Do you use contactless payment cards ? (1 Viewer)

[iandsm]

Of course there isn't. The banks and card issuers don't publicise it and won't admit there is a problem on the grounds of "security".

I had extensive correspondence after my credit card was cloned and it took months to get them to admit the flaws in security.

Yes, I get that but banks are not the only source of information the media love a good story. Programs like "You and Yours" or "The money Program" would love to do an expose, but they haven't yet.

There have been some media report according to this report

http://www.smartcardalliance.org/publications-contactless-payment-security-qa/

The ones worth reading too

http://www.computing.co.uk/ctg/anal...s-are-we-sacrificing-security-for-convenience

I suppose we just have to accept that nothing is totally secure, I have had a credit card cloned in the past but the company were very fast to spot unusual transactions, contact and and stop the card, they issued a replacement within 24 hours and reimbursed me within a month which I thought was not too bad.

 

[iandsm]

The banks are receiving payment from advertisers as the cards are used to activate smart boards.
As you approach them, they read your card, get your info from the card database as to your recent purchases and display adverts they think would be relevant to you.

At the moment ( as far as I am aware ) I do not have any contactless cards, but should I be forced to accept one then I shall get a card protector wallet and invoice the card issuer the price.
No idea if I will succeed in getting the lolly but at least it will cause a headache for someone...

I don't suggest for a moment your wrong, but I would be very interested to know where you got that from.

 

[Tanya_and_Mick]

Security is typically based on people, processes and technology, rather then technology alone - however, no comfort when it does go wrong.

^{_{Subscribers  do not see these advertisements}}

 

[Deleted member 29692]

I must be the only person who isn't worried at all. I use contactless cards and also Apple Pay whenever possible and can't see myself ever bothering with the silly little extra wallets.

 

[Chockswahay]

I use my contactless card ............ it's great

 

[Deleted member 29692]

I don't for one moment want to start an argument but you really have to take these scare stories with a large pinch of salt.

If you believe this one then what about the chip and pin devices that lift your card details or the devices attached to ATM machines? How about the risk of counterfeit cash or bank databases being so insecure people can access your account details at will?

If we all believed everything we hear then pretty soon we'd be reduced to a barter economy.

^{_{Subscribers  do not see these advertisements}}

 

[CWH]

If we all believed everything we hear then pretty soon we'd be reduced to a barter economy.

I'd be happy with that

 

[DuxDeluxe]

I don't for one moment want to start an argument but you really have to take these scare stories with a large pinch of salt.

If you believe this one then what about the chip and pin devices that lift your card details or the devices attached to ATM machines? How about the risk of counterfeit cash or bank databases being so insecure people can access your account details at will?

If we all believed everything we hear then pretty soon we'd be reduced to a barter economy.

Devices attached to ATM machines are a fact but you simply take a few precautions. You cannot have a zero risk life; it would be no life at all.............

 

[Deleted member 29692]

Devices attached to ATM machines are a fact but you simply take a few precautions. You cannot have a zero risk life; it would be no life at all.............

That's the point exactly.

I'm sure the technology exists for all these things, and plenty more the scaremongerers haven't thought of yet, to happen.

It's a hell of a jump from there to suggest these things are so common or so likely to happen to you that you need to take special precautions that impact on your daily life.

Muggers are a fact but how many of us employ bodyguards when we go out?

^{_{Subscribers  do not see these advertisements}}

 

[GJH]

Yes, I get that but banks are not the only source of information the media love a good story. Programs like "You and Yours" or "The money Program" would love to do an expose, but they haven't yet.

There have been some media report according to this report

http://www.smartcardalliance.org/publications-contactless-payment-security-qa/

The ones worth reading too

http://www.computing.co.uk/ctg/anal...s-are-we-sacrificing-security-for-convenience

I suppose we just have to accept that nothing is totally secure, I have had a credit card cloned in the past but the company were very fast to spot unusual transactions, contact and and stop the card, they issued a replacement within 24 hours and reimbursed me within a month which I thought was not too bad.

I'd much rather trust the Computing article than the industry's own publicity body

When my card was cloned the transaction amount was reimbursed straight away but that was of far less value to me than the hassle of replacing the card - and I wasn't reimbursed for that at all. What made the experience worse was finding out that the cloning could never have happened if the card issuers and banks hadn't been complicit in compromising the security measures that they like to claim to have in place.

 

[GJH]

That's the point exactly.

I'm sure the technology exists for all these things, and plenty more the scaremongerers haven't thought of yet, to happen.

