Author Topic: Contactless cards - unasked for fraud risk?  (Read 13229 times)


Tobes
Contactless cards - unasked for fraud risk?
« on: March 28, 2013, 12:47:57 AM »
For reasons too depressing and annoying to relate, I had to replace my credit cards this week.

I was impressed by how quickly my bank (First Direct) sorted the issue and got me my new cards through in the post within 48 hours... Hooo-rah.

Then, while idly thumbing through the inevitable bumf that came with them, I noticed the term 'contact-less card'. Now, a lot of you may be in the dark as to what this actually is - have a gander at your credit or debit cards and see if they have a logo which consists of four white semi-circles looking like a wireless signal indicator on your PC but on its side. If you've got one of those, you have possibly unwittingly been indoctrinated into having a card fitted with the latest supposed 'break-through in easy banking'. Unfortunately, the ease for the consumer may be matched with potential ease for the criminal.

If you actually consider what you've been bequeathed and try to find the answers directly from your bank, you might find that there are a LOT of unanswered questions regarding the security and efficacy of this new (unasked for) tech. The following Guardian article gives you some extra background -

http://www.guardian.co.uk/money/2012/sep/14/contactless-payments-cash-free-shopping

Quote
Contactless is for payments of £20 or less, and means you don't have to key in your pin. The advantages for consumers are that they are in and out of a shop quicker, with fewer queues and no fiddling around with change; retailers (are meant to) like it because they don't have to handle large amounts of coins, and they also hope you will spend more money. But many shoppers worry about what will happen if their card is stolen and the thief runs up a big bill.


That's right - to make a transaction of up to £20, all that needs happen is for the card to be in close proximity to the till. No PIN. No signature. No proof required that the card is yours. None. In fact, the retailer doesn't even have to see the card.

Quote
In the banking industry a war of words has broken out over whether the public have taken to contactless payments. ATM operator Bank Machine recently published a survey that said 51% of Britons have no idea whether or not any of their bank cards are enabled for contactless transactions, and also highlighted concerns about fraud.


No (rather obvious!) shit!

In fact, this was one of the most worrying aspects to the bumf - the lack of any reassurance regarding the very obvious attraction of a contactless card to any thief or fraudster. There was no indication of the spending limit of a contactless card in a given period either. Any thieving git with your wallet would presumably have a whale of a time buying easy to move on goods like fags, booze, mobile SIMs etc - quite a tidy haul if they moved on nice and quickly and kept individual items below the £20 ceiling.

But the biggest sting in the tail comes from what you learn doing even a basic bit of background research into the security of these cards. This piece of reporting from Channel Four won an award because of its findings:

http://www.channel4.com/news/fraud-fears-grow-over-contactless-bank-card-technology

Quote
Millions more British bank customers have been exposed to fraud through the latest credit and debit card technology, writes Channel 4 News technology producer Geoff White.


Quote
Channel 4 News reported that Barclays Visa contactless cards (ones which bear the symbol pictured) can be read using an off-the-shelf mobile phone running a special app.

ViaForensics, the company which carried out the research for Channel 4 News, has now shown the same technique works on a Visa debit card issued by Lloyds. And banking industry insiders have told us that all Visa contactless cards can potentially be read in this way.

The app reads the full name, number and expiry date from the card. Channel 4 News was able to use just these three details to order goods through Amazon; setting up an account under a dummy email address and having the goods shipped to an address which does not match that of the cardholder.

There are around 19 million contactless cards in circulation in the UK - Barclays accounts for around 13 million of those.


So, why the hell are we having these cards foisted upon us? It would appear that we as the consumers are having to carry the risk of something inherently and predictably insecure - one which places us more at risk of both street robbery AND fraud.

I phoned my bank, First Direct, and told them that I had requested a replacement card, NOT a contactless card. At first I got the standard line that this was 'new technology which would feature on all their cards' until I dug in my toes. As a result, my new new card - minus contactless technology - is on its way.

Watch your cards, people. A lot of banks have been rolling them out quietly for months now and if you have renewed a card or opened an account recently, you may not even be aware that you have one.

Quote
The Information Commissioner has also raised concerns that the information the card gives out could breach data protection laws. Christopher Graham told Channel 4 News: "Just your name is personal information and if that can be accessed surreptitiously that's a concern. If there's been a serious breach of the data protection act we do have very significant sanctions."

