Talkswindon

Coffee Talk & What's On => Coffee Talk & New Member Introductions movement => Topic started by: Tobes on March 28, 2013, 12:47:57 AM

Title: Contactless cards - unasked for fraud risk?
Post by: Tobes on March 28, 2013, 12:47:57 AM
For reasons too depressing and annoying to relate, I had to replace my credit cards this week.

I was impressed by how quickly my bank (First Direct) sorted the issue and got me my new cards through in the post within 48 hows... Hooo-rah.

Then, as idly thumbing through the inevitable bumpf that came with them, I noticed the term 'contact-less card'. Now, a lot of you may be in the dark as to what this actually is - have a gander at your credit or debit cards and see if they have a logo which constists of four white semi-circles looking like a wireless signal indicator on you pc but on its side. If you've got one of those, you have possibly unwittingly been indoctrinated into having a card fitted with the latest supposed 'break-through in easy banking'. Unfortunately, the ease for the consumer may be matched with potential ease for the criminal.

If you actually consider what you've been bequeathed and try to find the answers directly from your bank, you might find that there are a LOT of unanswered questions regarding the security and efficacy of this new (unasked for) tech. The following Guardian article gives you some extra background -

http://www.guardian.co.uk/money/2012/sep/14/contactless-payments-cash-free-shopping (http://www.guardian.co.uk/money/2012/sep/14/contactless-payments-cash-free-shopping)

Quote
Contactless is for payments of £20 or less, and means you don't have to key in your pin. The advantages for consumers are that they are in and out of a shop quicker, with fewer queues and no fiddling around with change; retailers (are meant to) like it because they don't have to handle large amounts of coins, and they also hope you will spend more money. But many shoppers worry about what will happen if their card is stolen and the thief runs up a big bill.


Thats right - to make a transaction of up to £20, all that needs happen is for the card to be in close proximity to the till. No PIN. No signature. No proof required that the card is yours. None. In fact, the retailer doesn't even have to see the card.

Quote
In the banking industry a war of words has broken out over whether the public have taken to contactless payments. ATM operator Bank Machine recently published a survey that said 51% of Britons have no idea whether or not any of their bank cards are enabled for contactless transactions, and also highlighted concerns about fraud.


No (rather obvious!) shit!

In fact, this was one of the most worrying aspects to the bumpf - the lack of any reassurance regarding the very obvious attraction of a contactless card to any thief or fraudster. There was no indication of the spending limit of a contactless card in a given period either. Any thieving git with your wallet would presumably have a whale of a time buying easy to move on goods like fags, booze, mobile SIMs etc - quite a tidy haul if they moved on nice a quickly and kept individual items below the £20 ceiling.

But the biggest sting in the tail comes from what you learn doing even a basic bit of background research into the security of these cards. This piece of reporting from Channel Four won an award because of its findings:

http://www.channel4.com/news/fraud-fears-grow-over-contactless-bank-card-technology (http://www.channel4.com/news/fraud-fears-grow-over-contactless-bank-card-technology)

Quote
Millions more British bank customers have been exposed to fraud through the latest credit and debit card technology, writes Channel 4 News technology producer Geoff White.


Quote
Channel 4 News reported that Barclays Visa contactless cards (ones which bear the symbol pictured) can be read using an off-the-shelf mobile phone running a special app.

ViaForensics, the company which carried out the research for Channel 4 News, has now shown the same technique works on a Visa debit card issued by Lloyds. And banking industry insiders have told us that all Visa contactless cards can potentially be read in this way.

The app reads the full name, number and expiry date from the card. Channel 4 News was able to use just these three details to order goods through Amazon; setting up an account under a dummy email address and having the goods shipped to an address which does not match that of the cardholder.

There are around 19 million contactless cards in circulation in the UK - Barclays accounts for around 13 million of those.


So, why the hell are we having these cards foisted upon us? It would appear that we as the consumers are having to carry the risk of something inherently and predictably insecure - one which places us more at risk of both street robbery AND fraud.

I phoned my bank, First Direct and told them that I had requested a replacement card, NOT a contactless card. At first I got the standard line that this was 'new technology which would feature on all their cards' until I dug in my toes. As a result, my new new card - minus contactless technology - is one its way.

Watch your cards people. A lot of banks have been rolling them out quietly for months now and if you have renewed a card or opened an account recently, you may not even be aware that you have one.

Quote
The Information Commissioner has also raised concerns that the information the card gives out could breach data protection laws. Christopher Graham told Channel 4 News: "Just your name is personal information and if that can be accessed surreptitiously that's a concern. If there's been a serious breach of the data protection act we do have very significant sanctions."

Viewers have told Channel 4 News that they have been told by their bank that they must have a contactless card and that no other option is available. Barclays confirmed that they will not offer an alternative to contactless credit cards, but they can issue a non-contactless debit card.


TS contributors can normally spot a lemon a mile off - especially when it involves technology and potential fraud... what think you, people?
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Mickraker on March 28, 2013, 06:04:14 AM
My bank issued me with a contwatless card years ago and to date I still wait to use the wifi bit. I am not a someone who bothers to get it out of my arse pocket for less than 20 quid. Call me old fashioned but I prefer to use cabbage for piddly little purchases and still feel pangs about the demise of cheques and guarantee cards  :-\

I have  wondered about why we have the card I think it is so that people can be scanned and details logged like a sort if back up to the CCTV. A sort of privacy buster no more anonymity when you walk down the street or in a building and it can be  used as a cross reference at checkpoints as you present one form of ID your are scanned for others and then cross checked.