It's a hell of a jump from there to suggest these things are so common or so likely to happen to you that you need to take special precautions that impact on your daily life

Muggers are a fact but how many of us employ bodyguards when we go out?

Having worked in IT and information security for so long I am all too aware of what is and what isn't scaremongering. That is why, rather than employing bodyguards we use aluminium foil rather than refuse the cards totally

As far as impact on daily life goes, there was no impact when contactless payment was not possible and there is no more impact by not using that payment method.

It would, though, be more reassuring if the card issuers were honest about the security they employ rather than hiding the fact that they routinely compromise it in the interests of transaction throughput

 

[Deleted member 29692]

I think this scam has actually worked perfectly.

Who ever it is in China that came up with the silly little wallets and then managed to plant the scare stories convincing you that they are vital to "keep you safe" has managed to relieve you all of your cash quite easily. He hasn't even needed to go to the trouble of following you around with a POS machine to do so. You've all given it to him willingly


Anyone who has ever had, or knows what's involved in setting up, such a machine would know just how patently absurd that particular story is.

^{_{Subscribers  do not see these advertisements}}

 

[Puddleduck]

I have one of those contact cards and have used it twice. The time my card was used fraudulently was when a trader took all the details from it using a manual swipe system. Once your number, expiry date and the digits on the back are in someone else's hands you are vulnerable.

I have one card that I use only for internet transactions and that needs a password to authorise it's use. Apart from the usual precautions when using a card for payment (cover up when entering PIN etc) I am not sure what else we can do.

 

[Deleted member 29692]

Having worked in IT and information security for so long I am all too aware of what is and what isn't scaremongering. That is why, rather than employing bodyguards we use aluminium foil rather than refuse the cards totally

As far as impact on daily life goes, there was no impact when contactless payment was not possible and there is no more impact by not using that payment method.

It would, though, be more reassuring if the card issuers were honest about the security they employ rather than hiding the fact that they routinely compromise it in the interests of transaction throughput

As I said before I'm not disputing that the technology exists.

What I am disputing is the idea that it happens so frequently that we all need to be worried enough about it to buy silly extra wallets or carry a pocket full of tinfoil everywhere.

How many documented, proven beyond all possible doubt, case are there of this happening? If there are more than a couple it would be far bigger news than it is. I'd probably bet on there being no proven cases.

I only have my phone here or I would find the answer for myself.

 

[DuxDeluxe]

That's the point exactly.

I'm sure the technology exists for all these things, and plenty more the scaremongerers haven't thought of yet, to happen.
Muggers are a fact but how many of us employ bodyguards when we go out?

I use a drooly spaniel as a bodyguard.........

^{_{Subscribers  do not see these advertisements}}

 

[iandsm]

I'd much rather trust the Computing article than the industry's own publicity body

When my card was cloned the transaction amount was reimbursed straight away but that was of far less value to me than the hassle of replacing the card - and I wasn't reimbursed for that at all. What made the experience worse was finding out that the cloning could never have happened if the card issuers and banks hadn't been complicit in compromising the security measures that they like to claim to have in place.

I don't suggest for a moment your wrong, but I would be very interested to know where you got that from.

 

[Hollyberry]

Paying for an £11-12 item in Boots the woman on the till asked me to use contactless. I refused and she asked again more forcefully asking loudly why I didn't like it? If I hadn't needed to eye treatment stuff I'd have walked out. Been told it's cheaper for shops when you use contactless.

 

[iandsm]

Paying for an £11-12 item in Boots the woman on the till asked me to use contactless. I refused and she asked again more forcefully asking loudly why I didn't like it? If I hadn't needed to eye treatment stuff I'd have walked out. Been told it's cheaper for shops when you use contactless.

I cant see why t would be cheaper for stors if you use contactless and whether you use or it or not, or whether you like it or not is absolutely nothing to do with the person on the till who needs to be told so and also need some customer service advise.

^{_{Subscribers  do not see these advertisements}}

 

[GJH]

As I said before I'm not disputing that the technology exists.

What I am disputing is the idea that it happens so frequently that we all need to be worried enough about it to buy silly extra wallets or carry a pocket full of tinfoil everywhere.

How many documented, proven beyond all possible doubt, case are there of this happening? If there are more than a couple it would be far bigger news than it is. I'd probably bet on there being no proven cases.

I only have my phone here or I would find the answer for myself.

This article claims that the incidence is low. Mind you, that is the UK Cards Association, the same body that hides the lack of security.

I don't suggest for a moment your wrong, but I would be very interested to know where you got that from.

The UK Cards Association and The Payments Council. The following response from them admits that the CVV2 value (which we are all led to believe by their adverts is always required) is not required if the retailer takes the risk - i.e. that they have allowed the introduction of a back door which can be exploited by fraudsters.