Viewers have told Channel 4 News that they have been told by their bank that they must have a contactless card and that no other option is available. Barclays confirmed that they will not offer an alternative to contactless credit cards, but they can issue a non-contactless debit card.


TS contributors can normally spot a lemon a mile off - especially when it involves technology and potential fraud... what think you, people?


I do not agree with what you have to say, but I'll defend to the death your right to say it - [attributed to] Voltaire... 'Entia non sunt multiplicanda praeter necessita' - William of Occam.... 'You have a right to feel offended, but just cos you are offended doesn't mean you are right'

Mickraker
Re: Contactless cards - unasked for fraud risk?
« Reply #1 on: March 28, 2013, 06:04:14 AM »
My bank issued me with a contwatless card years ago and to date I still wait to use the wifi bit. I am not someone who bothers to get it out of my arse pocket for less than 20 quid. Call me old fashioned but I prefer to use cabbage for piddly little purchases and still feel pangs about the demise of cheques and guarantee cards  :-\

I have wondered about why we have the card. I think it is so that people can be scanned and details logged, like a sort of back up to the CCTV. A sort of privacy buster: no more anonymity when you walk down the street or in a building, and it can be used as a cross reference at checkpoints. As you present one form of ID you are scanned for others and then cross checked.

Mobile phone signal ... Check

Bank card signal ... Check

Does it confirm ID presented ..... Check

Is it all futuristic big bruv wossaname  :-\

My non-aggressive posts are my own opinion and represent me, myself and I only!

komadori
Re: Contactless cards - unasked for fraud risk?
« Reply #2 on: March 28, 2013, 08:51:03 AM »
I can see that some might think the scope for fraud with a £20 limit is relatively small, but rather than thinking about the difficulty of quickly running up a large fraudulent bill, think about the ease with which someone living a few streets away could use your card details for a long period of time without being detected.

The ability for the researchers to set up and use an Amazon account with the details probably says more about the low security standards for purchases there. The big online retailers seem to have special arrangements with the card companies that result in payments through them being subject to fewer security checks by the card companies.

I'd prefer it if the chosen technology for low value transactions was the touch-card. I already have two - an Oyster card and a Thamesdown Transport card. One touch-card that could be used anywhere for low value purchases would seem far safer than a wireless card.
If something's worth doing it's worth doing in green. komadori's green c

Tobes
Re: Contactless cards - unasked for fraud risk?
« Reply #3 on: March 28, 2013, 09:32:47 AM »
Quote
I can see that some might think the scope for fraud with a £20 limit is relatively small, but rather than thinking about the difficulty of quickly running up a large fraudulent bill, think about the ease with which someone living a few streets away could use your card details for a long period of time without being detected.

Indeed. Though I was actually more concerned about the 'thievability' of the new cards: it would appear to me that they are 'instantly' valuable to a tea-leaf. If they can get hold of your wallet or card, either by stealth or burglary, they have a significant window of opportunity to buy individual items of low value but which together amount to a worthwhile haul.

Putting myself in their shoes, if this rolls out across all cards and banks, it's the equivalent to guaranteeing to every thief that any bag, wallet or jacket pocket containing a card contains a large amount of cash.

As things stand at the moment, theft of credit or debit cards holds little purpose unless they've also managed to skim your PIN or are gambling on you not noticing for long enough for them to get in front of a PC and so make fraudulent purchases online.

This move appears to be about banks wanting to maximize profit by doing away with the 'troublesome' (and costly) handling of cash. It has nothing, NOTHING to do with benefit for the consumer.

The death of cash also has important privacy implications - as if even small transactions are directly attributable to your ID, your movement, activity and personal business can be monitored for marketing purposes down to a macro level not possible by looking at ordinary card purchases or ATM withdrawals.

Jean
Re: Contactless cards - unasked for fraud risk?
« Reply #4 on: March 28, 2013, 09:42:58 AM »
Thanks for the warning, Tobes. I had no idea that such things existed. I should get out of my bubble!
Live simply so that others might simply live

Tobes
Re: Contactless cards - unasked for fraud risk?
« Reply #5 on: March 28, 2013, 10:33:51 AM »
Thanks Jean.

