Bank turns London man into RFID-enabled guinea pig

Crafty sods

Oh, neat. They can make it cost you much more than £10 to challenge a fake payment. So very few people will bother going through all the hoops.

Then they point out that very few people are successfully claiming for fake payments, which proves that there are very few fake payments, which proves that the cards are secure.

Once the cards are (by force) generally accepted then they can start bumping the £10 limit up.

from a US bog

someone quoted that.... "Unfotunately, Mastercard says that RFID-free cards are no longer available."

These touch and swipe cards are averagely secure, not especially insecure,

there was one proof of concept of a relay attack on an eCredit card, it seems the early ones had pretty loose challenge/response timing windows such that someone could skim data from your card from a 20cm distance ‘in the street’, then use WiFi to route this to an accomplice who was able to do successfully complete an internet purchase. Talking to eID industry representatives, “they are fully aware of the security problems and are making sure that soon this will not be possible”. The big advantage of the eCredit ePayment card is the “tap & pay” , for instant purchases of newspapers, concert tickets (by tapping an active Pop poster in the 'tube) , cups of coffee etcetera. It is likely that the european citizens’ card or a range of Mobile Phones coming in about 2010 will implement the full range of facilities, eID, ePass, eCredit, eHealth entitlement, eEtcetera. I’d say to an ecard owner that now you have the card, you’ve bypassed/survived one of the biggest threats which is RFID scanning mailbags - and crims selectively stealing the RFID enabled letters, be they credit cards or electronic passports.

As to the actual threats that you would now face, they are extremely remote - at present, but will likely grow. I have an HP PDA 4700 with added NFC (13.56MHz) RFID, but I wouldn’t be able to use it (for ethical) hacking till I successfully manage to dump WinCE and load Linux. This has Wifi and enough power to do the relay from a short distance, upcoming Software Radio devices may also be programmed as tools, but again, I’d say you probably have a 5 year ‘usual problem’ timespan before any ‘new problem’ attacks become widespread. Hopefully this timespan will be enough for the CC & eID companies to develop better more robust products. Watch for problems if they drop 13.56MHz NFC and head for EPC Global 900MHz ’supermarket’ RFIDs as they *can* be read at 20 metres. have fun (I believe the apt phrase is "always connected, always on": Internet of things)

.....the shiny Alcan-extra-wide coat please

Terrible idea

"[Apacs] believes fraudsters will not be bothered with collecting lots of small sums when they could garner more from other scams. Halifax says all banks will honour money-back guarantees if cards are compromised by fraudsters."

I like the way the concerns of people walking around say the tube, with a battery powered, modified (amplified) for larger distance scanning have been addressed! 'Scammers simply won't be bothered to rip these off.'

It's a terrible idea. I could easily set up a shill business as a sandwich shop or whatever, then make my real, tax free, proper incoming scanning cards on the underground/other busy public place all day, and charging say £9 per hit... even just a hit a minute yields me a healthy £540/hour... or £2160 for a 40 hour week.

as usual..

1) They say that theives and the like dont go for small sums... most londoners will remeber the press stories about the fights between rival gangs over the rights to steal from parking meters (small sums add up).

2) "create a niche market for security firms"

- so lets create a new problem for new services we can pay for to solve it!

A more cynical person would point to the anti-virus industry who have an interest in there always being virus's, so might encourage their development if windows ever became more secure.

Another Example...

...of banks taking liberties with customers and their accounts. My Bank (Lloyds TSB) are in the process of changing "partners" on their credit cards from Visa to Mastercard. No consultation, one announcement, then new cards delivered superseding the old ones. (don't know if they're RFID'd or not)

Of course, LTSB have taken care of all the "front end" processes in setting up the new accounts (done without my permission!) but the customer has to do all the donkey work when it comes down to setting up any on-line payments, or existing regular accounts, including setting up a new recipient so I can pay the damn credit card via the on-line banking.

I shudder to think what the possibilities for error in "universal" non-contact payment world are likely to be (not LOW for sure). Hard enough to prove fraudulent use as it is, never mind the possibility of your 'chip' being tracked everywhere you go!

This madness must stop.

Hang on a second...

European Citizens Card? So is Gordy just softening us up for a bigger pan-European ID card...in breaking news, the EU has admitted that a laptop containing details of 700,000,000 Europeans was left in a bar in Brussels.