Mobile phone signal ... Check

Bank card signal ... Check

Does it confirm ID presented ..... Check

Is it  all futuristic big bruv wossaname  :-\

Title: Re: Contactless cards - unasked for fraud risk?
Post by: komadori on March 28, 2013, 08:51:03 AM
I can see that some might think the scope for fraud with a £20 limit is relatively small, but rather than thinking about the difficulty of quickly running up a large fraudulent bill, think about the ease with which someone living a few streets away could use your card details for a long period of time without being detected.

The ability for the researchers to set up and use an Amazon account with the details probably says more about the low security standards for purchases there. The big online retailers seem to have special arrangements with the card companies that result in payments through them being subject to fewer security checks by the card companies.

I'd prefer it if the chosen technology for low value transactions was the touch-card. I already have two - an Oyster card and a Thamesdown Transport card. One touch-card that could be used anywhere for low value purchases would seem far safer than a wireless card.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Tobes on March 28, 2013, 09:32:47 AM
Quote
I can see that some might think the scope for fraud with a £20 limit is relatively small, but rather than thinking about the difficulty of quickly running up a large fraudulent bill, think about the ease with which someone living a few streets away could use your card details for a long period of time without being detected.

Indeed. Though I was actually more concerned about the 'theivability' of the new cards: it would appear to me that they are 'instantly' valuable to a tea-leaf. If they can get hold of your wallet or card, either by stealth or burglary, they have a significant window of opportunity to buy invididual items of low value but which together amount to a worthwhile haul.

Putting myself in their shoes, if this rolls out across all cards and bank, it's the equivalent to guaranteeing to every thief that any bag, wallet or jacket pocket containing a card contains a large amount of cash.

As things stand at the moment, theft of credit or debit cards holds little purpose unless they've also managed to skim your PIN or are gambling on you not noticing for long enough for them to get in front of a PC and so make fraudulent purchases online.

This move appears to be about banks wanting to maximize profit by doing away with the 'troublesome' (and costly) handling of cash. It has nothing, NOTHING to do with benefit for the consumer.

The death of cash also has important privacy implications - as if even small transactions are directly attributable to your ID, your movement, activity and personal business can be monitored for marketing purposes down to a macro level not possible by looking at ordinary card pucrhases or ATM withdrawals.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Jean on March 28, 2013, 09:42:58 AM
Thanks for the warning, Tobes. I had no idea that such things existed. I should get out of my bubble!
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Tobes on March 28, 2013, 10:33:51 AM
Thanks Jean.

My take is that this all reads a little like a commercial version of the ID card scheme, in as much that vested interests are trying to sneak it through, hoping that it'll simply become accepted through vague familiarity and the fact that we've all ended up with one without even being made aware. Consumers certainly aren't demanding it - and retailers seem at best pretty ambivalent.

First Direct didn't ask me if I wanted it, and when they foisted it upon me, failed to give me any indication of where I could actually use it, failed to let me know either in the info accompanying the card or through the FAQs online what fraud or theft protection was in place - or even what the spending limit protections would be.

Also, like the ID card scheme, its a technically flawed concept from the off, and one which ignores basic human behaviors and which seeks to serve a number of unspoken agendas - saving money by doing away with cash and making money by harvesting data which can be sold. As the consumer, I won't benefit from either whilst be subjected to increased risk of theft, fraud and having my privacy compromised.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Jean on March 28, 2013, 02:46:31 PM
Your concerns are shared by me. I'll need to see if I can change my debit card from the "contactless" one I've been issued with.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Muggins on March 28, 2013, 05:07:51 PM
I have one, but had completely forgotten that it could do that, I've had it since last year after someone took money from my account via (I think - fairly sure) web purchasing.  I have no idea how they did that.  The sums were relatively small (but more than I could afford to give to some cyber wargame numpty) and spent on gaming sites.

So long as it can be proved that these were not your purchases, the bank re-imburses you and has done so on two occasions for me now. 

The bank does this to keep people internet banking etc.  I remember when the new card came it did inform me that it had special powers, it reassured me and I've thought nothing of it since.  I won't be choosing to use that function of it anyway.

If anything goes missing out of my account that shouldn't the bank will be paying me it back - or else!   
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Jean on March 28, 2013, 06:00:13 PM
I don't use Internet banking -it bothers me. There are too many clever hackers around.

I've ordered a new debit card now without the contactless feature. In common with Tobes, I use cash for purchases of this sort of size. Perhaps if I'd bought something under £20 with my card, I'd have found out sooner!

Once again, TS has served as a very useful community vehicle! Thanks Tobes.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Simon on March 28, 2013, 07:47:25 PM
I was quite surprised to read this. Debit or credit cards which can be used to make payments without the card holder needing to do anything (e.g. pin number or signature) to prove that it's really their card? But it appears to be true.

http://www.theukcardsassociation.org.uk/contactless/index.asp (http://www.theukcardsassociation.org.uk/contactless/index.asp)

Quote

What is contactless?

Contactless is a function on certain debit, credit and prepaid cards that allows you to make a quick and easy payment for goods or services for an amount that is £20 or less without entering a PIN.

Where you see the contactless wave displayed (like the one on this page) and have a contactless card (debit, credit or pre-paid), you can make a contactless payment where the amount is for less than £20.

All you have to do is place your contactless card over the card reader to make the payment.