My take is that this all reads a little like a commercial version of the ID card scheme, in as much that vested interests are trying to sneak it through, hoping that it'll simply become accepted through vague familiarity and the fact that we've all ended up with one without even being made aware. Consumers certainly aren't demanding it - and retailers seem at best pretty ambivalent.

First Direct didn't ask me if I wanted it, and when they foisted it upon me, failed to give me any indication of where I could actually use it, failed to let me know either in the info accompanying the card or through the FAQs online what fraud or theft protection was in place - or even what the spending limit protections would be.

Also, like the ID card scheme, it's a technically flawed concept from the off, and one which ignores basic human behaviors and which seeks to serve a number of unspoken agendas - saving money by doing away with cash and making money by harvesting data which can be sold. As the consumer, I won't benefit from either whilst being subjected to increased risk of theft, fraud and having my privacy compromised.
« Last Edit: March 28, 2013, 11:42:40 AM by Tobes »

Jean
Re: Contactless cards - unasked for fraud risk?
« Reply #6 on: March 28, 2013, 02:46:31 PM »
Your concerns are shared by me. I'll need to see if I can change my debit card from the "contactless" one I've been issued with.

Muggins
Re: Contactless cards - unasked for fraud risk?
« Reply #7 on: March 28, 2013, 05:07:51 PM »
I have one, but had completely forgotten that it could do that, I've had it since last year after someone took money from my account via (I think - fairly sure) web purchasing.  I have no idea how they did that.  The sums were relatively small (but more than I could afford to give to some cyber wargame numpty) and spent on gaming sites.

So long as it can be proved that these were not your purchases, the bank re-imburses you and has done so on two occasions for me now. 

The bank does this to keep people internet banking etc.  I remember when the new card came it did inform me that it had special powers, it reassured me and I've thought nothing of it since.  I won't be choosing to use that function of it anyway.

If anything goes missing out of my account that shouldn't the bank will be paying me it back - or else!   
Oi! Listen mush. Old eyes, remember? I’ve been around the block a few times. More than a few. They’ve knocked down the blocks I’ve been around and rebuilt them as bigger blocks. Super blocks. And I’ve been round them as well.  The Doctor (Night Terrors)

Jean
Re: Contactless cards - unasked for fraud risk?
« Reply #8 on: March 28, 2013, 06:00:13 PM »
I don't use Internet banking - it bothers me. There are too many clever hackers around.

I've ordered a new debit card now without the contactless feature. In common with Tobes, I use cash for purchases of this sort of size. Perhaps if I'd bought something under £20 with my card, I'd have found out sooner!

Once again, TS has served as a very useful community vehicle! Thanks Tobes.

Simon
Re: Contactless cards - unasked for fraud risk?
« Reply #9 on: March 28, 2013, 07:47:25 PM »
I was quite surprised to read this. Debit or credit cards which can be used to make payments without the card holder needing to do anything (e.g. pin number or signature) to prove that it's really their card? But it appears to be true.

http://www.theukcardsassociation.org.uk/contactless/index.asp

Quote

What is contactless?

Contactless is a function on certain debit, credit and prepaid cards that allows you to make a quick and easy payment for goods or services for an amount that is £20 or less without entering a PIN.

Where you see the contactless wave displayed (like the one on this page) and have a contactless card (debit, credit or pre-paid), you can make a contactless payment where the amount is for less than £20.

All you have to do is place your contactless card over the card reader to make the payment.

How do I know if I have a contactless card?

Take a look at your card. If there is the logo (like the one on this page) on the card, it means that you have a contactless card and can use it in any of the high street shops or outlets listed below.




and

Quote
What’s good about having a contactless card?

There are loads of reasons why paying with contactless is so good:

*    There’s no need to have the correct change;
*    There’s no need to mess about entering your PIN in to the terminal every time though. You may have to on some occasions. This is just a security check - to verify that you, the authorised cardholder, are still in possession of the card;
*    There’s no need to queue for so long; as contactless speeds up the time it takes to make a payment;
*    It reduces the need to find a cash machine or carry cash;
*    It’s more convenient than other types of payment;
*    There’s no need to carry an additional card - contactless functionality can be provided on a standard credit, debit, charge or prepaid card.


I can't say I'm exactly sold on the benefits vs the lack of authentication. In my experience I spend more time queueing at the checkout behind people who are really slow at packing their purchases / have accidentally picked up an item with no barcode / insist on an extended argument with the cashier over whether the voucher they're trying to redeem is valid for that purchase than I do waiting for people to enter their PIN into the card reader.

