PHONE me if you feel DIRTY: Yanks and 'Nadians wave bye-bye to magstripe

Whenever I dump my load, I don’t feel the need to swipe. Swiping is far too dirty for me. I’d rather just lightly touch, lift up my trousers and walk away. Having slipped the touch-and-go debit card back into my wallet and collected my load of clothes shopping that I had dumped at the till – why, what did you think I was …


  1. John Tserkezis

    Ironically, here in Australia, some have blabbered trying to make NFC on cards disabled by default, and only available if you specifically ask.

    They claim that card fraud has jumped up with the advent of NFC, because it doesn't need any verification for less than AU$100.00. Of course, this only applies to stolen cards for the short time the original owner doesn't realise it's gone. Thieves can still squeeze a fair amount of stuff in that time though.

    It doesn't help that the scaremongers talk of pocket swiping with NFC. But that only applies to close proximity of the cards, meaning the wallet has to be thin, and the pants have to be tight. Feel free to make fun of THAT demographic...

    1. Richard 12 Silver badge

      The usable range is longer than you think

      Sure, using most of the certified CE-marked readers, the range is only about 5-10cm

      Using a high-powered antenna package, you can get several metres - this is used in other RFID systems, eg automated warehousing to count widgets on a pallet.

      However, 5cm is still easily enough to swipe a few hundred cards while on public transport or walking down a busy street.

      5cm thick trousers are somewhat less common than casual plate armour.

      To some extent, one protection is to fill your wallet with many contactless cards so they all clash.

      Or chain mail. That probably works too!

      1. DaveDaveDave

        Re: The usable range is longer than you think

        The hard part of stealing contactless payments isn't triggering the cards, but collecting on the money without getting caught. You'd need access to some legitimate seller's account at the very least, but you've also got to get paid before anyone notices their money was nicked.

    2. Anonymous Coward

      > They claim that card fraud has jumped up with the advent of NFC, because it doesn't need any verification for less than AU$100.00. Of course, this only applies to stolen cards for the short time the original owner doesn't realise it's gone. Thieves can still squeeze a fair amount of stuff in that time though.

      It takes the better part of a second for a stolen RFID ident to travel to places where the limit is higher. As a matter of fact, AUD 100 is roughly £45, which makes it 50% higher than the UK limit so expect lots of people travelling to Oz who will never actually get there.

      The massive problem with NFC is that you can pay without knowing it. I am sure this is intentional by shops (makes impulse buy that much more likely), but as I have said (many times) before, if a credit card company voluntarily limits its own ability to get you into debt (which is where they make your money) you ought to start wondering why - here is that "why".

      Even with a mag swipe you have some idea where you had the card in your hands to pay, ditto with a PIN, with RFID you do not and payments can be kept low enough not to show up on your bill, so you better get a wallet with shielding.

      And, of course, RFID and CHIP do bugger all against Internet theft which must have taken over physical cloning years ago as it's so much less risk for the crims. I haven't checked, but given that databases are stolen with embarrassing frequency I reckon it must have happened years ago.

      > It doesn't help that the scaremongers talk of pocket swiping with NFC. But that only applies to close proximity of the cards, meaning the wallet has to be thin, and the pants have to be tight

      In lab conditions you get to about 2 meters, in real life it's about 1 meter if you want a reliable one-shot read. You seem to confuse the deliberately bad receivers in the card terminals with actual limits of the radio technology in question. Indeed, in the early days of RFID it did happen often that people were paying who were still queueing and thus paid for someone else's goods (pretty much how thieves would like it).

      By the way, leather or fabric does nothing to shield RFID, so good luck trusting your leather wallet and trousers. As far as RFID is concerned, you're naked...

      1. Credas Silver badge

        1) The crims aren't going to be able to clone the chip, so usable copies of your card aren't going to be flying around the world within seconds of a theft;

        2) The ability to make devices able to communicate with the NFC element over distances of a couple of metres is irrelevant to the question of whether inadvertent payments are possible; the readers in payment terminals (deliberately) only work over ranges of a few centimetres.

        1. Dan 55 Silver badge
          Pirate

          In Spain you're getting one whether you like it or not and if you don't like it you can go to another bank where they do the same. When you activate the card you get NFC, there's none of this "put your PIN in the first time when you pay by NFC to allow NFC payments without PIN in the future".