How do I know if I have a contactless card?

Take a look at your card. If there is the logo (like the one on this page) on the card, it means that you have a contactless card and can use it in any of the high street shops or outlets listed below.

([url]http://www.theukcardsassociation.org.uk/wm_functions/fnc_get_image.asp?path=pagecontent\contactless%20icon%20l(1).jpg&width=190&height=130)[/url]


and

Quote
What’s good about having a contactless card?

There are loads of reasons why paying with contactless is so good:

*    There’s no need to have the correct change;
*    There’s no need to mess about entering your PIN in to the terminal every time though. You may have to on some occasions. This is just a security check - to verify that you, the authorised cardholder, are still in possession of the card;
*    There’s no need to queue for so long; as contactless speeds up the time it takes to make a payment;
*    It reduces the need to find a cash machine or carry cash;
*    It’s more convenient than other types of payment;
*    There’s no need to carry an additional card - contactless functionality can be provided on a standard credit, debit, charge or prepaid card.


I can't say I'm exactly sold on the benefits vs the lack of authentication. In my experience I spend more time queueing at the checkout behind people who are really slow at packing their purchases / have accidentally picked up an item with no barcode / insist on an extended argument with the cashier over whether the voucher they're trying to redeem is valid for that purchase than I do waiting for people to enter their PIN into the card reader.

I'd prefer it if the chosen technology for low value transactions was the touch-card. I already have two - an Oyster card and a Thamesdown Transport card. One touch-card that could be used anywhere for low value purchases would seem far safer than a wireless card.


I have both of those too, but the reason I'm less concerned about not having to prove that I'm the owner of the card when using them is that they're pre-pay cards - the potential for financial loss if the card is lost or stolen is limited to £13.50 (cost of a weekly travelpass in Swindon) or however much I've already put on the oyster card (typically not more than £20).

If the debit card associated with my current account had a similar lack of authentication then the loss is limited only by the balance of my account or how quickly I or my bank notice transactions that aren't mine.

Not sure what you mean by "wireless" though. It's not entirely clear what form these "contactless" cards take, but from the photos I've seen so far, they seem to be the same as our Thamesdown and Oyster cards, i.e. the card needs to very close (i.e. within millimetres) of the reader. I'm sure I could annoy many a bus passenger by experimenting with how close my card needs to be to the reader before it'll issue a ticket, although I'm not that antisocial.

think about the ease with which someone living a few streets away could use your card details for a long period of time without being detected.


A card which could be read from that far away, especially with no authentication that it is in the possession of the account holder, would surely be considered unviable by any self-respecting payment scheme? I think we need a proper definition of "contactless" in this context.

So long as it can be proved that these were not your purchases, the bank re-imburses you and has done so on two occasions for me now. 


Yes, that's how it should work. You're not liable for fraudulent withdrawals from your account as long as you haven't been negligent (e.g. telling someone else your PIN number), it's up to your bank to reimburse you and then somehow get the money back from the fraudster. I'm lucky enough to have never been in this position, although sometimes I wonder how easy it is to convince your bank that it wasn't you who made the purchases.

This move appears to be about banks wanting to maximize profit by doing away with the 'troublesome' (and costly) handling of cash. It has nothing, NOTHING to do with benefit for the consumer.


That may well be true  :(

The death of cash also has important privacy implications - as if even small transactions are directly attributable to your ID, your movement, activity and personal business can be monitored for marketing purposes down to a macro level not possible by looking at ordinary card pucrhases or ATM withdrawals.


I can empathise with where you're coming from on this point, but I think you may be worrying overmuch. Yes, that information is all available to your bank, but thanks to the data protection act there are restrictions on what they can do with it. Marketing for example, they could use it to suggest to you that you'd be better off with a savings account than keeping a large balance in your current account, or that a personal loan would be cheaper than your ongoing overdraft. They wouldn't be able to sell your shopping habits to Tesco (unless you happen to bank with Tesco, in which case get a proper bank  ;D )

My biggest concern here is that if I was issued with one of these cards and it escaped my posession, someone could quite easily relieve me of this month's salary without ever having to prove that the money they're spending is actually theirs.

I don't have a contactless card yet, and I'm not looking forward to having one.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Spunkymonkey on March 28, 2013, 08:35:04 PM
I have had a contactless card for some time but have never used it without a PIN. I was sent the card without asking for it and wasn't very happy about the lack of security. I carry cash for small sums and am happy to take 10 seconds to enter a PIN number when I use my card. I carry a debit and credit card instead of cash for security reasons not convenience.

On a similar note, I recently entered into a contract with Virginmedia for a smart phone. The bundle includes more free text and data than I will ever need, but Virgin have given me a credit limit of £200. I have told them I have no desire to exceed my quota and do not want a credit facility, but they won't remove or reduce it. If someone steals my phone I could be liable for £200. My keypad is locked with a PIN number, but unlike a credit card the phone doesn't lock after 3 failed attempts.

While writing this, my girlfriend has just warned me of an internet security scam. Her sisters email has been hacked. Rather than targeting her, the hackers are emailing her contacts claiming that she is stuck abroad. They are asking friends/family to send money to a bank account. Sounds a fairly easy fraud to spot but worth passing on.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Muggins on March 29, 2013, 08:18:22 AM
I went on to my bank web site after this discussion to check that I had properly read the paperwork that came with my card. Obviously as this idea is supposed to be for my convenience (and the smaller shop keepers because they have to pay the banks a fee for the small card purchases. i.e. the small garden centre I use sometimes to get the bird food used to ask me for cash if I had it.) they are 'selling' it on the front page of their web site.