Bring on the RFID

I for one can't wait for this technology to be rolled out. I'm fed up of having to carry cash with me. Of course these will never totally replace cash and it'll take a while to even begin to do so.

The security worries of these cards aren't my problem, they're the banks. So long as I make sure no one gets my PIN I'm not liable for any fraudulent transactions, the banks are.

Unseen price hikes

Hmmm,

once this technology is wide spread, we won't even notice that the car parking fee, price of the newspaper, tube fare, etc has increased yet again.

Obviously also plenty of room for dodgy things to occur at Car Boot Sales and as you walk by any number of street hawkers. Lucky heather to a bus load of punters in one trip to the next stop, cheap at only £9.99 a pop.

And when was the last time someone bought a ticket for a concert at less than £10 ?

Along with the price of calls to 0845 and 0870 customer service people to make a complaint !!!!

It makes me wonder just who is doing the skimming on this one.

RE: Terrible idea

Your ambitions are so limited! Me, I'd simply get close to a people smuggler, then get dozens of illegal immigrants to do the scanning for me. We've already seen how the Police have zero effect due to the useless immigration system, most illegals caught committing crimes are back doing the same thing in hours. With a crewmaster running a few dozen illegals with scanners, and half-a-dozen front companies pretending to be legit kiosks, you could quite easily turn all those little £9.99 transactions into millions a year. At worse, a few illegals get deported (very unlikely) whilst I rake in the dough courtesy of the stupid greed of commercial banks.

If I can think this out in a few minutes, do the banks really think all those pro crims haven't already started putting their plans in action?

Its all about the liability

It seems to me that the real issue here is not about the card, it is about the liability for fraudulent losses. If the banks foot the bill and the claim process is easy and cheap then I don't have a problem with contactless cards (assuming that I consented to receive one in the first place) but if they are also shifting the cost of fraud to the consumer then I wouldn't touch one with a 100 linguine pole.

I would be very interested if The Reg could publish a copy of the terms and conditions for these contactless cards.

card numbers

there were initially some problems with people skimmed card details from AMEX cards in america then using them for internet purchases, they stopped this practise by simply giving cards two numbers, one printedr on the card, and a seperate number for the RFID. that way if someone skimmed your RFID number - it would not be accepted online as AMEX could tell there was no way for you to access that number from your card, so it must have been skimmed

a simple solution

"Won't be bothered" Yeah right

"[Apacs] believes fraudsters will not be bothered with collecting lots of small sums when they could garner more from other scams. Halifax says all banks will honour money-back guarantees if cards are compromised by fraudsters."

Oh sure. So lining a picket-fence with RFID-ipaqs that lift off £9.99 per pass (remember, you can have many of them) is something people will not be bothered to do?

Maybe we need some proof-of-concept-hack to do this. How about setting up a solution with such scanners for every few meters between the bank, and where the bank manager parks his car. This could prove one out of two things: That his account can be tapped, and that this security of his is like Nessie (often talked about, but rarely seen), or it could prove that he KNOWS the cards ar shite, and won't be using them himself.

Proving that the bank administration hangs onto their old cards, would basically prove that they are lying through their teeth about this being secure enough for "ordinary people".

Both versions are ok with me, aslong as we can shoot this idea down in London, before it can infect the rest of Britain, and more importantly (for me) the rest of Europe.

//Svein

Octopus card in HK

AS a Hong-Kong Chinese Londoner (try saying that quickly 3 times!), I'm also used to the use of RFID cards. Basically, in HK, it started out the same way as the Oyster (because they nicked it off us, bloody Ken Livingstone), being a contactless way to pay for TRAVEL, but then migrated to paying for most convenience or fast food stores e.g. McDs and 7-11.

Personally, I knew the Octopus card idea (the one Ken lifted) would come to London, as it made sense. I haven't heard anyone complain of security problems in HK or Oyster cards here (except big brother tacking), mainly because as soon as you report it stolen, they freeze the card!

although one thing i don't like, is the auto opt-in approach: We should be able to choose whether or not to use it (I just chose to use it).

What I will do .....

I will use cash for all my purchases, and keep my cards in a metal container/ shopping on line should remain relatively fraud free.

Because a 40 hour week would yield £21,600 (not £2,160) ==why play football twice a week if you can get the same reward by hanging around

Monéo in France

In France, we have a system called monéo : Not contactless, but uses the embedded chip in (almost) every credit card issued.

