Marks & Sparks accused of silently bonking punters over the tills

High-street socks'n'frocks chain Marks and Spencer is accused of quietly taking money from shoppers' contactless bank cards at the tills. The accusations come from Radio 4's Money Box listeners, who called in to report that M&S had billed cards in purses and handbags over the air, unbeknownst to customers who had intended to …

COMMENTS

  1. xyz
    Devil

    Thought this might happen...

    sooo... given that "It is possible that the terminals used by M&S were hugely overpowered if they were reading cards at 40cm, or that they fail to implement the EMV standard properly" should one be wary of Rom/Alb/anians at bus stops with suspiciously large batteries next to them?

    1. Magnus Ramage

      Re: Thought this might happen...

      @xyz: "should one be wary of Rom/Alb/anians at bus stops with suspiciously large batteries next to them?"

      Only if one is a racist. The technical point is a fair one, but the issue is surely about being wary of *anyone* at a bus stop with suspiciously large batteries next to them. Their country of origin is irrelevant.

      1. Anonymous Coward
        Anonymous Coward

        Re: Thought this might happen...

        Yes but some nationalities seem to be so much more competent at using the technology!

        1. xyz
          Devil

          Re: Thought this might happen...

          As you say, I'm second to none in admiring the abilities of certain groups who seem to have an ability to grasp a tech concept, design and construct a solution for it in no time, release working systems and readily make money out of those systems. Anyway, to respond to anyone who may have been offended at my initial remark, regarding Eastern Europeans, my GF (from Tanzania) thought it was quite funny.

      2. Phil O'Sophical Silver badge

        Re: Thought this might happen...

        > Only if one is a racist.

        Curious, I didn't realise that Albanians and Romanians were racially distinct peoples.

        I think you may have meant 'xenophobe', but of course that isn't as damning an indictment, nor illegal.

      3. Wayland Sothcott 1 Bronze badge

        Re: Thought this might happen...

        If you are not wary of Romanians or other eastern Europeans then you are a fool.

        If you allow your hip and trendy "I'm not a racist, I randomly kiss Albanians at Bus Stops" brainwashing to influence your actions not just your words then you will get pickpocketed or card skimmed or all sorts of different scams by dubious people.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Oh dear, the sky is falling, better run to and fro waving arms in the air"

          In order to take payments from a payment card one requires a merchant account.

          To get one of these you must be a legitimate business and be vetted by a reputable bank.

    2. Anonymous Coward
      Anonymous Coward

      Re: Thought this might happen...

      Agreed

      Did they learn nothing from the passport RFID fiasco ?

      1. deadlift

        Re: Thought this might happen...

        What fiasco? The passport chip is designed to be open and read. All it contains is a copy of the data page and photograph. The passport office even has an app for that.

        1. Anonymous Coward
          Anonymous Coward

          Re: Thought this might happen... @deadlift

          Here you go.

          http://www.zdnet.com/rfid-e-passport-security-at-risk-govt-1339315886/

        2. Anonymous Coward
          Anonymous Coward

          Re: Thought this might happen...

          Or this:

          http://www.guardian.co.uk/technology/2006/nov/17/news.homeaffairs

    3. Anonymous Coward
      Anonymous Coward

      Re: Thought this might happen...

      Former M&S Employee

      The tills at ours were underpowered Windows server boxes. When they "upgraded" 40% of the tills died for 2 days.

      On a side note, when contactless was first used at M&S, there was a bug in the system (I assume this has now been patched) where if you attempt to pay by chip and pin, cancel it and then pay by contactless, the transaction would go through (in a fashion) without charging the customer.

  2. Vimes

    And yet the credit card companies are still being allowed to refuse any request to provide a card without NFC functionality built in. The most I managed was to get it removed from my debit card.

    This really does need to change IMO.

    1. Anonymous Coward
      Anonymous Coward

      I'm pretty sure if you can work out where the coil is you can break the wire and stop the NFC chip from being energised.

      1. Horridbloke
        Go

        Very easily

        I nobbled the contactless elements in my credit cards using a craft knife a few months back. Chip and PIN payments were not affected. The NFC-capable phone came in handy to confirm an element was present and to confirm afterwards that it was dead.

        1. Captain Scarlet Silver badge
          Coat

          Re: Very easily

          Sorry but if you came in to pay for something and you had a hole in the credit card, I would be very suspicious it would be a fake (And then get fired for being annoying).

          1. Horridbloke
            Happy

            Re: Very easily

            For what it's worth my card doesn't have a blatant hole, it's a barely-visible nick. Besides, the vendor doesn't handle the card for Chip & Pin payments.

          2. Anonymous Coward
            Anonymous Coward

            Re: Very easily

            Sorry but if I went into your store and you came close enough to my card to notice a 1mm hole (you don't need 8mm) in my credit card I would be suspicious that you were up to no good.

            It is no longer the shop staff's job to determine if a card is fake or not, that is up to the electronics.

    2. Fuzz

      Drill

      I'd imagine a well positioned 8mm hole will disable the functionality nicely. Assuming that is that the NFC chip is in a different location to the payment chip.

    3. ZanzibarRastapopulous Silver badge

      I have a Natwest credit card without NFC, and a Barclaycard with. I don't like it either, how will it work when it's widespread and you are expected to prove you agreed to pay?

      1. Steven Roper

        It's no good drilling out or microwaving or otherwise destroying electronic components on credit cards. The card issuers have already cottoned on to this practice.

        Last year, my local supermarket introduced PINless chip-based payments in addition to the old magnetic swipe. My card, issued by my bank, had both magnetic stripe and chip. Since I didn't like the idea of payments being able to be taken from my card without a PIN or other authentication, I fried the chip.

        Then I found that the smartcard terminals wouldn't accept the card from a magnetic swipe. Apparently my card was "pipped" or "tagged" as having a chip, and the terminal wouldn't accept the magnetic swipe since it preferred to use the chip. Result: I had to explain to my bank that the card had been damaged, and wait for two weeks while they sent me a new card.

        So you simply don't have the choice. If your card comes with a chip, and the terminal is equipped to read a chip, that's what you WILL use, like it or lump it. Obviously the magnetic swipe is only there for legacy terminals without chip capability.

        So now I just use cash when I go shopping.

        1. Trygve Henriksen

          PINless at the supermarket?

          Who the H! thought that was a good idea?

          Besides pickpockets, of course...

          Which Supermarket was it, anyway?

          (In case I ever come across it in my travels)

          1. Charles Manning

            Well lapdancers for one....

            Surely they'd think it a good idea.

        2. Phil O'Sophical Silver badge

          @Steven Roper

          NFC cards have two chips. One for the standard chip&PIN, and a separate one at the other side of the card for the NFC contactless payment. A stripe reader will indeed refuse to read the strip on a chip&PIN card, it's a security measure to minimize fraud due to card copying. It has nothing to do with the NFC pay-by-bonk functionality.

          If you "fried the chip" by zapping it in a microwave or something similar you probably fried both chips. All you really needed to do was cut the antenna strip for the NFC chip, leaving the chip&PIN one intact.

        3. andy 45

          I did this too

          I think the only way is to request one without RFID.

          If we all did this the world may be a better place.

  3. Anonymous Coward
    Anonymous Coward

    Design fault

    Surely with any sort of contact-less card there should at least be a button that enables the NFC chip?

  4. Ragarath

    Billing twice certainly shouldn't be possible. The process flow of a payment is well known, and the till shouldn't issue multiple receipts any more than it would accept two successive Chip-and-PIN payments for the same goods.

    How many people have had the person operating the till say something has gone wrong, pull out what looks like a receipt and chuck it away? Then you have to make sure you look at that transaction on your statements to make sure it went through properly.

    I have had this several times, so in my opinion these things are more likely till operator error / bad training. Maybe not, but it seems more likely to me than it reading a card 40cm away if they are built to the standard.

    1. Don Jefe

      Agreed. Cashier error is extremely commonplace and is a far more likely cause of the issue. The NFC spec isn't terribly complex and I find it hard to fault the tech when Humans are known to be extremely error prone.

    2. DaLo

      Any normal system wouldn't allow for cashier error like that (I would easily expect M&S to be on a normal system). If there are goods awaiting payment and a payment is made (by whatever means) then the transaction is completed and the only way of double charging would be to re-scan all the items in again.

      The operator doesn't get the opportunity to scrunch up a receipt and ask for payment again. There would be no outstanding transaction to pay against.

      The only way I could see this happening (although it definitely shouldn't) is that the C&P has gone off to get authorised and in the meantime the coil is still active (or reactivated) and takes payment via NFC before the confirmation from the bank has been returned.

      However that seems very unlikely.

    3. John McCallum
      WTF?

      Being billed twice

      Every time that I have had an error in any payment by chip+pin I have been given the erroneous till receipt without having to ask. If you do not get the receipt, challenge it there and then, not maybe 3 or 4 weeks later when you get your statement.

  5. Anonymous Coward
    Anonymous Coward

    Err...

    I heard that episode of Moneybox and there was a single customer complaining that she tried to enter her card into the PED and brushed her purse with another card past the PED. She noticed at once that it said it has been paid by contactless.

    She claimed that she had brushed her purse past the PED, but this isn't really that credible, you have to hold your card and keep it pretty much still. The PED can detect movement and a present and remove motion and not take a payment. I suspect she held her purse against the PED and kept it there, but was too embarrassed to say so.

    As for range, it doesn't matter if the PED has too powerful a transmitter, because the transmitter in the card has to be uprated to make a distance change. NFC only works over about 20cm in a lab and with my experiments at home on my contactless cards, I can only detect them with my phone about 1cm away at the most, even then the card has to be in the correct orientation wrt the phone.

    1. Anonymous Coward
      Anonymous Coward

      Re: Err...

      The distance the card can transmit is a function of the magnetic field it is exposed to (NFC uses magnetic induction between the coil in the reader and the coil in the card). The stronger the field the further the transmission.

      Your phone, which will often be kept in your pocket near to cards with magnetic strips, will only generate a relatively weak magnetic field and thus the transmission from the card will also be weak.

      If the NFC readers in M&S are using a stronger field than that specified then it may be reading cards further than 20cm.

      1. Anonymous Coward
        Anonymous Coward

        Re: Err...

        I think you're getting mixed up with RFID, which is a function of the induced field. NFC is much more complex than that and had powered transmitters (with power regulators).

  6. graeme leggett Silver badge

    true scale of the problem?

    With a million transactions of all kind, 100 misapplied NFC transactions in the same period although a significant error in each customer's case is quite a small percentage overall.

    Perhaps a bigger sticker on the NFC reader to remind people not to get their cards close unless they mean it. Like there used to be a warning near tills not to put your magnetically striped cards near the machine that disabled the security tag.

    What would be really scary would be tills taking payment from someone who wasn't buying anything...

  7. Anonymous Coward
    Anonymous Coward

    re: Paula from London

    Paula from London is not credible; the PEDs at M&S are hardly that much more than 40cm apart and the PED just won't debit a card contactless if there is a card in the slot.

    1. Anonymous Coward
      Anonymous Coward

      Re: re: Paula from London

      While I don't doubt the theory that it shouldn't be possible to read a card from more than a few centimeters away from the reader there have been numerous credible projects on the 'net and various respected news sites that indicate it's possible to read RFID/NFC cards from significantly larger distances. If you're calling a Pin Entry Device a PED then you're in the trade and you should be aware of them too if you're going to comment on the security of devices.

      Power levels in PEDs are programmable, card skimmers are credible, and NFC card payments scare the bejesus out of me as I have no doubt that the banks will deny it's possible to get ripped off unless you are complicit or negligent. Five contactless payments in a day before having to use your PIN is all well and good but that's £100 a day at the current transaction limit and it'd make my finances very tricky indeed if someone managed to gain access to my card and maxed it out with contactless payments.

      So all in, Paula may have made a mistake but to say she's not credible is insulting.

      1. Anonymous Coward
        Anonymous Coward

        Re: re: Paula from London

        NFC is not the same as RFID. It works in a different way, you can get RFID to work over silly distances, but NFC is very limited because it uses magnetic induction not radio frequency.

      2. Anonymous Coward
        Anonymous Coward

        Re: " Five .. in a day ... before having to use your PIN"

        This is not how it works. The user will be expected to enter the PIN at random and at least every 5 transactions.

  8. g e
    Black Helicopters

    Don't forget the conspiracy angle

    That VISA reckon they can skim a coupla billion to get interest on before being forced to refund/fix it.

  9. The Commenter formally known as Matt
    Unhappy

    nfc annoying

    The pay points at our local car park have been 'upgraded' to accept nfc.

    So if you put a wireless card in it uses it automatically rather than ask you for a pin.

    Only take about twice as long to authenticate, grr

    1. Anonymous Coward
      Anonymous Coward

      Re: nfc annoying

      If you put a card in it will read the chip on the card, it won't go wireless unless you just hold the card against it.

      In both cases the PIN can be optional for small accounts, there's nothing new in that.

      1. Anonymous Coward
        Anonymous Coward

        Re: nfc annoying

        Why the downvote? Apart from me typoing "accounts" for "amounts" my post was factually correct...

  10. Anonymous Coward
    Anonymous Coward

    Bonking

    Bonkers!

  11. Infernoz Bronze badge
    Flame

    Get some NFC Card Sleeves damned fast!!!

    NFC Card issuers should be DAMNED ashamed for not providing full RF sleeves for ALL NFC cards; I had to buy some off Amazon marketplace because my negligent bank did not provide one for my debit card, and I was wary, for good reason!

    Beware the cards have to be fully in RF sleeves, because an NFC tester at work noticed that if they are not fully in my sleeves, they can still activate!

    Criminals will cotton on to this damned fast!

    The NFC card issuers who don't provide RF sleeves should be sued for negligently enabling 'drive by' theft!

    No excuses!!!

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Re: Get some NFC Card Sleeves damned fast!!!

      Is that the new tinfoil?

  12. Anonymous Coward
    Anonymous Coward

    One possible issue.

    Take your average woman with a "handbag" the size of a small suitcase.

    She plonks it down on the till, say to the left of her shopping, next to the adjacent till (in many stores this is very easy as they are often bunched together in banks). Whips out card to pay for her goods. Meanwhile another card sat in her handbag, happily pays for goods at the next till.

    This does not require a huge distance, less than >50cm is quite obtainable, especially if the card reader is in front of the till.

    1. Anonymous Coward
      Anonymous Coward

      Re: One possible issue.

      The NFC cards simply do not and cannot work over more than a cm or two in the real world. If they did, there would be all sorts of problems of the type you suggest, the fact that there are no credible reports of this happening suggest it's not the case. In particular consider the amount of people who go past NFC turnstiles each day and have a wallet with both NFC debit card and an oyster card in it, without cross charging to other turnstiles, or interfering with their own cards or other's use of the turnstiles.

      1. Anonymous Coward
        Anonymous Coward

        Re: One possible issue.

        > The NFC cards simply do not and cannot work over more than a cm or two in the real world

        It depends on the NFC implementation in the terminal. This is not really the first report of uncontrolled charging - Starbucks had quite a few incidents like this as well when they introduced NFC. The short distance is a function of deliberately poor design of the terminal transceiver stage so you need to be close, but it's not exactly hard to "upgrade" that for someone with criminal intent (or even accidental).

        The best sign that credit card companies know this too is the NFC transaction limit. They're not normally shy in getting you into debt.

      2. Anonymous Coward
        Anonymous Coward

        Re: One possible issue.

        > do not and cannot work over more than a cm or two

        Do not usually? Fair enough.

        Cannot? I have no confidence in that statement.

  13. Mer Ner
    Facepalm

    Another severe lack of common sense?

    I would imagine the customers that this affected had their purses/wallets in their hands whilst fiddling with the chip n' pin terminal. However, this is not the lack of common sense I am referring to.

    More that when the NFC payment standard was designed, why was it not specified that there should simply be a confirmation dialogue? Is anything more than a wand waving motion too much for the average consumer to be burdened with?

    Surely this would have prevented potential fraudsters as well.

  14. Anonymous Coward 15

    There ought to be a "confirm" button on the operator's screen.

    Also, don't you mean Hanlon's Razor?

    1. Carrot007

      > There ought to be a "confirm" button on the operator's screen.

      You mean on the card.

      Why trust someone else to confirm you are paying?

  15. Tezfair
    FAIL

    Let me see...

    Take the money from the debit card, or the credit card which charges 29.9% APR. Wonder which one they prefer?

    1. Anonymous Coward
      Anonymous Coward

      Re: Credit/debit card merchant charges

      For the retailer, they would prefer to take the debit card as it is almost always cheaper for them (~15p vs. ~3% for a credit card).

  16. Pypes
    Stop

    Whoever thought security through proximity was a good idea.

    Is a fucking Idiot

    Antenna slightly more directional than intended, that's a payment

    Wave your wallet within a few inches of the till while trying to pay cash, that's a payment

    Walk past some nefarious type with a modified card machine in his pocket, that's a payment.

    I think I may start marketing faraday cages for your pockets, it's the only way to ensure these convenient payment methods don't get a bit too convenient.

    1. Neil Barnes Silver badge
      FAIL

      Re: Whoever thought security through proximity was a good idea.

      Indeed.

      Any payment method that does not require a positive authorisation from me - such as, say, handing over bank notes, or sticking a card in a slot and typing in a number - is broken by design. I don't care if it's limited in value - if I'm not actively doing it, I don't want to transfer cash. Full stop.

      Have you noticed how many things which claim to 'make life easier for the customer' really simply make life simpler for the retailer?

      1. Stacy
        WTF?

        Re: Whoever thought security through proximity was a good idea.

        WTF??? You can now pay for things without having to enter your pin? Wow...

        I appreciate that I can steal a card and order on-line, or over the phone, and not have to enter a pin, but at least then for it to be useful to me I have to have it delivered to an address which makes it somewhat traceable.

        But to be able to get hold of a card and then use it straight away, on the high street without having to enter a code is just insanity... How much is card crime going to jump now?

        1. VinceH Silver badge
          Meh

          Re: Whoever thought security through proximity was a good idea.

          "But to be able to get hold of a card and then use it straight away, on the high street without having to enter a code is just insanity... How much is card crime going to jump now?"

          Quite.

          I think there's a fairly low payment limit for contactless cards of about £20, but that just means the thieves can't purchase something large with a stolen card, not that they can't run up a nice bill - but hopefully (!) credit card companies will spot unusual activity and stop it/contact the card owner to verify it before it gets too bad.

        2. Anonymous Coward
          Anonymous Coward

          Re: Whoever thought security through proximity was a good idea.

          You can use a card a couple of times without a pin, it will ask for a pin if one isn't entered every so often. You can also only get ~£20 out at a time and your card also looks to see if it is being used in quick succession and asks for a PIN as appropriate.

          Of course, if someone mugs me, they get all the money I've got.

          1. Anonymous Coward
            Anonymous Coward

            Re: Whoever thought security through proximity was a good idea.

            I believe five successive payments in a day is the limit before asking for a PIN, I've managed three in quick succession in the same store (forgetful) and not been asked for a PIN. If you don't spot your card is missing for a couple of days (entirely possible, I have an NFC capable card for a little used account)

            Once I'd thought about contactless payment I decided I don't want it, now all I have to do is persuade my bank to stop foisting NFC cards on me.

      2. Phil O'Sophical Silver badge
        Thumb Up

        Re: Whoever thought security through proximity was a good idea.

        > make life simpler for the retailer?

        Or make life cheaper for the retailer. Like plastic bags, instead of getting free ones that you can use for your rubbish bin at home, you now have to buy plastic binbags from the shop, which is just "helping the environment", of course.

        1. Anonymous Coward
          Anonymous Coward

          Re: Whoever thought security through proximity was a good idea.

          Um, you can't do an NFC transaction as cardholder not present. Obviously.

          Also, a PIN request related to an NFC transaction is most definitely recorded by the operator. Also obviously, as it is the central system that makes this decision to request the PIN in the first place.

          So little clue demonstrated by so many on this subject.

    2. Ledswinger Silver badge

      Re: Whoever thought security through proximity was a good idea.

      "I think I may start marketing faraday cages for your pockets, it's the only way to ensure these convenient payment methods don't get a bit too convenient."

      Just keep the card under your tinfoil hat, achieving two things at once.

      1. andy 45

        Re: Whoever thought security through proximity was a good idea.

        You can buy them over the internet quite easily. Little flexible, lightweight wallets.

    3. Anonymous Coward
      Anonymous Coward

      Re: Whoever thought security through proximity was a good idea.

      @Pypes - You'd best go away and learn about how banking payments work before making such naive comments about "Wave your wallet within a few inches of the till while trying to pay cash, that's a payment"

      Or

      "Walk past some nefarious type with a modified card machine in his pocket, that's a payment."

      You should understand that if you are incompetent in a subject, by definition you don't know that and are incapable of seeing it. Go away and learn about payment processing before commenting on this subject again.

      1. Pypes

        Re: Whoever thought security through proximity was a good idea.

        @AC

        It so happens I have a streamline machine about 8 inches away from this keyboard, and know well enough how to empty your account in 10 seconds flat using cardholder not present payments. I don't see how removing the need to "verify" cardholder information is going to make a system that relies so heavily on vendor honesty any more secure than it already isn't.

        I may only be able to do you over 20 quid at a time, but I can still do you over, and now I don't even have to go to the trouble of physically nicking your card.

        1. Anonymous Coward
          Anonymous Coward

          Re: Whoever thought security through proximity was a good idea.

          @Pypes - Possession of a "Streamline machine" does not qualify you in payments processing any more than it qualifies the guy at my corner shop.

          Had you any real understanding you'd know that the bank have your name and address, so any fraud is linked to you, via your account and they know where to send the Police. Also you'd know that you won't get more than £100 out of my account from NFC based payments before my card asks for a PIN.

          You are just proving my point that you don't know what you're talking about.

          1. Anonymous Coward
            Anonymous Coward

            Re: Whoever thought security through proximity was a good idea.

            You may be an expert in transaction tech, but it appears you haven't been close to actual card fraud - the sods are seriously inventive.

            Card scams always operate in volume if they are based on low value in order to remain under the radar of both card holder and issuer, and an NFC transaction is by definition low value. Provided the transaction is labelled as something innocuous (assuming a card holder actually checks their statement, another variable) they will get away with this long enough to mule away the income, drop the shell company and then hop to the next one - rinse & repeat. A PIN request simply means that that transaction will be aborted. A card network operator does not see an abort local to the terminal, so will not spot a vendor with a high number of cancellations.

            In addition, there are presently enough problems with NFC that there is a high error threshold, which gives a rogue operator enough margin to clean up and run. The threshold issue may improve, but any statement that NFC transactions are in any way, shape or form secure is simply ignoring reality. From a card security perspective this dumb marketing-inspired idea should have been spiked the moment the very concept was uttered.

            1. ZanzibarRastapopulous Silver badge

              Re: Whoever thought security through proximity was a good idea.

              >the sods are seriously inventive.

              ..and violent. Some people obviously don't realise that a mugger is often quite happy to get 20 quid.

  17. sisk Silver badge
    Coat

    So....

    Anyone still think NFC on credit cards is a good idea?

    Mine's the one with the big, red 'Told you so!' sign rolled up in the pocket.

  18. MachDiamond Silver badge

    A bit too convenient

    In the states there has been a system called PayPass which sounds just like the NFC. I've steered clear. I don't see what is so hard about running a plastic card through a slot. For residents in many of the states adjoining Canada, there is an "enhanced" license with an RFID chip to "speed up passage through customs". I have to wonder if there are other readers dotted here and there so The Man can track where people go. It also makes it much easier to electronically record a person's trip across the border where a passport is a little more difficult.

    Many toll roads in the US use a radio transponder to automatically debit a driver so they don't have to slow for a toll booth. This is a good thing, but there seems to be many of the reader systems being installed in places other than the motorway. I stopped once and asked a technician working on such an installation and he confirmed that it read the toll road transponders.

    There was once a short series of TV shows that featured a security consulting company that would hire out to firms to check the firm's security systems. In one episode, an operative scanned the RFID card in a back pocket that allowed access to a bespoke jewelry designer's office while the owner was walking down the street. It was so fast and unobtrusive that it scared me into never wanting any type card with the same function. What would happen if I worked at the jewelry firm and my code was used during a burglary? I'm sure that I would spend many hours in the back room with lights in my eyes at the very least. I would really be screwed if the coppers decided that I was guilty and I had to prove my innocence at trial. Never mind that a person is "Innocent until proven guilty in a court of law" in the US. Scenarios can always be manufactured to lay blame at the feet of whoever looks to be an easy subject to convict.

    1. Anonymous C0ward

      Re: A bit too convenient

      Being able to scan the card isn't necessarily the same as being able to copy the card, if there is encryption involved.

    2. Rukario

      Re: A bit too convenient

      > For residents in many of the states adjoining Canada, there is an "enhanced" license with an RFID chip to "speed up passage through customs". I have to wonder if there are other readers dotted here and there so The Man can track where people go.

      The Man also supplies the little tinfoil sleeves to keep the enhanced card in.

    3. Slx
      FAIL

      Re: A bit too convenient

      I really don't think they've thought this one through very well! There's bound to be some kind of issues with anything that can be read and authorised without contact.

      I would prefer an e-purse on my debit card, so I could maybe pre-load it at an ATM with a fixed amount and treat it like cash. I don't like the idea of a NFC system without pins being able to dip into my bank accounts / credit card accounts.

      We have those toll tag systems here in Ireland too, but they're a bit more comprehensive than just toll payments. They set up a whole clearing system so there are multiple toll-tag operators and you can use them to pay for barrier-free tolling on some tolled roads. They're just read from transponders mounted on gantries over the motorway. You don't even have to slow down for these as there are no barriers at all.

      You can also use them for the express-lanes or any other lane of toll roads which have barriers.

      They've extended the functionality though and they now also work for payments for quite a few car parks. So, you just drive in, the tag's recognised and the barrier lifts. Then when you drive out your payment is collected via the RFID tag on the window and it's debited from your bank account / credit card or whatever you've set up.

      There's no risk of scamming it as you'd have to have access to the clearing system to get payment so it's just a few toll operators and car park operators. However, for these NFC credit/debit cards, there'll be far less control as there are millions of retailers and card processors out there.

      ----

      BTW for US readers - here in Europe, Chip and PIN credit/debit cards are the norm. You have to insert your card into a reader and key in a PIN to process a normal transaction. Swipe / Swipe and Sign systems were phased out of use as Smart Cards and PINs were considered more secure.

      This NFC system just undermines all that!

      1. Steven Roper

        Re: A bit too convenient

        "I don't like the idea of a NFC system without pins being able to dip into my bank accounts / credit card accounts."

        Which is why I have two bank accounts. One is my savings account, into which all income and payments to myself are deposited, and to which no cards are linked. The other is my spending account, to which my Mastercard debit card (I refuse to have a credit card) and ATM card are linked.

        The spending account runs on empty most of the time. If I need to buy something online, or go out shopping, I first log on to my bank and transfer the required amount of money from the savings account to the spending account.

        This not only reduces my potential losses from fraud and skimming, it also protects me from impulse purchasing, since there's only ever enough money in the spending account to buy what I originally wanted in the first place.

      2. Anonymous Coward
        Anonymous Coward

        RFID !== NFC

        RFID with back-end payments system linked to a few accredited suppliers, also not the same as NFC.

  19. Anonymous Coward
    Anonymous Coward

    I worked in QA for a payment solution provider and there was a known problem with contactless cards registering unexpectedly due to poor reader design. In the scenario of needing to fall back from chip and pin to swipe, it was virtually impossible to swipe because as soon as the card gets near the reader orientated for swipe it triggered as contactless.

    1. Anonymous Coward
      Anonymous Coward

      That wasn't "poor" design..

      "there was a known problem with contactless cards registering unexpectedly due to poor reader design"

      .. that was actually a card transceiver stage that was designed for optimal transmission (which is where the problem started). The NFC transceiver stage had to be deliberately made bad to make sure it would only work in close proximity.

      Now, just to crank up your paranoia: do you realise that an NFC card acts as a perfect people tracker, given that it can actually be accessed as a remote readable ID? I wonder if that was a design goal - might explain the original wide reach. People don't always carry their RFID passport, but they do habitually carry their credit cards.

  20. zb42

    it isn't radio waves

    To be pedantic about the physics, the communication between the terminal and card isn't a radio wave, it's a high frequency magnetic field. It's radio frequency but not a radio wave in the sense of a propagating electromagnetic wave.

    1. Destroy All Monsters Silver badge
      Holmes

      Re: it isn't radio waves

      In that case, no directional antennas ....

    2. ZanzibarRastapopulous Silver badge
      WTF?

      Re: it isn't radio waves

      A radio frequency electro-magnetic wave that isn't a radio wave?

      I'm not a physicist, but this doesn't sound right.....

      1. Anonymous Coward
        Anonymous Coward

        Re: it isn't radio waves

        NFC is near-field, it is magnetic coupling, (the carrier frequency does happen to be the ISM frequency 13.56MHz)

        At 13.56MHz I've not seen much data captured at distances greater than 70cm or so; however, MY Barclays NFC credit-card is wrapped in Alu-Foil.

        The US/Canadian travel device mentioned above is a 900MHz RFID which does use radio frequency and can be read probably at greater than ten metres or so.

        1. ZanzibarRastapopulous Silver badge

          Re: it isn't radio waves

          So you have a magnetic field changing at a frequency of 13.56MHz and this isn't a radio?

          Nope, I still don't get it.

      2. Anonymous Coward
        Anonymous Coward

        Re: it isn't radio waves

        You're right, it is magnetic coupling, basically a transformer with air as the core. But it would not be too hard to build a high power reader, solid core, thick copper and lots of amps, that would activate a card a lot further than 10cm. The problem would be that you would probably burn out the coils of cards very close to the reader.

        1. Anonymous Coward
          Anonymous Coward

          Re: it isn't radio waves

          "radio equipment could be used to extend the range"

          Nope.

          It's EM induction that is required to power the electronics on the card. See transformer theory:

          http://en.wikipedia.org/wiki/Transformer

    3. Wayland Sothcott 1 Bronze badge

      Re: it isn't radio waves

      It has radio frequency and it's magnetic. So a tiny step away from being a radio wave. It sounds to me as if radio equipment could be used to extend the range.

  21. RRob
    Stop

    Cameras are everywhere, SOMEONE knows exactly where her purse was when it happened.

    1. ZanzibarRastapopulous Silver badge

      There will also be two transactions at exactly the same time for exactly the same amount, one on chip and pin the other on bonk.

      I suspect that's the basis of the refunds, as it's pretty unarguable that one must be wrong.
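The reconciliation check described in the comment above (two transactions at the same till, for the same amount, seconds apart, one chip and PIN and one contactless), as an added example that is not part of any post in this thread. The log format, field names, terminal ids and card tokens are constructed for illustration and are not taken from any real till system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample till log (not real data):
# (timestamp, terminal id, amount in pence, entry mode, card token)
SAMPLE_LOG = [
    ("2013-05-20T12:01:10", "T07", 2350, "chip_pin", "card-A"),
    ("2013-05-20T12:01:12", "T07", 2350, "contactless", "card-B"),
    ("2013-05-20T12:03:40", "T07", 499, "contactless", "card-C"),
    ("2013-05-20T12:03:41", "T08", 499, "chip_pin", "card-D"),      # different till
    ("2013-05-20T12:09:00", "T07", 2350, "chip_pin", "card-E"),     # same amount, much later
    ("2013-05-20T12:15:05", "T09", 1200, "contactless", "card-F"),
    ("2013-05-20T12:15:06", "T09", 1200, "contactless", "card-G"),  # both contactless
]


def find_double_charges(log, window_seconds=10):
    """Flag pairs of authorisations on the same terminal for the same amount,
    within window_seconds of each other, where one was chip and PIN and the
    other contactless. Such a pair suggests a card in range of the reader was
    billed alongside the card the customer actually presented."""
    by_key = defaultdict(list)
    for ts, terminal, amount, mode, card in log:
        by_key[(terminal, amount)].append((datetime.fromisoformat(ts), mode, card))

    window = timedelta(seconds=window_seconds)
    hits = []
    for (terminal, amount), txns in sorted(by_key.items()):
        txns.sort(key=lambda t: t[0])
        for i, (t1, m1, c1) in enumerate(txns):
            for t2, m2, c2 in txns[i + 1:]:
                if t2 - t1 > window:
                    break  # sorted by time, so later ones are further away still
                if {m1, m2} == {"chip_pin", "contactless"}:
                    contactless = c1 if m1 == "contactless" else c2
                    chip_pin = c2 if m1 == "contactless" else c1
                    hits.append({
                        "terminal": terminal,
                        "amount_pence": amount,
                        "chip_pin_card": chip_pin,
                        "contactless_card": contactless,
                        "gap_seconds": (t2 - t1).total_seconds(),
                    })
    return hits


if __name__ == "__main__":
    for hit in find_double_charges(SAMPLE_LOG):
        print(hit)
```

The window is a tuning choice: too wide and two genuine customers buying the same item in succession are flagged, too narrow and a slow PIN entry hides the pair.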

  22. Snivelling Wretch

    Eadon?

    Some of these terminals run Windows, which is undoubtedly the root cause.

  23. Timo

    another way to fix the contactless card?

    I bet that 5 seconds in the microwave oven would take care of the contactless portion of the card (and would be less damaging to the physical card, only frying the electronics inside).

    1. Robert Carnegie Silver badge

      Re: another way to fix the contactless card?

      Well, you probably want to keep the chip-and-PIN feature of the payment card, so, better not kill that chip. So the microwave is out. You can use a magnetic eraser on the brown strip, though. If that isn't there then it can't be stolen. And there's probably some other way besides mechanically abusing the card (which was described above) to kill the NFC component.

      Perhaps you also can choose to have the NFC card always insist on a PIN for each transaction.

      I suppose the idea is to be like the Queen of the United Kingdom, you don't carry money and when you want a thing, such as a newspaper, somebody just gives it to you. But really it's debited from your card.

      1. Anonymous Coward
        Anonymous Coward

        Re: another way to fix the contactless card?

        I highly recommend cutting up an expired NFC card, that way with a magnifying glass (hey, I'm getting on a bit) you can see where the NFC coil runs through the card. A cut in the right place on your new card of the same type will open circuit the coil and render the NFC chip inaccessible.

      2. Anonymous C0ward

        That's a point...

        Will the magnetic field for contactless erase the swipe strip?

    2. Wayland Sothcott 1 Bronze badge

      Re: another way to fix the contactless card?

      So the chip 'n' pin gets fried also so the card is useless in shops.

  24. Ben Rose
    Thumb Up

    Cash Points

    For decades I have been plagued by idiots in front of me at the cash machine who seem to insert the wrong card. Or insert a card, check a balance, then insert another card for their cash.

    These people with two cards are a total pain in the ass.

    If the new tills are affecting these people by reading the wrong card, I see this as revenge for having such a stupid method of handling their personal finance. One bank account, one card, no queue at the cashpoint.

    1. ZanzibarRastapopulous Silver badge

      Re: Cash Points

      >These people with two cards are a total pain in the ass.

      Don't run your own business then?

  25. The BigYin

    WHAT?

    Payment can be taken without positive action from the cardholder?

    Screw that!

  26. Steve Knox Silver badge
    Headmaster

    Testing

    The retail chain refunded the disputed payments - even those that went unnoticed until the customer's bank statement turned up weeks later - while pointing out that its NFC system was well tested prior to deployment.

    No, it wasn't well tested. It may have been tested a lot but if the tests failed to predict these now-known real-world issues, then it certainly was not tested well.

    1. Anonymous Coward
      Anonymous Coward

      Re: Testing

      No, what they've done is refund as there is no proof that the customer was fraudulent, as they are required to by law.

  27. Kubla Cant Silver badge
    Mushroom

    Bad faith

    I can see that contactless payments offer benefits for retailers because they speed up transactions and reduce cash throughput. I suppose there's a benefit for card companies because they increase card throughput. But what's in it for me?

    The BBC programme included these pathetic attempts at exculpation from a card company drone:

    "If you lose cash, it's gone, but that's not the case with a card" (nothing to do with contactless payment).

    "The most you can lose is £50" (I want a system where the most I can lose is zero).

    OK, maybe the system is really secure, and the chance of error infinitesimal. But I don't want it, and I regard the card companies' refusal to issue cards without contactless payment as evidence of bad faith.

  28. M Gale

    Perfect solution to the problem.

    A Dremel or similar miniature power tool, and a 0.2mm or finer drill bit. Give that chip a bit of air to breathe, with a hole so small a cashier won't notice it.

    1. Robert E A Harvey

      Next week's news

      HSBarclyTSB announce ATMs will not issue cash unless the NFC is working 'for added security'.

  29. deadlift

    If this is so easy, I'd note that when I bonked my wallet against a Visa reader at the 'lympics, it was rejected because I had two NFC cards and an Oyster card therein. I reckon "Paula from London" fancied a free bra.

  30. roy lovelock

    mastercard

    I was really annoyed when my Mastercard was replaced early with a contactless payment card, I work in a job where my friends have had payments taken from their cards accidentally.

    I explained this to my card supplier and they told me it's a standard now with Mastercard.

    The CS agent told me that any payments taken would be returned, but didn't seem to understand the aggro it causes the customers when they have to change their cards with online payments etc.

    In the end I found the NFC chip and pushed a small screwdriver through it, voila dead NFC, (fyi the chip is right next to the visible chip and pin chip in the centre of the card, you have to be careful not to damage the chip and pin contacts).

    I've now switched my account to Visa as they gave me the option. Sometimes progress is not needed or wanted, I don't ever want or need my card details to be accessible by anyone with an NFC reader, I want the option to disable this useless and dangerous feature, until then I will be avoiding Mastercard.

    The problems shown here by M&S just show that sometimes tech is not the answer

  31. Idocrase

    It should be obvious.

    ANY wireless technology can, under the right circumstances, operate at vastly greater ranges than advertised. Often, in fact, the advertised range is downplayed, Bluetooth for example is only advertised as good for up to 15 feet - while I know for a fact, I can be 30 or 40 feet away in the garden with my Bluetooth headphones on, and my phone sitting at my computer still sending the tunes quite happily.

    That NFC works further away than expected comes as no surprise, and there needs to be some form of warning system put up. Similar to how there used to be signs in libraries warning you to keep your credit cards away from the check in desk because the magnets could wipe them.

  32. Anonymous Coward
    Anonymous Coward

    Inadvertent charging happening in New Zealand as well

    A local consumer affairs show, Fair Go, did a brief article on this recently where customers complained about charges to cards that hadn't been used. The card issuers denied it could happen but the receipts showed otherwise.

  33. Crusader

    World Wide issue

    A like issue was reported on New Zealand's 'Fair Go' consumer programme last week.

    Some chap was billed 3 Coffees, 01 on his Wave Visa and 2 in his wallet Mastercard.

    I understand these are quite an issue at Airports with scanners being used, brushing up against you downloading the data and removing cash lost. The use of lead/Aluminum foil lined wallets are being used to counter these tactics. Now maybe a serious need to use such

    1. Anonymous Coward
      Anonymous Coward

      Re: Some points that may be helpful

      * Merchant account is required to take payments

      * Card issuer indemnifies the user against fraud

      "cash lost" : there is no 'cash' stored in the card. The transaction is electronic, traced and takes place on a batch schedule once approved by the bank.

      Please learn how electronic payments work before crying that the sky is falling.

      "I understand these are quite an issue at Airports" [citation needed]

  34. dave 76
    Thumb Down

    in Australia...

    the transaction limit on my paypass card without requiring a pin is $100 - not sure what the daily limit is. This is the default limit.

    For those wanting to disable the NFC - here is a pic from Wikipedia showing where the antenna is: https://en.wikipedia.org/wiki/File:Australia_Bank_Paypass_Card.png

  35. OzBob
    Stop

    Problem solved,...

    optic sensors at 2 corners of card, and the rfid only works when one sees light and the other sees dark (when you put your finger on the corner when holding it to swipe). Two dark sensors = in your pocket, two light sensors = not being held properly (and an audible twang when you try to swipe with two light). Simples.

    1. M Gale

      Re: Problem solved,...

      Or screw all the radio crap and shove the relevant comms through a bunch of gold-plated contacts on the card.

      Even simpler.

  36. Wayland Sothcott 1 Bronze badge

    Astonishing stupidity

    With all this chip 'n' pin song and dance when it was introduced to keep us safe, how can they justify a system which bills your card by radio waves? It's the easiest thing in radio to improve a signal so it goes 10 times further. Someone in a disused office above the high street could have all sorts of gear set up to skim the cards. And people worry about the security of Bitcoin.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Radio signal"

      It isn't the radio signal that's important. Electromagnetic induction is required to provide power for the card. EM works on different principles to radio waves (transformer theory).

  37. Anonymous Coward
    Anonymous Coward

    Cash is King!

  38. Anonymous Coward
    Anonymous Coward

    Absolute rubbish

    The cards cannot be read at any distance.

    The computer systems do not by default allow payments to a greater value than the transaction to be taken.

    PEBKAC.

  39. Anonymous Coward
    Anonymous Coward

    After all this discussion

    There is a fairly simple solution to most people's objections.

    Card issuers: please can you fit a button to the card that I can press when I want to use it.

    It could be possible to set it, like the write-protect on an SD card maybe, for those who would like to use their cards in a permanently-enabled state?