Firstly Simon, my bank has stood by their promise to reimburse, with very little problem on two occasions - I'm pretty sure caused by me using the card to online shop.  In fact on both occasions they have re-imbursed first and asked questions later. 

It seems that I do indeed have to get very close to the machine to pay by the contactless method, and I do from time to time spend less than £20, but have not so far even thought about using the contactless  facility, in fact clean forgot I could.  As I can only use it for purchases under £20 and from time to time it will ask me for my PIN anyway.   Apparently the same re-imbursement rules apply.  I remain sanguine about it and I'm not going to the bother of replacing it until it all goes wrong. 

Waste of a good stamp, plastic etc. and my time.

Spunky, Thanks for pointing out about the phone charge if it goes missing, I was only thinking yesterday I wonder what would happen if I lost mine, whilst hoping that the house insurance would cover it. I haven't figured out the locking device on it yet. so have to be extra careful!

Title: Re: Contactless cards - unasked for fraud risk?
Post by: komadori on March 29, 2013, 09:44:39 AM
I'd prefer it if the chosen technology for low value transactions was the touch-card. I already have two - an Oyster card and a Thamesdown Transport card. One touch-card that could be used anywhere for low value purchases would seem far safer than a wireless card.

I have both of those too, but the reason I'm less concerned about not having to prove that I'm the owner of the card when using them is that they're pre-pay cards - the potential for financial loss if the card is lost or stolen is limited to £13.50 (cost of a weekly travelpass in Swindon) or however much I've already put on the oyster card (typically not more than £20).
The lack of direct link to a bank balance is also something I would prefer.

Not sure what you mean by "wireless" though. It's not entirely clear what form these "contactless" cards take, but from the photos I've seen so far, they seem to be the same as our Thamesdown and Oyster cards
I'd taken 'contactless' at face value, and that is how the proposals were when I first heard of them in the middle of last year: a card you could pay with by proximity, rather than having to touch it against a reader. As described in your quote from the UK Card Association, they're not contactless.

I'm sure I could annoy many a bus passenger by experimenting with how close my card needs to be to the reader before it'll issue a ticket, although I'm not that antisocial.
From seeing some people - sometimes with more than reasonable persistence - attempting to use their Thamesdown card with it still in a fat wallet, I think they have to be within a few millimetres of the reader.

think about the ease with which someone living a few streets away could use your card details for a long period of time without being detected.

A card which could be read from that far away, especially with no authentication that it is in the possession of the account holder, would surely be considered unviable by any self-respecting payment scheme? I think we need a proper definition of "contactless" in this context.
That's not what I meant. What I was thinking of was a local crook, who gets your card details by some means (e.g. when behind you at the checkout), but then, having got your card details, because they live in the same locality as you, it is difficult for fraud detection methods to see a difference in spending patterns. And possibly easy for someone who doesn't check their bank balance carefully to miss the fraud too.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Mart on March 29, 2013, 10:02:06 AM
spend more time queueing at the checkout behind people who are really slow at packing their purchases / have accidentally picked up an item with no barcode

When I have time to kill I will make a purchase in one store then re-present it at another shop and inwardly chuckle as the assistant attempts to scan the unfamiliar barcode. I have whiled away many otherwise wasted hours in this way, it's also allowed me to chat to people I might otherwise have never met. We've always shared a good laugh afterwards when I've explained my ruse.

I've got a contactless card and I think I used it once, Timpsons up at Sainsburys I think. I must confess to a twinge of uncertainty every time I pay for something online anyway. I don't think it's something I'll ever quite get over.

Pay at the pump is another one that feels like risky expenditure as well. The fraud industry is probably as well staffed as the anti fraud industry, you just rely on the bank to do the right thing if they get beaten.

My bank advises me to advise them if I travel out of the immediate area which could be viewed as sensible yet intrusive in equal parts I suppose.

The only answer that I can see is to be so skint or rich it doesn't matter.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Simon on March 29, 2013, 06:51:10 PM
While writing this, my girlfriend has just warned me of an internet security scam. Her sisters email has been hacked. Rather than targeting her, the hackers are emailing her contacts claiming that she is stuck abroad. They are asking friends/family to send money to a bank account. Sounds a fairly easy fraud to spot but worth passing on.


Social engineering. The use of deceit to fool someone into handing over money, or information which could be used to access their account. Same principle as those emails purporting to be from your bank or ebay or paypal, saying you need to visit their fake web site and enter your login details.

Firstly Simon, my bank has stood by their promise to reimburse, with very little problem on two occasions - I'm pretty sure caused by me using the card to online shop.  In fact on both occasions they have re-imbursed first and asked questions later. 


Glad to hear it  :)

think about the ease with which someone living a few streets away could use your card details for a long period of time without being detected.


A card which could be read from that far away, especially with no authentication that it is in the possession of the account holder, would surely be considered unviable by any self-respecting payment scheme? I think we need a proper definition of "contactless" in this context.

That's not what I meant. What I was thinking of was a local crook, who gets your card details by some means (e.g. when behind you at the checkout), but then, having got your card details, because they live in the same locality as you, it is difficult for fraud detection methods to see a difference in spending patterns. And possibly easy for someone who doesn't check their bank balance carefully to miss the fraud too.