The reader is not wireless, but requires the user to insert the card into the reader.

The monéo account is a pre-payed credit: you charge it up in banks and post offices,up to 100 euros.

The system works on a similar principle: You charge your standard credit card with up to 100 euros, then use it to make small purchases without having to use the PIN code or countersigning. If you loose the card, you loose up to the 100 euro credit inserted on the card. If you do not want to use it, do not charge it, and the card still works as a classic visa if you pay and punch in your PIN code.

The bastard is that the banks, after your first monéo credit, start charging you a couple of euros per month for the privilege...

Mine's the biker jacket covered in ally foil...

Mondex?

Time to get a lead lined wallet ...

What ever happened to the Mondex scheme where the payment card was pre-charged with money up to a limit the user was happy with?

Possible improvement?

A possible improvement- up to £10 a transaction goes un-pin-requested BUT there's a maximum of £50 non-pin-requested per day. And you can't take cash- from ATM or cashback in shops- out on a non-pin-requested transaction, which means that any further transaction locations can be recorded by the banks. Which should aid the police when they go to administer the sternly-worded warning and slap on the wrist.

And as someone pointed out above, an AMEX style system with non-RFIDed information for online purchases would be a great idea too.

While I can't imagine the average chav-in-the-street would be able to rig up some sort of an RFID-enabled kiosk as detailed above, I reckon that most Reg readers could.

This rollout is only going to lead to trouble. Reg readers, unite to screw up this ridiculously insecure technology before it costs you your hard earned beer tokens!

Only a tenner? Tesco let you take £60 of fuel without pin

IIRC the original limit touted for contactless payments was £50

The security of it depends on how it has been implemented. If it is a wireless interface on the EMV chip then the security on it will be the same as for Contact payments with the obvious issue of a high powered reader walking around the tube.

The EMV encryption key uses RSA and is being progressively extended in size related to estimated time required to break by brute force.

If a mobile reader had enough time to connect to the card, break the encryption key and then read the Pin Block (yes EMV cards hold your pin number and a value that represents the trust ability of it. If trustability is high then it might only initiate a connection to the banks main records 1 in 10 times, if low it may always do it. You can generally tell when it does it if you visit the same shop regularly as you will soon notice the speed difference between the 2 routes to PIN acceptance)

The dual interface chips were new technology around 4 years ago.

Before that the chips held an unencrypted string of characters.

If you visit a self service petrol pump you may notice that there is no Pin Pad connected to the reader/screen. EMV allows pinless payments through the contact interface. So if mugged for my Debit Card I would be more worried about how many tanks of fuel (Tescos allow up to £60 per transaction) the mugger can get before the bank block the card than how many £10 transactions.

Information

Money is information. The physical money you may ,or may not, have in your pocket is just a token; I promise to pay the bearer on demand the sum of 'X'.

Money is information. Most money exists as a pattern of ones and zeros magnetically encoded on any number of hard drives, tape drives, mass storage devices.

Money is metaphyisical. Pay and wave is the next logical step to waving goodbye to your money.

Your money? Surely the Banks money? I know mine is.

Tin foil wallet please.

Pret a Manger

Re: I am not the card

You're utterly correct. But it seems to me that this system is already in place with Chip+PIN. It always spooks me out when you use a Chip+PIN card in Pret a Manger and they don't ask for a PIN. Something about it just feels "not right". That aside, what does RFID offer that Pret a Manger's Chip+PIN solution doesn't?

Re: Mondex...

"What ever happened to the Mondex scheme where the payment card was pre-charged with money up to a limit the user was happy with?"

They trialed it when I was at Aston University ten years ago. No-one used it because the of the fannying around involved in charging up the card. And, the perception of mondex was "lose your card, lose your money" compared to the perception debit/credit cards where it's more like "lose your card, tell the bank, don't lose your money". It was dropped within a couple of years.

Whoa there, commenters - you're forgetting something...

And that something is the recieving retailler portion. It's all very well you all saying that you could knock up a skimming system (assuming you've bypassed the crypto system on the card) and then read £10 from passing strangers but in to what exactly?

