NFC SD crew gives up: No one wants our safe bonking tool

The NFC SD consortium - a collaboration attempting to capitalise on the use of removable memory to secure pay-by-bonk transactions - has called it a day seeing that no one wants to secure transactions using a Secure Digital (SD) card. The investment, which NFC Times pegs at €3m, came mostly from Giesecke & Devrient but with € …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Perhaps they are asking the wrong question

    Hands up all those who really WANT NFC at all?

    Ok,

    Hands up who thinks that NFC is going to be a scammer's wet dream?

    Finally

    Hands up those who think that those pushing NFC really don't have No Frigging Clue?

    Answers on the top of a pinhead please.

    1. Anonymous Coward

      Re: Perhaps they are asking the wrong question

      You forgot: Hands up who thinks they know everything about NFC and banking security because they "know about computers", however in actual fact don't really know anything about either subject.

      Personally: I quite like the idea, I've used it a few times and it's been convenient and fast, however I used to work in banking IT so know quite a bit about how they work. It doesn't bother me any more than any other method of payment.

    2. Horridbloke
      Stop

      Re: Perhaps they are asking the wrong question

      Totally agree. On a related matter I was pretty annoyed to get a replacement credit card with contactless element the other month. I think it uses NFC technology - my smartphone certainly recognised something was there.

      Anyway, the accompanying sheet of people cheerfully informed me the limit for unauthenticated contactless payment was £20 - somewhat in excess of the "cup of coffee" purchase scenario these things are supposed to be for. I didn't like this, so using the old card (which upon closer examination turned out also to have the contactless element), the smartphone and a hole punch I located the NFC element and was then able to neuter the new card by cutting in the right place with a craft knife. The card still works fine in Chip-&-PIN readers, so I will be snipping future cards in the same manner.

      1. Horridbloke
        Facepalm

        Re: Perhaps they are asking the wrong question

        "paper", not "people" - I apologise for my substandard post and hope it has not impacted your enjoyment of the internet.

      2. Anonymous Coward

        Re: Perhaps they are asking the wrong question

        @Horridbloke: The card is not your property, it remains property of the bank - be aware that a bank can refuse to issue you cards if you repeatedly vandalise them.

        1. Horridbloke
          Happy

          Re: Perhaps they are asking the wrong question

          "card is not your property, it remains property of the bank.."

          I'm not going to tell them.

          If at some point in the future a compelling reason arises not to emasculate the card then I'll stop doing it. Until then I will take some responsibility for my financial security.

          1. Anonymous Coward

            Re: Perhaps they are asking the wrong question

            I wasn't thinking you'd be telling them, of course you've made sure that any machines you use won't get jammed and that you don't have to use your card at a branch to identify yourself, etc.

  2. TechnicianJack

    While it seems a good idea on paper, having an SD card NFC system is a problem. Some phones do not have an SD slot, and phones that do often have a small internal memory as they expect you to put your media and apps on removable storage. People would then have to choose between NFC with their bank details or their media. Seeing as lots of phones have SD cards mounted behind batteries etc, swapping between them would be inconvenient and seeing as some credit/debit cards have NFC built into them, an SD card is almost redundant. (Most people will carry their phone and wallet with their cards in).

    Ideally, the phone should have two SD card slots, so users don't have to choose.

  3. o5ky
    Thumb Down

    Why can't they just give us Google Wallet in the UK!

    All I want is to take my phone out on a night out and then not have to worry about taking cards out...

    1. dogged
      Meh

      Really. You want to make a nickable item more nickable.

      Okay.

      If there's an option, I don't want that, please.

  4. Anonymous Coward

    Ahh, I see a business opportunity

    for a range of NFC blocking wallets, purses, suits and purses.

    Personally, this is a disaster area waiting to happen. I think an awful lot of people are going to lose a little money with this tech. Any phone that I use/buy will have NFC disabled right from the outset.

    There is probably a whole new generation of scamming hackers just waiting for NFC to become commonplace. Then they will be out in force syphoning a few quid from as many people who are dumb enough to leave this feature enabled as they can.

    1. Wize

      Re: Ahh, I see a business opportunity

      Pockets picked without them even touching you and no way of knowing until you check online, probably a few hours later.

      1. Anonymous Coward

        Re: Ahh, I see a business opportunity

        @Wize: How do you propose that someone "takes money" or "pickpockets" from an NFC card?

        1. Horridbloke

          Re: "How do you propose..."

          I imagine somebody somewhere is working on it.