Quote
I'd prefer it if the chosen technology for low value transactions was the touch-card. I already have two - an Oyster card and a Thamesdown Transport card. One touch-card that could be used anywhere for low value purchases would seem far safer than a wireless card.


I have both of those too, but the reason I'm less concerned about not having to prove that I'm the owner of the card when using them is that they're pre-pay cards - the potential for financial loss if the card is lost or stolen is limited to £13.50 (cost of a weekly travelpass in Swindon) or however much I've already put on the Oyster card (typically not more than £20).

If the debit card associated with my current account had a similar lack of authentication then the loss is limited only by the balance of my account or how quickly I or my bank notice transactions that aren't mine.

Not sure what you mean by "wireless" though. It's not entirely clear what form these "contactless" cards take, but from the photos I've seen so far, they seem to be the same as our Thamesdown and Oyster cards, i.e. the card needs to be very close (i.e. within millimetres) to the reader. I'm sure I could annoy many a bus passenger by experimenting with how close my card needs to be to the reader before it'll issue a ticket, although I'm not that antisocial.

Quote
think about the ease with which someone living a few streets away could use your card details for a long period of time without being detected.


A card which could be read from that far away, especially with no authentication that it is in the possession of the account holder, would surely be considered unviable by any self-respecting payment scheme? I think we need a proper definition of "contactless" in this context.

Quote
So long as it can be proved that these were not your purchases, the bank re-imburses you and has done so on two occasions for me now.


Yes, that's how it should work. You're not liable for fraudulent withdrawals from your account as long as you haven't been negligent (e.g. telling someone else your PIN number), it's up to your bank to reimburse you and then somehow get the money back from the fraudster. I'm lucky enough to have never been in this position, although sometimes I wonder how easy it is to convince your bank that it wasn't you who made the purchases.

Quote
This move appears to be about banks wanting to maximize profit by doing away with the 'troublesome' (and costly) handling of cash. It has nothing, NOTHING to do with benefit for the consumer.


That may well be true  :(

Quote
The death of cash also has important privacy implications - as if even small transactions are directly attributable to your ID, your movement, activity and personal business can be monitored for marketing purposes down to a macro level not possible by looking at ordinary card purchases or ATM withdrawals.


I can empathise with where you're coming from on this point, but I think you may be worrying overmuch. Yes, that information is all available to your bank, but thanks to the data protection act there are restrictions on what they can do with it. Marketing for example, they could use it to suggest to you that you'd be better off with a savings account than keeping a large balance in your current account, or that a personal loan would be cheaper than your ongoing overdraft. They wouldn't be able to sell your shopping habits to Tesco (unless you happen to bank with Tesco, in which case get a proper bank  ;D )

My biggest concern here is that if I was issued with one of these cards and it escaped my possession, someone could quite easily relieve me of this month's salary without ever having to prove that the money they're spending is actually theirs.

I don't have a contactless card yet, and I'm not looking forward to having one.
We are all in this together, but some of us are more in it than others (with apologies to George Orwell)

Spunkymonkey
Re: Contactless cards - unasked for fraud risk?
« Reply #10 on: March 28, 2013, 08:35:04 PM »
I have had a contactless card for some time but have never used it without a PIN. I was sent the card without asking for it and wasn't very happy about the lack of security. I carry cash for small sums and am happy to take 10 seconds to enter a PIN number when I use my card. I carry a debit and credit card instead of cash for security reasons not convenience.

On a similar note, I recently entered into a contract with Virgin Media for a smart phone. The bundle includes more free text and data than I will ever need, but Virgin have given me a credit limit of £200. I have told them I have no desire to exceed my quota and do not want a credit facility, but they won't remove or reduce it. If someone steals my phone I could be liable for £200. My keypad is locked with a PIN number, but unlike a credit card the phone doesn't lock after 3 failed attempts.

While writing this, my girlfriend has just warned me of an internet security scam. Her sister's email has been hacked. Rather than targeting her, the hackers are emailing her contacts claiming that she is stuck abroad. They are asking friends/family to send money to a bank account. Sounds a fairly easy fraud to spot but worth passing on.