A legit terminal connection will be needed to download the "cash" in to your merchant account at the bank (emulating that you are a real card reader playing back the victim waving his card on your unit) so that'll need it's security system broken off. Then we have the fact that to get one of these terminals you're going to have to go to the bank and get yourself all set up as a retailer ("know your customer" regualtions apply).

Now, of course it's not beyond the wit of man to create a dodgy retailer account specifically for the purposes of general-purpose fraud and use that infrastructure to set up this situation, since let's face it - redeeming a few thousand £10 transactions isn't a well priced risk if this is your sole fraud income - however this is putting the bar pretty high.

I'm not going to sit down and work out a crypto protocol which would tie the transaction time, retailler ID and amount in to a checksummed block (e.g. SHA-1 HMAC) but you will realise that this is eminently do-able.

Layer on top of that the algorithmic fraud dectection system which already exist for the credit card industry and I'm feeling pretty relaxed about this whole thing.

Government to ban cash next

Gordon would love to ban cash - if we had to use traceable plastic/chips he could see where every red cent was being spent, and tax the bits that the Evil Empire has missed, and small cash traders would no longer be able to fly beneath the tax radar.

Me I'm joining this years 500,000 in the exodus from UK

Belt and Braces

As Sconzey says, 2 seconds in the microwave should cure the RFID but I would suggest the tin foil wallet as well.

Perhaps 2 seconds in the microwave for passports and ID cards as well? If they might fail "naturally", we should just help them and nobody will know the difference...

What's the traditional money-laundering cash business?

Sun bed studio.

No stock, low running costs and no-one knows how many people have been there.

AC

So

So , did these wankers provide a RFID shielded case when you did not wish to use this wave to pay facility ?

Missing the point?

I think the wood-for-the-trees thing here is that this is ALL about banks moving down the food chain, and making a land-grab to finally replace cash for small transactions. You can almost here them salivating at the idea of all the money they can make off of that: micropayments, rental of scanners to retailers...

Pigs, snouts, trough...

Not hard to secure

The card should only accept payment requests signed with a (per till) retailer cert, which is in turn signed with a bank cert (etc).

Payment credentials are in turn one-shot and only useful for one transaction on the same till.

That way, a miscreant could listen and spoof the signals all they want, but wouldn't get ever be able to fake a transaction. The main risk (as with any pinless system) as that the card will be pinched and used for multiple $10 transactions (to buy phonecards or something) until the owner realises and reports it. The banks should be expected to take this hit.

Is the protocol for this new service published?

New Wallets All Round

I guess there's now a market for foil-lined wallets in which to keep the cards. Put a pouch on it suitable for a passport as well, or probably better to have a matching but separate one for that and a single credit card.

There's probably a market for a tame RFID reader/zapper as well, use it on your passport, credit cards, any clothing you buy (lest it has a tag woven in it), deactivate the lot!

Security

One way to remove the possibility of remote scanning of the card whilst it's in your pocket is to simply add a switch or button to the card. Keep the card dead until the button is pressed, then let it do it's stuff then stop working when the button is released.

Won't stop the card being nicked or lost but then with a lost card and signature you can get away with a lot (just damage the chip, most shops still use signatures if they can't read the chip on chip-and-pin cards).

Don't tag me.

Cattle have been tagged with RFID chips so they can be tracked and inventoried. What's do the authoritarian bastiges want us good people to be? Cattle? Their cattle even? They can stuff it the chip....

@ Michael Langer

True, but the Easylink cards can be picked up on a pay as you go system. They do not contain personal information and (like most Oyster cards) do not link information on a back end database with user details. Unless you register your details with the card number of course. This is one of the things I have always liked about the Easylink system. It is inherently relatively secure as the card is not directly linked to the owner's bank and even if the RFID IS intercepted/relayed it will amount to no greater loss than the amount transferred to the card already. And given that if you lose or accidentally wipe out your Oyster/Easylink card you will lost that value anyway most people tend not to top up with vast amounts of credit.

supermarket petrol

my local tesco has pay at pump option on their garage forecourt. Stick your card in & you can buy £60 fuel, no pin needed.

I don't see how this is different, except it uses the dreaded RFID. Luddites!

BTW, the cards issued by banks and the associated services they provide actually belong to the bank, they can do what they like with them. If you don't like it, switch banks.

I'm wrong!

There *is* a man-in-the middle attack.