In addition to our earlier response, the following clarifies the matter detailed in your email correspondence.

Whilst a PIN is a "Cardholder Verification Method" (CVM) used in card payments at both ATM's and face to face in shops, the CVV (Card Verification Value) is not a type of CVM. Each carries out a different function.

The CVV (Card Verification Value) technology is one of the means which helps to validate a card or card number as being genuine, (i.e. the card number is not a mere random string of 10 digits added to Bank Identification Number 6 digits which has perhaps in part been captured or created by say a fraudster). There are 3 CVV values on a card, each different: one in the mag stripe (CVV1), one on the signature panel (CVV2) and one in the Chip (iCVV). These CVV's are not interchangeable and each will only help verify a card number in the relevant transaction environment (e.g. card present, card not present).

In transactions where neither the card and/or cardholder are present at the retailer, the CVV2 value is sought to help mitigate against a particular card number based fraud threat. To verify the cardholder as the genuine rightful possessor of that card/card number, as mentioned in one of our earlier responses, there are global authentication systems (Cardholder Verification Method's - CVM's) such as Verified by Visa, SecureCode by MasterCard and SafeKey by American Express.

With all forms of remote commerce, whatever the form of payment, it is vital that retailers carry out appropriate know your customer checks before entering into any transaction, to enable them to be comfortable that their customer is who they say they are, and can rightly enter into a transaction (e.g. age related sales).

In the UK, the card schemes (Visa, MasterCard, American Express etc) strongly recommend that retailers always seek the CVV2 value whenever handling say, a telephone order transaction. However to avoid potentially inconveniencing a bona fide customer, who genuinely may not be able to provide the CVV2 at time of the order and with whom the merchant has perhaps an established relationship, provided goods to the same delivery address as in the past, and being prohibited from storing card holder card details including CVV data (under payment card industry data security standards), there may be good reason to enable the transaction to occur. If the merchant is comfortable to proceed, they can, on the basis that should the transaction be subsequently disputed they will take the liability. Clearly if the retailer is at any point concerned or suspicious about a transaction, they should not proceed. Ultimately it is a decision for the retailer to take on a case by case basis, as they are in the best position to do so.

It is also worth noting that this response comes on behalf of The UK Cards Association, the trade body for the card payments industry in the UK, representing financial institutions that act as card issuers and acquirers.

 

[Deleted member 29692]

I use a drooly spaniel as a bodyguard.........

So do I. And bloody useless the pair of them are too

 

[Gromett]

Can I just point out that aluminium will not prevent them working. It will reduce the range a bit but won't prevent them being read in your wallet?

You need something that can stop a magnetic field dead..

^{_{Subscribers  do not see these advertisements}}

 

[DBK]

Just been watching the local news on TV and there was an item about some houses having to be evacuated because of a suspicious package being found. There were also interviews with a few of the evacuees who were ringing their hands and giving the impression the sky had just fallen in. Without prompting my wife said "have they no sense of adventure?"

What she meant was at the very least these folk now had something to talk about for the next few weeks if not longer. No one was hurt, it was a minor inconvenience and even perhaps a little bit of excitement.

My thoughts on these cards are somewhat similar, they (the ill-disposed) aren't going to take all your money and whatever they pinch, if they did, should be reimbursed by the bank. And similarly for cloning cards, yes you will be without a card for a few days (which is why you should have a different card to cover for just this sort of event) and when the new card arrives you will have the chore of having to open the envelope and then find a pen which works to sign it, but on the scale of cataclysmic events which might befall you, it could be a lot worse!

 

[Gromett]

ok, I stand corrected. I just ran a test using my phones NFC reader and some kitchen foil on both an NFC tag and my Debit card.

1 wrap of foil protected my NFC tags and my card.

However the NFC coil in my phone requires direct contact between the phone and the tag.

The transmitters in a card reader or independent NFC scanner can put out a lot more power. For instance a proximity scanner using NFC has a range of around half a meter.
If the hackers use one of these your foil would not work.

 

[Gromett]

My thoughts on these cards are somewhat similar, they (the ill-disposed) aren't going to take all your money and whatever they pinch, if they did, should be reimbursed by the bank. And similarly for cloning cards, yes you will be without a card for a few days (which is why you should have a different card to cover for just this sort of event) and when the card arrives you will have the chore of having to open the envelope and then find a pen which works to sign it, but on the scale of cataclysmic events which might befall you, it could be a lot worse!

