
How a contactless payment took me by surprise

Q: What’s quick, easy and stays inside your wallet? A: A ‘contactless’ card. But what happens when it’s too quick and easy and you end up using this payment without even choosing to? That’s what happened to me…

A few days ago, I bought something by accident.

I don’t mean that I walked into a shop for a pair of tights and walked out with a handbag (although it’s happened before!). This was something I actively paid for using my credit card but without realising I’d done so.

How contactless payments work

It was all thanks to a newfangled technology that enables ‘contactless payment’ just by tapping your card on a reader. It’s built into many newly-issued credit cards – like my new Barclaycard – and even some mobile phones. And I managed to use it without any intention of doing so in a branch of Boots.

To be fair, I had every intention of buying the item in question (some £5 make-up) and had taken it up to the till. The shop assistant had scanned the item and I was ready to pay – I’d even taken out my credit card and popped it in the card machine ready to enter my Pin.

That’s where things got confusing. I can’t quite remember if I got round to entering my Pin or not, but the next thing I knew it was telling me the card attempt had been cancelled. Some electronic error, I assumed, and was all set to try again when the assistant thanked me and handed me my receipt.

When I mumbled something about payment cancellations, she reassured me that all was well – I’d paid by contactless payment. Despite her reassuring tone, I felt a little perturbed.

Contactless payment protections

When I asked a chap at Barclaycard’s press office about my experience, he said that the contactless payment pad is generally entirely separate from the Chip and Pin machine, but perhaps Boots used a different system.

He reassured me that you can’t pay for items costing more than £15 without entering your Pin, and that we have the same fraud protection for contactless payments as ‘normal’ credit card payments.

He did acknowledge, though, that there was a risk of some payments being made without the customer realising, just by holding an enabled card too close to a reader (the contactless payment zone is between 4 and 10cm from the reader).

The future of payments?

I’m probably making a mountain out of a molehill here. After all, I wanted the item, and I wanted to pay with my Barclaycard – both of which I achieved. But I was thrown by the fact that I’d managed to pay in this way without even realising it was an option (I didn’t spot any signs about contactless payment anywhere near the till).

I’ve got nothing against contactless payment per se – so if I’d known about, and chosen to pay by, Boots’ contactless payment option I’d have had no problem.

Perhaps, as contactless payment devices and the places that accept them become more widespread, most of us will be tapping our cards (or mobiles) on readers without a care in the world. But until then, I for one would welcome a few notices up in stores so I know not to wave my wallet around too much.


Thanks for the warning Ceri. One more thing to worry about. 🙂

If problems are reported then security measures will be applied, but it could take some time. For years it was possible to use a credit or debit card at Tesco fuel pumps without the need for a PIN. Thank goodness common sense prevailed.

It’s incredible that we blunder our way forward with technology when it would not be too difficult to think about the likely problems.

I knew from TV advertising that Barclaycard had the Contactless Payment system but it’s only in the last few months that I discovered that the Bank of America also have the system and I have been using it.
It’s so quick and easy to use and it allows purchases to be made swiftly where you would normally pay with Cash. It saves the change problem for the Shops and Shoppers. It has largely led to me not having to be concerned about carrying money. It’s a technological advance that has made my life a lot easier.

Sounds incredibly annoying and confusing. It really is too easy to spend money with this new tech, but maybe it will be a good thing in the end (when we know what we’re doing and shops make it obvious, as Ceri argues.)

Little bit of news to add to the fire, MasterCard has launched a range of ‘contactless watches’ which use the same technology. Very James Bond, but don’t look at the time when you’re at the counter… you may end up paying for something you didn’t expect to 😉

Sophie Gilbert says:
29 November 2011

Like Wavechange says, another thing to worry about. Credit card users should have the option of being issued credit cards without the contactless payment technology built in if that’s what they want. If I were told I had no choice by my credit card issuers I would cancel my credit cards and move to issuers who do give me a choice.

I’d completely forgotten my experience with this, but reading Ceri’s post suddenly reminded me.

It was about three years ago and in a branch of Itsu, which sells sushi to hordes of London office workers. I took my food up to the till and the rather distracted-looking staff member said “put your card here”, pointing to a piece of plastic.

Not really concentrating, I thought this was a new design of chip and PIN machine and was about to say I couldn’t see the slot to put the card in when he handed me my receipt and clearly expected me to get going.

It was incredibly quick – under 5 seconds.

I looked at him dumbly and he took pity on me enough to explain they were using a contactless payment system and I had, in fact, already paid.

Took me back to student days, when my campus had a chip-based cash on card system called Mondex, that I think NatWest ran.

Anyway, it all felt a bit disconcerting at first – but very quick indeed.

Jerry E says:
2 December 2011

If a Chip and PIN card is stolen, the thief can’t use it without knowing your PIN. If a contactless card is stolen there’s nothing to stop him or her. Do you trust your bank to refund you? I don’t.

