US retail kingpins swoon: Nobody bonks like Google does US retailers reckon Google will end up dominating the pay-by-bonk/eWallet business, sidelining PayPal and bypassing operator-backed ISIS simply because the Google Wallet juggernaut is unstoppable. More than half of the 225 retailers surveyed at the National Retail Federation's annual shindig reckon Google will inevitably …
"Fraud rates in Europe have dived since the introduction of EMV. Greater use of the PIN does put its security at risk, but the chip is effectively impossible to copy, so the thief needs to lift the card too, unless the fraud is committed in a country without EMV."
What about the man-in-middle attack reported last year (arbitrary pin can be used for purchases at an EMV terminal with a stolen card) rendering security put in place by such a system rather moot? OK granted it does require physical access to the card.
[quote]What about the man-in-middle attack reported last year (arbitrary pin can be used for purchases at an EMV terminal with a stolen card) rendering security put in place by such a system rather moot? OK granted it does require physical access to the card.
[/quote]
That attack doesn't work on all card, only where issuers dont have the correct rules in place on their auth platform. It certainly doesn't work on ATM's (where the PIN is sent online) nor does it work in countries that only support online PIN. And if the issuer issuer checks the CVR correctly (Which is signed by the chip and verfified by the issuer) then you certainly cannot bypass the PIN.
With Google system it means I do not have to carry around the dozen or so cards that I carry. Presuming everyone allows their loyalty scheme cards to be run through Google wallet. Plus theoratically they could come with even more security on top with finger print, facial, voice cognition all possibilities.
This post has been deleted by its author
If someone steals a credit card they must also obtain the PIN number... 2 Factor security.
If someone steals a phone with NFC they have everything they need... 1 Factor security. Or is there another level which I haven't yet read about........
I have only ever seen people swipe/bonk these telephones on Youtube and I never see anyone using a password or alternative security factor .... Or are the PIN numbers on the SIM cards part of the package.
I am being lazy and should read up on the matter but since the El Regtards love to flex their keyboards....
You are right when it comes to cards there is only 1 factor security most of the time with the pin number only be asked randomly, there also a 15 pound spending limit and apparently some sort of intelligence system that spot unusual activity on the card.
In phones yes you have to unlock them, through I question how many people actually got passwords protected lock screens turn on their devices, any figures for this.
Other security measures, some passive may also become possible, such as facial recognition, finger print scanner built into the phone, Apple bought a finger print scanner company last year that is developing this technology, randomly asking for a pin number issue by your bank, even having to reenter your Google account details, will all come in the future.
My neighbour did not realise she had NFC enabled on any of her cards - did not remember ever having been told.
Went into a shop and bought something about £25.00. Handed over her card, and without asking, touching or putting in a pin, the till printed out a slip for payment of £20, £5.00 to pay. She was most perturbed by this, as am I.
There was no "bonk" involved - the card just happened to pass near the machine.
The limit was supposed to be £15. I found it had gone up to £20, with no advice or discussion.
The bill was for £25, and so not valid for NFC. I had never heard that it can take a part payment.
I do not like NFC, I do not trust it, and I do not trust the banks, but there appears to be no way to avoid it. I have spoken to several banks with whom I have accounts, and they all say there is no choice - if you want a card, it WILL have NFC enabled, for whatever amount they say.
With NFC, a new era of fraud is about to arrive. How long will it be before you can download frequencies off of a .torrent to pay for things. I think the banks know this, and the banks want this. NFC will be one hell of an excuse for a banks lack of liability for consumer fraud, and to put in place another security measure to eventually charge you for. As we have seen, the banks desperately need a new scapegoat to ride, because bailout money won't be available for at least another 20 years. Banks need overhead, and they need it now.
No, it's not a conspiracy, it's just good business. And like most business, ethics aren't involved.
is that everyone wants a share of it:
the payment processors (Visa, Mastercard)
the carriers (AT&T, Verizon, etc)
the phone OS companies (Apple, Google, Microsoft)
the phone OEMs (Apple, Samsung, Motorola, etc)
the wildcards (Paypal, Square, etc)
There simply isn't enough money for everyone to get a cut, unless it becomes a lot more expensive to pay via NFC than with a credit card - and if that happens the merchants will refuse to support it.
So we're at a stalemate while everyone is trying to go it alone or partner up with someone else in various alliances, or waiting to see what happens before trying to swoop in and undercut everyone else.
The biggest problem, of course, is that it doesn't solve a problem anyone has. Why do I want to pay with my phone rather than something in my wallet? If I want to pay via NFC (I don't, but let's assume I'm ignorant of security and wish to do so) then why shouldn't I have an NFC enabled credit/debit card and bonk my wallet against the reader instead of my phone? What exactly is the advantage of bonking my phone, other than some geek points if you're with the right crowd?
The idea behind using your phone to 'bonk' is that it removes the need for a wallet entirely. In a (bank's) perfect world, NFC is everywhere, everyone owns an NFC enabled phone and cash is not required (therefore neither is your wallet). I don't necessarily agree, but this is the 'advantage' of NFC payments on a phone.
Also, if you have more than one card, bonking your wallet against a terminal isn't the best idea as you can't really be sure which card will be charged.
Obviously share peoples' security concerns but in practice contactless payment is extremely handy. Bought a sandwich in M&S the other day and a lot easier just to wave the card than fiddle about with PINpad for three quid. If it were integrated into your phone then eventually would no longer have to remember car keys, door entry card...
It is, of course, your privilege to think that, but single-factor security is multi-factor breach for anyone that gets hold of it. I'll keep multiple cards, the "lack of ease" of putting in a PIN every time, and a keyring with many keys (some of which don't fit anything I still own - I don't know that it would actually baffle a thief, but it doesn't help them) and carkeys that don't easily identify the make of car I drive.
I'll not be using NFC anytime soon, thanks.
But the easier thing there isn't the contactless aspect, but the dropping of the requirement for entering a pin (which obviously has the trade-off of security). If you instead just had to swipe the card through a reader, it would still be much quicker than using a pin reader machine, even though it wouldn't be contactless.
In the US we don't have to bother with the PIN or signature for small transactions. I don't know the current limits on debit card transactions that don't require a PIN, but for credit cards I don't need to sign for anything under $50. Just swipe my card on the reader, the salesperson never needs to touch it. That takes away a lot of the convenience argument for small transactions using NFC, at least in the US.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