Ah, I misunderstood you. You're talking about "card not present" transactions, where the vendor doesn't have sight of the actual card, only the numbers which identify the card, e.g. when paying for something over the phone or on the www. In this case I don't think there's any difference in the vulnerability to fraud between contactless / touch cards and the traditional read-the-magnetic-strip cards. The vendor should check that you're in posession of the card by asking for the expiry date and CVV number (the 3 digits printed on the signature strip), but they should also check that you're the person who should be in posession of the card by asking for your Verified by Visa (http://www.visa.co.uk/en/security/online_security/verified_by_visa.aspx) password, the one piece of information which isn't available to someone who's stolen your card. From the earlier posts it seems that not all www vendors do the VBV step.

So we're back to my main objection, the lack of validation that the person who's got the card is someone who's authorised to use that card, whether by pin number, signature or VBV password.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Muggins on March 29, 2013, 07:00:24 PM
My bankers (my, that sounds good) assures me of the security of the contactless bit and says that just to make sure I will be asked to give my pin on occasion.

Surely by now everyone knows not to let others see the numbers on the card and what you are dialing in, and not to let go of it in a shop, and anyway they'd have to be blooming sharp eyed to see it with my big mitt around it and even I can't see it without my specs and getting it out of sunlight.

Just have to watch out for the bloke behind me with the long zoom lens. 
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Tobes on March 29, 2013, 07:30:02 PM
Muggins - read the Channel Four piece in my initial post. The 'security' of the contactless bit has already been compromised, simply and easily. I suggest your bank is simply lying to you. Check by referring them to the article.

I don't think you've understood what this card does (? don't verbally spank me if you have, I'm just checking) - the whole point of it electronically transferring your information is that NOBODY (neither retailer nor crim with a long lens) needs to see your card. And your PIN will only be very occasionally asked for - otherwise there'd be none of the advantages of speed and convenience which they're telling us is the entire purpose!!!!  :wink:

Quote
So we're back to my main objection, the lack of validation that the person who's got the card is someone who's authorised to use that card, whether by pin number, signature or VBV password.

Thats the crux

1. Its been proven in the articles above that contactless cards can be skimmed electronically using a mobile phone - and that will reveal your name, account number etc. That makes it possible to spend money online with retailers who don't require the three digit code off the back of the card. The technology means they don't even need sight of your card - just the opportunity to get within a few cms of it (potentially through clothes, wallet etc.) I predict a new crime of 'electronic pickpocketing' - all they'd need do is have the right kit in a pocket of their own and to brush past you in a crowded bar, train, que for a shop etc.

2. Back to the 'standard' way in which these cards will be used: Any potential thief now has an extra reason to steal your wallet: Previously, your cards are of little immediate use to them if they knew you knew they were missing or compromised because without the PIN, all they could do would be to use them for online fraud. NOW, with contactless, they'll have a window to spend as many of the up to £20 purchases as they can get away with before the card either tops out, requires a PIN check (remember, these are described as 'occasional - afterall, if they weren't, the bank may as well have issued you a standard visa/debit card!!!) - or you can cancel it. Now remember, canceling that card may not be as simple as you imagine: Street muggings usually include the thief taking your mobile phone to delay you calling the cops as much for its own value. If you're minus your mobile, plus your wallet and bag, think about the process: First, you've got to recover your wits enough to summon help and contact the police. Then you have to try and find your bank contact details, then find a means to call them, then find a means to convince them you are who you say you are (without your card and account details which have disappeared off with the mugger), then get them to cancel the contactless card. In the meantime, the thief will have bought as many bottles of booze, packets of fags and other easily shifted items as he or her can manage. Of course, you may well be covered by the bank for the money missing - but if we all end up carrying one of these cards by default, its akin to letting every crim know that every man or woman with a bank account is wandering around with the equivalent of about £100 worth of cash on them. Your account might be ultimately safe in this scenario if the bank refund that money - but you as a target of potentially violent crime will be significantly more at risk.

Thats somewhat ironic, when the banks are trying to tell us that the contactless cards are 'no more risky than carrying cash'. Many choose to carry cards protected with PINs to avoid precisely that risk!
Title: Re: Contactless cards - unasked for fraud risk?
Post by: bobwright on March 29, 2013, 09:08:51 PM
The banks have invented a new way of being robbed, I regard that as an additional risk. Using money means the Bank of England promising the bearer something. How will it be proved that the bearer and user of the of the card should receive the promise of the Bank of England?
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Muggins on March 30, 2013, 08:09:02 AM
Don't worry Tobes, my card  only leaves the house as much as I do - which is
not often these days and even then only when I need it. i.e. If I'm going somehere on the Titanic  I usually leave it at home.  (In which case I use the old safety thing of sticking a fiver down my bra) The card is safely tucked into my purse and when that part is folded it's squashed in the middle of another load of plastic and driving licence etc etc.

I have not used it as a contactless card. I do not intend to use it as such.

I think cards are and always has been vulnerable to the muggers etc. same as the ten pound note.

None the less, if the banks want us to use the technology, they must make it safe.

To use it I must purchase something, so someone will see me take that purchase, someone will be checking I've paid for it.

I understand the virtualness of it - I have a little gismo thing here that when I use the bank online, it checks me in and out and checks purchases and cost before it will let me complete the purchase.  I take it off the shelf, slide my card in on command and enter data which goes between my PC and the gizmo without wires.  All brilliant if you ask me.

