Canadian TV station wails: NFC bonking... it's not SAFE

Another North American TV network has discovered credit card numbers can be read using a phone, and whipped itself into a media frenzy due to its failure to understand how NFC works. This time it's Canadian outfit CBC News, last time it was Memphis-based News Channel 3, but the facts remain the same: an NFC-equipped card will …

COMMENTS

This topic is closed for new posts.
  1. Chris 3

    The acid test

    Bill,

    Would you be happy to pop up your credit card details on here - card holder's name, number and expiry date? It would certainly act as a powerful demonstration as to how there isn't a problem here.

    1. David Ireland

      Re: The acid test

      Yes, come on, do a Jeremy Clarkson, it worked out so well for him!

      1. TheVogon Silver badge
        Mushroom

        Re: The acid test

        Clarkson posted his bank account and sort code details - which someone used to donate £500 to a charity via direct debit. Just like with a credit card, if you didn't authorise the payment, you are protected.

        1. Anonymous Coward

          Re: The acid test

          Yes you are protected, but I rarely go over my credit card statement with a fine tooth comb. I use it for everything so there are typically more than 50 transactions and I only ever check the high value ones. This means that it would be possible for somebody to remove small amounts without my notice.

          I guess all those news items about databases being hacked for CC details or shopping tills and ATMs being infected with malware are simply scare stories designed to keep you awake at night. Who would have thought that criminal gangs would waste their money obtaining and trading these worthless numbers.

          1. David Ward 1
            FAIL

            Re: The acid test

            Firstly, your laziness in checking for fraud on your card statement is rather immaterial. The fact is that credit card numbers are not secret and people who rely on them being so are misguided. The problem of database insecurity and ATMs being infected is that they do contain the secrets required to make the transactions by virtue of them making the transactions in the first place, hence the data being worth something. I am not saying the system is ideal but the point is that you have to have the private data (PIN or CVV or authentication secret etc) to actually make the transaction which is not transmitted by NFC.

            1. Anonymous Coward

              Re: The acid test

              > credit cards numbers are not secret

              Actually they (kind of) are. This is why receipts only have the last few digits of the card printed on them and not the full number.

              There are any number of ways the credit card number can be used to obtain cash/goods/services. You may or may not detect it, but it will be a real pain to chase down a refund just because somebody got too close to you on the tube.

              http://www.kjrh.com/dpp/news/local_news/investigations/thieves-caught-turning-stolen-credit-card-numbers-into-quick-cash

              http://www.bet.com/news/music/2012/07/13/guerilla-black-arrested-for-buying-stolen-credit-card-numbers.html

              Neither of the above involved any PIN or CVV number.

      2. Anonymous Coward

        Re: The acid test

        It did actually, because of the DD guarantee, he got all his money back pretty damn pronto.

  2. Bruno Girin

    "there's really no need to go around [...] rehashing discredited ideas into new TV"

    How would they make new TV then? Surely you're not suggesting they get *new* ideas!?

  3. The Axe
    Trollface

    CBC

    Well CBC regularly promote AGW which is just as dodgy in science terms as the idea that getting just the number and expiry of a card via NFC is the end-of-times for credit cards.

  4. Chloe Cresswell

    NFC

    "Ordering anything online will need the Card Verification Code (CVC)"

    Except for sites that don't need it?

    Amazon, for example, doesn't require it..

    1. Semaj

      Re: NFC

      It asked me for mine. It does remember the details until the card expires though - but that's linked to the account so it should be OK.

      1. Chloe Cresswell

        Re: NFC

        With my cards, I just added the type/card number/name/expiry date.

        It never asked for the CVC, either adding the card, or when I completed an order.

    2. Anonymous Coward

      Re: NFC

      Amazon don't ask for the CVV, but because of this they are on the hook for all fraud, it's likely that they took a value judgment and value of one click is much higher to them than the cost of any potential fraud.

      1. BristolBachelor Gold badge

        Re: NFC

        ISTR that the reason that Amazon don't tend to ask for the CVC is because the rules say that they must use the CVC instantly, and may not store it on their systems. Amazon only charge the card when they ship, and therefore cannot use the CVC on the order.

        What I don't know is where other sellers stand on the consumer credit act, which AFAIK does not allow them to charge credit for something until you have it (but e.g. booking a holiday is not the same because you have actually paid for the booking, not the actual going).

        I suppose that sites that store your credit card to re-use later (e.g. iTunes) must obviously use the numbers sans CVC for the later transactions.

    3. Kristian Walsh Silver badge

      Re: NFC

      Many US merchants don't ask for CVC. Some will accept payment from the 16-digit PAN and expiry alone. These are usually fly-by-night porn outfits, and they pay for the "privilege" with high merchant fees, but the business is commercially worthwhile to them, it's the banks that pay for card fraud, not the card clearing companies, so who cares...

      In any case, there's nothing new here. I have a device on my phone which uses electromagnetic radiation to acquire a copy of the details printed on any credit card. It's called a camera.

      1. Anonymous Coward

        Re: NFC

        > to acquire a copy of the details printed on any credit card. It's called a camera.

        I'd like to see you do that when my card is in my wallet in my pocket. The point about obtaining card details with NFC is that it can be done with the card still in your wallet.

        1. Kristian Walsh Silver badge

          Re: NFC

          Put your mass-transit ticket card, or your building's door-access card, in front of it - or another NFC-enabled credit or debit card, for that matter. The remote NFC snooper that everyone's so afraid of (despite it never having been demonstrated to work in a real-life setting) will trigger both cards and be unable to read from either.

          Just because an attack is "high-tech" doesn't mean it's worthwhile for an attacker to pursue. There are easier and cheaper ways of acquiring card numbers than trying to radio them out of peoples' wallets. A few quid in the hand of a dishonest waiter in a busy tourist bar is much better return on investment.

          1. Anonymous Coward

            Re: NFC

            The card number, expiry date and name will be handed over to an unauthenticated reader which means a phone with NFC can read it.

            The "high-tech" attack is risk free and cheap since there is no investment in specialist equipment (any NFC enabled smart phone will do).

          2. Phil O'Sophical Silver badge
            Stop

            Re: NFC

            "Put your mass-transit ticket card, or your building's door-access card, in front of it - or another NFC-enabled credit or debit card, for that matter.. The remote NFC snooper that everyone's so afraid of .. . will trigger both cards and be unable to read from either."

            Not so.

            I have three such cards in a badge wallet, for access to three different sites. Some of the badge readers can happily find the right card when I wave the wallet at them, others require me to extract the card concerned. It seems to depend on the sophistication of the card reader.

  5. David Ireland
    FAIL

    The 3 digit CVC is such strong protection

    OK - so now there's a 3 digit number between you and the attacker. They'll never guess that...

    Just to spell this out. Pick a CVC. Capture a 1000 card details. Try each of them with the same CVC. You aren't scanning through the CVCs on the same card, so fraud detection, which is card oriented, won't notice you trying. Your odds of getting a card are pretty good. Presumably you can actually try several CVCs for each card without the issuer noticing, so you can improve your yield.

    There must be loads of sites that handle 10s of 1000s of cards a day. It's those sites that NFC is aimed at.

    1. Anonymous Coward

      Re: The 3 digit CVC is such strong protection

      Card fraud detection is rather more sophisticated than you understand it to be. It wouldn't get this straight away, but it would flag up suspicious activity PDQ.
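
The two posts above disagree about card-oriented versus broader fraud detection. The following is an added example, not part of either poster's comment: it runs a per-card failure counter and a per-source sliding-window check over the same authorisation records. The record fields, source names and thresholds are constructed assumptions, and the source-keyed check goes beyond what the thread describes.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthAttempt:
    ts: int          # seconds (constructed timestamps)
    source: str      # hypothetical merchant / terminal / client identifier
    card_token: str  # tokenised card reference, never the PAN itself
    cvc_ok: bool     # did the CVC check pass?


def per_card_alerts(attempts, max_failures=3):
    """Card-oriented check: flag a card once it has max_failures CVC failures."""
    fails = defaultdict(int)
    for a in attempts:
        if not a.cvc_ok:
            fails[a.card_token] += 1
    return {card for card, n in fails.items() if n >= max_failures}


def per_source_alerts(attempts, window=600, min_cards=20, min_fail_ratio=0.9):
    """Source-oriented check over a sliding time window.

    Flags a source when, inside the window, it has produced CVC failures on
    at least min_cards distinct cards and almost all of its attempts failed.
    Returns {source: timestamp of first alert}. Thresholds are illustrative.
    """
    recent = defaultdict(deque)
    alerts = {}
    for a in sorted(attempts, key=lambda x: x.ts):
        q = recent[a.source]
        q.append(a)
        # Drop attempts that have aged out of the window.
        while q and q[0].ts <= a.ts - window:
            q.popleft()
        failed_cards = {x.card_token for x in q if not x.cvc_ok}
        fail_ratio = sum(not x.cvc_ok for x in q) / len(q)
        if (a.source not in alerts
                and len(failed_cards) >= min_cards
                and fail_ratio >= min_fail_ratio):
            alerts[a.source] = a.ts
    return alerts


def build_sample():
    """Constructed records: one ordinary source, one with the pattern at issue."""
    attempts = []
    # shop-a: 30 customers, two of whom mistype their CVC once.
    for i in range(30):
        attempts.append(
            AuthAttempt(1000 + i * 15, "shop-a", f"tokA{i:03d}", i not in (4, 19)))
    # shop-b: 40 different cards, one attempt each, all but one failing.
    for i in range(40):
        attempts.append(
            AuthAttempt(1000 + i * 10, "shop-b", f"tokB{i:03d}", i == 27))
    return sorted(attempts, key=lambda a: a.ts)


if __name__ == "__main__":
    sample = build_sample()
    print("per-card alerts:  ", per_card_alerts(sample))
    print("per-source alerts:", per_source_alerts(sample))
```

No card in the sample fails more than once, so the per-card counter stays silent, while the source-keyed window flags `shop-b` on its twentieth distinct failing card.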

  6. Anonymous Coward

    Err...

    "Another North American TV network has discovered credit card numbers can be read using a phone, and whipped itself into a media frenzy due to its failure to understand how NFC works"

    Or

    "Another story on The Reg has reported credit card numbers can be read using a phone, and the commentators have whipped themselves into a frenzy due to their failure to understand how NFC works"

  7. Fido L Dido
    Angel

    NFC is evil, until...

    Don't you know that NFC is evil and flawed?

    That is until Apple decide to launch a phone with NFC, then it'll be lovely, the public will believe Apple invented it, Apple will file a patent for it, and NFC will be the best thing that ever happened.

    1. DougS Silver badge

      Re: NFC is evil, until...

      No, if Apple releases a phone with NFC, they'll probably do something different to improve the security and/or make it more convenient. Like replacing typing in a PIN with a thumbprint on the home button (not that fingerprints are particularly secure, as the Mythbusters and many others have demonstrated) Apple haters will wail and moan about Apple not following standards, ignoring that there are multiple competing NFC pay by bonk standards, as well as complain that Apple is trying to lock in its users and make jokes about Apple charging 30% for all NFC transactions. Now I'm sure there will be some Apple fanboys who claim however Apple does NFC is superior to the Android implementations and give Apple credit for it if NFC takes off after Apple supported it, but what do you expect from fanboys? Certainly not logic.

      I still maintain NFC is a solution looking for a problem, and "pay by bonk" offers nothing over bonking a card, or swiping a card for that matter. The "not having to carry a wallet" is silly, unless you think that you'll be able to use your phone as a driver's license anytime soon, or that others who want proof of identity will accept a picture of your license (like the picture of my medical insurance card I have in my phone so I don't have to remember to bring it when I visit the doctor) Good luck buying a beer that way.

      Companies that promote NFC do so because they think they can get a small cut from trillions in purchases, but there are so many players who hope to claim a piece of that pie that the processors must either accept less than they get today (fat chance) or merchants must accept a bigger hit for processing NFC transactions (again, fat chance, absent legislation that forces it down their throats)

      Those supporting NFC today just do it because there is a certain segment of people who think it is "cool", not because it is actually any better at all over existing payment methods. Apple haters promote it only because iPhones can't do it, many of them will quickly lose interest in it if/when Apple products ever support it and go back to complaining about the lack of SD or removable battery.

  8. Pie
    Happy

    You don't need NFC, just a good memory.

    I was in a cafe a few weeks ago and a woman was ordering something via her mobile, she clearly stated name, address, card number, expiry and cvc number for all to hear... As I said to my children, practise remembering 16 digit numbers and you will never need to go short....

  9. Crisp Silver badge

    No Chip and Pin in America?

    Why not?

    1. Anonymous Coward

      Re: No Chip and Pin in America?

      It's not really clear, I suspect there are several reasons, but US banking is fairly odd in terms of technology. They still rely upon cheques (checks) and have introduced some novel systems to approving the cheque quickly - a modern solution to an ancient problem - but they haven't addressed the easy fraudulent use of cheques. Chip and PIN is coming to the US, I believe it's recently been rolled out in Canada, one of the other hold-outs. This is mainly because the rest of the world are getting sick of their magstripes being cloned and used fraudulently in the USA and the payment processors have finally said "enough".

      Prepare yourself for lots of conspiracy theory web sites popping up from many different sources when the rollout does commence.

      1. Mike VandeVelde
        Boffin

        "I believe it's recently been rolled out in Canada"

        http://thebankwatch.com/2008/10/28/chip-and-pin-canada-the-basic-flaw/

        We've had them in Canada for years, not sure what you mean by recently?

    2. Charlie Clark Silver badge

      Re: No Chip and Pin in America?

      Historically because banks have made more by selling fraud insurance than they lose due to fraud.

      1. turnip handler
        Meh

        Re: No Chip and Pin in America?

        If you made less money selling fraud insurance than you lose to fraud then you shouldn't be in the business of selling insurance.

        1. Kristian Walsh Silver badge

          Re: No Chip and Pin in America?

          No conspiracy theory needed: the answer is more mundane. Unlike elsewhere, US banks pass the full cost of the terminal equipment onto the merchant. It's a once-off fee, and the terminals then belong to the merchants. As the merchants would have to pay for new Chip-n-PIN terminals, they see little benefit in doing so, especially as the benefits aren't going to be obvious to them in terms of lower transaction costs. Similarly, the acquiring companies can't just cut off the magstrip services either, because as long as the merchants keep paying their service fees and refuse to pay for new equipment, forcing a change would result in loss of revenue.

          In Europe, on the other hand, the terminal is the bank's property, and is rented to the merchant as part of their monthly service fee. So, if the bank wants to upgrade their security, they tell the merchant that they'll be sending a new terminal, and that's that.

          (The US situation is a pain in the hole for security, as it's the only reason why the rest of the world is stuck with magnetic strip readers -- the easiest method of stealing card numbers)

          1. Ian Yates
            Alert

            Re: No Chip and Pin in America?

            "the easiest method of stealing card numbers"

            Didn't you read the article?!

    3. Syldra
      Joke

      Re: No Chip and Pin in America?

      No, only chips and pints...

  10. Velv Silver badge
    FAIL

    "El Reg would be interested to know which retailers sell five grand's worth of kit without checking the CVC, the home address or even the signature."

    play.com (I know a victim)

    They have a policy of only delivering the first order to the card holders home address. The second order can be sent to any address. Sadly however there is no time delay enforced between placing the orders, so the victim receives a single DVD at their home address from the first order and the thief receives all subsequent orders placed the same day at their drop address.

    1. Anonymous Coward

      But Play.com will be on the hook for any fraudulent activity on the card... It's not if someone is a victim, it's how quickly that's put right, there will always be fraud in the system the balance is how to make the system work in a useable manner but also be resilient to as much fraud as possible, without costing the earth.

      1. Phil O'Sophical Silver badge
        Thumb Down

        > But Play.com will be on the hook for any fraudulent activity on the card..

        Which Play factors into their prices, so that all Play's customers end up paying for it. That's how all businesses handle theft, by adding it in as a "business cost".

        It does not mean that it can be ignored because there's apparently no important victim...

  11. Killraven

    Sarcasm Mode = On

    Yep, cards without the security card are worthless. That's why there's no ATM scammer anywhere anymore.

    Uh-huh.

  12. Anonymous Coward

    I was under the impression that the number that's given up by the NFC portion of the card is not, in fact the PAN and that all the different applications of the card have a different account number. That is: the embossed number and magstripe have a different account number to the chip and pin and to the NFC etc. Can anyone confirm this?

    1. BristolBachelor Gold badge

      The Chip-n-pin certainly gives up the same details on the card (number, name, etc.), but not the CVC. As for the NFC, don't know. If the NFC is the same, all it takes is a shoulder surfer / cam near an ATM and an NFC reader and you could clone the mag-stripe on the card, with no suspicious add-on bulges on the machine.

      1. Anonymous Coward

        You'd need a suspicious bulge to house the NFC reader and it's going to need to be close to the card slot. The best distance I've heard NFC working over is about 20cm and that's in lab conditions.

        1. This post has been deleted by its author

        2. Irongut

          "you'd need a suspicious bulge to house the NFC reader"

          Because my Galaxy S3 is sooo suspicious and bulgey. Who would notice the guy behind them at the ATM using his mobile? Just pretend you're using it to talk or text and no one would be suspicious. You probably don't even need to take it out of a pocket depending on how you write the card snaffling software.

          1. Anonymous Coward

            Did you miss the bit where I said that you'll not be able to get NFC to work over more than about 20cm and that's in a lab? We're not talking about RFID here.

            1. Anonymous Coward

              > Did you miss the bit where I said that you'll not be able to get NFC to work over more than about 20cm and that's in a lab? We're not talking about RFID here.

              Stand behind someone in the ATM queue. They usually have their card or wallet in their hand ready for their turn. Bend down and pretend to pick up a coin and tap them on the shoulder. "Is this yours?" you say as you hand them the coin with your phone in your hand. You won't have any problem getting within 20cms.

              If you try to hand somebody something they will automatically reach out to take it. They might ultimately refuse but by then it is too late because you have got within the 20cms.

              1. Anonymous Coward

                That's not going to work; ATMs are covered by CCTV and have it built into them. How much pay-off do you think that would have before someone noticed suspicious activity and the person doing it got arrested, particularly compared to a skimmer on the ATM?

                Personally if someone bumped into me or touched me in the queue to an ATM, I'd be hugely suspicious and, yet again, I'll point out that the 20cm is in a lab, not real life.

                1. Anonymous Coward

                  There is no touching involved and the contrived reason for getting close does not have to be immediately in front of the ATM. The point being that it is possible to get card details remotely.

                  > yet again, I'll point out that the 20cm is in a lab, not real life.

                  And I'll point out that you don't have a personal force field preventing people from getting within 20cm of you.

    2. Lee D Silver badge

      The school I work for use a Mifare entry system (same system as some Oyster cards - I can actually access the property with my Oyster because I programmed it onto the system).

      When we tried a Galaxy S4 near it, it went mad, recording lots of non-existent card numbers on the Mifare reader. Once we worked out what it was, we just kept tapping. Through the Mifare interface it appears to give a largely random huge (16 digit I think) number that is presumably used for NFC payments. We couldn't make it give out a consistent number (so, no, my boss couldn't enter the building using just his Galaxy S4 even if he wanted to).

      That's not to say that that is ALL the information it gives out, but over the Mifare NFC system (which appears to be compatible insofar as it detects an ever-changing number whenever you "doink" a reader) it appears to give some sort of transaction hash rather than easily-readable card numbers. A "PayWave" NFC pre-pay credit card that I have tested also had similar results.

      Personally, though, I wouldn't trust it hence why the only NFC device I own is a pre-pay card that you can't spend anything unless I put it on anyway (yeah, sure, the banks say the same, but I *KNOW* there's only £5 on the card).

      1. MrXavia

        he has a fabled S4?

        I thought they were rumours spread by tech bloggers......

        (only envious as mine has not yet arrived)

  13. Great Bu

    All this talk.....

    ...has made me hungry.

    Oh, no. Hang on, I'm thinking of KFC.

    1. Anonymous Coward

      Re: All this talk.....

      I think I'd rather eat my NFC than a KFC...

  14. Big_Boomer
    Boffin

    Cost reduction

    The only reason any banks & retailers ever considered NFC Bonking is that they hoped it would reduce their cash handling costs and/or credit card costs. As it turns out it will cost about the same, so most of them really cannot be bothered with YET ANOTHER payment method. So, we will almost certainly stay with cash and card. Most of them were relieved when cheques were finally phased out last year.

    As for the north American credit card security panics, that is because they have yet to implement Chip&Pin (EMV) so all in person transactions require a signature (like that ever prevented fraud) and all remote transactions require the CVC. As a consequence card fraud over there is rife and increasing but they are starting to implement EMV this year. Canada has less than half the Card Fraud rate of the USA or Mexico but it is still double that of the western EU countries.

    1. Peter Gathercole Silver badge

      Re: Cost reduction @Big_Boomer

      Cheques in the UK remain a valid payment method for transactions with businesses that choose to accept them. What has been phased out is the 'cheque guarantee' function of your card.

      What has happened is that most major retailers have chosen to not accept cheques (it is their choice), although they did it on the back of the presumption that cheques would be phased out. In the end, they weren't because of the lack of a non-cash, disconnected payment method that many older people and particularly charities complained was missing. The Payments Council concluded that there was still a role for cheques (http://www.paymentscouncil.org.uk/media_centre/press_releases/-/page/1575/)

      After making such an inaccurate statement about cheques being withdrawn, I wonder whether the icon you've chosen is actually justified.

      1. Lee D Silver badge

        Re: Cost reduction @Big_Boomer

        Cheques won't die any time soon.

        Finance people still write cheques. Businesses that want to deal with that finance department still have to accept payment by cheque. Banks, thus, still have to issue and accept cheques, en masse. Personal users still send cheques to their kids at college. Cheques are how you get refunded when you've overpaid on a bill or demand compensation / a refund.

        And, in the end, a cheque is nothing more than a contract or promissory note in the eyes of the law. Phase out cheques and people will write the equivalent and make the bank handle them somehow. You can't really outlaw cheques, only one particular "official" form of them. You can cash a cheque that someone has given you without your own bank even being involved, really. When I bought a house last year, I had to send off the payment via a cheque despite the entire conveyancing, mortgaging and purchasing side being done online. And I had to send things by fax, too!

        What's dead is retailers voluntarily accepting cheques. They fell for the bank's line that it was a lot of hassle for them and all they've done is managed to put themselves into the hands of a bank charging them per transaction where they weren't charged before (oh, and with Chip & Pin trying to push the liability for fraud to the retailer, make them have expensive integrated equipment, make their business reliant on an always-on Internet connection, etc.). Was it really that much hassle to accept a cheque before? I don't think so.

        To be honest, I haven't issued a cheque in years. Paid in three in the last few months, though, including a refund of an overpayment on my car insurance (even though I pay by DD). I watched a stack of cheques get signed by a school bursar only the other day (and a parent paying school fees by cheque just this morning - we have all the card facilities, but not everyone uses them).

        What matters is not the method of payment, it's what method is accepted. BitCoin might be a perfectly useful method of paying for goods and have real value. But until I can *BUY* things with it in *NORMAL* shops, it's never going to become mainstream. Cheques will go the same way eventually. But by then a £10 a month bank account to do bugger-all will be the norm.

  15. Andy The Hat Silver badge

    Steal the details of 50 cards, email them to a.n.other in the US. Generate cards. Buy some stuff. All done and dusted the same day ... Isn't technology a wonderful thing?

    1. Charlie Clark Silver badge

      Theft is easy

      But finding merchants that can launder them for you can be a bit harder, especially now everything is electronic.

      One of the reasons why credit card companies charge merchant such hefty fees is that they serve as vetters of customers. They have, and do use, considerable resources to track down and punish abuse of their payment processing cartel. Anyone laundering cards faces the risk of paying for any products paid for with them, plus any criminal charges and possible loss of banking access.

      The industry talks up the sums involved when it wants more power, higher rates or protection from competition but in reality even in the fraudsters' paradise of America the costs are not that high. There are other, safer ways of defrauding people. Just as Goldman Sachs, JP Morgan, et al.!

      1. Stevie Silver badge

        Re: Theft is easy

        "They have, and do use, considerable resources to track down and punish abuse of their payment processing cartel."

        Not in my experience. Recently a vendor called me from California to ask if a transaction was valid. It wasn't. The vendor then kindly offered to give the police all the information the buyer had supplied, including the bogus address that had triggered the phone call.

        I thanked them and called Visa, who were supremely uninterested in following up on that, there apparently being no procedural path to get that information to anyone who cared. I, as a resident in a state thousands of miles from California was unable to initiate a police procedure over the phone, and the crime was committed there so my local police couldn't care less.

        End result: I got my money back ( the thief had gone shopping with a vengeance but made a mistake on that last purchase), the thief got some of the stuff and Visa's fraud fund were out a few hundred dollars.

        1. Anonymous Coward

          Re: Theft is easy

          You do realise that it's your card issuer you should be calling, and ask to speak to the fraud department - they are all required to have one. Visa is just the payment processor, they expect complaints or investigations to come to them from the bank who issued you with your card.

          1. Stevie Silver badge

            Re: Theft is easy

            "You do realise that it's your card issuer you should be calling,"

            Really? Coo, never thought of that. I just called the toll-free number on the back of my Visa card. I guess I just didn't think it through.

  16. Anonymous Coward

    I too...

    ...have made transactions on (Canadian, as it happens) websites with purely the name, number and expiry date - CVC not required. Address not required. Postcode not required. And the transaction cleared.

    Whilst it may be that the retailer (not the bank) is liable for fraudulent use, that's not much good to me when my account has several hundred quid/dollars/rubles missing and I need to pay my leccy bill now is it?

    Whilst transactions capable of being made like this are rare - hence a lot of people not believing that they can be made, but they can. If you don't believe me, go ahead, put your CC details on here and I'll donate a fiver to charity on your behalf. AC in case someone takes me up on the offer.

  17. Stevie Silver badge

    Bah!

    Speaking as someone who has had his credit card "borrowed" on many occasions, starting on New Years Eve 1984 (I am absolutely sure of the location and date the initial crime occurred) when someone duped my Access card by the simple act of having access to the onion skin and took it to Atlantic City (unaware of the pathetic credit limit it had), and continuing through the internet store era where my card has taken trips to Queens and California sans my permission, can I just say that assuming that having the number and name is *not* enough for a fraud to take place is delightfully naive?

    I'm sure the homeland security bods in both the USA and the UK are *sure* that one cannot gain enough information from a slurp of a biometric passport to do any harm, yet in these very pages I've read about the wisdom of carrying those documents in a Faraday cage wallet. So why the double standard? Wait - I see the mention of a smartphone there. Nothing bad can come of <insert favourite brand of smartphone> use can it?

    As you were.

  18. Mr Young
    Coat

    Whatever

    I'm guessing this is all about traceability myself. I can see the point but when you do nothing exciting and are spied on every movement it just feels a little creepy. I'll go for my jacket now (and the wallet is in my front jeans pocket if I'm worried about theft thanks);

  19. Andrew Jones 2

    Apart from the fact that the range on NFC is completely pathetic.... most websites that I use ask for the CVC on the back of the card, there are some that don't - they have been highlighted above by other people. Additionally - I quite often have to enter certain digits from my bank account password too - further reducing the possibility that someone might be able to do something with just my card details.

    Having been the victim of a very low tech and *never* reported fraud scam though - I no longer worry about these things - because the reality is there is *literally* (and that is being used in the proper context) NOTHING* you can do to prevent being a victim.

    * shops could - but they choose not to.

    1. Lee D Silver badge

      The range of NFC is entirely dependent on the size and directionality of the antenna.

      What you are mistaking is the powering up of the circuit (for which, yes, you need to be close enough to apply the magnetic induction necessary to power the other side of the connection). That has to be "close". The radio waves, however, could be coming from and going to anywhere.

      All you need is an accomplice (perhaps even unwitting) to carry a device into NFC power range that powers up the NFC devices, and a directional radio antenna connected to the most basic of software radios or scanners. Once something is in the air, you can't claw it back, I think that's the point of the article.

      So although we take a small step towards "impractical", we're much further from "impossible" than you would think.

  20. JeffyPooh Silver badge
    Pint

    "station" .NE. Network

    I recommend never sharing your credit card details with anyone, especially merchants and their staff.

  21. Graham Cobb
    Black Helicopters

    Privacy, not fraud

    I am less worried about fraud than I am about privacy. I don't worry too much about fraud. Travelling for work, I use cards all the time, all over the world, in some quite dodgy places: I have rarely been a fraud victim and when I have been it has been sorted out.

    But I do worry about the privacy & safety implications. I don't want shops to be able to track my coming and going, particularly in a way which they could relate to my card number (and hence my purchases). More seriously, I don't want a criminal to watch for people leaving a train station carrying Gold AmEx cards (or something) because they are likely to also be carrying more cash. Worse still, I don't want it to be easy for the terrorist to set up their IED to explode when someone carrying a Western credit card walks past.

    In other words, my credit card information is mine, and private to me. I don't want some device broadcasting it to anyone nearby who asks. NFC could, and should, have required that the user press a physical button to enable the read-out. As they didn't, it is dangerous.