          So I cut the antenna in mine and tested it with the NFC feature on my phone (the only time I've used it). I ain't paying, or having my cards stolen, or getting cloned without me putting my PIN in, thankyouverymuch.

          Icon may contain sharp blades.

        2. Anonymous Coward

          The idea is that a crim will use a higher-powered antenna (perhaps hidden in a sleeve) attached to an otherwise-legit unit that makes the thief for all purposes look just like a merchant. They aim, blast the NFC card, and walk away before the mark has any idea what happened.

          I think this is one reason the card companies are more enthused about Apple Pay and now Android Pay. First, they can't be skimmed without you noticing. Most times, you have to turn on the phone, and IIRC both of them require you to use a security sequence. Also, both are using tokenization systems like the Chips, meaning the numbers being transmitted are nonces, anyway, useless for a replay attack even if this number were stored and the database hacked.

        3. Rich 11 Silver badge

          Credas, I honestly wonder why the bank's PR department bothered employing you.

      2. P. Lee Silver badge

        re: protecting your NFC cards

        I keep mine multiple ones together - myki, credit and debit. That normally foxes the legal readers (I'm not sure about the illegal ones - I'm just a bit hopeful) as you have to take them out of your wallet rather than just swiping the side of your wallet against something.

        1. Neil Barnes Silver badge
          Flame

          Re: re: protecting your NFC cards

          I have to agree with the above posts: no doubt I will be considered a stone-age relic, but when I make a payment I want the physical act of *making* a payment, not some vague 'wave this at that and hope the right thing happened'. I don't insist on cash, but I do insist on a pin entry.

          I can't help noticing that in *every* case where technology has been introduced to 'make it simpler for me to pay' the benefit has been more to the seller than to me. Perhaps I'm just not the target demographic.

          1. Bleu

            Re: re: protecting your NFC cards

            Probably not (the target demographic). Neither am I. I can use my phone for payment, from years ago, never do.

            I finally bought one of the Japan Rail system cards, to save a few yen on a stamp rally (you collect stamps at different stations, but they are always outside the wickets).

            I always keep its 'charge' as low as possible, because one can be sure that they do something with the accumulated capital.

            Actually, I should look more closely into that.

            Otherwise, I always use, I don't know the English, multi-trip tickets (not commuter pass, workplaces too irregular, 11 for the price of 10) or cash.

            Other places, sometimes the card is cheaper than a paper ticket, sometimes more expensive. Always only a few yen. The railways are scrupulous about the rounding.

            When I occasionally use the NFC card, I never charge into the wicket without checking that I have enough to enter, it is so irritating when using a physical ticket, when someone who only uses a card, barges in to one of the few wickets that take physical tickets (they all take NFC in and around here), doesn't have enough 'charge' and blocks the gate.

    3. jockmcthingiemibobb

      I sorted out my latest credit card. Hold card to bright light, melt hole through induction loop. Problem solved.

  2. Malcolm Weir Silver badge

    Mr D... you are sadly mistaken if you think us N'Americans have adopted chip-and-pin. The whole "remembering the pin" thing is apparently too complex for the average user, so all those chip-enabled cards actually implement "chip and signature", presumably so that thieves are not inconvenienced by the change, only those who try to create fake cards.

    1. Anonymous Coward

      > The whole "remembering the pin" thing is apparently too complex for the average user

      Ah. Finally an explanation why they still don't have sensible gun licensing laws. I knew we were missing something :)

      1. Anonymous Coward

        I dare say that in most of the states, they're more than sensible. Nanny states excluded.

    2. Dan 55 Silver badge
      WTF?

      How do you get money out of ATMs then?

      1. Charles 9 Silver badge

        "How do you get money out of ATMs then?"

        Chips are only being applied to credit cards (actual ones) at the moment.

        1. Dan 55 Silver badge
          WTF?

          You can't get a cash advance with a credit card out of an ATM with a PIN?

          1. Blake St. Claire

            > You can't get a cash advance with a credit card out of an ATM with a PIN?

            Sure, with a hefty fee attached.

        2. Gene Cash Silver badge

          > Chips are only being applied to credit cards (actual ones) at the moment.

          Nope, I've got an email that a chipped replacement for my Chase *DEBIT* card is coming in the mail this week.

