Pay-by-wave: At least it's better than being mugged

The public thinks that paying with a tap of the phone is risky, with criminals able to intercept and steal credentials, so it seems a good time to take a closer look at proximity payments. Orange Quick Tap is already deployed in the UK; we used one to buy cookies in Inverness and they were delicious. In the US Google Wallet is …

COMMENTS

  1. Synonymous Howard

    good luck with that

    my experience of pay-by-wave has been much more miss than hit with a less than 25% success rate even with the retailers that have the right readers installed.

    I've tried slow waves, fast waves, down/up, up/down, towards/backwards, waggling, holding it still, you name it .... still less than 1 in 4 works and you end up having to put the card in the slot and use a pin to stop yourself looking like a complete numpty. Barclaycard adverts it is not.

    So it does not worry me about wave-by-hacking and when not in use my cards reside in an all metal case (Faraday would be proud).

    1. Daf L

      100% for me

      It has always worked 100% of the time for me - I think your problem could be your misunderstanding of "Wave".

      Don't take it literally, you don't move the card like when getting a barcode reader to work and you have to find the focus point. Just rest your card on the reader in the correct area until it beeps. If it is in the right place you don't need to move it. Should take less than 0.5s to acknowledge the card.

      Think of it more like the RFID readers for a hotel room key card or office block.

      The only time it appeared to fail for me was because the assistant had pressed the "pay by card" button on the till so it wasn't expecting a card - this is education of the retailer as they were waiting for me to put the card in the slot before pressing it.

    2. Vitani

      I've used contactless many times, and have pretty much had the opposite experience to you - about a 25% failure rate, although that is excluding the times that the reader is known to be broken (I'm looking at you McDonald's Drive-Thru). Even so, I think that a 25% failure rate is still too high.

      I have found though that the best way to "wave" is to just hold the card over the reader until it beeps, but then that's not really waving at all is it...

    3. Anonymous Coward
      Anonymous Coward

      Err?

      Seriously? Pay-by-wave is just the name, you put the card against the reader, hold it still for about half a second and that's it.

      I've used pay-by-wave more than a hundred times without a single failure.

  2. Dirk Vandenheuvel
    Holmes

    "It is super safe!". People have said that about all secure payment schemes in the past, you underestimate the creativity of people who steal and the technology available to organised crime to deal with this new electronic payment system.

  3. CaptainHook
    Unhappy

    As soon as reported

    How long before someone can report a credit card or phone missing?

    Especially if it's your mobile phone hosting the secure element which has been nicked.

    I've never really been afraid of a wireless attack on NFC, I am worried that after years of decline in street theft simply because no one carries cash any more, it suddenly becomes worth mugging someone in a low end crime sort of way.

    e.g. mug someone, buy a crate of beer, dump the card straight afterwards. *see note #1

    Note 1: Or keep the card until it stops working allowing you multiple dips into that £15 limit etc.

    1. Anonymous Coward
      Anonymous Coward

      Only a few dips

      The contactless payment application will only allow a certain number of contactless transactions (and a cumulative amount) without the PIN being used - when that limit is hit a physical card will require the transaction to be performed using Chip and PIN, a mobile phone with contactless app may display a PIN entry screen. Typically the total amount may be as low as £50. In normal use, cards are often used both Chip and PIN and contactlessly, so many people won't see the cumulative limit being hit.

      1. Richard 12 Silver badge
        FAIL

        So why did the author not mention that?

        Entering a PIN from time to time is really the only thing that limits the fun a miscreant can have with an NFC.

        The entire article avoids the critical point:

        It really doesn't matter if the card to terminal link is utterly perfect, as all a miscreant requires is the card itself. No hidden knowledge (PIN/signature), and no biometric.

        That's less secure than my El Reg forum account!

        Pay-by-wave does not require any authorisation whatsoever from the cardholder.

        Repeat after me: The card is *not* the account holder. The card can only veto a transaction, fundamentally it *cannot* authorise anything whatsoever.

        Quite simply, we cannot ever trust NFC. It's even worse than "Cardholder Not Present" transactions made over the phone and we all know how often those are abused by fraudsters.

        - And in fact, it increases my exposure to mugging. I can control my financial exposure to mugging events by carrying more or less cash depending on what I'm doing and where I'm going. Not possible with these cards except by not having one at all.

        1. Anonymous Coward
          Anonymous Coward

          Me again...

          It's certainly not worse than Card Not Present (CNP) transactions over the phone - all that's required are the details printed on the card. Once obtained, can be kept for months, emailed around etc - no limit on when it could be used (except for expiry) or how many people could end up with those details. Dodgy phone staff can copy down the details etc - fairly easy to 'copy'.

          Contactless however requires physical access to the card at point of transaction. You cannot 'copy' the cards (the private keys aren't disclosed by the card), and the account number provided over the contactless interface is often different to that printed on the front, thereby stopping fraudsters reading the A/C number contactlessly and then trying to use them with CNP transactions, or making mag-stripe cards for ATMs - as the A/C number would be invalid when submitted to the bank for a CNP transaction or mag-stripe transaction.

          Additionally, the cryptogram that the card generates includes a transaction counter within the data it encrypts - so even attempting the same transaction a 2nd time would generate a different cryptogram. So you can't even replay cryptograms - the card must be present at point of transaction. The cryptogram proves that it was the issued card that was present - not some 'clone' that someone had somehow created with your A/C number (the keys would be wrong).

          CNP fraud relies on "1 factor authentication" - which is a bit like "something you know" (the card details) - which like all knowledge, can easily be passed around. Chip and PIN is "2 factor authentication" as it has "something you have" (card) and "something you know" (PIN). Contactless could still be described as "1 factor authentication", but now is "something you have" (card, which cannot be copied) - but also falls back to 2 factor when the limits are hit and PIN is required again.

          For contactless cards, the banks have agreed to take the risk for any contactless fraud which occurs without the card holder's permission (e.g. card stolen and used and no PIN was required) - as I pointed out, this is typically up to £50 before the PIN is required, but is up to the issuer. I would imagine though, if a customer reports this sort of thing a couple/few times, they may start questioning whether they're being honest about their claims (once unfortunate, twice unlucky, third time?).
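
Added example, not part of any comment in this thread: a simplified Python model of the two controls described in the comments above, the card-side limits on PIN-less contactless spending and the transaction counter inside the cryptogram. HMAC-SHA256 stands in for the real card cryptogram algorithm, and the key, the five-transaction count limit and every class and function name are assumptions made for illustration; the £15 and £50 figures are the ones quoted in the thread.

```python
import hashlib
import hmac

PER_TXN_LIMIT = 1500     # pence; the £15 per-transaction cap quoted in the thread
CUMULATIVE_LIMIT = 5000  # pence; the "as low as £50" cumulative figure from the thread
MAX_NO_PIN_TXNS = 5      # assumed count limit; the thread gives no number


def cryptogram(key, atc, amount, nonce):
    """MAC over counter, amount and terminal nonce (HMAC stand-in, not the EMV algorithm)."""
    msg = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    def __init__(self, key):
        self._key = key          # secret key: used on the card, never sent to the terminal
        self.atc = 0             # transaction counter, advances on every transaction
        self.no_pin_count = 0    # contactless transactions since the last PIN
        self.no_pin_total = 0    # pence spent contactlessly since the last PIN

    def _sign(self, amount, nonce):
        self.atc += 1
        return self.atc, cryptogram(self._key, self.atc, amount, nonce)

    def pay_contactless(self, amount, nonce):
        """Return (atc, cryptogram), or None when the card insists on Chip and PIN."""
        over = (amount > PER_TXN_LIMIT
                or self.no_pin_count + 1 > MAX_NO_PIN_TXNS
                or self.no_pin_total + amount > CUMULATIVE_LIMIT)
        if over:
            return None
        self.no_pin_count += 1
        self.no_pin_total += amount
        return self._sign(amount, nonce)

    def pay_chip_and_pin(self, amount, nonce, pin_ok):
        """A successful PIN transaction resets the PIN-less counters."""
        if not pin_ok:
            return None
        self.no_pin_count = 0
        self.no_pin_total = 0
        return self._sign(amount, nonce)


class Issuer:
    def __init__(self, key):
        self._key = key
        self.last_atc = 0        # simplification: strictly increasing counters only

    def authorise(self, atc, amount, nonce, mac):
        expected = cryptogram(self._key, atc, amount, nonce)
        if not hmac.compare_digest(expected, mac):
            return "bad-cryptogram"   # wrong key: not the issued card
        if atc <= self.last_atc:
            return "replay"           # counter already seen
        self.last_atc = atc
        return "approved"


def demo():
    key = bytes(range(16))            # constructed sample key
    nonce = b"\x00\x00\x00\x01"       # same terminal nonce each time, on purpose
    card, issuer = Card(key), Issuer(key)
    payments, sent = [], []
    for _ in range(4):                # four £15 taps in a row
        out = card.pay_contactless(1500, nonce)
        if out is None:
            payments.append("pin-required")
            continue
        sent.append(out)
        payments.append(issuer.authorise(out[0], 1500, nonce, out[1]))
    # Re-submitting the first captured message: valid MAC, stale counter.
    replay = issuer.authorise(sent[0][0], 1500, nonce, sent[0][1])
    # A copy that knows the counter but not the key.
    clone = Card(bytes(16))
    clone.atc = card.atc
    c_atc, c_mac = clone.pay_contactless(1500, nonce)
    forged = issuer.authorise(c_atc, 1500, nonce, c_mac)
    # Chip and PIN resets the limits, after which contactless works again.
    p_atc, p_mac = card.pay_chip_and_pin(1500, nonce, pin_ok=True)
    after_pin = issuer.authorise(p_atc, 1500, nonce, p_mac)
    return {
        "payments": payments,
        "distinct_cryptograms": len({mac for _, mac in sent}),
        "replay": replay,
        "clone": forged,
        "after_pin": after_pin,
        "contactless_resumes": card.pay_contactless(1500, nonce) is not None,
    }


if __name__ == "__main__":
    print(demo())
```
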

  4. jonathanb Silver badge

    Sounds impressive, but how does it compare?

    If you had a two page write-up on the security of a chip & pin card, it would probably sound even better. You need a metal-on-metal connection to the chip before anything will happen which means physical possession of the card, and you need to know what the pin is - 2 factor authentication rather than 1 factor. Of course it also has the encryption stuff that NFC cards offer which may or may not help with security.

  5. Eddie Edwards
    WTF?

    How's that kool-aid for you?

    "The NFC component won't communicate with just anyone, our miscreant needs to get hold of a legitimate reader - perhaps by registering as a merchant under a suitably false identity"

    Or else the protocol needs to be hacked. I mean seriously, this entire article is based on the assumption that you can't ever hack cryptographic protocols. Yet the web is full of tales of hacked cryptographic protocols, including Oyster.

    You may as well just wave your hands mysteriously in front of our eyes and say "It's going to be FINE because the BANK told us so."

    At least show us the details of the crypto that's used. And put that damned kool-aid down!

  6. Trygve
    Meh

    "it will come whether the public wants it or not."

    Nice. The default UK approach to everything, it seems.

    Also I note the charming optimism that the banks will give their customers big hugs and cuddles and sort everything out right sharpish.

    These being the same banks who make fat money off merchant accounts (including the fraudulent ones) and who have just spent years (and millions) making sure that Chip&PIN and the online schemes, such as verified by visa, are structured to force the cardholder to prove a transaction was fraudulent, whereas in the good old days the onus was on the merchant to produce a signed Record of Charge in order to demonstrate the transaction was legit.

    But in the grand scheme of things it makes little difference - consumers will increasingly get ripped off regardless of the technology used.

    1. Anonymous Coward
      Anonymous Coward

      Err...

      "...structured to force the cardholder to prove a transaction was fraudulent..."

      They are nothing of the sort, it's written into law that the burden of proof is on the bank, not the customer.

      1. Chad H.

        But have you ever tried to tell that to the bank? Newspaper financial advice columns have heaps of examples of the bank turning around and saying "your card, your pin, therefore it's authorised, no refund".

      2. Graham Marsden
        WTF?

        it's written into law...

        ... that the burden of proof is on the bank, not the customer.

        Right, and that's guaranteed to stop banks from trying to fob customers off with "It's your fault, we're not paying out" claims...!

      3. The Cube
        Stop

        Still takes the b45tards months to give your money back though

        And god help you if they have charged you some sort of "fee" thanks to account events which only happened because their "security" implementation can be broken by your average primary school students.

        1. Anonymous Coward
          Anonymous Coward

          re: The anti bank comments

          I know two people who've had their cards compromised:

          Person 1 - told the bank that he'd written down the PIN number, when his wallet was stolen (that gives you an idea about how sensible he is, writes down his PIN AND actually tells the bank.) He didn't get his money back, although the bank did temporarily extend his overdraft.

          Person 2 - card skimmed at a dodgy petrol station, he was given a courtesy overdraft and while it did take a while to get the cash back (a few weeks) the bank did make sure that he was in funds as they were required.

          I realise it's fashionable to blame everything on the banks and say how stupid they all are and crooked, but at least make accusations based on fact, or experience rather than just randomly.

          1. Anonymous Coward
            Anonymous Coward

            >> I realise it's fashionable to blame everything on the banks and say how stupid they all are and crooked, but at least make accusations based on fact, or experience rather than just randomly.

            OK, to counter your "banks are so good" tales, I also have a friend who had a card skimmed. Best of all, he knows where and by whom as he'd only used it once! His bank account was maxed out just after he got paid - leaving him with no money, but bills to pay, for another month.

            **Some** of the transactions were reversed without fuss - those where he could **prove** he was on-shift (he's a train driver) at the time and so could not have physically made them. For the rest, they turned round and said that he must have made them as they are around his home town. So much for the "the banks *will* refund fraudulent transactions" crap.

            The police were involved, and one of the transactions was at a local pub/eatery. Figuring they have CCTV (they do) he phoned the officer handling his case to suggest he gets the video records saved before they are deleted/wiped. Said officer showed no interest, so mate said he'd pop round and ask them to save the evidence. Only at this suggestion did the copper spark into life - threatening my mate with arrest if he dared to interfere with the investigation.

        2. Anonymous Coward
          Anonymous Coward

          @The cube

          Which banking security can be broken by primary school kids? Cite sources.

  7. Anonymous Coward
    Anonymous Coward

    As a new merchant the payment processor (i.e. Barclays Merchant Services etc.) will usually require you to post a significant deposit and / or will hold the payments for up to 90 days. So for them to get away with it - they would have to hope no-one notices the fraud within 90 days (extremely unlikely).

    Gone are the days when you can set up a company, start accepting credit cards and be taking the cash out immediately.

    Mine is the patent on the phone case that blocks the frequency used (but not GSM / 3G of course).

    1. Velv
      FAIL

      Have you seen the extremes criminals will go to? Setting up fake companies and transactions for six months is nothing if they can then spend a month swooping thousands out of our pockets without even touching us.

      No wonder you stayed anonymous - you realise what a stupid statement you were making

      1. James Hughes 1

        @valve

        Are you sure yours isn't the stupid statement?

        That 90 days from the original post is 90 days for anyone who has been conned to discover it, or the bank to discover it, then inform said bank. The chance of no-one noticing a fraudulent transaction in that time is very remote, so the bank knows that fraudulent transactions are going on with that account before the end of the 90 days, which means they can stop the account before the crim gets any of the money, and refund the money to the user. It doesn't matter how long a company has been set up - it's that 90 days before you get the money that's important.

        Or something.

  8. DrXym

    A solution looking for a problem

    I don't understand what is in this technology for shops, or customers.

    How is NFC in a phone better than NFC in a credit card? A card could implement a challenge / response architecture or challenge for a PIN for purchases above some amount. A card would work with chip & pin readers. There would be no worries of what happens to your credit or ability to pay if you lose your phone, go abroad or decide to switch providers.

    Phones throw up questions about processing fees. Say Visa charges 1% fee. If I top up my Orange account with Visa then how much fee will Orange hit the store or me with? Probably 2%. Will we suddenly see phones slapping processing fees onto your bill or penalizing people who top up by credit card? Or will stores take the hit and jack up their prices to compensate?

    I might be more convinced if contactless payments were an extension of existing Visa / Mastercard so the fees were the same and were available in card and phone formats with zero penalties for using either format. But at the moment, it looks like a land grab with all and sundry attempting to insinuate their way into the payment model and I don't see the benefit to consumers or stores.

  9. TRT Silver badge
    Coat

    Mine's the one...

    with the lead-lined wallet in the pocket.

  10. Anonymous Coward
    Anonymous Coward

    "Punters who've been ripped off ...

    ... are easily identified and most will have their £15 refunded before they even notice it's gone."

    There is an issue of trust here: am I forced to trust that the bank will do the right thing, or is there some actual obligation on them to refund disputed transactions?

    1. Anonymous Coward
      Anonymous Coward

      @AC

      There is indeed a legal obligation for banks to refund contested payments, unless they can prove that the customer was at fault (ie: willingly gave away their PIN, have video of the customer making the contested payment themselves, etc)

  11. Anonymous Coward
    Anonymous Coward

    It starts off small..

    Only £15 maximum (per transaction) will be lost; but like bank cards that limit will be increased by the banks. How many people regularly take out £300 cash from a cash machine? Not many, but this is the daily limit, why don't banks lower this to a much more sensible £50? Or even better have a facility so the account holder can set it?

    The problem isn't being mugged or drive-by stealing; it's losing the card and not noticing it's missing until later in the day.

    1. Anonymous Coward
      Anonymous Coward

      £50!

      At £50 per day, I'd have to go to the bank at least 2 or 3 times a week.

      It's rare I have less than £50 in my wallet at any one time. A typical night out at the weekend will set me back easily £80.

      I could cope with a £100 daily limit, but only just!

  12. Ian Halstead
    Stop

    "It will come....

    .... whether the public wants it or not."

    Like everything the banks and large retailers do then to 'enhance our experience'. A little enhancement on the number of bank counter staff and on till check-outs would be preferable, but hey they'd have to employ people wouldn't they?

    I have not voted for this. You are infringing my freedoms.. etc etc...

  13. jubtastic1
    WTF?

    So what you're basically saying

    Is that we're very likely to be robbed every time we step on the underground, but don't worry because the Banks have our backs?

    Is there such a thing as a Faraday wallet?

    1. Anonymous Coward
      Anonymous Coward

      Yes there is

      http://www.amazon.co.uk/s/?ie=UTF8&keywords=rfid+blocking+wallet&tag=googhydr-21&index=aps&hvadid=8366512160&ref=pd_sl_5xkso37erm_b

  14. Geoff Johnson

    Maybe there's another way...

    Have two people carrying a box each linked by some wireless data transport mechanism. One person holds their box next to the victim's pocket. The other person buys something at the supermarket and waves their box at the payment terminal. The two boxes relay signals from the card to the terminal and back. The terminal and card think they're in proximity and talk quite happily via the wireless link. Money goes from victim to legitimate retailer. Goods go anonymously to the bad guys to be sold on e-bay.

    So, buy your RF screened wallet from Geoff's shielded wallet store now.

    1. Anonymous Coward
      Anonymous Coward

      Ok...

      You've read one of Ross Anderson's attacks against Chip and PIN. It will work in a lab, but won't in practice due to timeout values on the transaction. Also, the people carrying out the transaction will be on CCTV in the supermarket.

  15. Anonymous Coward
    Anonymous Coward

    One thing that will make it less attractive to criminals is the limited amount of money that they can extract from each card. Credit cards are very attractive as you can usually spend a large amount before getting stopped (or reaching the limit). It'll be an unlucky mugger who uses a card already maxed out.

    Simple cost benefit analysis. Is it worth nicking £15 quid (usually less) for the amount of investment required to build the nicking technology.

    1. CaptainHook

      £15

      Per transaction, until the card company decides to challenge with a PIN request.

      I don't really fear organised crime with this technology, I fear chavs just picking a pocket or just outright mugging people so they can go get a crate of beer and a McDonald's immediately after getting the card/phone and then just dumping them down a drain straight away.

      It's low-level, opportunistic crime which I think this system will encourage.

      1. david wilson

        >>"I fear chavs just picking a pocket or just outright mugging people so they can go get a crate of beer and a McDonald's "

        Presumably there's a fair chance of people being fairly quickly identified on CCTV using the stolen card?

  16. Individual #6/42
    Go

    Old school

    How about having to enter a pin onto your phone to activate the mechanism? Seems like something to put on an unlock screen?

  17. Velv
    FAIL

    So the banks will now expect us to check our account daily to spot fraudulent transactions?

    Most people only check their account a few times a month, and many won't miss £15 in the short term.

    Perhaps the answer is to permit contactless with pin request. You get the benefit of contactless but the punter still has to authorise the transaction with their PIN. It removes the cash element and it should speed most transactions as the pin auth is only local.

  18. Boothy

    Disputes etc.

    Quote: 'Punters who've been ripped off are easily identified and most will have their £15 refunded before they even notice it's gone. In the case of a dispute the money is refunded to the customer while the bank sorts out the details with the merchant,'

    I'm curious about this. With chip-and-pin, most Banks used it to shift much of the responsibility of securing your card and pin to the punter, trying to distance themselves from as much responsibility as possible. And so disputes are common.

    If proximity payments are now locked down from a technical standpoint, does this mean the responsibility now goes back to the Banks rather than the punters?

    Granted if it was a lost card, without pin-lock, you'd still need to report the loss, so you'd still probably be responsible up to the point of reporting the loss. But if it's in a phone with pin protection, even losing it shouldn't compromise it.

    But this should mean, any unauthorised payments are due to a technical failure (cracked encryption, vulnerability, compromised Bank system etc.) rather than user error, so hopefully this means responsibility is now back with them, rather than the punters.

  19. Stuart Castle Silver badge

    Nice sales pitch by the providers there..

    Let me get this right. You've asked the providers for the service about the security of the service. People who make a profit from those who use it. Do you think they would give unbiased advice?

    Repeatedly over the years, we've had reports in El Reg about how NFC Systems are easily compromised, yet we are suddenly being asked to believe those problems have been fixed? Yes the system may use various forms of encryption, but encryption systems have weaknesses which can be exploited.

    OK, so for now, the banks are going to refund any losses as a result of theft. How long is that going to last? Also, you can bet they'll be passing the cost of that particular bit of generosity onto the customer.

    On the face of it, Cash isn't secure at all. Chip and Pin cards are not much better. However, they both have one security related "feature". They require that the thief has physical access to them at least once. Raising the probability of me actually noticing I am being ripped off, and possibly seeing the thief.

    With NFC, I could be walking down Oxford Street (say), have my card details swiped, have a load of sub £15 charges placed on my account, and it could be any one of the 10s of thousands of people I have just passed. It may not even trip the security systems (depending how they implement them) if there are a lot of low value transactions on the card anyway.

    1. Anonymous Coward
      Anonymous Coward

      @Stuart

      Didn't bother reading the article, did you? If you had you'd know that:

      NFC isn't the same thing as RFID

      You need a merchant account to have the money go anywhere, so the bank know who you are.

      Also - it's not a case of "for now" the banks will refund losses, they have a legal obligation to refund losses which they can't prove are the fault of the customer. This has been the case for a couple of years now.

  20. MJC
    FAIL

    Nice propaganda. You work for a bank I take it?

    So according to you, despite detailing quite thoroughly how it is absolutely practical for a thief to indulge in drive-bys and how I should trust the bank to give me my money back before I even notice (sorry, took me a while to pick myself up from the floor after that one) this is still more secure than a system where my card (or a clone) and my PIN is needed? How did you write this with a straight face, let alone a clear conscience? I don't want ANY way to pay for ANYTHING that doesn't require my active consent at the point of transaction. Let alone one that allows me to be robbed repeatedly without knowing it. At least if I'm mugged I know my wallet is gone and can cancel the cards, and I can take precautions against pickpockets too. This? Time to go back to cash. Having this forced on me is plain offensive.

    1. Anonymous Coward
      Anonymous Coward

      Err?

      Did you read the same article as me? A "driveby" is only available to someone who has a merchant account which is only available if the bank knows who you are, has your name and address, etc. Have you ever heard of "know your customer" regulations?

  21. Anonymous Coward
    Anonymous Coward

    Multiple cards

    What happens if you have multiple NFC cards in your wallet?

    If it means taking your card out each time and slapping said card against the reader to pay you might as well just stick with chip and PIN no?

  22. Anonymous Coward
    Anonymous Coward

    But where??

    I've got a Pay-Wave credit card, but have yet to see anywhere advertising the ability to use it - and I live in the northwest UK not far from Manchester, NOT the wilds of Scotland or something...

    1. Anonymous Coward
      Anonymous Coward

      Err...

      Currently all over London and the South-east and spreading out from major population centres.

      1. Anonymous Coward
        Anonymous Coward

        Currently at all sorts of fast food drive through places all over the Northwest.

    2. Chad H.

      Subway and McDonald's. Surely there's one near you.

      1. Anonymous Coward
        Anonymous Coward

        Ah that explains it

        I avoid over-priced over-processed under-nutritious crap as much as possible.

  23. Anonymous Coward
    Anonymous Coward

    You already had your cookies then

    Though mine are better. Paid for the ingredients in cash, made them myself. So there. Anyway.

    If we'd only listened to the banks, we'd *know* their systems are perfectly safe, one hundred percent or all your money back no questions asked, no hassle, they're completely trustable, will never fail to work, skimming doesn't exist, magstripes really don't need to be replaced and chip&pin is even more impossible to subvert, and we all live in teletubbieland. Same with paypal. And credit cards. They'll never sell your data and they'll never shut you off unless it is for your own good. Their call, but they're enlightened so it's all good. Honest.

    I'm so glad you found a completely trustworthy source for some fine, valuable information regarding this "pay by putting your hands in the air and wave them like you just don't care", er, system.

    So useful, in fact, that I'm a bit at a loss why I bothered reading the thing. You wrote something of eerily similar tone and with about as high quality sources something like a year ago. NFC is still being pushed through from on high. Apparently it, like so many alternative do-away-with-cash electronication schemes, has trouble pushing out cold hard cash on its obviously much superior merits. Wonder how that's possible, eh.

    By the by the kit to do just about anything (fully programmable and all that) as either a tag or as a reader is freely available for a modest sum; don't even have to dive into the "security research"-infested depths of the digital black market. Should some form of registration be required, well, then you just dive in anyway and you buy a sack of identities to abuse. Complete with bank account in Bermuda, then toss the dosh to the next, and the next. Cash it out all over Europe. These are commercial services and you can set it all up in very little time.

    Thing is, NFC is a stack of complexity that from the get-go needs so many parties to work, even for just a single transaction, that there's bound to be gaps, holes, back routes, garden paths, and so on, and so forth, up the yin yang. The black market definitely has the complexity and the grasp to match, no worries.

    What I find far more worrying is that again most of the security argumentation rests on handwaving away "impracticalities" that are only so on cursory examination, that is "for the average user". But it's exactly that average user that's getting fleeced, regardless of what shady bunch do it and what side of the law they're officially on. The people doing the fleecing do so in large quantities because they can get away with it better that way. They're set up just fine to overcome hurdles that are "impractical for the average user". Like how the push to require government ID for every bank account has actually increased the demand for "money mules", and people are still falling for that just like they're still falling for Nigerian four-nineteens. What do you mean you managed to require the perp to register? He's paid someone a pittance to take the fall. And that's just the deep end of the trouble.

    Take, for example (and this has been raised before, but curiously not answered) the simple problem of your NFC phone going walkies, whether lost or stolen. How, exactly, are you proposing I trigger that wonderful process where the network will kindly tell the NFC component to stop spending my hard-earned dosh? I call them? My what a suggestion. That was my phone, you son of a silly person. A payphone? Paid for how, exactly? Someone else's phone? Why, I'll just have to beg random strangers on the street for the use of their phone (that itself is NFC enabled and thus too valuable to let go out of sight for a minute). Sound plan.

    Now, what number do I call again? That, too, was stored in my phone. Well.

    Useful, that, Bill. Wonderful. Truly useful. Not a flaw in sight. I applaud your efforts and feel reassured already. Thank you kindly, sir.

  24. Alex C

    Mobile devices only

    If we're being foisted with more responsibility for this the least they can do is to allow us to have control over how it works?

    An App that comes up with the name, cost and details of the requesting provider and service provided and asking for pin / gesture/ facial confirmation (at user's discretion).

    At this point the user could determine whether or not they wanted to trust that merchant and to how much they were willing to trust that merchant with e.g. total per transaction and total per day/month.

    Every time the device was used there would be a record and with which merchant, and you'd be able to determine your own notifications (personally mine would go to the notification bar in Android as well as making a loud 'beep-boop'). Every time you used your device outside usual parameters it would ask for your chosen credentials before proceeding.

    Clever banks would allow you to apply this app to your account highlighting all items on your statement that had been paid for using your device and usually what they had paid for.

    It'd even be pretty handy for setting yourself spending limits in the pub, on those nights you won't quite remember. "Lads I'm a ton down and it's only 10pm - surely it's someone else's round by now." Sure you could still buy with the right credentials but you'd know about it.

    I could work with a device like that but not one described in the article.

    1. Alex C

      couple of addendums to this

      Using Facial characteristics as your credentials would mean if you were hit in the face as part of the mugging it wouldn't allow them to take your money (though whether that'd leave you better or worse off is open to debate).

      You'd also need to be able to turn vendors off and / or manipulate how much they had access to. Probably best if this was hidden behind different credentials.
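
The per-merchant limits described in the two posts above, sketched as an added example (not part of either post and not any real wallet's API; the class names, the three decision strings and the sample merchants are assumptions):

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal

@dataclass
class MerchantPolicy:
    per_txn: Decimal        # most this merchant may take in one tap
    per_day: Decimal        # most this merchant may take in one day
    enabled: bool = True    # the user can switch a vendor off entirely

@dataclass
class Wallet:
    policies: dict = field(default_factory=dict)  # merchant name -> MerchantPolicy
    log: list = field(default_factory=list)       # record of every request seen

    def spent_today(self, merchant, day):
        return sum((e["amount"] for e in self.log
                    if e["merchant"] == merchant and e["day"] == day
                    and e["decision"] == "approved"), Decimal("0"))

    def request(self, merchant, amount, day, credential_ok=False):
        """Return 'approved', 'confirm' (ask for PIN/gesture/face) or 'declined'."""
        amount = Decimal(amount)
        policy = self.policies.get(merchant)
        if amount <= 0 or (policy is not None and not policy.enabled):
            decision = "declined"          # disabled vendors stay off even with a PIN
        else:
            within = (policy is not None
                      and amount <= policy.per_txn
                      and self.spent_today(merchant, day) + amount <= policy.per_day)
            # Unknown merchant or outside the usual limits: step up to credentials.
            decision = "approved" if within or credential_ok else "confirm"
        self.log.append({"merchant": merchant, "amount": amount,
                         "day": day, "decision": decision})
        return decision

def demo():
    # Constructed sample data: one trusted merchant, 10.00 per tap, 25.00 per day.
    w = Wallet({"pub": MerchantPolicy(Decimal("10"), Decimal("25"))})
    day = date(2011, 11, 1)
    taps = [("pub", "8.00"), ("pub", "8.00"), ("pub", "8.00"),
            ("pub", "8.00"), ("kiosk", "1.00")]
    return [w.request(m, a, day) for m, a in taps]
```

The fourth tap at the pub would take the day's total past the limit and the kiosk has no policy, so both come back as `confirm` rather than going through silently.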

  25. andy 45

    I like ca$h

    ...and it means the bank doesn't get a slice of every transaction I make.

    The banks have robbed us all enough.

    I'm paying with cash at every opportunity, and I won't be installing NFC on my phone...

    1. Anonymous Coward

      Really?

      Do you think that a bank doesn't charge a merchant for cash handling services?

      In fact, do you think that a bank doesn't charge you for cash handling services?

    2. Anonymous Coward

      If you want that nasty bank (who provided you with an overdraft, mortgage, home improvement loan, car loan etc) to get as little money as possible from your transactions then either barter or pay by debit card.

      Oh, and you could always use one of those televised loan sharks that charge 2400% (typical APR) to cover your shortfall at the end of the month instead of using an overdraft facility. It might cost you a little more but at least the bank will get less money.

  26. Yet Another Anonymous coward Silver badge

    Simple solution

    Alongside your Apple/Crackberry/non-fruit-related-Android-unit you also carry a Nokia1100 in order to call the bank when your NFC smart phone is stolen.

    It's also useful for calling other people when the battery on your smart phone is dead by 10:00 am because you watched a video on the tube.

  27. You Are Not Free
    Meh

    Can Someone Enlighten Me?

    Can someone please tell me (in non-NFC industry speak if possible)...

    What are the "benefits" to the end user?

    What are the benefits to the providers?

    Why is this being pushed so?

    1. Anonymous Coward

      Yes...

      1) It's fast

      2) See 1

      3) See 1, also, it's cheaper than handling cash.

      1. You Are Not Free
        Meh

        That is one benefit not three

        Faster? By how much? A few seconds? Well that must be worth it then.

        It's cheaper than handling cash because the banks make it so, and only because they are initially trying to encourage retailers to introduce another cashless system.

        I've given it some thought and it seems to me that the banks want everyone using cashless because they want the ability to take a slice of every single transaction once they can do this and control it, they own everyone.

        The benefits to the consumer are non-existent, it's a control method pure and simple.

        Your hard cash is yours, the banks want it.

  28. Chad H.

    No sale

    I was in Australia the other week and there credit cards (the chip n pin type, not NFC) can now be used without PIN for purchases less than $25.

    My brother lost his wallet. You can guess what happened next.

    For some of us, no pin purchases like pay and wave want, are not a desirable feature but a problem waiting to happen. Ask for my pin all the time, or no sale.

    1. Chad H.
      Thumb Down

      I can but presume

      that the downvoter is a credit card defrauder

  29. HeyMickey
    FAIL

    MITM Anyone?

    As well as mugging, what's to stop you using 2 NFC smartphones to conduct a man in the middle relay attack - hold one phone up to someone else's card/back pocket, and the other up to the card reader in a shop. Wifi, bluetooth or UMTS links the two phones which act as a dumb bridge. Someone else ends up paying for your purchase and if the phones were purchased anonymously there is no traceability and no merchant account required... No card account required either, just two SIM free phones with NFC...

  30. ■↨

    Aluminium Card Case

    As usual the Japanese have a solution...

    http://www.muji.eu/pages/online.asp?V=1&Sec=15&Sub=64&PID=387

    Comes in various depths, also available in Stainless Steel.

    Every time I've used a proximity payment the staff have got confused that there's no receipt and called their supervisor. As a result it takes far longer than entering the pin. So now I tend not to bother.

  31. The Cube
    Stop

    ASTROTURF

    This article stinks of astroturf and is about as one sided as a speech by the home secretary, this is not journalism, it is an advertorial, please el reg don't ever accept an "article" from this shill again, or if you do make sure you are getting the money from the NFC vendor / bank who clearly paid for this horrid piece of fluff and put the vendor's name and the amount paid at the top of the page so we know how bent the article is.

    May I suggest that as a balance to this BBC grade bum licking you send a proper journalist like A Orlowski to go and see the bods at Cambridge University Computer Lab and get a proper, independent, somebody might actually believe it, version of what improvements or risks the banks are now inflicting on their customers without their request or permission?

  32. ad47uk

    not for me

    NFC may come, but I can't see how it can be forced onto people, no doubt there is a way to set the amount of times the card can be used before a pin is needed, I would set mine to zero, so a pin is needed all the time.

    Thankfully my debit card is not a NFC one, or it was not when I lost it on Monday, just waiting for a new one, I doubt it will be NFC either.

    I have shivers thinking about how easy it could be for someone to have used my card if it was NFC.

  33. Anonymous Coward

    The real reason They are introducing this technology

    So They can track you even when your mobile is turned off.

    1. Anonymous Coward

      Err?

      What, from 10cm away? Or didn't you read the article.

      1. Anonymous Coward

        "Paper trail"

        Also, "whoosh", unless deliberate, then dishonest.

  34. Anonymous Coward

    Thanks

    Thanks for explaining how this tech works. Much appreciated.

    Here in Australia Pay by Wave has a limit of $100, so there is the opportunity to lose a bit more, but overall it seems to be a fairly good option.

    I've also noticed that some merchants (a fast food joint, and a supermarket chain) here in Australia no longer require a PIN for purchases under $20.... not sure how I feel about this.

  35. John Burton

    Erm...no.

    "Why don't you install this application on your phone that can be used remotely to remove small amounts of money from your bank account directly without you having to be involved in the transaction or authorize it....Or even know about it"

    Erm. No.

  36. Anonymous Coward
    Thumb Up

    Finally, some common sense...

    Thank you for this article. Hopefully people will see the reasoning and drop some of the FUD.

    Two things to add:

    1) A phone could also be configured so you have to press a button to enable the NFC payment. That would be a very easy way to guard against unwanted payments.

    2) Legally, the bank always protects the consumer against fraud.

  37. Andy Watt
    FAIL

    @"You cannot 'copy' the cards (the private keys aren't disclosed by the card)"

    http://www.theregister.co.uk/2011/08/04/smartcard_hacking_tools/

    "Black hat hackers have released tools that unlock the software stored on heavily fortified chips so researchers can independently assess the security and spot weaknesses"

    Karsten Nohl / Christopher Tarnovsky strike again - use of OCR and microscopy (both standard and electron), microscopic needles...

    I'm trying my best to nuke the NFC capability on my cards using focussed microwave energy. I didn't ask for this "feature", which is waiting to be hacked to shit.

    That is all.

  38. Anonymous Coward
    Mushroom

    worst article in ages

    Hint, try biting the hand that feeds IT.

    Let's go to fantasy Island: "At which point the bank looks at the transactions with the customer, identifies the fraudulent merchant and claws back what money they can, as well as reporting the fraudster to the police. Punters who've been ripped off are easily identified and most will have their £15 refunded before they even notice it's gone. In the case of a dispute the money is refunded to the customer while the bank sorts out the details with the merchant, though the customer may be required to jump through some hoops just as with credit card refunds today."

    The bank looks at the transactions.. - this won't happen.

    ..as well as reporting the fraudster to the police.. - 3 things:

    1 the cops won't take reports of card fraud from joe soap

    2 the banks have no incentive to report fraud

    3 in the unlikely event of the cops hearing about it, they'll decide it's more fun to go and punch some smelly hippies.

    .. most will have their £15 refunded before they even notice it's gone .. - As if

    .. customer may be required to jump through some hoops .. - like paying out £30 in premium rate phone calls for a £15 fraud.

    And just what does " it will come whether the public wants it or not" mean? If the public don't use it, they will be made to use it? There will be no other way of paying for things? Astounding arrogance. Reminds me of the 'payments council (aka the banks)' we're going to abolish cheques so suck it up stance.

    Abysmal puff piece from the banking / mobile industry. Can read this sort of garbage anywhere, not why I visit the reg.

    1. david wilson

      >>"2 the banks have no incentive to report fraud"

      ...apart from saving money in refunds, minimising customer disquiet, and avoiding discouraging use of the system.

      >>"3 in the unlikely event of the cops hearing about it, they'll decide it's more fun to go and punch some smelly hippies."

      Sure, since we all know that the police universally conform to whatever stereotype people choose to dream up about them and post on web forums.

      >>"And just what does " it will come whether the public wants it or not" mean?"

      I'd have thought that at the very least it would mean that its arrival isn't dependent on customer demand (though it's hard to see how it could be - most people wouldn't see a huge use for it until there are plenty of places they can use it, and they have a card/device which gives them the option to use it).

      >>"If the public don't use it, they will be made to use it? There will be no other way of paying for things?"

      Only if governments withdraw cash, or individual traders decide they don't want to deal with cash.

      Neither of those things would necessarily be a bank's fault.

      Trying to follow your logic, are the banks supposed to not introduce anything new just because some people might not want to use it?

      >>".. customer may be required to jump through some hoops .. - like paying out £30 in premium rate phone calls for a £15 fraud."

      Does that happen much at the moment?

      My main bank's card loss line seems to be a (free to BT landline) 0870 number, but even if it *hadn't* been free, it'd have taken something like 8 hours to rack up a £30 bill, and with the bank getting about half the charges, I'm not sure how much profit they could make even with a pretty low daily pay rate at an overseas call centre.

      Even with charged-for calls, if they had a UK call centre, I could at least take some comfort that I was probably costing them about as much to answer a call as they were costing me to make it.

  39. Frank Bitterlich
    Terminator

    Welcome to Utopia...

    ... where banks are smart, helpful, and on the side of the fraud victim.

    "At which point the bank looks at the transactions with the customer, identifies the fraudulent merchant and claws back what money they can, as well as reporting the fraudster to the police. Punters who've been ripped off are easily identified and most will have their £15 refunded before they even notice it's gone."

    Sure. I'll believe that right away.

  40. FreeBrad
    FAIL

    Audit Trail

    I will not use this type of payment because of the audit trail that can be generated if cash is abandoned in favour of card payments.

    I don't class myself as a conspiracy theorist, but a scumbag government (and I might add that we haven't had any other kind for my 40 years on this planet) will certainly use such an audit trail to automatically calculate your taxes and take the money from your account without intervention.

    1. Chad H.

      Errr

      Which Taxes are you trying to avoid by paying cash?

  41. ad47uk
    Happy

    new debit card

    is not NFC, yeah, so I am safe for another 3 years.