I await a letter from the bank telling me how they have made this more secure, like you say, I didn't ask for it and they are inviting me to try it - so it will all be their fault if anyone taps into the Muggins Millions.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: peach on March 30, 2013, 11:07:02 AM
Come to Australia, the transaction limit on contactless payments is $100 (about 60 quid) without requiring a PIN.  You can also spend up to $35 in McDonalds, without needing to do more than swipe your card - again no PIN or signature required.

Chip & Pin has been around here longer than the UK, but swipe with signature is still happily accepted.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Tobes on March 30, 2013, 03:02:38 PM
Its interesting to have a scan through the latest Australian bank fraud stats. Overall card fraud is up this year - though nowhere do the stats break down to show the level of fraud resulting from contactless - though its clear that taken as a whole 'proprietary credit/debit card' fraud is up.

Read into that what you will
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Mart on March 31, 2013, 10:12:59 AM
though its clear that taken as a whole 'proprietary credit/debit card' fraud is up.

Do you think that is because that it is a relatively low risk crime for the perpetrator requiring minimal investment? You can also work from home which is handy given spiralling childcare costs.

You don't need a Ford Transit, hosiery, construction equipment, C4 or shooters, you just need a quick trip to PC World and to watch a couple of videos on Youtube. Presumably.

Crime evolves and keeps pace with the society it takes place in, I'd guess that 'crews' doing banks while someone counts down the police response time (I know) is a dying art and perceived by the latest generation of criminals as a mug's game and it's a long time since a British pirate or highwayman was a household name.

I think that, if you are so inclined, you can commit more crime with circuit boards and a bit of legwork than you can by be learning to turn a Granada on a sixpence, twas ever thus and will be ever so.

Asking the banks to do more is entirely legitimate, it's the 21st century equivalent of building a bigger safe, but there has to be recognition than the criminal fraternity will do their damndest to keep pace and nose ahead where they can.

n the meantime we all take what we think are reasonable precautions.

Title: Re: Contactless cards - unasked for fraud risk?
Post by: Muggins on March 31, 2013, 11:03:25 AM
Yeh, thinking of re-creating the Elizabethan ruff, making a bit larger and wearing it down the shop, so no-one can see over my shoulder.

And developing an entirely new fashion for wrist ruffs (that rolls of the tongue good, don't it?) so no one can see what's in my hand.

Like my son in law says, whenever someone invents something to make life easier some clot has to figure out a way to spoil it for us.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Jean on March 31, 2013, 12:02:53 PM
I had a campaigning mate about 10 years ago who managed to survive without a Bank Account, plastic or anything else apart from a Post Office savings account. I doubt that he is still managing to live this way.   
Title: Contactless encounters - unasked for risk?
Post by: Mickraker on March 31, 2013, 12:49:30 PM
My mate told me a story once about a contactless encounter he told his significant half  he had drunkenly and mistakenly had on a night out who left him. He dutily paid up for the contactless encounter over the next 16 years. Technology as ever moves on by the 17th birthday DNA testing was invented. It can at times be wearisome  that technology stuff just ask my mate. Do these cards come with electronic condoms  to prevent premature or accidental ejaculation of funds into someone else's purse :-\
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Tobes on May 18, 2013, 01:19:28 PM
Check your cards and statements people... how many people may have been charged without even being aware, eh?

Quote
Some Marks and Spencer customers have told the BBC of cases where the chain's contactless payment terminals have taken money from cards other than the ones intended for payment.

Card are supposed to be within about 4cm of the front of the contactless terminal to work.

But some customers say payments have been taken from cards while in purses and wallets at much greater distances.


http://www.bbc.co.uk/news/business-22545804 (http://www.bbc.co.uk/news/business-22545804)

Quote
A Pret a Manger customer also contacted Money Box to report a payment was taken from her contactless-enabled MBNA visa credit card in the outlet when she intended to pay with a different card.

She says the MBNA card was in her purse around 30-40 cm from the contactless card reader.

And again, she had not realised that card had a contactless facility.


Its so weird that despite the flaws and risks being so damn obvious, that a system like this can be rolled out nationally with barely a pause for thought. Another example of Group Think? Or just another indication, if any was needed, of corporations putting greed ahead of customer security?
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Simon on May 18, 2013, 07:49:36 PM
You can listen to the money box programme where this was discussed here http://www.bbc.co.uk/programmes/b01shqc7 (http://www.bbc.co.uk/programmes/b01shqc7) (it's the first item in the programme).

It's rather scary that these devices seem to be able to take payments from a card which the user hasn't consciously presented to the device.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Mart on May 18, 2013, 07:55:04 PM
Loads of people take my feckin money from sodding miles away.

My gas and electric is pinged to bloody France via Exeter and I ain't happy about that.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Spunkymonkey on May 18, 2013, 08:31:29 PM
Contactless cards seem to be less secure than cash - I really can't see the point of them. Are we really that lazy as a society that we can't be bothered to open our wallets now?

I opened a joint account with my girlfriend last month and as a result of this thread asked for the contactless feature to be disabled. The bank clerk told me how wonderful the feature was, but agreed to remove it without to much pressure.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Muggins on May 19, 2013, 08:28:28 AM
I think that they are supposed to be secure in our wallets!   seeing as how I do not have the time to mess around getting new cards, I'll line my purse with a piece of tin foil, will it do the job?

Barring that I'll have to find that sheet of lead.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: ph1lc on May 19, 2013, 08:48:28 AM
I think that they are supposed to be secure in our wallets!   seeing as how I do not have the time to mess around getting new cards, I'll line my purse with a piece of tin foil, will it do the job?