Muggins
Re: Contactless cards - unasked for fraud risk?
« Reply #11 on: March 29, 2013, 08:18:22 AM »
I went on to my bank web site after this discussion to check that I had properly read the paperwork that came with my card. Obviously as this idea is supposed to be for my convenience (and the smaller shop keepers because they have to pay the banks a fee for the small card purchases, i.e. the small garden centre I use sometimes to get the bird food used to ask me for cash if I had it) they are 'selling' it on the front page of their web site.

Firstly Simon, my bank has stood by their promise to reimburse, with very little problem on two occasions - I'm pretty sure caused by me using the card to online shop.  In fact on both occasions they have re-imbursed first and asked questions later. 

It seems that I do indeed have to get very close to the machine to pay by the contactless method, and I do from time to time spend less than £20, but have not so far even thought about using the contactless facility, in fact clean forgot I could. As I can only use it for purchases under £20 and from time to time it will ask me for my PIN anyway. Apparently the same re-imbursement rules apply. I remain sanguine about it and I'm not going to the bother of replacing it until it all goes wrong.

Waste of a good stamp, plastic etc. and my time.

Spunky, thanks for pointing out about the phone charge if it goes missing, I was only thinking yesterday I wonder what would happen if I lost mine, whilst hoping that the house insurance would cover it. I haven't figured out the locking device on it yet, so have to be extra careful!


komadori
Re: Contactless cards - unasked for fraud risk?
« Reply #12 on: March 29, 2013, 09:44:39 AM »
Quote
I'd prefer it if the chosen technology for low value transactions was the touch-card. I already have two - an Oyster card and a Thamesdown Transport card. One touch-card that could be used anywhere for low value purchases would seem far safer than a wireless card.

Quote
I have both of those too, but the reason I'm less concerned about not having to prove that I'm the owner of the card when using them is that they're pre-pay cards - the potential for financial loss if the card is lost or stolen is limited to £13.50 (cost of a weekly travelpass in Swindon) or however much I've already put on the Oyster card (typically not more than £20).

The lack of direct link to a bank balance is also something I would prefer.

Quote
Not sure what you mean by "wireless" though. It's not entirely clear what form these "contactless" cards take, but from the photos I've seen so far, they seem to be the same as our Thamesdown and Oyster cards

I'd taken 'contactless' at face value, and that is how the proposals were when I first heard of them in the middle of last year: a card you could pay with by proximity, rather than having to touch it against a reader. As described in your quote from the UK Card Association, they're not contactless.

Quote
I'm sure I could annoy many a bus passenger by experimenting with how close my card needs to be to the reader before it'll issue a ticket, although I'm not that antisocial.

From seeing some people - sometimes with more than reasonable persistence - attempting to use their Thamesdown card with it still in a fat wallet, I think they have to be within a few millimetres of the reader.

Quote
think about the ease with which someone living a few streets away could use your card details for a long period of time without being detected.

Quote
A card which could be read from that far away, especially with no authentication that it is in the possession of the account holder, would surely be considered unviable by any self-respecting payment scheme? I think we need a proper definition of "contactless" in this context.

That's not what I meant. What I was thinking of was a local crook, who gets your card details by some means (e.g. when behind you at the checkout), but then, having got your card details, because they live in the same locality as you, it is difficult for fraud detection methods to see a difference in spending patterns. And possibly easy for someone who doesn't check their bank balance carefully to miss the fraud too.

Mart
Re: Contactless cards - unasked for fraud risk?
« Reply #13 on: March 29, 2013, 10:02:06 AM »
Quote
spend more time queueing at the checkout behind people who are really slow at packing their purchases / have accidentally picked up an item with no barcode

When I have time to kill I will make a purchase in one store then re-present it at another shop and inwardly chuckle as the assistant attempts to scan the unfamiliar barcode. I have whiled away many otherwise wasted hours in this way, it's also allowed me to chat to people I might otherwise have never met. We've always shared a good laugh afterwards when I've explained my ruse.

I've got a contactless card and I think I used it once, Timpsons up at Sainsburys I think. I must confess to a twinge of uncertainty every time I pay for something online anyway. I don't think it's something I'll ever quite get over.

Pay at the pump is another one that feels like risky expenditure as well. The fraud industry is probably as well staffed as the anti fraud industry, you just rely on the bank to do the right thing if they get beaten.

My bank advises me to advise them if I travel out of the immediate area which could be viewed as sensible yet intrusive in equal parts I suppose.