          1. Anonymous Coward

            Re: "Steal" / "scam" etc

            It may be pertinent to point out, that it is necessary to have a merchant account in order to take payments from credit cards.

            1. Horridbloke

              Re: merchant account

              Ever heard of dodgy shop employees? A petrol station in my town was fingered for a number of fraudulent credit card payments a while back. Now I don't know the technical details and obviously those particular guys got caught in the end, but who says they always get caught?

              1. Anonymous Coward

                Re: merchant account

                @Horridbloke - Those would have been skimmed magstripes sent abroad and used there, not chip and pin or NFC payments. You clearly don't know much about how payment processes work, evidenced by your conspiracy theoryesque "I've cut the card so the nfc doesn't work" and your apparent belief that you can somehow take money from the card.

                1. Horridbloke
                  WTF?

                  @AC 15:45

                  Wrong: in this case the dodgy payments were processed through that business. That was how they happened to get caught (Note that the bored minimum-wager behind the counter is NOT the merchant).

                  While we're at it, what is actually "conspiracy theoryesque" or otherwise inaccurate about the idea that disabling the NFC element disables NFC payment?

            2. Anonymous Coward

              @Anon 15:30 - merchant accounts

              I suppose you realize that pretty much anyone can get a merchant account. It is not exactly as complicated to get that as it is to, say, become legally recognized as a bank.

              1. Anonymous Coward

                Re: @Anon 15:30 - merchant accounts

                @Doug S - In order to obtain a merchant account, you have to have a business, you need to have a registered address for that business and you need to discuss your business plan with your bank (and have it approved.) So, yes, anyone who puts in a load of effort can get one, but crucially once you've got one the bank have your name and address, they're highly likely to send the rozzers round if they see any suspicious activity on it. That's the point.

          2. Anonymous Coward

            Re: "How do you propose..."

            Nice, a brain storming session on how to steal from NFC cards.

            It won't be a nice simple case of recording and replaying the data. That would be too easy. Though you could get some details out the card, like account number, that might be usable in another scam.

            It could be transferred to a temporary account. Just need a country to accept the pay-by-tap but not so strict in who can set up an account to use them and connect back to a computer in the right country via a mobile phone on 3G and a proxy.

            Or with a NFC reader (probably boosted past the regulation signal strength), a hacked 'writer' (as in something that will look like a card to a reader but can give a custom output) and some sort of radio link, you could put your reader near a busy exit of a train station, wait for a train to arrive, buy yourself a can of coke and a bag of crisps and swipe your dummy device over the reader. Your device picks up what the reader is asking, transfers it, via radio, to your reader. Skim the reply over the lucky passer-by and send that back to your device over the shop's reader.

            Ok, that only gets you a few pennies and the kit costs more, but it's a start.

            And the fun of DOSing a train by sending out too many bad requests to everyone's cards, which should refuse to work next time they try to use it.

            1. Anonymous Coward

              Re: "How do you propose..."

              @AC 13:00 -

              The account number on your card, chip and pin and NFC are all different, so that stops that approach.

              The second could possibly work, as you're not actually circumventing the security per se, but any third party bank/payment processor performing this would very quickly be prevented from taking payments from any reputable bank's customers. Not to mention they'd certainly fail their PCI-DSS audit.

              NFC can't just be boosted, it relies upon electromagnetic induction to power the processor in the chip. The best distance it's been got to work over in a lab is about 20cm. There is also the matter of the end-to-end encryption, man in the middle detection and general latency of the link. On top of that, you've somehow got to stay within 20cm of the card of someone for the duration of the transaction.

    2. Roger Stenning
      Thumb Down

      Re: Ahh, I see a business opportunity

      It's already being filled in part; there are a number of wallets with NFC protection, either full Faraday cage-like shells, or wallets containing partial RF shielding. You can even get them through Amazon. I did. Why? Because NFC payment (what they call CPC or Contactless payment Cards) is now on London buses, and I don't want my NFC-enabled cards (that I did NOT request, they just sent me the sodding things) being read by the reader on a bus - I have a perfectly sound Oyster Card for that.

      Frankly, I'm not at all comfortable (understatement of the freaking century) with the idea of NFC or Pay By Bonk. It seems, from all that I've read, to be too open for abuse, manipulation, error, and screw-up: The tech is just not mature enough for these purposes yet, in my view.

      In the meantime, I'll carry on with good old-fashioned cash (dead easy) and Chip'n'Pin cards (requires deliberate authorisation to complete a purchase).

  5. Anonymous Coward

    All you luddites standing in the way of businesses being able to syphon off your funds easily won't stop progress, even stupid progress like this. Bravo for trying though.

