and so couldn't use it.

      It seems that some companies get around it; sort of; They either charge you immediately (I think that falls foul of the consumer credit act?) or by telling Visa that they are going to charge your card (but actually not) to verify the CVV code, but then when they actually place the payment, they don't check the CVV code.

      As for Amazon failing because they let me buy things for people and get them sent to that person (possibly without even knowing their address), how is that a fail? Or considering the people who have more than 1 "registered" address (e.g. my parents' address, and whatever hotel I happen to be living in this week/month for work).

      The COMPLETE AND UTTER fail of the Visa (mastercard/amex/jcb, etc.) system is that I have to give someone the number to buy something, but that same number can be used by anyone an unlimited number of times to buy anything. They then tell us that we should shred our receipts so people don't see the number, but we still have to give the number every time we use the card!

      1. Anonymous Coward
        Anonymous Coward

        Re: NOT AMAZON failing - It's Visa failing.

        You're not that far off. I've had the pleasure (if you can call it that!) of working with various payment gateways over the years and there's no excuse for Amazon not to check the CVV (aka CV2, Security Code, and a few other acronyms)

        When the card details are taken, the merchant (eg Amazon) can send them to the payment gateway and request an authorisation (which charges the card), or a pre-authorisation/shadow (which effectively reserves the money but doesn't take it from the account, but does all the same checks as an authorisation step), so this bit you pretty much got right. They could also pass a request to authorise say £1, and then immediately afterwards cancel that authorisation (so it wouldn't even show up on a statement as it would never hit the overnight batch processing step), just to check that the card details are valid (but of course this wouldn't check that you had enough funds to actually pay for the order when it ships).

        It's perfectly fine for the merchant to request a shadow, passing the CVV and card details at the time the order is placed, and getting an authorisation code that can later be passed back to the payment gateway and in almost 100% of cases will successfully charge the card (commonly referred to as "fulfillment") at that later date, with the usual time limit being 30 days (the ones that fail tend to be cards that expire before the period is up, or are registered lost/stolen by the card holder prior to authorisation). After 30 days are up, or the fulfillment step fails, the norm is to simply send a new authorisation request with the card details, with or without the CVV - if the initial check was done then the CVV will still match the card, so really there's no need to do it again as that check had already been done.

        If the BERR (probably not called that any more, used to be DTI before that) guidelines still stand, merchants shouldn't charge before shipping goods but they did allow for up to 28 days from charging to shipping. The DSR may have different rules, but I've forgotten most of it bar the cancellations/refunds sections which are pretty much burned into my brain!

        The PCI DSS rules also allow the storage of the CVV until the order has been fulfilled, so it's also again perfectly acceptable to hang on to that number until the order has shipped and charge the card using it at the time of shipping, and then discarding it. I don't know of any companies that do hang onto it though, and if they do it should be stored securely well away from the card details it goes with, with a lot of controls in place to prevent anyone pulling the data together.

        Unless payment gateways have changed radically in the past couple of years, I seem to remember that unless the CVV is passed to a gateway with the card number, expiry, and address numerics (the interbanking payment system is so out of date that it still can't handle letters, only numerics are passed around, most payment systems take the whole address but strip out just the numbers when passing the details to the banks for verification), then the address numerics aren't checked either - so a lack of passing CVV should also mean that Amazon have no idea if the card is even registered at the address given by the buyer.

        Given that Amazon aren't even checking the CVV number it sounds like they've pretty much crippled most of their chances of detecting the common fraud attempts, so either must have a lot of other fraud checks in place (maybe along the lines of a centralised database of known problem addresses/numbers, and/or matching usage patterns associated with known previous fraudulent users during the checkout), or have decided that the amount of money they lose in chargebacks is less than the amount they'd have to pay to implement CVV/AVS properly.

    3. Colin Miller

      Re: NOT Visa failing - It's AMAZON failing.

      Does any bank allow you to register your work address with them, and allow the AVS to succeed with either your home or work postcode? If this is allowed, then it would be handy for those with one fixed place of work, how many people work out of multiple offices?

  10. TRT Silver badge

    I've drilled the aerial out of my cards.

    And I don't care if I get downvoted for doing so. I don't ever use that facility, and I don't want to.

    1. Shakje

      Re: I've drilled the aerial out of my cards.

      I will upvote you, you're a bit of a nutter, but also a bit of a legend when the machines take over.

    2. Anonymous Coward
      Anonymous Coward

      Re: I've drilled the aerial out of my cards.

      A word of caution: They're not your cards, they belong to the bank (check the smallprint, somewhere) if you get caught doing this you may well find that you end up with an Electron, or no card at all.

      1. TRT Silver badge

        Re: I've drilled the aerial out of my cards.

        And they may find they end up with one less customer. I don't care. Banks are ten a penny.

        1. Anonymous Coward
          Anonymous Coward

          Re: I've drilled the aerial out of my cards.

          If they are ten a penny, why haven't you moved to another already?

          Coop aren't sending out contactless cards (as yet).

          1. PaulWizard

            Re: I've drilled the aerial out of my cards.

            Neither are Santander (who I've moved to). I've also heard NatWest give the user the option. Personally totally agree with drilling the antenna, and would have done it myself but I felt I needed to make some form of statement (yes, incy wincy in terms of how bank views me) which is why I moved.

  11. John Sanders
    Unhappy

    I do not care whose fault it is, and that is not the point!

    I do not care if the merchant or the bank is at fault here.

    The point is that a wireless bank card will "talk" with whatever reader is on proximity whether you want or not. Encrypted or not it will talk without my permission. That means that if someone manages to decode my card's data they can make payments on some faulty merchant, thanks to a stupid bank.

    I do not want that, I did not ask for that, and I swear to god that I'll build some form of sleeve that will stop the card from working wirelessly.

    I still remember when the banks refused to encrypt the data in the magnetic bands decades ago because they had to update the ATMs and it was too expensive for them.

  12. Anonymous Coward
    Anonymous Coward

    Stuff the payment fraud, what about the identity theft

    So somebody walks past you, scans your wallet and then send your name to the accomplice who can then stop you with "Good morning (your real name here)". Makes social engineering so much easier when you start with "proof" that you know the target.

    1. Anonymous Coward
      Anonymous Coward

      Re: Stuff the payment fraud, what about the identity theft

      Is that even needed?

      I don't have a contactless card, but from what I have seen from people using it for transactions less than £10, you just swipe without giving a name.

      What is to stop someone walking around with a swipe machine with an upgraded signal, getting everybody's contactless card to give them £9.99?

      (Excuse my ignorance on these matters).

      1. Anonymous Coward
        Anonymous Coward

        Re: Stuff the payment fraud, what about the identity theft

        @AC 0821 - What stops them is the requirement for the money to have somewhere to go. You may have a merchant machine, but it's useless if it's not linked to a bank's systems and a merchant account. If you have a merchant account and machine linked to it (usually bank supplied) they know who you are, where you live, what your business is and they have profiles of the amounts of money that are usually spent at your business. You will get caught, even if individuals don't notice that they've had small amounts of money taken from them.

      2. Colin Miller

        Re: Stuff the payment fraud, what about the identity theft

        A contactless terminal can authorise without a PIN for transactions <£10, but there is a chance that it will ask for the PIN. I'm not sure if it is the card, the terminal, or the bank that controls this, but I'd guess it is the card. If the PIN isn't provided, I'd hope that the card locks into PIN-required until it is provided.

    2. Tom 13

      Re: Stuff the payment fraud, what about the identity theft

      Anybody who stops me with "Good morning (your real name here)." that I don't immediately recognize is more likely to generate a call to the coppers than get more info from me. For my roomie, it'll be even worse. I haven't met a stranger yet who pronounces her name correctly from only a script.

  13. Graham Marsden
    Unhappy

    Meanwhile...

    ... there's also the fact (a "known issue") that Barclays Visa Debit "wave and pay" cards won't work with certain types of mobile payment terminal.

    I found this out last October when I took a payment which appeared to go through successfully, but I didn't notice until later that the Merchant Copy of the payment slip said "Declined" instead of "Pin Verified" meaning I lost £28 (fortunately it wasn't more!)

    Now I have to put through payments with these cards as "Cardholder not Present" as it's the only way to get them to work properly.

  14. Confuciousmobil
    Paris Hilton

    Wow! Channel 4 has exposed that people's names can be obtained. They neglected to mention how easy it is to take payments from NFC cards but I don't suppose people are worried by that so long as it's just money people are taking, not their names....

    1. Anonymous Coward
      Anonymous Coward

      Go on...

      How do you take money from one then?

  15. Greg J Preece

    I don't get why people are surprised by this. It's a chip, in your card, that allows your payment details to be grepped wirelessly, and you thought that was a good idea??

    1. Anonymous Coward
      Anonymous Coward

      Yes

      Because no-one would ever see my name and card number (sometimes account number and sort code as well) by merely looking at the card and recording the data wirelessly (with a camera) when I get it out to pay at a shop.

      1. Greg J Preece

        Re: Yes

        Look after your stuff better...

        And if you weren't paying attention, what they've got now is more than previously. What happens when they break the whole thing open? "Oh, it's just all my important data being slurped from inside my jacket by some guy on the other side of the train. What's the big moan?"

        1. Anonymous Coward
          Anonymous Coward

          Re: Yes

          These cards only work over about 20cm in a lab, more usually 10cm max in real life. The myth of someone sitting at the entrance to a shopping centre and harvesting everyone's details, is just that: A myth.

          1. Haku

            Re: Yes

            "The myth of someone sitting at the entrance to a shopping centre and harvesting everyone's details, is just that: A myth."

            I think the same things were said about RFID in passports etc., then people started seeing how far away they could actually read them, some guy managed to read them at over 200 feet with $2,500 of hardware.

            http://www.networkworld.com/news/2010/072910-black-hat-rfid-passports.html

            1. Anonymous Coward
              Anonymous Coward

              Re: Yes

              NFC is fundamentally different from RFID, in that the transmitter in the card is actively powered from an induced current from the reader. The reader can't induce a current that far away, probably more than 20cm, admittedly, but not that far. Crucially, though the transmitter in the card won't transmit above its design and subsequently they don't work over more than about 10-20cm.

              1. Richard 12 Silver badge
                FAIL

                Re: Yes

                10-20cm is more than enough in any kind of busy environment.

                That's further away than pickpockets work, with the added bonus of not having to actually touch the mark.

                It's quite normal for someone to come that close on a bus or train, even a nearly empty one (eg aisle seats) and normal for people to be that close on the high street, in a shopping centre etc.

                Here's a game for you to play:

                Next time you go out shopping in somewhere busy (New York in Lincolnshire doesn't count), try to count the number of people who come within 20cm of your wallet or handbag during the journey there and back and the actual shopping experience.

                So, given that you could clone the name and card numbers of all those people, you've got rather a lot of data you could sell to overseas criminal gangs - or use on any online retailer that's not checking CVV!

                In a single day you could get hundreds if not thousands of valid name/CCN pairs with no risk of being detected whatsoever. Flog 'em to some gang to use, and you've got yourself a pretty penny with no risk.

                I can see this kind of fraud becoming rather popular over the next few years. Well done banks, you've only gone and broken it again!

              2. Richard 12 Silver badge
                FAIL

                @ Anon: NFC is RFID

                Also, it's a shame to see someone so taken in by marketing.

                These are in fact the same technology.

                Have a Wikipedia article (it's not outright wrong)

                NFC is simply the branding of a set of RFID standards aimed at this kind of 'cash' and 'ID' usage.

              3. Charles 9

                Re: Yes

                So couple a high-powered directional transmitter with a highly-sensitive directional receiver. The transmitter pumps enough power to reach the chip and power it while the receiver picks up the faint transmission.

  16. JetSetJim

    App details

    While there are plenty of NFC reader apps in the marketplace, none of them seem to be able to read my bank cards beyond saying they're made by Infineon. Anyone know of an app where you can have a rummage around in the data on your own card?

    1. Tyson Key
      Go

      Re: App details

      If you've got a PCSC-compliant smartcard reader (you can obtain contactless-only ones for ~£30 - and contact-only ones are even cheaper), and access to a (virtual) machine running Linux, then you can easily read data from EMV cards using extremely easy to find Open Source tools.

      Obviously, the EMV specifications are freely-available to the public; and all EMV-based cards will happily provide at least some plain-text data related to what's embossed or printed on the face of the card.

      1. JetSetJim

        Re: App details

        I was thinking more of the "app" that ViaForensics stuck on the off-the-shelf phone with NFC capability.

  17. theloon
    FAIL

    If I wanted to display my name walking down the street I would print it on a fecking t-shirt

    RFI wallets all round it seems.

    1. The Baron
      Happy

      Re: If I wanted to display my name walking down the street I would print it on a fecking t-shirt

      Ah! At last, an explanation for the surprising number of people called Calvin round my way.

  18. Anonymous Coward
    Anonymous Coward

    JetSetJim ......

    Try google next time ..... ;-)

    I quote from the viaForensics blog .... "Recently viaForensics developed a proof of concept mobile app running on an Android device that was capable of reading data from contactless credit cards by simply placing the device on or near the card. "

  19. Anonymous Coward
    Anonymous Coward

    Still...

    There is still no word if the information obtained from the card is enough to make a fraudulent payment and that one has successfully been made.

  20. Anonymous Coward
    Anonymous Coward

    > to make a fraudulent payment

    The ability to make a fraudulent payment would depend on the merchant's acquirer not verifying one or both of the following for a CNP (Cardholder Not Present) transaction :

    (1) The digits in the billing address

    and/or

    (2) The CVV2

    1. Anonymous Coward
      Anonymous Coward

      Card number

      I was under the impression that the card number given up by the NFC card is different to the number embossed on the card? The point being that if you manage to obtain this number, you still can't do a CNP transaction.

  21. Anonymous Coward
    Anonymous Coward

    i.e. if they verify just one of the above, then the ability to make fraudulent use of the card would be limited.

  22. Anonymous Coward
    Anonymous Coward

    Re: Card number

    I was also under the impression that NFC transaction value was limited.

    1. Charles 9

      Re: Card number

      Even so, the term "nickel-and-diming" springs to mind. Simply make a bunch of little transactions which then add up.

      1. Anonymous Coward
        Anonymous Coward

        Re: Card number

        Yes, you may get away with it for a few weeks, but banks do have sophisticated anti-fraud systems which would pick up a merchant carrying out this sort of activity and the Rozzers would be dispatched to aid in resolution of the issue.

        1. Anonymous Coward
          Anonymous Coward

          Re: Card number

          >but banks do have sophisticated anti-fraud systems

          What he said. Plus cardholder would simply need to request a chargeback for all and any fraudulent charges to be null and voided. Then it would be up to the banks and their insurers as to how heavy handed they came down on the merchants and/or acquirers concerned.

  23. William 6
    Meh

    changed address

    Loads of places take your payment without notifying you that your address did not pass AVS and the bank processes it without query.

  24. Anonymous Coward
    Anonymous Coward

    Anybody heard of TRACK1...?

    Don't really know what all the fuss is about here... for years your names were available encoded on the TRACK1 of the Magnetic Stripe of your cards - this is the NFC equivalent of this field.

    This is media hype! The vast majority of Contactless Cards use Dynamic Card Verification Values which ensure that (in the unlikely event data is wirelessly sniffed from the card) any attempt to create a cloned transaction is fruitless...

    1. Richard 12 Silver badge
      Facepalm

      Re: Anybody heard of TRACK1...?

      Yup. I assume you're of the opinion that this simply doesn't matter in the slightest? Mastercard and Visa appear to disagree enough to try to keep it vewwy qwiet.

      Name and CCN is enough to make a transaction in many countries around the world, and even in the EU it's still often enough to make an online or phone transaction.

  25. Anonymous Coward
    Anonymous Coward

    Re: Anybody heard of TRACK1...?

    Actually - most of the Issuers that do a "proper" job of Issuing and Implementing Contactless provide the Contactless Application a completely separate PAN. If (for whatever reason) a transaction is received by the Card Management System that is formatted as anything other than a Contactless Transaction using the Contactless PAN the Transaction is simply declined and a Customer Service Representative normally contacts the cardholder to investigate and possibly issue another card if appropriate.

    Anyway - regardless of this - even if people do capture a workable PAN, Expiry Date and Customer Name - they will not have the CVV2/CSC2 with which to Process a successful Customer Not Present or PAN Key Entered Transaction - any Acquirer processing this transaction will automatically be on a sticky wicket when it comes to the Fraud/Dispute/Chargeback Case subsequently raised.

    I stand by my original comment - this is pure media hype. Stick to ramping fuel and pasties...
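Added example, not part of any comment in this thread: a minimal issuer-side authorisation check that encodes the controls commenters describe (a separate contactless-only PAN, CVV2 and numeric address checks for cardholder-not-present transactions, and the £20 contactless limit). The record layout, decision strings and sample card values are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

CONTACTLESS_LIMIT_PENCE = 2000  # the £20 UK limit quoted in the thread

@dataclass
class Card:                     # issuer-side record (hypothetical schema)
    embossed_pan: str
    contactless_pan: str        # separate PAN exposed over NFC only
    cvv2: str
    billing_address: str
    postcode: str

@dataclass
class Txn:
    pan: str
    entry_mode: str             # "contactless", "chip", "cnp" or "key_entered"
    amount_pence: int
    cvv2: Optional[str] = None
    address: str = ""
    postcode: str = ""

def digits(text: str) -> str:
    """Address verification compares only the numeric characters."""
    return "".join(re.findall(r"\d", text))

def authorise(card: Card, txn: Txn) -> str:
    if txn.pan not in (card.embossed_pan, card.contactless_pan):
        return "DECLINE_UNKNOWN_PAN"
    # A contactless-only PAN arriving by any other channel was captured somewhere.
    if txn.pan == card.contactless_pan and txn.entry_mode != "contactless":
        return "DECLINE_AND_CONTACT_CARDHOLDER"
    if txn.entry_mode == "contactless":
        over = txn.amount_pence > CONTACTLESS_LIMIT_PENCE
        return "REQUIRE_CHIP" if over else "APPROVE"
    if txn.entry_mode in ("cnp", "key_entered"):
        if txn.cvv2 != card.cvv2:          # missing or wrong CVV2
            return "DECLINE_CVV2"
        if (digits(txn.address) != digits(card.billing_address)
                or digits(txn.postcode) != digits(card.postcode)):
            return "DECLINE_AVS"
    return "APPROVE"

# Constructed sample data; the PANs are made-up values, not real cards.
CARD = Card("4000000000000002", "4000000000009995", "123",
            "12 Example Street", "AB1 2CD")
```

With these rules a name, PAN and expiry date read over NFC are not sufficient for an online purchase: the contactless PAN is refused outside a contactless transaction, and the embossed PAN still needs the CVV2 and the address digits.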

  26. Anonymous Coward
    Anonymous Coward

    Also to the moron that tried to process a £28 contactless transaction...

    The floorlimit is £20 quid in the UK - anything higher will prompt you to dip the chip...

    There is a known issue at certain coffee chains where they [the terminals] cannot format the Contactless EMV Data correctly resulting in the Card Declining the transaction.

  27. HeyMickey

    Sony are just as bad as Amazon

    A recent experience with the PlayStation Network shows that Sony don't even check the CVV - I entered the wrong number by mistake, and the transaction authorised anyway - and this was the FIRST use of this card on the PSN!