Sam (the shopkeeper) sends a payment request to Bill. Bill has a deactivated card and a transciever, which connects by a datalink to his accomplice, Fred, who's in a busy place. Fred forwards the request to a card in Sue's bag, gets the response and sends it to Bill's device, which sends it through. Sue gets debited and Bill gets the $10 swag.

Rather relies on card range being long enough. One security measure would be to only allow transactions where the card response is in a very short timeframe.

Is Oyster vulnerable this way?

Chip & Pin

I was working on Chip & Pin in 1987, it was viable then, A number of secret services (funniest parcels I ever sent, Addressed - 'The XXXXX Secret Service, 133 the crescent, XYZ town XYZ country) nope sorry I don't remember the address, Shell & the French Health service thought so, but the Credit card companies didn't.

I'm lost, why do they think this is a good idea? Fraud is going to be endemic.

Tin foil wallets already available.

Banks emptying your pocket, who would of thought it?

a Hammer and magnet please

with these tools -every one of these cards I get will mysterously stop functioning

: )

And Mifare is / will be cracked

It is especially concerning that many of these cards are based on Mifare and it is only a question of time before the Mifare classic (1k and 4k) are cracked.

See

http://www.hackaday.com/2008/01/01/24c3-mifare-crypto1-rfid-completely-broken

The RNG is apparently only 16 bits and the key is 48 bits. Thus not long yet.

The Mifare Ultralight is completely cracked

http://www.boingboing.net/2008/01/15/dutch-rfid-transit-p.html

There is considerable dicussion about these cards and the apparent lack of security in the Netherlands. (Also in use for Public Transport cards).

Mifare DESFire cards are stronger.

Which RFID is being used by the banks here?

To all the people who think someone else will pay

There have been a few responses here along the lines of "I won't have to pay if these cards are skimmed for cash".

So, if the banks start losing money on this, where will they get it back? Yes, you. One of the reasons interest charges are so high on CCs is that fraud is just another cost of business to be passed to the customer.

If retailers are somehow found to be liable, who's going to pay? Yes, you. Prices will go up to compensate.

So, switch off your complacency; you'll end up forking out if this all goes wrong.

It is the 21st century Pete......

Reg reader "Pete" sounds like something of a luddite to me. Cash is dead, deal with it.

"I don't even use a debit card for retail transactions" - Really? Do you know you are far more protected against unscrupulous traders with your debit card than with completely untraceable cash?

In my opinion, this type of contactless technology is finally a true replacement for cash (why do I need a PIN to buy a can of Coke in Tesco?). Though it probably wouldnt hurt to line my wallet with a bit of tin-foil.

Back to square one

HANG ON!!! Weren't we all forced over to chip and pin so everything was more secure in case our cards GOT stolen, this paywave thing is back to square one surely. Yes it is limited to £10 transactions MAX, but someone will find a way to eliminate that limit and abuse the sysem.

Waste of time, what was chip and pin for if they are going to take a step back with this system!!??

@heystoopid:

You could always build a little faraday cage for the card... LOL!!

Multiple purchases

I'd be far more concerned about multiple purchases than people skimming details. Currently, with chip and pin, I have to insert my card into a reader and put in the pin, i only do this once, so i know i've only been charged once.

If all i have to do is wave my card in the vague direction of a reader, whats to stiop it being picked up more than once. I move my card over a reader to pay for a coffee, then, to put it back in my pocket, i have to move it back again.

If you're talking about tapping a poster to charge for something, what do i do if i accidentally tap it twice? At least in a shop i can have the transaction reversed, assuming i spot it.

Never use the Halifax

This is the same place which, when my sister tried to pay off her student overdraft and close her account, told her: "You owe us £x." £x > overdraft. Sis != impressed.

Sis asked why. Halifax said, "You owe us £x." Sis said, "Yes, but my overdraft is £y, so where did the extra £z come from?" Halifax said, "You owe us £x." No bank managers, account managers, head office or phone calls could say anything more informative than: "You owe us £x." Loop until bored.

Eventually sis said, "I'm paying you £y which is what I owe you, and that's all you're getting until you tell me why I owe you the extra £z." Halifax said, "OK, make it hard on yourself" and blacklisted her credit rating with all UK banks. Deep joy. Hence no-one in our family will now ever consider using the Halifax again.

What if...

Two points of no concern to anyone here...