The RFID scanners read all the card data. This can include your card number expiry date and name etc.... It is enough for fraudsters to purchase stuff from the US where they are not yet on chip and pin.

This is worth a watch.


The bit about the cards is near the end 10 minutes in.

^{_{Subscribers  do not see these advertisements}}

 

[Deleted member 29692]

This article claims that the incidence is low. Mind you, that is the UK Cards Association, the same body that hides the lack of security.

The UK Cards Association and The Payments Council. The following response from them admits that the CVV2 value (which we are all led to believe by their adverts is always required) is not required if the retailer takes the risk - i.e. that they have allowed the introduction of a back door which can be exploited by fraudsters.

That article concerns lost or stolen cards and the card being physically present when the fraud occurs. I'm aware of the potential for problems with offline payments or customer not present ones that don't use the CVV but those are a different discussion

Unless I've completely misread the thread I thought the issue here was the potential lifting of data from contactless cards hence the daft wallets and tinfoil . I've seen no evidence anywhere that this is actually happening. Just because something is theoretically possible doesn't mean anyone is doing it.

The other idea mentioned of someone running around with a POS machine touching people's pockets is laughable. I can only suggest that anyone who thinks there is any truth at all in this one tries to get such a machine up and running and able to take payments. The paperwork and security checks are endless. You don't just buy a machine and program it to send the payments anywhere you like.

 

[DBK]

The RFID scanners read all the card data. This can include your card number expiry date and name etc.... It is enough for fraudsters to purchase stuff from the US where they are not yet on chip and pin.

This is worth a watch.


The bit about the cards is near the end 10 minutes in.

One of the earlier links said this had been shown in demonstration but it had not been seen on the street, so to speak. But as I was trying to say in my post, what's the worst that can happen? The banks are reimbursing those who have been defrauded unwittingly, assuming they haven't done anything silly. It is an inconvenience which I can live with for the convenience of these cards.

 

[GJH]

That article concerns lost or stolen cards and the card being physically present when the fraud occurs. I'm aware of the potential for problems with offline payments or customer not present ones that don't use the CVV but those are a different discussion

Unless I've completely misread the thread I thought the issue here was the potential lifting of data from contactless cards hence the daft wallets and tinfoil . I've seen no evidence anywhere that this is actually happening. Just because something is theoretically possible doesn't mean anyone is doing it.

The other idea mentioned of someone running around with a POS machine touching people's pockets is laughable. I can only suggest that anyone who thinks there is any truth at all in this one tries to get such a machine up and running and able to take payments. The paperwork and security checks are endless. You don't just buy a machine and program it to send the payments anywhere you like.

The points I've been making are about a general lack of security - and misleading of the public - within the payment cards industry.

I agree with you about a POS machine but the same doesn't apply to a RFID scanner. That was demonstrated years ago when retailers started putting RFID tags into goods or their packaging and reading the tags subsequently to obtain data on customer habits. The one I always remember was to embed a tag into clothing so that the retailer could gather data on which other shops customers subsequently wearing the clothes used.

Once the data has been scanned and a card has been cloned it can be used for a while to obtain goods/services. The defrauded customer may receive a refund of the amounts taken, and the bank won't lose out because it will charge the retailer or cover the cost from increased throughput, but the customer will never recover the cost of the hassle caused because the banks and retailers are simply not interested in taking responsibility for that.

^{_{Subscribers  do not see these advertisements}}

 

[Deleted member 29692]

The points I've been making are about a general lack of security - and misleading of the public - within the payment cards industry.

I agree with you about a POS machine but the same doesn't apply to a RFID scanner. That was demonstrated years ago when retailers started putting RFID tags into goods or their packaging and reading the tags subsequently to obtain data on customer habits. The one I always remember was to embed a tag into clothing so that the retailer could gather data on which other shops customers subsequently wearing the clothes used.

Once the data has been scanned and a card has been cloned it can be used for a while to obtain goods/services. The defrauded customer may receive a refund of the amounts taken, and the bank won't lose out because it will charge the retailer or cover the cost from increased throughput, but the customer will never recover the cost of the hassle caused because the banks and retailers are simply not interested in taking responsibility for that.

Again Graham I don't dispute the theory but there is no evidence whatsoever of anyone actually doing it.

 

[hilldweller]

I also like my privacy

So throw away your mobile phone, cut up all your credit cards and most important disconnect your internet.

 

[Geo]

FOR SALE ​

Anti RFID Suits all sizes available
Seen demonstrated at a Fun Rally

All Size Custom Motor Home Faraday Cages made to order
Non Contact Payments not accepted

^{_{Subscribers  do not see these advertisements}}