    1. Jay Holmes

      Not quite sure you are on the correct website if you are calling people luddites, but hey ho will treat it as a crap attempt at humour!

      I have no problem with the whole NFC pay by bonk system as long as the security side of things is investigated seriously.

      Up to £20 payments that don't have to be authorised is no good, is there a limit on these before some authentication is required, therefore stopping the criminal element from taking too much, because you know where there's a will there's a way and the fuckers will find it!

      I think the maximum for unauthorised transactions in one go should be £5, and every 4th payment in a day should have to be authorised so the maximum someone could take before you noticed would be £15, (instead of £60, although I wouldn't be happy about losing £15 I could handle it easier than £60 whilst it was investigated!) because the last £5 you would have to authorise. Therefore if you haven't made any payments that day you would definitely investigate where your money has gone!!

      That's just one idea, while doesn't do anything about the inherant (sp) security issues, does put the user in more control.

      1. Anonymous Coward

        @Jay...

        Every nth payment does require a PIN to be entered (although using your card at an ATM or on a normal chip and pin PED zeros the count.) N is a low number controlled by the card's chip.

        You can argue the payment limit either way, personally I don't think that a fiver is a particularly useful amount of money, the banks seem to agree with me, although you differ.

        1. Jay Holmes

          Re: @Jay...

          Thanks for the reply; to be honest I haven't read enough about how the payments are taken or how many payments you can make before you need to make an authorised payment.

          The argument regarding payment limits however is subjective, for example if the limit is £20 and every 4th payment is authorised, potentially if some enterprising criminal figures out a way of scamming these payments (and with the way banks deal with security it's at least plausible) that's potentially £60 gone before you realise. If the limit is only £5, then it's only £15 before you realise which although not great is a lot easier for people to manage. The £5 argument is because the whole idea (if I remember correctly) was you wouldn't need to authorise payments for small payments ie cup of coffee.

          But then if you're raking in the cash I suppose you can afford £20 for a brew lol

          1. Anonymous Coward

            Re: @Jay...

            As far as I am aware, the card will ask for a PIN to be input earlier if transactions are more expensive, but I'm not 100% sure on that, I've certainly heard it talked about.

  6. Dave, Portsmouth
    FAIL

    I Like The Idea...

    I think we should go in that direction, but it needs a major brand behind it to make it take off. The problem isn't the phones, it's the lack of readers / publicity about the readers. I've had a combined Oyster / Credit Card / Wireless payments for ~ 5 years, but I've still never seen anywhere that takes it. That's not to say I haven't shopped anywhere that takes it - just that it's never been obvious to me that it's an option.

    So they can put it wherever they like in my phone, but I'll be left in the same position as now where I don't use it because I don't know where I can use it.

    So, sod the technology, make the existing bank card version work first.

  7. Anonymous Coward

    Not just network operators versus platform owners

    As the article author states. If it was just those two, they could probably come to some agreement.

    But the payment processors want to make sure they get their cut, and that it is at least as large (if not larger) than they get from credit/debit transactions today. This is why they want to link NFC to individual credit/debit cards, rather than phones, and are pushing retailers to install NFC capable readers - not because they care if anyone actually uses NFC, they just want to stop Square or Paypal from installing NFC readers that would cut them out.

    The network operators think that since they're already billing people monthly, they should add all the transactions to that monthly bill and cut the payment processors out. This is why they want to link NFC to the SIM.

    The platform owners, Apple and Google, already have banking/credit card information for many millions of people via their app stores, and would be happy to take that cut instead of the payment processors as well. Not to be left out, the Android OEMs, especially big ones like Samsung, no doubt believe that they deserve this revenue instead of Google. This is why these guys want to install NFC in the device, not the SIM.

    The payment processors and their overlords, Visa and Mastercard, can also play the merchants and consumers off each other. The merchants want to pay lower processing fees, and consumers want the freebies that go with their credit (cash back/miles) and debit (higher interest rates, no fee accounts) cards. Can't have both, so while merchants may try to push NFC if they can get lower fees, they'll have to offer something to consumers to make up for losing their freebies.

    There are just way too many corporations and interests fighting each other who each want all or most of the revenue pie. It is made even worse that one of the players owns this market and will lose their current revenue stream if NFC is adopted in a way that's outside their control. They'll do anything and everything to make sure that doesn't happen. NFC has no chance against all this, even if the very real security issues of a "near field" protocol that can be easily read from 10+ feet away with less than $100 of equipment didn't exist.