The only answer that I can see is to be so skint or rich it doesn't matter.
Sometimes I think you have to march right in and demand your rights, even if you don’t know what your rights are, or who the person is you’re talking to. Then, on the way out, slam the door.

Simon
Re: Contactless cards - unasked for fraud risk?
« Reply #14 on: March 29, 2013, 06:51:10 PM »
Quote
While writing this, my girlfriend has just warned me of an internet security scam. Her sister's email has been hacked. Rather than targeting her, the hackers are emailing her contacts claiming that she is stuck abroad. They are asking friends/family to send money to a bank account. Sounds a fairly easy fraud to spot but worth passing on.


Social engineering. The use of deceit to fool someone into handing over money, or information which could be used to access their account. Same principle as those emails purporting to be from your bank or ebay or paypal, saying you need to visit their fake web site and enter your login details.

Quote
Firstly Simon, my bank has stood by their promise to reimburse, with very little problem on two occasions - I'm pretty sure caused by me using the card to online shop.  In fact on both occasions they have re-imbursed first and asked questions later.


Glad to hear it  :)

Quote
think about the ease with which someone living a few streets away could use your card details for a long period of time without being detected.

Quote
A card which could be read from that far away, especially with no authentication that it is in the possession of the account holder, would surely be considered unviable by any self-respecting payment scheme? I think we need a proper definition of "contactless" in this context.

Quote
That's not what I meant. What I was thinking of was a local crook, who gets your card details by some means (e.g. when behind you at the checkout), but then, having got your card details, because they live in the same locality as you, it is difficult for fraud detection methods to see a difference in spending patterns. And possibly easy for someone who doesn't check their bank balance carefully to miss the fraud too.


Ah, I misunderstood you. You're talking about "card not present" transactions, where the vendor doesn't have sight of the actual card, only the numbers which identify the card, e.g. when paying for something over the phone or on the www. In this case I don't think there's any difference in the vulnerability to fraud between contactless / touch cards and the traditional read-the-magnetic-strip cards. The vendor should check that you're in possession of the card by asking for the expiry date and CVV number (the 3 digits printed on the signature strip), but they should also check that you're the person who should be in possession of the card by asking for your Verified by Visa password, the one piece of information which isn't available to someone who's stolen your card. From the earlier posts it seems that not all www vendors do the VBV step.

So we're back to my main objection, the lack of validation that the person who's got the card is someone who's authorised to use that card, whether by pin number, signature or VBV password.

Offline Muggins

  • Member
  • *****
  • Posts: 8535
Re: Contactless cards - unasked for fraud risk?
« Reply #15 on: March 29, 2013, 07:00:24 PM »
My bankers (my, that sounds good) assure me of the security of the contactless bit and say that just to make sure I will be asked to give my pin on occasion.

Surely by now everyone knows not to let others see the numbers on the card and what you are dialing in, and not to let go of it in a shop, and anyway they'd have to be blooming sharp eyed to see it with my big mitt around it and even I can't see it without my specs and getting it out of sunlight.

Just have to watch out for the bloke behind me with the long zoom lens. 
Oi! Listen mush. Old eyes, remember? I’ve been around the block a few times. More than a few. They’ve knocked down the blocks I’ve been around and rebuilt them as bigger blocks. Super blocks. And I’ve been round them as well.  The Doctor (Night Terrors)

Offline Tobes

  • Regents
  • Member
  • *
  • Posts: 4951
Re: Contactless cards - unasked for fraud risk?
« Reply #16 on: March 29, 2013, 07:30:02 PM »
Muggins - read the Channel Four piece in my initial post. The 'security' of the contactless bit has already been compromised, simply and easily. I suggest your bank is simply lying to you. Check by referring them to the article.

I don't think you've understood what this card does (? don't verbally spank me if you have, I'm just checking) - the whole point of it electronically transferring your information is that NOBODY (neither retailer nor crim with a long lens) needs to see your card. And your PIN will only be very occasionally asked for - otherwise there'd be none of the advantages of speed and convenience which they're telling us is the entire purpose!!!!  :wink:

Quote
So we're back to my main objection, the lack of validation that the person who's got the card is someone who's authorised to use that card, whether by pin number, signature or VBV password.