      2. John Bailey

        "How do you get money out of ATMs then?"

        Wiv a sledge hammer..

      3. Bleu

        Some people

        seem to have done well at getting money from ATMs with construction or earth-moving equipment, mechanical shovels and the like.

      4. grumpyoldeyore

        > How do you get money out of ATMs then?

        Like this? https://www.youtube.com/watch?v=fafCK6j8hx4

    3. Anonymous Coward

      The PIN will come later and is already an option for those of us planning to travel abroad and need it. That doesn't require new hardware beyond what's already going out. For right now, the Credit Card companies are content for the moment with preventing replay attacks using hacked databases (Target, Home Depot) or the PIN Pad switcheroo.

    4. s2bu

      PIN

      Not all. My Target credit card not only doesn't have a magstripe at all, but it's only chip+PIN. No signature accepted at all.

      1. Charles 9 Silver badge

        Re: PIN

        They must expect you to use it ONLY at Target. Target happens to be one of the few places that have turned on their Chip readers (Walmart is another).

  3. Evil Auditor Silver badge

    Cruel and unusual punishment

    Swipe cards for hotel rooms, that is. And no, they never - NEVER - open the door on first attempt. A few months ago, in a HK hotel, I had to get a newly written card each day. Until I figured that the occasional proximity of the card to my magnetic money clip rendered the card unreadable. Not that both were even in the same pocket.

    1. Fred Dibnah

      Re: Cruel and unusual punishment

      Door card in same pocket as phone usually equals unreadable card. Also, hotel door cards are actually quantum devices, as they have three states:

      1. Doesn't open the door

      2. Turned over and doesn't open the door

      3. Turned over again and does open the door.

      USB plugs are another example.

      1. RoboticRabbit

        Re: Cruel and unusual punishment

        Actually I believe USB plugs are 4 dimensional. Probably the same holds true for door cards.

      2. willi0000000

        Re: Cruel and unusual punishment

        USB plugs are merely spin ½ devices . . . they have to be turned over twice to turn them over once.

    2. Cameron Colley

      Re: Cruel and unusual punishment

      One hotel I stayed at I had to ask for two new cards in the same day and a new one on two subsequent days. I didn't keep the cards near my phone and while they were kept in the same pocket as my wallet they weren't touching the magstrips on either of my cards and there's nothing magnetic in my wallet.

      I've a feeling (backed up by Mythbusters) that the whole mobile phone causing issues (with magstrips and NFC and other RFID) is a myth anyhow -- I just think that many people keep their various cards near their phones and that the cards are prone to failure and the two are unconnected.

      1. Martin an gof Silver badge

        Re: Cruel and unusual punishment

        > I've a feeling (backed up by Mythbusters) that the whole mobile phone causing issues (with magstrips and NFC and other RFID) is a myth

        The magnetic cover on my phone definitely wrecked the door card at a hotel recently. Fortunately at that particular hotel they'd given us two cards per room anyway.

        That hotel chain expected you to put the key card in a holder inside the room in order to switch the electrics on. One only gave us one card per room which was really *really* convenient when I need to leave the room to get something from the car and leave the children in the room. In the dark. That was until I tried an old work ID card that I keep for scraping the ice from the car. Turns out the electrics switch is purely mechanical :-)

        We were on a road trip and stayed at four different hotels in the same chain. Two used mag stripe cards, one used RFID cards and the last used keys - real metal turn-in-the-lock keys. Fantastic.

        M.

  4. Anonymous Coward

    Money clip? How 1970's :)

    1. Evil Auditor Silver badge
      Happy

      So are magstripe cards!

  5. firu toddo
    Happy

    Door Access?

    Pah! I spit on your two cards. Right now, for one organisation, I have a magswipe card for the outer office door, two different pins for inner electronic locks. An RFID card for some other doors, another RFID token for some other doors, a mechanical lock code for some other doors and a pin for the other RFID token to get into another building.

    The staff canteen is cash only.

    1. TRT Silver badge

      Re: Door Access?

      At my place of work, you have to have a swipe card for almost everything. Main building is coded as a G swipe. Want to get into the other block? You need a B swipe. To get into the secure animal facility, you need an X swipe. For the lift lobby, you'll need an L swipe. And if you're going to the toilet, better make sure you have an R swipe.