1) If you're able to collect Passport info from a distance (as has been done, at least according to the fine pages of The Register), what is to keep a legitimate business who has all the bank connections, to not setup a reader to reach out and touch someone's wallet as they pass by the news stand or other kisok? Though the limit would be 10 pounds, if they only took a few pence it might go unnoticed.

2) How well do these various RFID enabled cards do in a microwave? Try a non-valuable CD or DVD for a few seconds and enjoy the show.

Curious

Calm down

I think most people are over-reacting due to a very limited understanding of how RFID works. There are several types of RFID that work at different ranges - true one of these types is high powered and works at a range of metres, but the majority of the implementations are based on the fact that "contactless" is barely true.

Oyster cards are a case in point. I approach the barriers on the tube, and they don't open. It only works when I bring the card within 10mm of the reader - in fact when it's inside a wallet, it can be hit and miss as to whether it works at all.

Assuming we get the same implementation, I think you can forget about walking too near to a cash register and accidentally paying for someone's wallets. Let's take the panic out of the situation and remove the RFID emotion at the same time.

Disclaimer - I work for a bank in the IT department

A piece of the action

Well, at least we can actually act about this.

If Barclays send me a new RFID enabled card I shall take it to the bank and cut it up with a pair of scissors, after explaining to them why I am doing so. I shall ask them to either reactivate my previous card, or provide a non-RFID card, or move to another bank, which is not too hard these days to do.

Halifax != trustworthy

This is the same bank who somehow allowed some scumbag in the Netherlands to spend bug sums of money on her Halifax debit card at gas stations all over Europe - when the card was actually 'safe and sound' in her wallet here in London.

So much for security.

The transactions continued to flow in days and days after she alerted them, racking up a bill of some £1,600.

Granted she did eventually have all the transactions reversed out, but her card was frozen for a couple of weeks, preventing her from performing any transactions herself - not to mention the sheer stress of having a sum that big stolen directly from your own bank account!

Personally, its not the risk of 'scanning' I am worried about with these contactless cards - I think thats a minimal risk. I reckon the real risks are much closer to home - for a start £10 is a big deal for pick-pocketing miscreants - you can make a whole lot of £10 transactions at various retailers over a day before the card gets locked, and that buys you a whole bunch of ciggies, booze and stuff.

What's the point?

I can see the advantage of having chip and pin cards over the old days of writing a cheque. I recall the anger on people's faces when, queing at a supermarket checkout on a Saturday afternoon, the person at the front would pull out their cheque book to pay for their shopping.

Chip and PIN is good for 4 reasons:

1 - Its quick.

2 - It shows that the card was present

3 - It shows that I was present

4 - It shows that I knew what I was buying.

RFID is shit because:

1 - Its not much quicker than C&P

2 - It only proves that the card was somewhere near an RFID reader.

This is just a ridiculaous example of implementing something because its possible rather than because its genuinely needed. Banks forcing it on consumers against their will is just bad business practice.

There is a key difference between ID cards and RFID cards being forced upon us. That being that if the government male our lives difficult to live without ID cards we'll all end up begrudginly using them, we have very little choice.

If however a commercial institution, like bank, pushes stuff on us we can just walk away and / or make life really difficult for them: Like resorting to writing cheques again.

Paris because she's also quite pointless.

Stop the paranoia!

Okay - a few things to sort out!

Firstly - stop talking about 'pickpockets' etc. The money is not on the card, ready to be taken by anyone who then disappears - it's just a number - like any payment card but just for contactless payments. This cannot be read, written to a magstipe and used in an ATM (the current popular fraud happening in Europe) as the number is a contactless only number. Contactless payment cards cannot be cloned (due to security keys on the cards) so even if someone has the card number etc - the card effectively signs the transaction (with those keys) to authorise it. Additionally, the payment has to be made to a registered merchant (name, address, company details etc). If any fraud happens, the payments are withheld from the merchant and they get nothing. As far as I know, I've not heard of any fraud from dodgy merchants for Chip+PIN - mainly shoulder surfing + steal card, or dodgy reader and make up a mag-stripe card for an ATM.

Double transactions/inflated transactions? Not going to happen. All the readers are certified to work in a standard way - including not doing double transactions and displaying the transaction value on the display, along with a beep etc to inform of a transaction. Failure to check the amount on the screen is correct is just as possible with Chip and Pin as with cheques or even cash! Remember my first point - using dodgy readers is going to get them noticed (every card appearing twice in their transactions is likely to start the fraud flags waving in the banks?). And again, dodgy readers have been used for Chip+PIN (to generate mag stripe cards which are then used in ATM machines on the continent) - so it's no different in that respect.