That's the crux

1. It's been proven in the articles above that contactless cards can be skimmed electronically using a mobile phone - and that will reveal your name, account number etc. That makes it possible to spend money online with retailers who don't require the three digit code off the back of the card. The technology means they don't even need sight of your card - just the opportunity to get within a few cms of it (potentially through clothes, wallet etc.) I predict a new crime of 'electronic pickpocketing' - all they'd need do is have the right kit in a pocket of their own and to brush past you in a crowded bar, train, queue for a shop etc.

2. Back to the 'standard' way in which these cards will be used: Any potential thief now has an extra reason to steal your wallet: Previously, your cards were of little immediate use to them if they knew you knew they were missing or compromised because without the PIN, all they could do would be to use them for online fraud. NOW, with contactless, they'll have a window to spend as many of the up to £20 purchases as they can get away with before the card either tops out, requires a PIN check (remember, these are described as 'occasional' - after all, if they weren't, the bank may as well have issued you a standard Visa/debit card!!!) - or you can cancel it. Now remember, canceling that card may not be as simple as you imagine: Street muggings usually include the thief taking your mobile phone to delay you calling the cops as much for its own value. If you're minus your mobile, plus your wallet and bag, think about the process: First, you've got to recover your wits enough to summon help and contact the police. Then you have to try and find your bank contact details, then find a means to call them, then find a means to convince them you are who you say you are (without your card and account details which have disappeared off with the mugger), then get them to cancel the contactless card. In the meantime, the thief will have bought as many bottles of booze, packets of fags and other easily shifted items as he or she can manage. Of course, you may well be covered by the bank for the money missing - but if we all end up carrying one of these cards by default, it's akin to letting every crim know that every man or woman with a bank account is wandering around with the equivalent of about £100 worth of cash on them. Your account might be ultimately safe in this scenario if the bank refund that money - but you as a target of potentially violent crime will be significantly more at risk.

That's somewhat ironic, when the banks are trying to tell us that the contactless cards are 'no more risky than carrying cash'. Many choose to carry cards protected with PINs to avoid precisely that risk!
I do not agree with what you have to say, but I'll defend to the death your right to say it - [attributed to] Voltaire... 'Entia non sunt multiplicanda praeter necessita' - William of Occam.... 'You have a right to feel offended, but just cos you are offended doesn't mean you are right'

Offline bobwright

  • Member
  • *****
  • Posts: 640
Re: Contactless cards - unasked for fraud risk?
« Reply #17 on: March 29, 2013, 09:08:51 PM »
The banks have invented a new way of being robbed, I regard that as an additional risk. Using money means the Bank of England promising the bearer something. How will it be proved that the bearer and user of the card should receive the promise of the Bank of England?

Offline Muggins

  • Member
  • *****
  • Posts: 8535
Re: Contactless cards - unasked for fraud risk?
« Reply #18 on: March 30, 2013, 08:09:02 AM »
Don't worry Tobes, my card only leaves the house as much as I do - which is not often these days and even then only when I need it. i.e. If I'm going somewhere on the Titanic I usually leave it at home. (In which case I use the old safety thing of sticking a fiver down my bra) The card is safely tucked into my purse and when that part is folded it's squashed in the middle of another load of plastic and driving licence etc etc.

I have not used it as a contactless card. I do not intend to use it as such.

I think cards are and always have been vulnerable to the muggers etc. same as the ten pound note.

None the less, if the banks want us to use the technology, they must make it safe.

To use it I must purchase something, so someone will see me take that purchase, someone will be checking I've paid for it.

I understand the virtualness of it - I have a little gismo thing here that when I use the bank online, it checks me in and out and checks purchases and cost before it will let me complete the purchase.  I take it off the shelf, slide my card in on command and enter data which goes between my PC and the gizmo without wires.  All brilliant if you ask me.

I await a letter from the bank telling me how they have made this more secure, like you say, I didn't ask for it and they are inviting me to try it - so it will all be their fault if anyone taps into the Muggins Millions.

Offline peach

  • Member
  • *****
  • Posts: 112
Re: Contactless cards - unasked for fraud risk?
« Reply #19 on: March 30, 2013, 11:07:02 AM »
Come to Australia, the transaction limit on contactless payments is $100 (about 60 quid) without requiring a PIN.  You can also spend up to $35 in McDonalds, without needing to do more than swipe your card - again no PIN or signature required.

Chip & Pin has been around here longer than the UK, but swipe with signature is still happily accepted.