      1. Keven E

        Re: Door Access?

        > ...better make sure you have an R swipe.

        Impressive!

    2. Evil Auditor Silver badge

      Re: Door Access?

      Are you sure that you actually work there and are not just part (i.e. guinea pig) of a neo-kafkaesque experiment?

  6. Baudwalk

    "the Joliet-standard verbal password"

    The Rock Ridge extensions were much more reliable.

    But of course only worked on some systems (glass doors).

    1. Anonymous Coward

      Re: "the Joliet-standard verbal password"

      > The Rock Ridge extensions were much more reliable.

      Personally, I like the Gordon Freeman extension to open up recalcitrant doors.

  7. Phil Miesle

    chip and WTF

    Slight nuance: Visa/Mastercard/etc are requiring terminals to do chip-and-signature. However, that does not preclude individual banks from supporting chip-and-pin ... and fortunately most terminal devices will support PIN signatures since EMV became standard throughout the civilised world quite some time ago.

    Trick is that small businesses will just keep accepting only magstripe, since the change-over cost has been made too prohibitive for their margins.

    And of course even here in the civilised world, our cards have magstripes with info on them as a "backup" entry method. We can of course only be saved by a Jobsian device.

    1. Phil O'Sophical Silver badge

      Re: chip and WTF

        > Visa/Mastercard/etc are requiring terminals to do chip-and-signature

      By which they mean those etch-a-sketch terminals with a stylus that produces a squiggle bearing no resemblance whatsoever to my signature?

      1. stucs201

        Re: etch-a-sketch

        More like the world's worst magna doodle.

      2. Anonymous Coward
        Devil

        Re: chip and WTF

        /quote

        By which they mean those etch-a-sketch terminals with a stylus that produces a squiggle bearing no resemblance whatsoever to my signature?

        /quote

        Ha. I only ever make an X* on those things.

        * they typically won't accept simply a '.'

        Edited to say that the next time I have to use one, I'm going to pretend I'm a kid coloring....and black out the entire display.

      3. Adam 1 Silver badge

        Re: chip and WTF

        > etch a sketch/magna doodle/etc

        Spare a thought for us lefties. The string the pen is connected to is always too short for holding the pen at a comfortable angle, so they usually get something that resembles a three-year-old's first attempt to write their name.

    2. James O'Shea Silver badge

      Re: chip and WTF

      "Trick is that small businesses will just keep accepting only magstripe, since the change-over cost has been made too prohibitive for their margins."

      Here in Deepest South Florida lots of small businesses are now requiring Official Gubmint Pic ID be shown for every charge above $25, 'cause they don't have the new card readers, 'cause the new readers cost too damn much. http://www.mypalmbeachpost.com/news/business/deadline-for-new-chip-credit-cards-looms-but-are-r/nnnqP/

    3. captain_solo

      Re: chip and WTF

      "Trick is that small businesses will just keep accepting only magstripe, since the change-over cost has been made too prohibitive for their margins."

      The problem with this is that the "liability shift" being implemented in Oct. offloads the costs of a security breach from the issuing bank to the small business if they don't spring for the new kit and the card is compromised - basically whoever's payment network tech is "lower" gets stuck with the bill. So the potential cost of not upgrading is likely much greater especially since the swipe card will be the low hanging fruit as even a chip/signature card is harder to counterfeit than the old school cards. That shift wasn't mentioned in this article, but it's the reason we are seeing a rollout of these devices actually happening in the States. The banks would have been fine with it, but the millions of POS terminals that required capital investment by a variety of large and small businesses were slow on the uptake, hence the boot in the arse. Mastercard actually said they were hoping it wouldn't actually end up shifting liability around, but would instead drive fraud out of the system...I guess we'll see.

  8. Banksy

    Redundancy

    The only good point I can think of for magstripe is as a back up method of your payment being accepted in the event of a problem with the chip on your card or some other tech snafu.

    1. thomas k

      Re: Redundancy

      But isn't having a "back up" magstripe sort of defeating the purpose of switching to chip-and-whatever?

      1. Charles 9 Silver badge

        Re: Redundancy

        ONLY for those terminals that won't take chips. Otherwise, the regs state that if you swipe a chip card, the pad's supposed to prompt you to use the Chip instead.


Biting the hand that feeds IT © 1998–2019