Distance - generally you're looking at 1-2cm for a transaction. Whilst academics may claim greater distances - doing it in a lab is one thing - doing it in a real environment with people moving around is something very different (and again, remember the first point about merchants). More than 1 card in the field, and it'll refuse the transaction. People will have to get very cosy to get close enough (and if you're really paranoid, just get a metal lined wallet) - and again, they cannot clone the card, so reading your details is worthless.

Finally - the amount of money to be lost. There's a £10 per-transaction limit imposed, with a requirement to revert to standard Chip+PIN after a set number (10?) of transactions (a normal Chip+PIN transaction will reset this counter, so many people may not notice). This covers theft of the card and subsequent purchasing of low value items. Oh, and the cards can be blocked as with normal cards, so reporting them stolen will help reduce the risk of fraudulent use.

So in effect, out of all this you could be looking at a potential £100 loss on the card- but considering it's a credit-only thing, that's a small proportion of most people's credit limits. Compare this to normal credit cards being used for low value purchases in crowded places (ie. easy shoulder surfing) along with pickpockets taking your card - immediate £300+ from an ATM. If you manage to do something like the old Shell garage fraud with a dodgy chip+PIN reader, you may be able to get PIN and card details without the person knowing - create a mag stripe card and start taking out £300+ per day until their credit limit is exceeded or they get their statement.

I see contactless as reducing the use of PIN, making PIN more secure (as it'll probably be in higher value so possibly less crowded places), whilst limiting potential theft to a reasonably low value (which should be covered by your bank etc).

How hard is it to type in your PIN

It takes seconds to do so why the need for this new system anyway? It seems like they are solving a problem that doesn't really exist but introducing ones that do along the way!

I don't like RFID!

I don't like the idea of RFID simply because it's a unique identifier(UID) and it responds to a transmitter.

In my opinion, RFID has the potential to make 1984 look like Woodstock.

Don't I have the right to walk or drive around the UK without the potential for those in authority to know where I was at what time? I'm not talking about breaking the law, I'm talking about my right as a human being to enjoy some freedom.

Criminals are 'tagged' so that authority can know where they are at a given date and time.

RFID allows each of us to be tagged in a similar manner if we are not careful.

Don't believe me? Consider this:

You use your credit card, with RFID to buy a pair of trainers, your new trainers also contain a RFID chip. Now, your UID (credit card) is associated with the trainers. Although your bank has stated that your card's RFID will only operate within 20cm of a scanner, there is no law in place that says your trainers should also do so. After all, the main purpose of the trainers RFID tag was for stock control, yet it was not deactivated when you brought them. Now, unknown to you, you have an item of clothing that will identify you uniquely every time you walk through a scanner.

Imagine the same for cars. Sure you get situations on motorways where average speed cameras are active. But imagine a case where, through the use of RFID scanners, your route could be traced and the time taken from A to B is known. If your time between A and B is less than the official time taken you automatically get a fine and points on your license.

By now, no doubt some of you are thinking that what I'm describing to far too draconian for our government to enforce.

I urge you to think again!

Clandestine means may help find a criminal but it does little to deter them. You really think a bunch of pissed and stoned teenagers are able to think well enough to stop them from kicking the shit out of someone because they think they will be nicked?

You really think that a twat that thinks that a jihad against the west is a good idea will be frightened by the prospect of RFID? Bollocks, they will have the intelligence to remove RFID tags.

What I'm saying is I want freedom, and I don't want arseholes who threaten that to be used as an excuse to constrain me.

Is a slave that does not know he's a slave still a slave? YES!

The new pickpocket

So thieves can load card debit software onto PDAs and pull a small amount of cache from you by waving it near your pocket? Brilliant!

Here's my legal money making scheme - Sell a disabling plastic clip for each type of RFID vulnerable card. There's no expensive RF adsorption technology involved. It just has small hole where you insert a spinning drill bit.

Farady cage wallet

Already on the market http://www.thinkgeek.com/gadgets/security/8cdd/

They also have a version for you passport if you have one of the new rfid versions

@RFID Cards

> These have been in use here in Singapore for ages already. But, much like

> londoners with the Oyster card, we're very very used to RFID systems and

> paying with RFID systems so it's no big deal here.