A favourite trick of shoplifters lining their bags with foil to stop the security tags setting off the alarms!
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Muggins on May 19, 2013, 09:10:46 AM
Might work then?  Or do you think if I'm found out I might get dragged off?
Title: Re: Contactless cards - unasked for fraud risk?
Post by: ph1lc on May 19, 2013, 09:16:16 AM
Probably carted off for going equipped - they never nick real criminals!!
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Muggins on May 19, 2013, 05:11:34 PM
Can see the headlines now.   "Old dear on scooter get arrested for going equipped  - with a two inch square of foil."

Though no doubt TSr's can think of something Sun like instead?
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Simon on May 19, 2013, 05:37:17 PM
Can see the headlines now.   "Old dear on scooter get arrested for going equipped  - with a two inch square of foil."

Though no doubt TSr's can think of something Sun like instead?

Scooter looter's foil plot foiled?
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Muggins on May 19, 2013, 05:59:51 PM
 :clap: :clap: :clap:

Good start!  If it helped, I always imagine myself at Aldi when I do this.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Mickraker on October 24, 2013, 07:58:51 AM
More advice about wifi enabled cards  :-\

http://www.computerweekly.com/news/2240207707/First-Direct-advises-on-customers-on-contactless-payments (http://www.computerweekly.com/news/2240207707/First-Direct-advises-on-customers-on-contactless-payments)
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Tobes on September 05, 2014, 01:43:32 PM
My current debit card seems to have bitten the dust. I requested a replacement today and it appears that First Direct may no longer supply a non-contactless replacement. If so, it will be with great reluctance given that I have been a customer for nearly 20 years, I will be closing my account and taking my business to what I believe is the last bank/building soc offering a non-contactless option, Nationwide.

I had a long conversation with the customer services people at First Direct; given that they are normally so well informed, I wa surprised to hear how ignorant they were at some of the basic issues and details around these cards.
1. There as confusion as to the credit limit for each individual transaction ("about £15 was one quote - though I believe it is actually £20)
2. Confusion about how many £20 transactions could be made in quick succession before a PIN would be requested at point of sale (I still haven't had a clear answer on that)
3. Concentration on the fact that is the card was used fraudulently, my money would be reinbursed, whilst ignoring that for me the main 'problem' might be the lump on my head or the stab wonld occasioned by someone mugging me for a wallet knowing that even if it only contains a bank card, its still has contents worth at least £40+

Mind you, I have found the following piece of online information which might be of interest:

http://www.instructables.com/id/How-to-Disable-Contactless-Payment-on-Your-Debit-C/ (http://www.instructables.com/id/How-to-Disable-Contactless-Payment-on-Your-Debit-C/)

Title: Re: Contactless cards - unasked for fraud risk?
Post by: Jean on September 05, 2014, 08:22:00 PM
I had a campaigning mate about 10 years ago who managed to survive without a Bank Account, plastic or anything else apart from a Post Office savings account. I doubt that he is still managing to live this way.

I spoke to this old friend last week as it happens. He still manages his life using cash but he admits that it gets harder by the day.

From the information you gave me before Tobes, I managed to exchange my card back to a non-contactless replacement with Halifax. I wonder if they have stopped issuing these too? 
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Tobes on September 05, 2014, 08:50:32 PM
Hello Jean! Well, a bit of good news to round my day off - I wasn't convinced the call handler earlier today knew what she was talking about, so put another call in; it appears I'm going to get a replacement NON contactless card afterall - HURRAH!  :)

And hurrah for First Direct - at least some of the banks seem motivated to give their customers what they want, and perhaps secretly harbour some serious doubts themselves about the numerous flaws this technology presents.

If any of you are reviewing who you bank with, its food for thought - you ought to ask about their policy on contactless and non contactless cards.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Spunkymonkey on September 05, 2014, 09:00:08 PM
Barclays have given me a non contactless card.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Mart on September 05, 2014, 09:07:03 PM
My Beloved told me if I touch my card again she'll chop my feckin hands off. For my own good, obviously.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Tobes on September 05, 2014, 09:08:14 PM
 ;D
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Spunkymonkey on November 01, 2014, 01:38:07 PM
Another reason not to have a contactless card:-

http://www.bbc.co.uk/news/business-29861514 (http://www.bbc.co.uk/news/business-29861514)

Quote
Researchers claim they have found a security flaw with Visa contactless payment cards.

In the UK, people can make purchases up to £20 by just touching the card against a machine - without needing to enter a PIN.

However, the researchers say that a glitch means Visa's cards will approved unlimited spending if it is put through in a foreign currency.
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Tobes on September 01, 2015, 05:14:31 PM
Spunky - I hope you're going to stay with us as this story continues to raise my eyebrows...

http://www.bbc.co.uk/news/business-34110348 (http://www.bbc.co.uk/news/business-34110348)

Quote
Shoppers in the UK will now be able to spend up to £30 using contactless cards after the limit was increased.
The limit per transaction for the wave and pay cards, which do not require a PIN or a signature to authorise payment, was previously £20. The move follows a huge rise in the number of people using contactless cards in the UK.
Transactions for the first half of this year totalled £2.5bn, already higher than the £2.32bn spent in 2014.
The UK Cards Association, the trade body for the card payments industry, said the increase meant that the average supermarket spend of £25 would now be covered. "The growth in contactless payments shows people want to use contactless cards, and increasing the limit gives customers even more opportunities to pay in this way," said chief executive Graham Peacop.


