I'd expect..
that this is limited to the credit line of the card? If I have a $30k credit line there's no way the card/system could approve a $999,999 transfer?
Researchers from the UK's Newcastle University have outlined how pay-by-bonk cards can be p0wned by a “rogue POS terminal” running on a mobile phone. To be detailed on Wednesday at the 21st ACM Conference on Computer and Communications Security, the attack is said to rely on a “rogue POS terminal” being set up with a pre-set …
It's my understanding that there is also a limit on the maximum amount Visa will pass through their service for your bank to authorise.
Plus this only works for offline transactions, those low value payments where the cost of a small amount of fraud is offset by the speed and convenience of not having to go online every transaction (e.g. car park ticket machine). No merchant does this with high value items.
There is probably a good reason why they haven't tried this out in the real world, as I doubt it'll work. I would still expect Visa to look into it though to see what (if anything) can be changed to prevent this.
No PIN, no need to prove the card is yours, etc.
So the crims are going to steal money from your credit card company (not you, obviously, what with the transaction being fraudulent n'all) but how are they going to hang on to it? Unidentified?
I understand cloning and buying a Porsche - the crims convert to goods and then sell them on. Good luck with that one. But this requires them to get the cash out of the system, which takes time. For example, my credit card company, if not them all, is fairly tuned up to weird transactions, in which case I get an SMS inviting me to confirm.
While I think about it, the last time I tried to pay by bonk in a supermarket without removing the card from my opened wallet, the terminal got confused by the card in the other half of my wallet. When I pay by bonk on London Transport (tube or bus) the system is less sensitive but does require a firm hand, as it were.
So I'd like to know the physical circumstances in which this could work.
"but how are they going to hang on to it? Unidentified?"
The only way they can do this is if they set up a merchant (described in the article actually). There are quite a few checks and traceability requirements to set up a merchant nowadays. So "setting it up" is IMHO out of the question.
Things become considerably more interesting if you "own" a merchant. Instead of lifting the cards, you add your remote pay-by-bonk terminals operated by the pawns around the world to the merchant transaction system. Then you lift the money out of the merchant accounts. This is a tall order - you need to "own" that merchant's infrastructure top to bottom - interface for POS, transactions, accounts and banking backend. Not infeasible, but probably too much effort for the payback you are going to get for a normal "pay by bonk pickpocketing" in bars and malls. Now setting up a 1.5m parabolic antenna aimed at the morning queue at one of the London subway stations or drive by skimming of bus queues... That may be worth it...
Nope, this has been "bloody obvious" from the start.
A rogue terminal can do whatever it wants.
So if they set it to £20, and just bonk everyone on the tube, they'll get quite a bit fairly fast and probably get away with it.
The entire security of this system relies on the bank's back-end fraud detection. Which is rubbish and slow.
I wouldn't mind so much on a credit card, because consumers have a legal gap to challenge it before payment.
However, on a debit card this can easily destroy someone - if you run close to the edge, a single denied payment can spiral fast!
Sooner or later this will happen.
"So if they set it to £20, and just bonk everyone on the tube, they'll get quite a bit fairly fast and probably get away with it."
I doubt it.
Credit card processors do not immediately release the money. I would say it would be pretty difficult to get the money out before the banks caught on.
While card companies do have moderately responsive systems, even they are not perfect and do sometimes require that you detect the irregular actions. The banks will often turn down the genuine while letting others, shall we say less genuine through. Just look at the hassle if you make a payment with slightly wrong account data. The money is withdrawn faster than you can say hang on a minute. I know that there is a recent attempt to spike those guns but the proof will be in the long term pudding.
Now all I need to do is disable pay by mistake capabilities for the damned cards that I have.
"While card companies do have moderately responsive systems, even they are not perfect and do sometimes require that you detect the irregular actions. The banks will often turn down the genuine while letting others, shall we say less genuine through."
Indeed - and there's a good example of that here. The point of the post is more about Barclaycard themselves being the weak link - but note the two fraudulent transactions mentioned: They'd picked up on the £3 transaction, but thought the £2,000+ transaction was genuine.
To be honest, I wasn't talking about the money being taken from your account. That can, and will, happen.
The point is that most would be picked up by the account holder before the criminals could draw the money from their merchant account (which would be weeks later). The bank would quite quickly, with so many reports, realise the criminal is committing fraud, and put the account on hold.
I have absolutely zero faith in their fraud detection - in any case they have a vested interest in not stopping a fraudulent payment reaching your account.
A few years ago I had a Barclaycard nicked in Thailand. I reported it within the hour, yet two months later on my statement were three transactions for 20 quid or so that were clearly made after I'd reported it. They removed them after I called, but it took an hour and having to re-explain the circumstances to do so. So even with the total clarity of a cut-off time and two months to work it out, they still didn't catch the dodgy transactions. Perhaps cynically, the message I took from that was that they couldn't care less how they racked up the account balance if they could get away with it.
I'm honestly not surprised that this attack is possible; the NFC card payments without any authentication have always looked to me like an accident waiting to happen.
"The flaw could see crims set up a merchant somewhere in the world and then launch attacks in different locations"
Last time I tried to get a merchant account, the bank demanded a fair amount of identity documents as well as lots of other paperwork. I'd imagine these rules are dictated by Visa/MC/AmEx and would be pretty much the same everywhere in the world. So yeah, good luck getting one.
Got a new Visa card from my French bank. It had pay-to-bonk enabled so, without much hope, I asked if it could be disabled. To my considerable surprise the response was "Mais oui.". <click>, <click>, sign this. Job done.
I asked if they had many people asking, the response was "No, mostly just our British customers. It causes problems on the Tube, apparently."
This works well but a shop assistant might get worried about the visibly mutilated card. The job can be done more discreetly by making a small nick with a craft knife, though this really needs an NFC-capable phone to confirm the card really has been snipped.
It's probably a good idea to make a test purchase afterward to verify the card's normal chip & pin function still works - have an alternative payment method just in case.
The lovely young lady behind the counter at my local bank office looked at me funny when I told her I didn't WANT a pay-by-bonk enabled card. (Unfortunately they don't provide any other. And even force me to use the new card well before the expiry date of the old one. Without warning me. The only option is to turn "contactless payment" off on the website and trust them on their pretty blue eyes it won't actually work.)
Heh, my millwright uncle had no problems with the magstripe technology, he says a day at work around any heavy motors degausses them pretty effectively. His maximum life on card readability was about two weeks once.
We'll have to see how chip & pin and NFC fare under that environment.
I have received the following reply from MBNA on the matter...
Thank you for contacting us {Horridbloke}. I appreciate your concerns; however, rest assured that Contactless technology has been extensively tested to ensure the absolute security of your account. This is a new development in the card industry that lets you make a payment for retail purchases without entering a PIN or signing to authorise the transaction wherever you see the Contactless acceptance symbol. Paying with a Contactless card is just as secure as paying by Chip and PIN because it is based on the same secure technology as Chip and PIN. It only works when you hold the card up to the terminal (within 4 cm), so you can't accidentally pay for someone else's shopping, and occasionally you will be asked to make a normal Chip and PIN transaction instead of a Contactless one. There is nothing wrong with your card; this is a security check to limit fraud and would likely occur if you made multiple Contactless transactions within a short time period. For additional security, when you are sent your Contactless card you must first make a Chip and PIN transaction. This is just to make sure it's got to the right person and to enable it to work. In addition, you are still covered for any fraudulent activity on your card just as with Chip and PIN transactions, providing you let us know as soon as you notice any unrecognised transactions on your statement. All our cards now come with Contactless functionality and are perfectly secure. Contactless offers many benefits, but if you don't want to use it in this way you don't have to. We are unable to issue a card without Contactless functionality; however, you can continue to make your payments by Chip and PIN if you prefer. If you log on to the website, click on the tab "Account Home" and you can select the tab "View all transactions", and you will be able to see any transactions in current activity if you wish to monitor your account. Many thanks.
I guess I'll carry on using the craft knife.
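Several posts above argue that the only real protection here is the issuer's back-end authorisation logic: offline no-PIN taps are only meant for low values, multiple taps in a short period trigger a Chip and PIN step-up (as the MBNA reply describes), and an amount beyond the credit line should never clear. The following is an added illustration of such issuer-side rules, not code from any bank, card scheme or commenter; the thresholds, the transaction fields and the sample transactions are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed issuer policy (illustrative thresholds, not any real bank's).
CONTACTLESS_NO_PIN_LIMIT = 20.00          # max amount allowed without a PIN
VELOCITY_WINDOW = timedelta(minutes=10)   # look-back for repeated taps
VELOCITY_MAX_TAPS = 3                     # approved taps in window before step-up
CREDIT_LINE = 30000.00                    # hard ceiling for any single amount

@dataclass
class Txn:
    ts: datetime
    amount: float
    contactless: bool
    pin_verified: bool

def decide(history, txn):
    """Return 'approve', 'decline' or 'step_up' (force Chip and PIN) for txn,
    given the card's earlier approved transactions in `history` (oldest first)."""
    if txn.amount > CREDIT_LINE:
        return "decline"
    if txn.contactless and not txn.pin_verified:
        if txn.amount > CONTACTLESS_NO_PIN_LIMIT:
            return "step_up"          # no-PIN tap above the floor limit
        recent = [t for t in history
                  if t.contactless and txn.ts - t.ts <= VELOCITY_WINDOW]
        if len(recent) >= VELOCITY_MAX_TAPS:
            return "step_up"          # too many taps in a short period
    return "approve"

def run(transactions):
    """Apply decide() in order; only approved transactions join the history."""
    history, results = [], []
    for t in transactions:
        verdict = decide(history, t)
        results.append(verdict)
        if verdict == "approve":
            history.append(t)
    return results

# Constructed sample: three quick low-value taps, a fourth tap in the same
# window, a no-PIN tap above the limit, then an amount beyond the credit line.
T0 = datetime(2014, 11, 3, 8, 0)
SAMPLE = [
    Txn(T0, 4.50, True, False),
    Txn(T0 + timedelta(minutes=1), 2.80, True, False),
    Txn(T0 + timedelta(minutes=2), 12.00, True, False),
    Txn(T0 + timedelta(minutes=3), 9.99, True, False),
    Txn(T0 + timedelta(minutes=30), 150.00, True, False),
    Txn(T0 + timedelta(minutes=31), 999999.00, True, True),
]

if __name__ == "__main__":
    for t, v in zip(SAMPLE, run(SAMPLE)):
        print(f"{t.ts:%H:%M} {t.amount:>10.2f} {v}")
```

The point the thread makes still stands: all three rules run at the issuer, so a terminal that lies about the transaction type or currency is only caught if the back end actually checks these fields.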
"This is a new development in the card industry that lets you make a payment for retail purchases without entering a PIN or signing to authorise the transaction wherever you see the Contactless acceptance symbol."
This sentence quite clearly says that all contactless transactions are by definition unauthorised. Good to know.