RFID visa cards
These have been in use here in Singapore for ages already. But, much like Londoners with the Oyster card, we're very, very used to RFID systems and paying with RFID systems, so it's no big deal here.
The Halifax bank is enrolling unsuspecting customers in trials of a new generation of RFID-enabled bank cards, and trying to keep them in the program even if they have misgivings about the wave and pay technology. PayWave allows punters to debit their account without having to enter a PIN or sign for goods valued at less than …
Oh, neat. They can make it cost you much more than £10 to challenge a fake payment. So very few people will bother going through all the hoops.
Then they point out that very few people are successfully claiming for fake payments, which proves that there are very few fake payments, which proves that the cards are secure.
Once the cards are (by force) generally accepted then they can start bumping the £10 limit up.
Arguably, making your data available to an RFID scanner is caught by the Data Protection Act. Therefore your bank require your consent, which can be withdrawn. Worth a punt - banks crap themselves at the mention of the DPA. My DPA complaint to a well-known bank over spamming me with adverts in their online secure messaging system led them to withdrawing it across their entire system.
Someone quoted that.... "Unfortunately, Mastercard says that RFID-free cards are no longer available."
These touch and swipe cards are averagely secure, not especially insecure,
There was one proof of concept of a relay attack on an eCredit card; it seems the early ones had pretty loose challenge/response timing windows, such that someone could skim data from your card from a 20cm distance 'in the street', then use WiFi to route this to an accomplice who was able to successfully complete an internet purchase. Talking to eID industry representatives, "they are fully aware of the security problems and are making sure that soon this will not be possible". The big advantage of the eCredit ePayment card is the "tap & pay", for instant purchases of newspapers, concert tickets (by tapping an active Pop poster in the 'tube), cups of coffee etcetera. It is likely that the European citizens' card or a range of mobile phones coming in about 2010 will implement the full range of facilities: eID, ePass, eCredit, eHealth entitlement, eEtcetera. I'd say to an ecard owner that now you have the card, you've bypassed/survived one of the biggest threats, which is RFID scanning mailbags, and crims selectively stealing the RFID-enabled letters, be they credit cards or electronic passports.
As to the actual threats that you would now face, they are extremely remote - at present, but will likely grow. I have an HP PDA 4700 with added NFC (13.56MHz) RFID, but I wouldn’t be able to use it (for ethical) hacking till I successfully manage to dump WinCE and load Linux. This has Wifi and enough power to do the relay from a short distance, upcoming Software Radio devices may also be programmed as tools, but again, I’d say you probably have a 5 year ‘usual problem’ timespan before any ‘new problem’ attacks become widespread. Hopefully this timespan will be enough for the CC & eID companies to develop better more robust products. Watch for problems if they drop 13.56MHz NFC and head for EPC Global 900MHz ’supermarket’ RFIDs as they *can* be read at 20 metres. have fun (I believe the apt phrase is "always connected, always on": Internet of things)
.....the shiny Alcan-extra-wide coat please
"[Apacs] believes fraudsters will not be bothered with collecting lots of small sums when they could garner more from other scams. Halifax says all banks will honour money-back guarantees if cards are compromised by fraudsters."
I like the way the concerns about people walking around, say, the tube with a battery-powered scanner modified (amplified) for larger-distance scanning have been addressed! 'Scammers simply won't be bothered to rip these off.'
It's a terrible idea. I could easily set up a shill business as a sandwich shop or whatever, then make my real, tax-free, proper income scanning cards on the underground/other busy public place all day, and charging say £9 per hit... even just a hit a minute yields me a healthy £540/hour... or £2160 for a 40 hour week.
1) They say that thieves and the like don't go for small sums... most Londoners will remember the press stories about the fights between rival gangs over the rights to steal from parking meters (small sums add up).
2) "create a niche market for security firms"
- so let's create a new problem for new services we can pay for to solve it!
A more cynical person would point to the anti-virus industry, who have an interest in there always being viruses, so might encourage their development if Windows ever became more secure.
You have to admit, the idea of technology that can take payment without your consent is dangerous. Take the Oyster card: that's a good implementation because the readers are so low powered, they fail to register the card about 1 time in 10 :) It's also a closed system, so the worst someone could do is send a fake station signal deducting extra money from your card.
I think the banks have missed a trick with this idea, the system shouldn't rely on a £10 limit to make fraud pointless, it should be the customer that sets the amount of money that's available on the Paynwave section and the screens should have flashed up the remaining balance at the end. If someone wanted to opt out, they simply leave that balance at £0.
...of banks taking liberties with customers and their accounts. My Bank (Lloyds TSB) are in the process of changing "partners" on their credit cards from Visa to Mastercard. No consultation, one announcement, then new cards delivered superseding the old ones. (don't know if they're RFID'd or not)
Of course, LTSB have taken care of all the "front end" processes in setting up the new accounts (done without my permission!) but the customer has to do all the donkey work when it comes down to setting up any on-line payments, or existing regular accounts, including setting up a new recipient so I can pay the damn credit card via the on-line banking.
I shudder to think what the possibilities for error in "universal" non-contact payment world are likely to be (not LOW for sure). Hard enough to prove fraudulent use as it is, never mind the possibility of your 'chip' being tracked everywhere you go!
This madness must stop.
I for one can't wait for this technology to be rolled out. I'm fed up of having to carry cash with me. Of course these will never totally replace cash and it'll take a while to even begin to do so.
The security worries of these cards aren't my problem, they're the banks. So long as I make sure no one gets my PIN I'm not liable for any fraudulent transactions, the banks are.
once this technology is wide spread, we won't even notice that the car parking fee, price of the newspaper, tube fare, etc has increased yet again.
Obviously also plenty of room for dodgy things to occur at Car Boot Sales and as you walk by any number of street hawkers. Lucky heather to a bus load of punters in one trip to the next stop, cheap at only £9.99 a pop.
And when was the last time someone bought a ticket for a concert at less than £10 ?
Along with the price of calls to 0845 and 0870 customer service people to make a complaint !!!!
It makes me wonder just who is doing the skimming on this one.
Short shelf-life of stock, very variable sales, a lot of waste.
You could easily add 10% to the business income without anyone noticing, and who'd make a fuss about flowers that didn't get given to their wife?
Of course, being an ex-florist might get you a job with the revenue.
Your ambitions are so limited! Me, I'd simply get close to a people smuggler, then get dozens of illegal immigrants to do the scanning for me. We've already seen how the Police have zero effect due to the useless immigration system, most illegals caught committing crimes are back doing the same thing in hours. With a crewmaster running a few dozen illegals with scanners, and half-a-dozen front companies pretending to be legit kiosks, you could quite easily turn all those little £9.99 transactions into millions a year. At worse, a few illegals get deported (very unlikely) whilst I rake in the dough courtesy of the stupid greed of commercial banks.
If I can think this out in a few minutes, do the banks really think all those pro crims haven't already started putting their plans in action?
It seems to me that the real issue here is not about the card, it is about the liability for fraudulent losses. If the banks foot the bill and the claim process is easy and cheap then I don't have a problem with contactless cards (assuming that I consented to receive one in the first place) but if they are also shifting the cost of fraud to the consumer then I wouldn't touch one with a 100 linguine pole.
I would be very interested if The Reg could publish a copy of the terms and conditions for these contactless cards.
There were initially some problems with people skimming card details from AMEX cards in America, then using them for internet purchases. They stopped this practice by simply giving cards two numbers: one printed on the card, and a separate number for the RFID. That way, if someone skimmed your RFID number it would not be accepted online, as AMEX could tell there was no way for you to access that number from your card, so it must have been skimmed.
A simple solution.
"[Apacs] believes fraudsters will not be bothered with collecting lots of small sums when they could garner more from other scams. Halifax says all banks will honour money-back guarantees if cards are compromised by fraudsters."
Oh sure. So lining a picket-fence with RFID-ipaqs that lift off £9.99 per pass (remember, you can have many of them) is something people will not be bothered to do?
Maybe we need some proof-of-concept hack to do this. How about setting up a solution with such scanners every few metres between the bank and where the bank manager parks his car. This could prove one of two things: that his account can be tapped, and that this security of his is like Nessie (often talked about, but rarely seen), or it could prove that he KNOWS the cards are shite, and won't be using them himself.
Proving that the bank administration hangs onto their old cards, would basically prove that they are lying through their teeth about this being secure enough for "ordinary people".
Both versions are ok with me, as long as we can shoot this idea down in London, before it can infect the rest of Britain, and more importantly (for me) the rest of Europe.
I'm not an expert on debit card history, but wasn't chip and pin (fairly) recently developed so even if you managed to steal a card it's effectively useless? Now mugging for debit cards is worthwhile again: before you've been to the police and got a crime number and then called up the bank, they could have rattled up £100 in "small" charges, hundreds of copies of the Sun for all their partners and illegitimate children, and if a cunning clothes retailer adopts the scheme they could rake in a fortune in illegal card purchases if they make Burberry knock-off hats for £9.99.
Whereas before, when a debit card was stolen it was effectively useless, now it'll be usable by any half-wit on the street. Lots x £10 is greater than None x Everything you've got (covered generally by fraud protection).
So the card approves these transactions, and I am PRESUMED to have authorized it?
So my kid, wife, cleaner, etc. can use the card without needing any pin number or signature from me, and I am assumed to be OK with this?
Oyster cards are bought for the approved purpose, you wanted to use the transport and bought the card especially. There is also manual top up available, and a 90 quid limit, letting you cap the losses if the card is used by someone else. And you know the service the card is used for because it's an Oyster card. And there's no cross leakage of information because the Oyster card doesn't have same ID as the card used to buy food, or the card used to pay for pr0n.
But this card, you don't control the services it's approved for, don't have to approve each use of those services. And it's a single ID whose transactions can be mined.
Chip & Pin : Each instance of each service has to be approved with pin. Owner has full control, but even so they worry about getting the pin nicked.
Oyster: The service transport is approved; after that, each instance of its use doesn't have to be approved. Safeguard is a 90 quid cap. ID doesn't permit data mining.
This: No instances of any service have to be approved as long as they're less than 10 quid each instance. No verification of carrier as bank account owner done. Forced on people who don't want it. Has a single ID that can be read everywhere.
So yes it's a bad thing.
As a Hong Kong Chinese Londoner (try saying that quickly 3 times!), I'm also used to the use of RFID cards. Basically, in HK, it started out the same way as the Oyster (because they nicked it off us, bloody Ken Livingstone), being a contactless way to pay for TRAVEL, but then migrated to paying for most convenience or fast food stores e.g. McDs and 7-11.
Personally, I knew the Octopus card idea (the one Ken lifted) would come to London, as it made sense. I haven't heard anyone complain of security problems in HK or Oyster cards here (except big brother tracking), mainly because as soon as you report it stolen, they freeze the card!
Although one thing I don't like is the auto opt-in approach: we should be able to choose whether or not to use it (I just chose to use it).
Think about it - you're on a normally-crowded train, bus or tube, and your Tap'n'Pay is in your pocket.
You get squished into the corner, and your pocket is pushed up against a poster for something...
Or you're walking along one of the narrow corridors in the tube, and happen to get too close to a poster...
- And you immediately get charged for it!
In France, we have a system called monéo : Not contactless, but uses the embedded chip in (almost) every credit card issued.
The reader is not wireless, but requires the user to insert the card into the reader.
The monéo account is a pre-paid credit: you charge it up in banks and post offices, up to 100 euros.
The system works on a similar principle: you charge your standard credit card with up to 100 euros, then use it to make small purchases without having to use the PIN code or countersigning. If you lose the card, you lose up to the 100 euro credit inserted on the card. If you do not want to use it, do not charge it, and the card still works as a classic Visa if you pay and punch in your PIN code.
The bastard is that the banks, after your first monéo credit, start charging you a couple of euros per month for the privilege...
Mine's the biker jacket covered in ally foil...
If your bank does send you one of these, just pop it in the microwave for two seconds on high. Not sure what it'll do to the magstripe, but it'll fry the rfid nice and good.
The other alternative that I've heard is discharging an instant camera flash through a wire coil around the card.
I don't know what technology these swipe-happy cards like Oyster use, but as I've got 2-3 already in my pocket, they go snafu all the time; obviously they don't like being in close contact with other similar cards. I've changed my Oyster 3 times this year. How amusing will it be having to change your bankcard every other month too!
A possible improvement- up to £10 a transaction goes un-pin-requested BUT there's a maximum of £50 non-pin-requested per day. And you can't take cash- from ATM or cashback in shops- out on a non-pin-requested transaction, which means that any further transaction locations can be recorded by the banks. Which should aid the police when they go to administer the sternly-worded warning and slap on the wrist.
And as someone pointed out above, an AMEX style system with non-RFIDed information for online purchases would be a great idea too.
While I can't imagine the average chav-in-the-street would be able to rig up some sort of an RFID-enabled kiosk as detailed above, I reckon that most Reg readers could.
This rollout is only going to lead to trouble. Reg readers, unite to screw up this ridiculously insecure technology before it costs you your hard earned beer tokens!
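The per-transaction ceiling, daily no-PIN cap and no-cash rule proposed in the comment above, together with the AMEX-style separate number for the RF interface mentioned earlier in the thread, can be written down as an issuer-side authorisation policy. The block below is an added example for this page, not code from Halifax, Visa, AMEX or any commenter; the limits (£10 per tap, £50 per day), the PANs, the channel names and the sample transactions are all invented for illustration.

```python
"""Toy issuer-side authorisation policy for a contactless ("wave and pay") card.

Added example, not code from any bank or card scheme. Rules encoded:
  - a single no-PIN tap may not exceed NO_PIN_PER_TXN;
  - cumulative no-PIN spend per day may not exceed NO_PIN_PER_DAY;
  - cash (ATM/cashback) and online purchases always need cardholder verification;
  - the number emitted over the RF interface is a separate PAN that is only
    ever valid on the contactless channel, so a skimmed RF number is useless online.
All limits, PANs and transactions are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

NO_PIN_PER_TXN = 1_000   # pence: £10 ceiling for a single no-PIN tap (assumed)
NO_PIN_PER_DAY = 5_000   # pence: £50 daily no-PIN cap (assumed)


@dataclass
class Card:
    contact_pan: str                 # number printed on the card, usable everywhere
    contactless_pan: str             # number only ever sent over the RF interface
    # running no-PIN spend in pence, keyed by "YYYY-MM-DD"
    no_pin_spent: dict = field(default_factory=lambda: defaultdict(int))


@dataclass
class Txn:
    pan: str
    amount: int                      # pence
    channel: str                     # "contactless" | "contact" | "online"
    cash: bool                       # ATM withdrawal or cashback
    pin_verified: bool
    date: str                        # "YYYY-MM-DD"


def authorise(card: Card, txn: Txn) -> tuple[bool, str]:
    """Return (approved, reason); updates the card's daily counter on approval."""
    # Channel binding: the RF-only PAN is refused on any non-contactless channel.
    if txn.pan == card.contactless_pan:
        if txn.channel != "contactless":
            return False, "contactless PAN used on non-contactless channel"
    elif txn.pan != card.contact_pan:
        return False, "unknown PAN"
    if txn.pin_verified:
        return True, "PIN verified"          # ordinary chip-and-PIN rules apply
    # Everything below is a no-PIN (tap) transaction.
    if txn.cash:
        return False, "cash requires PIN"
    if txn.channel == "online":
        return False, "online requires cardholder verification"
    if txn.amount > NO_PIN_PER_TXN:
        return False, "over per-transaction no-PIN limit"
    if card.no_pin_spent[txn.date] + txn.amount > NO_PIN_PER_DAY:
        return False, "over daily no-PIN cap"
    card.no_pin_spent[txn.date] += txn.amount
    return True, "no-PIN approved"


def demo() -> list[tuple[bool, str]]:
    """Run a constructed day of taps against one card and return the decisions."""
    card = Card(contact_pan="4000000000000001", contactless_pan="4000000000000002")
    day = "2008-01-15"

    def tap(amount, pan=None, channel="contactless", cash=False, pin=False):
        return authorise(card, Txn(pan or card.contactless_pan, amount, channel, cash, pin, day))

    results = [tap(999) for _ in range(6)]            # six £9.99 taps: only five fit under £50
    results.append(tap(1_001))                        # £10.01 tap: over the per-tap ceiling
    results.append(tap(500, cash=True))               # £5 cashback without PIN
    results.append(tap(500, channel="online"))        # RF PAN skimmed and replayed on the web
    results.append(tap(6_000, pan=card.contact_pan, channel="contact", pin=True))  # £60 fuel, PIN
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print("APPROVED" if ok else "DECLINED", why)
```

Note that the daily cap is what turns "£10 a hit, all day" into "£50 per victim, then a PIN prompt"; the per-tap ceiling on its own does nothing against many small hits.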
IIRC the original limit touted for contactless payments was £50
The security of it depends on how it has been implemented. If it is a wireless interface on the EMV chip then the security on it will be the same as for Contact payments with the obvious issue of a high powered reader walking around the tube.
The EMV encryption key uses RSA and is being progressively extended in size related to estimated time required to break by brute force.
If a mobile reader had enough time to connect to the card, break the encryption key and then read the PIN block (yes, EMV cards hold your PIN number and a value that represents the trustability of it. If trustability is high then it might only initiate a connection to the bank's main records 1 in 10 times; if low it may always do it. You can generally tell when it does it if you visit the same shop regularly, as you will soon notice the speed difference between the 2 routes to PIN acceptance).
The dual interface chips were new technology around 4 years ago.
Before that the chips held an unencrypted string of characters.
If you visit a self service petrol pump you may notice that there is no Pin Pad connected to the reader/screen. EMV allows pinless payments through the contact interface. So if mugged for my Debit Card I would be more worried about how many tanks of fuel (Tescos allow up to £60 per transaction) the mugger can get before the bank block the card than how many £10 transactions.
Money is information. The physical money you may ,or may not, have in your pocket is just a token; I promise to pay the bearer on demand the sum of 'X'.
Money is information. Most money exists as a pattern of ones and zeros magnetically encoded on any number of hard drives, tape drives, mass storage devices.
Money is metaphysical. Pay and wave is the next logical step to waving goodbye to your money.
Your money? Surely the Banks money? I know mine is.
Tin foil wallet please.
If transactions are limited to 10 pounds then that is already an acknowledgement of the increased risk. If there was no change in risk why not let these things work for hundreds of pounds as with normal cards? Conversely if a risk is acknowledged, why allow any transaction? 10 pounds is a lot of money for some people - I notice the bank didn't offer Pete 10 pounds compensation, for example.
As already pointed out, I know my PIN and can keep it secure. When that is proxied by this technology it takes me out the loop. That is bad. For the sakes of liability, however, what's the betting that the bank would keep the customer firmly IN the loop?
These are risk decisions for the customer - ie those to whom the money belongs - to make, not the bank.
Re: I am not the card
You're utterly correct. But it seems to me that this system is already in place with Chip+PIN. It always spooks me out when you use a Chip+PIN card in Pret a Manger and they don't ask for a PIN. Something about it just feels "not right". That aside, what does RFID offer that Pret a Manger's Chip+PIN solution doesn't?
"What ever happened to the Mondex scheme where the payment card was pre-charged with money up to a limit the user was happy with?"
They trialed it when I was at Aston University ten years ago. No-one used it because of the fannying around involved in charging up the card. And, the perception of Mondex was "lose your card, lose your money", compared to the perception of debit/credit cards, where it's more like "lose your card, tell the bank, don't lose your money". It was dropped within a couple of years.
My prox card for work, if you hold it up to the light, you can see the brains. Just apply a hole punch, and it's gone. I also disabled it once by accident punching a small hole in the edge, because I nicked the antenna.
As long as you can swipe the magnetic strip and don't mind doing so, there's your security. As a bonus, you can thread a string through the brain-hole and use it for a tether.
And that something is the receiving retailer portion. It's all very well you all saying that you could knock up a skimming system (assuming you've bypassed the crypto system on the card) and then read £10 from passing strangers, but into what exactly?
A legit terminal connection will be needed to download the "cash" into your merchant account at the bank (emulating that you are a real card reader playing back the victim waving his card on your unit), so that'll need its security system broken off. Then we have the fact that to get one of these terminals you're going to have to go to the bank and get yourself all set up as a retailer ("know your customer" regulations apply).
Now, of course it's not beyond the wit of man to create a dodgy retailer account specifically for the purposes of general-purpose fraud and use that infrastructure to set up this situation, since let's face it, redeeming a few thousand £10 transactions isn't a well priced risk if this is your sole fraud income; however this is putting the bar pretty high.
I'm not going to sit down and work out a crypto protocol which would tie the transaction time, retailer ID and amount into a checksummed block (e.g. SHA-1 HMAC), but you will realise that this is eminently do-able.
Layer on top of that the algorithmic fraud detection systems which already exist for the credit card industry and I'm feeling pretty relaxed about this whole thing.
So what happens if you lose your card or worse, wallet?
How many transactions under £10 would someone be able to get away with before you notice your card is missing and remember what the phone number is to report your card missing?
CDs, magazines, travel, food... all without having to enter a PIN?
I think the banks are being negligent here, but no doubt they'll blame us for losing our cards or being pickpocketed.
That's the real danger here.
I don't have much against the tech, as long as it's backed by good fraud protection, which has already been well-honed for debit cards (I've had to use it, so I know).
This will be an ideal way to sneak in price hikes. However, we already have that danger with recurrent credit card/bank withdrawals. I had a utility overdraw from an auto-pay account once, and it was such a nightmare getting the money back that I have not done an auto-pay since. Once someone has your money, it's tough to get it back.
I'm with Clarence 100% - I think this is a brilliant step forward and I can't wait until I can go totally cashless. Contrary to what everyone on the TV seems to be telling me, I think using cards as much as possible actually puts me more in control of my finances as I can check my statement online and know exactly where my money is going. With cash, it just disappears into the ether unless you're diligent about getting and saving receipts (I'm certainly not).
I'm not too bothered about the security issues, as even when the purchase is under £10 you still occasionally have to enter a PIN, and Halifax have agreed to compensate me in the event of fraud. This is a trial, after all, and I'm sure that one thing Halifax are keen to discover is how exposed this technology is to fraud.
Personally I think this Pete guy is a little OTT and frankly I'm surprised to be reading about something so trivial on the Register.
I've been issued one of the new Wave and Pay cards by Halifax and the only thing that's holding me back is the lack of places to use it! Very few shops in London have the scanners. And even worse, most retail workers have no idea what this crazy wave and pay thing is all about. I try to use it every chance I get, but shopkeepers look at me like I've lost my mind when I wave my wallet in front of the scanner to make a payment. On a couple of occasions I've removed the card from my wallet to wave it in front of the scanner, and the shop attendant has actually taken the card from me and plugged it in the chip and pin reader! Infuriating.
Also, like most Londoners I've now got several RFID cards: Oyster, debit card, work cards.. and they don't like to play nice with each other. I like to keep all the cards in my wallet and just slap it on the readers in the tube ticket hall or on the way into work, but I've got to keep my oyster in one side of the wallet, one work card in the other, another work card has to be kept out of the wallet and the wave and pay, well I haven't quite worked out what to do about that one yet.
I seem to recall that the pin for first use is for EACH RETAILER. Thus, if you buy a coffee in the local coffee dive every morning you don't need to re-authenticate each time. However someone stealing your card could NOT just take it to any old supermarket and get a bagel.
However....I do agree that this is a pile of crap.
1) many £10 can easily wipe out my account. heck, right now with payday coming soon....about 3 would do it.
2) what if I get a bit too close to the till when someone else is paying for something?
3) with a "passive" chip like in a card, there is NO control. At least in something like a phone I imagine they could make a "RFID pay chip ON/OFF" like they do for Bluetooth and IR.
Gordon would love to ban cash - if we had to use traceable plastic/chips he could see where every red cent was being spent, and tax the bits that the Evil Empire has missed, and small cash traders would no longer be able to fly beneath the tax radar.
Me, I'm joining this year's 500,000 in the exodus from the UK.
As Sconzey says, 2 seconds in the microwave should cure the RFID but I would suggest the tin foil wallet as well.
Perhaps 2 seconds in the microwave for passports and ID cards as well? If they might fail "naturally", we should just help them and nobody will know the difference...
Question for retailers is - how much will the banks charge you for people paying this way? At the moment small businesses are charged about 30p per transaction for debit cards - which is why many small shops, etc have a minimum value for card purchases (against the T&Cs) - how much profit on a newspaper, etc will the banks take?
I think the wood-for-the-trees thing here is that this is ALL about banks moving down the food chain, and making a land-grab to finally replace cash for small transactions. You can almost hear them salivating at the idea of all the money they can make off of that: micropayments, rental of scanners to retailers...
Pigs, snouts, trough...
The card should only accept payment requests signed with a (per till) retailer cert, which is in turn signed with a bank cert (etc).
Payment credentials are in turn one-shot and only useful for one transaction on the same till.
That way, a miscreant could listen and spoof the signals all they want, but wouldn't ever be able to fake a transaction. The main risk (as with any pinless system) is that the card will be pinched and used for multiple $10 transactions (to buy phonecards or something) until the owner realises and reports it. The banks should be expected to take this hit.
Is the protocol for this new service published?
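The two proposals above (the earlier comment's "tie the transaction time, retailer ID and amount into a checksummed block, e.g. SHA-1 HMAC", and this comment's one-shot credentials that are only useful for one transaction on one till) can be shown as a single card/issuer exchange. The block below is an added example written for this page; it is not the PayWave protocol and not code from any commenter. Assumptions, not from the page: the card shares a symmetric key with the issuer (as EMV cards do) instead of verifying a bank-signed per-till certificate, HMAC-SHA256 stands in for the SHA-1 HMAC mentioned, and the card id, key, till ids, nonces, amounts and timestamps are constructed values.

```python
"""Card-generated transaction cryptogram bound to till, nonce, amount, time and a
one-shot counter, with issuer-side verification that rejects replay and tampering.

Added example; not the PayWave protocol and not any commenter's code.
Simplifications (assumptions): symmetric issuer key instead of a bank-signed
per-till certificate; HMAC-SHA256; the counter must strictly increase, which
also rejects legitimate out-of-order offline submissions (a real issuer
keeps a window). Ids, keys, nonces and timestamps are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import struct


def cryptogram(key: bytes, card_id: bytes, till_id: bytes, nonce: bytes,
               amount: int, ts: int, atc: int) -> bytes:
    """MAC over everything the issuer must be able to trust about one tap."""
    msg = card_id + till_id + nonce + struct.pack(">QQI", amount, ts, atc)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Card side: a per-card key shared with the issuer plus a transaction counter."""

    def __init__(self, card_id: bytes, key: bytes) -> None:
        self.card_id, self.key, self.atc = card_id, key, 0

    def pay(self, till_id: bytes, nonce: bytes, amount: int, ts: int) -> dict:
        self.atc += 1   # one-shot: every cryptogram carries a counter value never reused
        return {
            "card_id": self.card_id, "till_id": till_id, "nonce": nonce,
            "amount": amount, "ts": ts, "atc": self.atc,
            "tag": cryptogram(self.key, self.card_id, till_id, nonce, amount, ts, self.atc),
        }


class Issuer:
    """Issuer side: knows every card's key and the last counter it accepted."""

    def __init__(self) -> None:
        self.keys: dict[bytes, bytes] = {}
        self.last_atc: dict[bytes, int] = {}

    def enrol(self, card: Card) -> None:
        self.keys[card.card_id] = card.key

    def verify(self, req: dict, submitting_till: bytes, now: int,
               window: int = 120) -> tuple[bool, str]:
        key = self.keys.get(req["card_id"])
        if key is None:
            return False, "unknown card"
        # The till that submits the cryptogram must be the till it was made for.
        if req["till_id"] != submitting_till:
            return False, "cryptogram bound to a different till"
        if abs(now - req["ts"]) > window:
            return False, "outside time window"
        expected = cryptogram(key, req["card_id"], req["till_id"], req["nonce"],
                              req["amount"], req["ts"], req["atc"])
        if not hmac.compare_digest(expected, req["tag"]):
            return False, "MAC mismatch (tampered)"
        if req["atc"] <= self.last_atc.get(req["card_id"], 0):
            return False, "counter already used (replay)"
        self.last_atc[req["card_id"]] = req["atc"]
        return True, "approved"


def demo() -> list[tuple[bool, str]]:
    """Genuine tap, then the attacks a listener could try, then a later genuine tap."""
    issuer = Issuer()
    card = Card(b"CARD0001", b"\x11" * 16)            # constructed card id and key
    issuer.enrol(card)
    till_a, till_b = b"TILL-A", b"TILL-B"
    out = []
    req = card.pay(till_a, b"\x01\x02\x03\x04", 999, ts=1_200_000_000)
    out.append(issuer.verify(req, till_a, now=1_200_000_005))       # genuine £9.99
    out.append(issuer.verify(req, till_a, now=1_200_000_010))       # same cryptogram resubmitted
    out.append(issuer.verify(dict(req, amount=9_999), till_a, now=1_200_000_010))  # amount edited
    out.append(issuer.verify(req, till_b, now=1_200_000_010))       # sniffed at A, cashed at B
    later = card.pay(till_a, b"\x05\x06\x07\x08", 999, ts=1_200_000_100)
    out.append(issuer.verify(later, till_a, now=1_200_000_105))     # next genuine purchase
    out.append(issuer.verify(later, till_a, now=1_200_001_000))     # held back and replayed later
    return out


if __name__ == "__main__":
    for ok, why in demo():
        print("APPROVED" if ok else "DECLINED", why)
```

What this does not cover is the relay attack discussed elsewhere in the thread: a relayed card produces a perfectly valid cryptogram for the attacker's till, because the card really is answering that till's request. Binding the cryptogram to the till stops a listener from cashing a capture somewhere else, but only timing bounds or a consent switch on the card stop a live relay.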
I guess there's now a market for foil-lined wallets in which to keep the cards. Put a pouch on it suitable for a passport as well, or probably better to have a matching but separate one for that and a single credit card.
There's probably a market for a tame RFID reader/zapper as well, use it on your passport, credit cards, any clothing you buy (lest it has a tag woven in it), deactivate the lot!
One way to remove the possibility of remote scanning of the card whilst it's in your pocket is to simply add a switch or button to the card. Keep the card dead until the button is pressed, then let it do its stuff, then stop working when the button is released.
Won't stop the card being nicked or lost but then with a lost card and signature you can get away with a lot (just damage the chip, most shops still use signatures if they can't read the chip on chip-and-pin cards).
True, but the Easylink cards can be picked up on a pay as you go system. They do not contain personal information and (like most Oyster cards) do not link information on a back end database with user details, unless you register your details with the card number of course. This is one of the things I have always liked about the Easylink system. It is inherently relatively secure, as the card is not directly linked to the owner's bank, and even if the RFID IS intercepted/relayed it will amount to no greater loss than the amount transferred to the card already. And given that if you lose or accidentally wipe out your Oyster/Easylink card you will lose that value anyway, most people tend not to top up with vast amounts of credit.
my local tesco has pay at pump option on their garage forecourt. Stick your card in & you can buy £60 fuel, no pin needed.
I don't see how this is different, except it uses the dreaded RFID. Luddites!
BTW, the cards issued by banks and the associated services they provide actually belong to the bank, they can do what they like with them. If you don't like it, switch banks.
There *is* a man-in-the middle attack.
Sam (the shopkeeper) sends a payment request to Bill. Bill has a deactivated card and a transceiver, which connects by a datalink to his accomplice, Fred, who's in a busy place. Fred forwards the request to a card in Sue's bag, gets the response and sends it to Bill's device, which sends it through. Sue gets debited and Bill gets the $10 swag.
Rather relies on card range being long enough. One security measure would be to only allow transactions where the card response is in a very short timeframe.
Is Oyster vulnerable this way?
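The relay described in this comment is the same attack the earlier "loose challenge/response timing windows" comment refers to, and the countermeasure proposed here (only accept a card response that arrives within a very short timeframe) is a distance bound. The block below simulates both as an added example for this page; it is not code from any commenter or card scheme. Assumptions: the card answers a terminal challenge with an HMAC under a key the terminal also knows, all latencies are simulated microsecond values rather than real timing, and the key, challenge, 500 ms "loose" and 1 ms "tight" windows are invented for illustration.

```python
"""Simulated relay (man-in-the-middle) attack on a contactless challenge/response,
and the round-trip-time bound that defeats it.

Added example; not any commenter's code and not a real card protocol.
The relay is transparent to the cryptography: the victim's own card computes
the correct answer, so the only thing the terminal can notice is the extra
latency. Keys, challenge and latencies are constructed values.
"""
from __future__ import annotations

import hashlib
import hmac

CARD_KEY = b"\x42" * 16   # constructed key known to the genuine card and the terminal


class Card:
    def __init__(self, key: bytes, processing_us: int) -> None:
        self.key = key
        self.processing_us = processing_us   # time the chip needs to compute its answer

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class DirectLink:
    """Card physically in the reader field: one RF hop each way plus card processing."""

    def __init__(self, card: Card, rf_us: int) -> None:
        self.card, self.rf_us = card, rf_us

    def exchange(self, challenge: bytes) -> tuple[bytes, int]:
        return self.card.respond(challenge), 2 * self.rf_us + self.card.processing_us


class RelayLink:
    """Attacker's path: proxy card at the till, datalink (e.g. Wi-Fi) to an
    accomplice's reader next to the victim's pocket, and back again."""

    def __init__(self, victim: DirectLink, datalink_us: int) -> None:
        self.victim, self.datalink_us = victim, datalink_us

    def exchange(self, challenge: bytes) -> tuple[bytes, int]:
        response, rtt_us = self.victim.exchange(challenge)   # victim's real card answers
        return response, rtt_us + 2 * self.datalink_us       # plus the datalink both ways


class Terminal:
    def __init__(self, key: bytes, max_rtt_us: int) -> None:
        self.key, self.max_rtt_us = key, max_rtt_us

    def authorise(self, link, challenge: bytes) -> tuple[bool, str]:
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        response, rtt_us = link.exchange(challenge)
        if not hmac.compare_digest(response, expected):
            return False, "wrong response"
        if rtt_us > self.max_rtt_us:                      # the distance bound
            return False, f"round trip {rtt_us} us exceeds {self.max_rtt_us} us bound"
        return True, f"accepted in {rtt_us} us"


def demo() -> list[tuple[bool, str]]:
    """Same card, same challenge, direct vs relayed, under a loose and a tight bound."""
    victim = DirectLink(Card(CARD_KEY, processing_us=300), rf_us=1)
    relayed = RelayLink(victim, datalink_us=25_000)          # 25 ms per hop (constructed)
    fake = DirectLink(Card(b"\x00" * 16, processing_us=300), rf_us=1)   # attacker without the key
    challenge = b"\x9a\x5c\x11\x07\xde\xad\xbe\xef"          # terminal nonce (constructed)
    loose = Terminal(CARD_KEY, max_rtt_us=500_000)           # half a second: early-card style window
    tight = Terminal(CARD_KEY, max_rtt_us=1_000)             # 1 ms: tight distance bound
    return [
        loose.authorise(victim, challenge),    # genuine card, loose window
        loose.authorise(relayed, challenge),   # relay succeeds: latency hidden by the window
        tight.authorise(victim, challenge),    # genuine card still fits the tight bound
        tight.authorise(relayed, challenge),   # relay caught by timing alone
        tight.authorise(fake, challenge),      # no key, no valid answer, regardless of timing
    ]


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", why)
```

The point the simulation makes is that the MAC is correct in every relayed case; a cryptographic check on its own cannot tell Sue's relayed card from Sue's card at the till. Only the round-trip budget distinguishes them, and the budget has to be far tighter than a Wi-Fi hop, which is why the early loose windows mattered.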
I was working on Chip & Pin in 1987; it was viable then. A number of secret services (funniest parcels I ever sent, addressed 'The XXXXX Secret Service, 133 The Crescent, XYZ town, XYZ country'; nope, sorry, I don't remember the address), Shell & the French health service thought so, but the credit card companies didn't.
I'm lost, why do they think this is a good idea? Fraud is going to be endemic.
Tin foil wallets already available.
Banks emptying your pocket, who would have thought it?
It is especially concerning that many of these cards are based on Mifare and it is only a question of time before the Mifare classic (1k and 4k) are cracked.
The RNG is apparently only 16 bits and the key is 48 bits. Thus not long yet.
The Mifare Ultralight is completely cracked
There is considerable discussion about these cards and the apparent lack of security in the Netherlands. (Also in use for public transport cards.)
Mifare DESFire cards are stronger.
Which RFID is being used by the banks here?
There have been a few responses here along the lines of "I won't have to pay if these cards are skimmed for cash".
So, if the banks start losing money on this, where will they get it back? Yes, you. One of the reasons interest charges are so high on CCs is that fraud is just another cost of business to be passed to the customer.
If retailers are somehow found to be liable, who's going to pay? Yes, you. Prices will go up to compensate.
So, switch off your complacency; you'll end up forking out if this all goes wrong.
Reg reader "Pete" sounds like something of a luddite to me. Cash is dead, deal with it.
"I don't even use a debit card for retail transactions" - Really? Do you know you are far more protected against unscrupulous traders with your debit card than with completely untraceable cash?
In my opinion, this type of contactless technology is finally a true replacement for cash (why do I need a PIN to buy a can of Coke in Tesco?). Though it probably wouldnt hurt to line my wallet with a bit of tin-foil.
HANG ON!!! Weren't we all forced over to chip and PIN so everything was more secure in case our cards GOT stolen? This PayWave thing is back to square one, surely. Yes, it is limited to £10 transactions MAX, but someone will find a way to eliminate that limit and abuse the system.
Waste of time, what was chip and pin for if they are going to take a step back with this system!!??
I'd be far more concerned about multiple purchases than people skimming details. Currently, with chip and PIN, I have to insert my card into a reader and put in the PIN; I only do this once, so I know I've only been charged once.
If all I have to do is wave my card in the vague direction of a reader, what's to stop it being picked up more than once? I move my card over a reader to pay for a coffee, then, to put it back in my pocket, I have to move it back again.
If you're talking about tapping a poster to charge for something, what do I do if I accidentally tap it twice? At least in a shop I can have the transaction reversed, assuming I spot it.
A long while ago now, my mother mistakenly used one of my cheques to pay for the house insurance. I got a letter saying that there was not enough funds in my account to cover the cheque, and that the letter telling me would cost me £25.00.
Upon raising a stink at my (now ex) bank branch I was informed that all banks do not check the signatures of any cheque under £500.00. And no, I couldn't have my money back (the cheque was later cleared when my wages went in) or the £25.00 charge. - This is just more of the same, a way for banks to reduce their overheads and increase their profit margin - and you all get the privilege of paying for it. Funnily enough, I now don't have a bank account. Period. With anyone. Cash all the way, because I don't trust any business (I've read their histories - frightening stuff).
I had a customer try to pay by credit card for a $8 transaction. He forgot his pin details, and tried to put it in for 5 minutes. Then he decided to maybe use the cash he had anyway. RFID would help for that dumbass customer.
But I would never accept RFID because I don't trust the salespeople to only charge once for something.
"I'm with Clarence 100% - I think this is a brilliant step forward and I can't wait until I can go totally cashless. "
If entering a pin number is so difficult, why isn't Proton a success? I can think of many features I'd like on a credit card, but "Card should automatically authorize itself" was not one of them.
I don't see why authorization of a payment should be taken out of my hands like this?
What happens when someone sticks up a sign, 'entering this McDonald's car park costs 2 quid', and it automatically snarfs your card details by RFID as you enter? Did you read the sign? No? Doesn't matter, the money will automatically be taken from you. Try taking McDonald's to court if you don't like it, or take your bank to court to prove it was an unfair contract.
Chris Hamilton. What happens when Tescos debits your card for a coke you didn't buy? Or debits a price higher than shown on the shelf? You are not your card.
This is the same place which, when my sister tried to pay off her student overdraft and close her account, told her: "You owe us £x." £x > overdraft. Sis != impressed.
Sis asked why. Halifax said, "You owe us £x." Sis said, "Yes, but my overdraft is £y, so where did the extra £z come from?" Halifax said, "You owe us £x." No bank managers, account managers, head office or phone calls could say anything more informative than: "You owe us £x." Loop until bored.
Eventually sis said, "I'm paying you £y which is what I owe you, and that's all you're getting until you tell me why I owe you the extra £z." Halifax said, "OK, make it hard on yourself" and blacklisted her credit rating with all UK banks. Deep joy. Hence no-one in our family will now ever consider using the Halifax again.
To avoid the problems of getting your card nicked and having many little £10 transactions amassed before you can report it, why not have a daily spend limit of £30 or something by using this method, and once you reach that you have to input the PIN at the terminal to approve the next transaction? Once done, this resets the limit again, and you're free to spend up to another £30 or whatever it's set at.
If you never spend anywhere near £30 a day using this payment method, then you'll never hit this limit anyway. If you do happen to hit it once, no problem, enter PIN and you're good to go again.
The beauty of this is you can set the limit at a level that you spend at or are happy with the risk at - maybe 50p for some of you out there. Personally, a tenner a day would probably do me.
As has been pointed out, one of the main things chip and PIN has going for it is a card is useless without the PIN so, while they _could_ try and torture it out of you, people would be less likely to mug you for your card. Now, it seems, banks want to give every piece of scum on the street reason to mug you for your wallet again.
I couldn't give a flying fuck who pays the £100 that was stolen from the account -- I just don't want mugging to become more profitable again.
As a customer of Halifax I'll look out for this, and if I see the slightest hint of them sending me this crap I'll change banks, end of story.
Two points of no concern to anyone here...
1) If you're able to collect passport info from a distance (as has been done, at least according to the fine pages of The Register), what is to stop a legitimate business who has all the bank connections from setting up a reader to reach out and touch someone's wallet as they pass by the news stand or other kiosk? Though the limit would be 10 pounds, if they only took a few pence it might go unnoticed.
2) How well do these various RFID enabled cards do in a microwave? Try a non-valuable CD or DVD for a few seconds and enjoy the show.
A few points:
You may be able to get a response from a card with non-legit equipment, but who is going to be able to convert that into a transaction at the bank? Only legit merchants, who aren't going to risk defrauding people left right and centre, because the bank has their name and address.
The article didn't mention, but you are also required to enter your PIN randomly (I've got one of these cards because I work for a bank who are trialling the service) currently we are looking at about 1 in 10 transactions being PIN auth'd. If a single terminal cancels all or most of the transactions that require a PIN it will be automatically disabled, and presumably the Rozzers called in.
Contrary to, what seems to be, popular belief the banks really don't want to fuck all their customers, this isn't about moving liability onto the customer, it's just something that is accepted as a good idea.
Having said all this, there is no way that cash is going away for many many years.
I think most people are over-reacting due to a very limited understanding of how RFID works. There are several types of RFID that work at different ranges - true one of these types is high powered and works at a range of metres, but the majority of the implementations are based on the fact that "contactless" is barely true.
Oyster cards are a case in point. I approach the barriers on the tube, and they don't open. It only works when I bring the card within 10mm of the reader - in fact when it's inside a wallet, it can be hit and miss as to whether it works at all.
Assuming we get the same implementation, I think you can forget about walking too near to a cash register and accidentally paying for someone's wallets. Let's take the panic out of the situation and remove the RFID emotion at the same time.
Disclaimer - I work for a bank in the IT department
Well, at least we can actually act about this.
If Barclays send me a new RFID enabled card I shall take it to the bank and cut it up with a pair of scissors, after explaining to them why I am doing so. I shall ask them to either reactivate my previous card, or provide a non-RFID card, or move to another bank, which is not too hard these days to do.
This is the same bank who somehow allowed some scumbag in the Netherlands to spend big sums of money on her Halifax debit card at gas stations all over Europe - when the card was actually 'safe and sound' in her wallet here in London.
So much for security.
The transactions continued to flow in days and days after she alerted them, racking up a bill of some £1,600.
Granted she did eventually have all the transactions reversed out, but her card was frozen for a couple of weeks, preventing her from performing any transactions herself - not to mention the sheer stress of having a sum that big stolen directly from your own bank account!
Personally, it's not the risk of 'scanning' I am worried about with these contactless cards - I think that's a minimal risk. I reckon the real risks are much closer to home - for a start £10 is a big deal for pick-pocketing miscreants - you can make a whole lot of £10 transactions at various retailers over a day before the card gets locked, and that buys you a whole bunch of ciggies, booze and stuff.
I can see the advantage of having chip and PIN cards over the old days of writing a cheque. I recall the anger on people's faces when, queuing at a supermarket checkout on a Saturday afternoon, the person at the front would pull out their cheque book to pay for their shopping.
Chip and PIN is good for 4 reasons:
1 - It's quick.
2 - It shows that the card was present.
3 - It shows that I was present.
4 - It shows that I knew what I was buying.
RFID is shit because:
1 - It's not much quicker than C&P.
2 - It only proves that the card was somewhere near an RFID reader.
This is just a ridiculous example of implementing something because it's possible rather than because it's genuinely needed. Banks forcing it on consumers against their will is just bad business practice.
There is a key difference between ID cards and RFID cards being forced upon us. That being that if the government make our lives difficult to live without ID cards we'll all end up begrudgingly using them; we have very little choice.
If however a commercial institution, like a bank, pushes stuff on us we can just walk away and / or make life really difficult for them: like resorting to writing cheques again.
Paris because she's also quite pointless.
Okay - a few things to sort out!
Firstly - stop talking about 'pickpockets' etc. The money is not on the card, ready to be taken by anyone who then disappears - it's just a number - like any payment card but just for contactless payments. This cannot be read, written to a magstripe and used in an ATM (the current popular fraud happening in Europe) as the number is a contactless-only number. Contactless payment cards cannot be cloned (due to security keys on the cards) so even if someone has the card number etc - the card effectively signs the transaction (with those keys) to authorise it. Additionally, the payment has to be made to a registered merchant (name, address, company details etc). If any fraud happens, the payments are withheld from the merchant and they get nothing. As far as I know, I've not heard of any fraud from dodgy merchants for Chip+PIN - mainly shoulder surfing + steal card, or dodgy reader and make up a mag-stripe card for an ATM.
Double transactions/inflated transactions? Not going to happen. All the readers are certified to work in a standard way - including not doing double transactions and displaying the transaction value on the display, along with a beep etc to inform of a transaction. Failure to check the amount on the screen is correct is just as possible with Chip and Pin as with cheques or even cash! Remember my first point - using dodgy readers is going to get them noticed (every card appearing twice in their transactions is likely to start the fraud flags waving in the banks?). And again, dodgy readers have been used for Chip+PIN (to generate mag stripe cards which are then used in ATM machines on the continent) - so it's no different in that respect.
Distance - generally you're looking at 1-2cm for a transaction. Whilst academics may claim greater distances - doing it in a lab is one thing - doing it in a real environment with people moving around is something very different (and again, remember the first point about merchants). More than 1 card in the field, and it'll refuse the transaction. People will have to get very cosy to get close enough (and if you're really paranoid, just get a metal lined wallet) - and again, they cannot clone the card, so reading your details is worthless.
Finally - the amount of money to be lost. There's a £10 per-transaction limit imposed, with a requirement to revert to standard Chip+PIN after a set number (10?) of transactions (a normal Chip+PIN transaction will reset this counter, so many people may not notice). This covers theft of the card and subsequent purchasing of low value items. Oh, and the cards can be blocked as with normal cards, so reporting them stolen will help reduce the risk of fraudulent use.
So in effect, out of all this you could be looking at a potential £100 loss on the card - but considering it's a credit-only thing, that's a small proportion of most people's credit limits. Compare this to normal credit cards being used for low value purchases in crowded places (i.e. easy shoulder surfing) along with pickpockets taking your card - immediate £300+ from an ATM. If you manage to do something like the old Shell garage fraud with a dodgy Chip+PIN reader, you may be able to get PIN and card details without the person knowing - create a mag stripe card and start taking out £300+ per day until their credit limit is exceeded or they get their statement.
I see contactless as reducing the use of PIN, making PIN more secure (as it'll probably be in higher value so possibly less crowded places), whilst limiting potential theft to a reasonably low value (which should be covered by your bank etc).
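The £10 per-transaction cap and the "revert to Chip+PIN after about ten contactless transactions" counter described in the comment above, together with the daily-cap idea suggested earlier in the thread and the accidental double-tap worry, modelled as an added example. This is constructed for illustration, not the article's or any bank's actual scheme; the count of 10, the 5-second duplicate window and the £30 daily cap are assumed values.

```python
from dataclasses import dataclass, field

# From the thread: £10 per contactless transaction, PIN demanded after
# roughly ten contactless transactions in a row. Assumed for the example:
# the exact count (10), the duplicate-tap window (5 s), optional daily cap.
PER_TX_LIMIT_PENCE = 1000
PIN_AFTER_N_CONTACTLESS = 10
DOUBLE_TAP_WINDOW_S = 5.0


@dataclass
class CardState:
    """Issuer-side state for one card (constructed for this example)."""
    contactless_since_pin: int = 0      # consecutive contactless txs since last PIN
    spent_today_pence: int = 0          # contactless spend since last PIN reset
    last_tap: dict = field(default_factory=dict)  # terminal_id -> (ts, amount)


@dataclass
class Decision:
    outcome: str          # "approved" | "pin_required" | "ignored_duplicate"
    charged_pence: int


def authorise(state, terminal_id, amount_pence, ts, pin_ok=False,
              daily_cap_pence=None):
    """Decide one tap. pin_ok=True means the terminal fell back to Chip+PIN
    and the PIN verified, which resets the contactless counters."""
    # Accidental second tap: same card, same terminal, same amount, inside the
    # window -> treat it as the same transaction and charge nothing more.
    prev = state.last_tap.get(terminal_id)
    if prev is not None and ts - prev[0] < DOUBLE_TAP_WINDOW_S and prev[1] == amount_pence:
        return Decision("ignored_duplicate", 0)

    if pin_ok:
        state.contactless_since_pin = 0
        state.spent_today_pence = 0
        state.last_tap[terminal_id] = (ts, amount_pence)
        return Decision("approved", amount_pence)

    # Contactless path: each check sends the holder to PIN rather than declining.
    if amount_pence > PER_TX_LIMIT_PENCE:
        return Decision("pin_required", 0)
    if state.contactless_since_pin >= PIN_AFTER_N_CONTACTLESS:
        return Decision("pin_required", 0)
    if daily_cap_pence is not None and state.spent_today_pence + amount_pence > daily_cap_pence:
        return Decision("pin_required", 0)

    state.contactless_since_pin += 1
    state.spent_today_pence += amount_pence
    state.last_tap[terminal_id] = (ts, amount_pence)
    return Decision("approved", amount_pence)


def stolen_card_exposure(daily_cap_pence=None):
    """Worst case for a stolen card: the thief taps the maximum amount at a
    fresh terminal every minute until the issuer demands a PIN."""
    state = CardState()
    total, ts, n = 0, 0.0, 0
    while True:
        d = authorise(state, f"shop-{n}", PER_TX_LIMIT_PENCE, ts,
                      daily_cap_pence=daily_cap_pence)
        if d.outcome != "approved":
            return total
        total += d.charged_pence
        ts += 60.0
        n += 1


if __name__ == "__main__":
    print(f"no daily cap:  £{stolen_card_exposure() / 100:.2f}")       # £100.00
    print(f"£30 daily cap: £{stolen_card_exposure(3000) / 100:.2f}")   # £30.00
```

The £100 figure is exactly the worst case the comment arrives at; the daily-cap variant shows how the earlier suggestion of a user-chosen limit tightens it without removing the convenience for small purchases.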
"RFID is shit because: It only proves that the card was somewhere near an RFID reader."
Yes. And not necessarily the reader intended...
Alice is walking down the street, followed closely but covertly by Eve. Inside Eve's pocket is an RFID reader linked to a radio transmitter. Trudy has a receiver linked to a cut-up RFID card in her wallet and is about to pay for something in the shop.
Trudy walks out with the goods and meets up with Eve to share. Alice keeps on walking, completely unaware that she has just paid for Trudy and Eve's lunch.
I don't like the idea of RFID simply because it's a unique identifier(UID) and it responds to a transmitter.
In my opinion, RFID has the potential to make 1984 look like Woodstock.
Don't I have the right to walk or drive around the UK without the potential for those in authority to know where I was at what time? I'm not talking about breaking the law, I'm talking about my right as a human being to enjoy some freedom.
Criminals are 'tagged' so that authority can know where they are at a given date and time.
RFID allows each of us to be tagged in a similar manner if we are not careful.
Don't believe me? Consider this:
You use your credit card, with RFID, to buy a pair of trainers; your new trainers also contain an RFID chip. Now, your UID (credit card) is associated with the trainers. Although your bank has stated that your card's RFID will only operate within 20cm of a scanner, there is no law in place that says your trainers should also do so. After all, the main purpose of the trainers' RFID tag was for stock control, yet it was not deactivated when you bought them. Now, unknown to you, you have an item of clothing that will identify you uniquely every time you walk through a scanner.
Imagine the same for cars. Sure you get situations on motorways where average speed cameras are active. But imagine a case where, through the use of RFID scanners, your route could be traced and the time taken from A to B is known. If your time between A and B is less than the official time taken you automatically get a fine and points on your license.
By now, no doubt some of you are thinking that what I'm describing is far too draconian for our government to enforce.
I urge you to think again!
Clandestine means may help find a criminal but it does little to deter them. You really think a bunch of pissed and stoned teenagers are able to think well enough to stop them from kicking the shit out of someone because they think they will be nicked?
You really think that a twat that thinks that a jihad against the west is a good idea will be frightened by the prospect of RFID? Bollocks, they will have the intelligence to remove RFID tags.
What I'm saying is I want freedom, and I don't want arseholes who threaten that to be used as an excuse to constrain me.
Is a slave that does not know he's a slave still a slave? YES!
Firstly, the "enter your PIN on the first transaction for each retailer" thing? If that is correct, how will that then work with buying tickets off posters etc.? If that is a requirement then I predict it will be exactly 5 minutes before swiping your card to get a free CD / scratch card / newspaper / whatever means in the smallest of print that you also authorise all future wireless billing from GenericBillCo Inc. That solves that problem: you'll go to shops you've never visited before and not need your PIN because they are somehow related to whatever generic MegaCorp.
Ok now here is my nightmare scenario, everyone gets these cards, and sticks them in their wallet as you'd expect.
A gang of criminals get hold of a merchant billing account, either through fraud, or by just sticking a gun to some shop owner's face.
Now at about 8:20am the group of criminals goes into King's Cross tube station and each one quickly slaps some big orange stickers on top of a few of the Oyster tap terminals; no one really notices for a while, they don't look much different and most people would just assume the machine had been fixed / upgraded or something.
The stickers have the required RFID readers embedded as well as Class 2 Bluetooth transmitters and a few lithium CR2032 batteries. One of the criminals just has to hang around within 100 metres, with a bunch of PDAs or a laptop or two in a bag (he could just join the queue for an information desk or spend a while looking at the tube map or whatever). In 20 minutes, thousands of Londoners on their way to work will pass through the readers tapping their wallets (containing their Oyster cards) as they go; little do they realise that they are also tapping their bank card and being charged £10.
The gig would be up pretty quick, someone will realise what's going on possibly within 30 minutes or so, but at rush hour the criminals will have already made possibly tens of thousands of pounds. They could shift that money around electronically pretty damn quickly, either out of the country or perhaps just filter it into accounts and withdraw real cash from ATMs, or buy a load of stock in some 2-bit technology company and screw the stock market before the banks had a chance to reclaim their money.
I'm sure there are ways to protect from that particular scenario, but I'm sure criminals will be thinking up alternatives on a theme; any place with a lot of foot traffic could make a scammer £1000s in minutes, and a lot of the time people wouldn't even notice.
An easier scam would just be for the waitress at that expensive restaurant you go to (she knows you're a fat fish) to swap your card with a similar-looking one, attached to an account with just £100 in it. You aren't going to look too closely at your card for quite some time, you don't even need to know your PIN number (and thus investigate when it's wrong), and for the next couple of days, until that £100 runs out and you wonder why, her boyfriend is racking up £1000s on your bank card buying, say... mobile phone top-up cards.
So thieves can load card debit software onto PDAs and pull a small amount of cash from you by waving it near your pocket? Brilliant!
Here's my legal money-making scheme - sell a disabling plastic clip for each type of RFID-vulnerable card. There's no expensive RF absorption technology involved. It just has a small hole where you insert a spinning drill bit.
> These have been in use here in Singapore for ages already. But, much like
> londoners with the Oyster card, we're very very used to RFID systems and
> paying with RFID systems so it's no big deal here.
Same here in Malaysia. We've been using the Touch 'N' Go payment system on tolls (turnpikes for those living stateside) and public transport systems for aeons now (yay for unified systems- one card to pay for them all!), and Visa's RFID-based Wave system has already officially launched here.
Also, I don't see why the Londoners are making such a big fuss about being issued ID cards. We have them here for over 40 years now, and apart from some hilarity that ensued (i.e. cloned cards being discovered on illegal immigrants, cards being issued to the wrong person, erroneous entry on the card), nothing bad has happened to any of us.
You may be able to get a tankful of petrol out of Tesco with a card without PIN or similar authorization - but like most all petrol stations these days aren't they taking pics of your car so that if you try to get the petrol without paying they can track you down by your number plate?
Again, hysteria with no factual basis.
1.) The merchant gets their money after a period - not instantaneously - holding a gun to their head won't get you any cash from the proposed fraud at a tube station - it'll just be a good-old plain armed robbery of cash on the premises. The period is there for stopping fraud/chargebacks, and for 'clearing' purposes.
2.) Due to the way readers work, they don't work with 2 readers/cards in the field. So, putting a dummy reader on top of an Oyster reader would stop the Oyster one working - and no-one would get through. Rather than your '30 minutes or so' time frame, you're looking at 30 seconds. Oyster gives far, far greater throughput than paper tickets, and any issue/hold-ups with them get noticed VERY quickly.
3.) So whilst Oyster users wouldn't get through - your reader wouldn't work either, as the field from the Oyster reader would interfere.
4.) You're relying on people using the Barclays combined Oyster/PayWave card - as that's the only card which will work with both readers. If someone has a separate PayWave card and an Oyster card, they'll need to only present the Oyster card - otherwise they'll have the same issue with 2 cards in the field at once and it won't work.
5.) RFID readers aren't stickers you can stick to things. They're large, physical readers, requiring something to drive them and significant power. Not something you can stick onto some Oyster readers without someone behind you (or the TfL staff around) noticing. Whilst you can get RFID tags which are small stickers, they are nothing other than dumb cards and require a reader to power them - just like any contactless/RFID card.
6.) Swapping someone's card for a fake is possible - just as it is currently possible with Chip+PIN/ATM cards. The only difference is that you don't need a PIN, but for contactless transactions you're limited to about £100 max loss (as you can only do about 10 contactless transactions without having done a Chip+PIN transaction). If the waitress shoulder surfs the PIN entry (how many waitress places cost < £10?), then it's a standard Chip+PIN issue - keep your PIN and your card safe. It's not a contactless risk.
You're suggesting that scum will mug you for your card, so they can get a tenner off of it for White Lightning or something?
Personally I carry around far more actual cash than that, especially on a night out, and I suspect many many people do - by your logic, why don't I get mugged every time I'm out? Let's face it, cash must be more valuable to scum - there's no easy method to trace it after all, and it can be used anywhere.
"Bank staff, having verified Pete's identity, were not immediately able to work out why the card had been retained.."
As an ex-employee of Halifax, the staff would have been able to see from their records the old card's cancellation date and that it had been replaced. Shows the 'bank' that now likes to employ dumb staff, but for customers of the Halifax, don't worry, they've all been on training courses and are experts!
As for the frustration of your reader getting a normal card, it's on par with my attempt to try and get my Internet banking access closed down which they said could not be done as "... I may want to use it in the future." This rule was quickly reversed when I breached their Ts & Cs by publishing my login details online.
The card stuff here is only a precursor to an NFC application loaded onto your SIM card. Actually there it makes more sense because you can popup a java app to let you confirm the payment. You also have many other control possibilities, along with a current log of your transactions. And real tap and buy off posters will only happen when you have this facilty. It doesn't stop it being inherently insecure, especially if stolen, but it gives you better control of it whilst it's in you possession.
> 1.) The merchant gets their money after a period - not instantaneously - holding a gun to their head won't get you any cash from the proposed fraud at a tube station - it'll just be a good-old plain armed robbery of cash on the premises. The period is there for stopping fraud/chargebacks, and for 'clearing' purposes.
It's still worth bopping someone on the head & using the card. The merchant might to get the cash, but the thief has the goods.
>You're suggesting that scum will mug you for your card, so they can get a tenner off of it for White Lightning or something?
Yes. I've known people mugged for a fiver - and 3 trips to different offies & it adds up to a lot of White Lightning
The problem with things like the Oyster card is that to obtain the discount you can't top it up anonymously; you must submit your bank details. The discount is because "cashless payments are more efficient" - odd you don't get a discount on credit card or debit card payments. Also, to get the discount you must swipe at both ends of your journey, not just on boarding.
So, it's sod all about efficiency - it's about tracking where you get on and off the transport system.
And cashless payments are a wet dream for a fascist government such as in power in Britain. I'm not surprised to find out they are already in use in Singapore for the same reasons - a government obsessed with control over its citizens.
So, contactless paying:
Scam artists swiping a tenner every time your trousers go past a waist-height scanner.
This is not permission to board a tube train (Oyster), this is raw cash; of course it's different - what was the fool's name who said that? Take him to the stocks now.
Records of exactly when and where you have been - it's a doddle to register the card ID's location as you walk past, not even bothering to tell the punters or go to the hassle of asking them...
... hhhmmmmmm, is Big Brother's first name Halifax?
Biting the hand that feeds IT © 1998–2019