All very predictable... How many uses would be required however, before a cashier would require a PIN check to ensure the card hadn't been recently stolen from someone?

Quote
In July, consumer group Which? warned that data from contactless cards could be easily stolen by determined fraudsters.
But the trade body said fraud via the cards was "extremely low", at less than one penny for every £100 spent.
The increase also comes after technology giant Apple allowed users of its latest devices to make contactless payments.
Kevin Jenkins, managing director UK and Ireland at Visa Europe, said contactless payments were becoming the "new normal".
"We've seen unprecedented growth in this area, with the number of Visa contactless transactions more than trebling in the past year in the UK," he added. The increase was first announced in February. Payment terminals must be updated for the new limit to apply, and card issuers still have the right to limit an individual's contactless payments to a lower amount.


We've been told that the array of products and services offered to us by banks are there for our convenience and for our 'choice' - but it appears that very soon this choice will be removed.

The list of banks offering customers the right to protect their data and to reduce the chances of being mugged for a card which will be worth over £100 to ANYONE stealing it, is dwindling rapidly. This new form of transaction is simply absorbed into the norm through a mixture of point of sale bombardment, the automatic 'upgrade' of all reissued cards to contactless and retailers desire to avoid handling cash or going through the pesky security check of having someone type in a PIN.

Its another example of how the corporate world regards a level of crime and fraud as simply an acceptable business risk - even though, in this instance, its a risk which is actually being carried by the card holding customer.

Sharp practice, in my view - and another 'Tobes' prediction on TS for future trouble...
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Tobes on September 01, 2015, 05:23:52 PM
... and not just cynical old me either:

(Taken from a July Telegraph article - http://www.telegraph.co.uk/technology/internet-security/11758990/Contactless-cards-at-risk-of-fraud-warns-Which.html (http://www.telegraph.co.uk/technology/internet-security/11758990/Contactless-cards-at-risk-of-fraud-warns-Which.html) )

Quote
"As the use of contactless payment becomes increasingly widespread, it has never been more important for banks to have robust security checks in place. Not only to ensure that sensitive data is masked, but also to flag unusual activity on a user’s account," said Ross Brewer from security intelligence company LogRhythm.
"As contactless payment limits rise to £30 in September, it is more likely that criminals will begin to target cards rather than the old-style chip and pin for a quick and easy pay day."


 ???

Quote
Contactless payment cards were used more than 1bn times in the past 12 months in Europe, but a security flaw means they can be "easily and cheaply" exploited for fraud, according to new research by the consumer watchdog Which?
Using inexpensive card-reading technology puchased from a mainstream website, the researchers were able to bypass security measures and remotely 'steal' key details from 10 contactless cards (six debit and four credit).
These included the card number, expiry date, and a list of the last 10 transactions carried out on the card. However, none of the cards revealed their CVV security codes (the number on the back of the card).
Although it is difficult to make online purchases without the cardholder's name and CVV code, the researchers succeeded in ordering two items – including a £3,000 TV – from a mainstream online shop using the "stolen" card details, combined with a false name and address.


... and scary as that is, it still doesn't address a basic threat which even chip and PIN and signature strip cards largely obviate; that of a mugger grabbing your mobile and wallet and going on a spree until such time you can report it to the police, get in touch with your bank, pass through their own security checks, and get your card cancelled.

Remember, if it can take up to four transactions [see important note below] before a PIN is required, everyone with a contactless card may as well also be flaunting a wallet carrying £120 in cash.  :idiot2:

EDIT. I've been doing some research to try and find a statement from the UK Card Association confirming how often you'll be asked for a PIN check on your card, and rather scarily, I can't.

IN FACT, THERE IS NO CONFIRMED CRITERIA FOR WHEN YOU'LL BE ASKED FOR A PIN CHECK THAT I CAN FIND ANYWHERE.

This is what they say themselves (my italics)

http://www.theukcardsassociation.org.uk/individual/what-is-contactless.asp (http://www.theukcardsassociation.org.uk/individual/what-is-contactless.asp)
Quote
There’s no need to mess about entering your PIN in to the terminal every time. From time to time, you may have to enter your PIN in to the terminal, this is just a security check - to verify that you, the authorised cardholder, are still in possession of the card.


'From time to time'.

Note that carefully: It means your card is potentially worth much more than £120 to any standard pick-pocket, mugger or burglar who will soon find out that virtually EVERYONE on the street will be carrying one, regardless of sex, age or appearance. And all they need to do is steal it from you and they can buy their booze, fags or whatever else, either for themselves or to sell on to turn into folding money. No PIN, no signature required - just the wave of a card in front of a till.

This inevitably means an associated rise in street robbery. Tain't brain surgery.

I wonder if, after the scandal of mis-sold PPI, the banking Industry has set up a similar fund to cover the costs of those traumatised or injured as a direct result of this enforced technology and the crime it will encourage? Afterall, its not even as if most customers are being given the choice of contactless or not. I wonder if they bare a duty of care which extends beyond their profit margin?

 :-\
 
Title: Re: Contactless cards - unasked for fraud risk?
Post by: Phil Chitty on September 02, 2015, 08:40:55 AM
Nice work Tobes.

At present it is possible to opt out of contactless cards - I indeed have and I'm certainly not registering my cards on my I-phone.

How long will it be possible to carry on opting out? The usual practice it to bring in compulsion via the back door -take driving licences for example.