Same here in Malaysia. We've been using the Touch 'N' Go payment system on tolls (turnpikes for those living stateside) and public transport systems for aeons now (yay for unified systems- one card to pay for them all!), and Visa's RFID-based Wave system has already officially launched here.

Also, I don't see why the Londoners are making such a big fuss about being issued ID cards. We have them here for over 40 years now, and apart from some hilarity that ensued (i.e. cloned cards being discovered on illegal immigrants, cards being issued to the wrong person, erroneous entry on the card), nothing bad has happened to any of us.

New market opportunity

Anybody interested in my new range of lead-lined wallets, please form an orderly queue right here...

When I get my RFID card...

I'm going to do just what the BOFH did - drill a hole in it and make it a non-RFID card.

I'm already switching from Barclays for the inconvenience that "PinSentry" has caused (and I'm still not convinced about its security over the old authentication method).

re: Possible nightmare scenario

Again, hysteria with no factual basis.

1.) The merchant gets their money after a period - not instantaneously - holding a gun to their head won't get you any cash from the proposed fraud at a tube station - it'll just be a good-old plain armed robbery of cash on the premises. The period is there for stopping fraud/chargebacks, and for 'clearing' purposes.

2.) Due to the way readers work, they don't work with 2 readers/cards in the field. So, putting a dummy reader on top of an Oyster reader would stop the Oyster one working - and no-one would get through. Rather than your '30 minutes or so' time frame, you're looking at 30 seconds. Oyster gives far, far greater throughput than paper tickets, and any issue/hold-ups with them get noticed VERY quickly.

3.) So whilst Oyster users wouldn't get through - your reader wouldn't work either, as the field from the Oyster reader would interfere.

4.) You're relying on people using the Barclays combined Oyster/PayWave card - as that's the only card which will work with both readers. If someone has a separate PayWave card and an Oyster card, they'll need to only present the Oyster card - otherwise they'll have the same issue with 2 cards in the field at once and it won't work.

5.) RFID readers aren't stickers you can stick to things. They're large, physical readers, requiring something to drive them and significant power requirements. Not something you can stick onto some Oyster readers without someone behind you (or the TFL staff around) noticing. Whilst you can get RFID tags which are small stickers, there are nothing other than dumb cards and require a reader to power them - just like any contact less/RFID card.

6.) Swapping someone's card for a fake is possible - just as it is currently possible with Chip+PIN/ATM cards. The only difference is that you don't need a PIN but for contact less transactions you're limited to about £100 max loss (as you can only do about 10 contact less transactions without having done a Chip+PIN transaction). If the waitress shoulder surfs the PIN entry (how many waitress places cost < £10?), then it's a standard Chip+PIN issue - keep your PIN and your card safe. It's not a contact less risk.

Dumb bank staff

"Bank staff, having verified Pete's identity, were not immediately able to work out why the card had been retained.."

As an ex-employee of Halifax, the staff would have been able to see from their records the old card's cancellation date and that it had been replaced. Shows the 'bank' that now likes to employ dumb staff, but for customers of the Halifax, don't worry, they've all been on training courses and are experts!

As for the frustration of your reader getting a normal card, it's on par with my attempt to try and get my Internet banking access closed down which they said could not be done as "... I may want to use it in the future." This rule was quickly reversed when I breached their Ts & Cs by publishing my login details online.

NFC mobiles

The card stuff here is only a precursor to an NFC application loaded onto your SIM card. Actually there it makes more sense because you can popup a java app to let you confirm the payment. You also have many other control possibilities, along with a current log of your transactions. And real tap and buy off posters will only happen when you have this facilty. It doesn't stop it being inherently insecure, especially if stolen, but it gives you better control of it whilst it's in you possession.

Big brothers first name is - Halifax

So, contactless paying

scam artists swiping a tenner everytime your trousers goes past a waist height scanner.

This is not permission to board a tube train (Oyster), this is raw cash; of course its different -what was the fools name who said that? take him to the stocks now.

Records of exactly when and where you have been - its a doddle to register the card ID's location as you walk past, not even bothering to tell the punters or go to the hassle of asking them................

....................................................hhhmmmmmm is big brother's first name Halifax?