I have several credit cards.

As far as I know, none of the providers has told me anything about them being contactless.

Surely you should be told about such a thing.

Reece N says:
6 January 2012

I don’t see the need for “contactless” payment as I don’t see any realistic scenario where you are not able to touch the card reader with your card in order to make a purchase.

Surely the better solution is to make it “touch” payment where your card only has to physically touch the reader in order for the transaction to be processed thus avoiding any false positives preventing any mistakes of waving your card next to the reader.

It’s the same as contactless but without the unnecessary heightened possibility of a mistake.

So basically anyone with a contactless card is broadcasting their card details to anyone or anything within range with a reader, whether you’re attempting to buy anything or not. And the details aren’t encrypted. And people think banks take security seriously. Doesn’t look like it to me.

Does anyone know if such poor treatment of your personal credit card data breaches the Data Protection Act?

CNash says:
27 April 2012

If you don’t understand how this technology works, please refrain from passing comment on it.

For your information, your card can’t “broadcast” anything. When a card reader is used at the point of sale, it starts looking for any nearby RFID signatures on the correct frequency; if it finds one, it queries the data on the RFID chip inside the card using a 128-bit encryption key (so yes, it IS encrypted), and if the key matches, reads the card details and processes payment.

In addition – there is a maximum spend limit of £15, and the usual safeguards are in place to prevent rapidly draining the card in £15 increments – the bank will lock out your account if it detects suspicious activity. You’re also covered by the normal security guarantees of your card provider (Visa, MasterCard etc.), so even if you don’t trust your bank (in which case, why are you banking with them?), you have that to fall back on.

Please don’t be blinded by how smart or clever this technology might be, as its use by the banks isn’t.

Just watch http://www.channel4.com/news/millions-of-barclays-card-users-exposed-to-fraud

And as you’ll see IT IS possible to spend over £15.

And forgive me for now commenting on something I know about .. I can see organised gangs just standing outside a tube station during rush hour. And walking off with several card details.

CNash says:
27 April 2012

First of all, I apologise for speaking hastily, but your comments about credit cards “broadcasting” details raised a red flag – by their nature, passive RFID chips don’t broadcast, they respond to requests for their information.

Secondly, it’s not the banks or the providers which are at fault – as the Channel 4 article points out, it’s the retailers who fail to require proper security details when processing payments. Visa’s PayWave, which powers Barclays’ contactless system, carries only the card number and expiry date, and not the name of the cardholder or the CVV2 security number.

And it does so under 128-bit encryption, as I said before. I did a little basic research and apparently it’s difficult to simply scan contactless cards without having the encryption key. So what potential thieves actually have is half the details they need, which are all encrypted anyway. It’s like a pickpocket who snatches your purse only to find a broken key inside.

No worries. I still think the banks ARE at fault. If I was running one I’d refuse to accept any payment which doesn’t come with a CVV2 number. The fact that the banks do, at least in my mind, makes them just as guilty as the retailers who take transactions in the first place.

And I wonder how quickly retailers would plug that gap if the banks simply told them they’d refuse to honor any transaction without one. So again, banks, get your act together. It’s not rocket science here.

And from someone who knows nothing about any of this, it does seem so very easy to at least make it less attractive to the “villains” of this world.

If only I had Mr Diamond’s job for a tenth of his money.

Oh and thanks for the “tech” lesson. 🙂

CNash says:
30 April 2012

Sloppy reporting from the Daily Mail as usual – a provocative (I don’t want to say “scaremongering” but…) and misleading headline, and the majority of claims are unsourced. Of the two sources they’ve actually got, one of them runs an independent ATM company, so it’s in his best interests to stop contactless technology as it lets people pay (and get cashback) without withdrawing cash from his ATMs!

It’s clear that they’ve interviewed him and this RFID security bloke, taken the best (worst?) soundbites that they can, and not bothered to look into any actual scientific research on the subject. Many of the comments on the article back me up – although in true Daily Mail style, the ones that talk sense are voted down, while the paranoid ones are voted up!

There are two main issues with this idea that unscrupulous types will hang around outside tube stations waving their magic wands over everyone’s wallets. Firstly, the contact range is very small – 5cm at best – which you can easily experiment with by using an Oyster card and seeing how far it has to be from the reader before it’ll register. So they’d have to be in touching distance of your wallet, at which point it’s probably easier just to steal it. And secondly, as I’ve mentioned before, all of the data coming from these cards is encrypted.

Rich says:
1 December 2012

Easier to steal it? Don’t be absurd. Wireless is what makes it easy.

I’m not interested in something that allows already-wealthy banks to squeeze even more money out of me – I assume that this is a cost-saving exercise by banks.

Thank you to Benjamin Cohen and Channel 4 News for that useful information.

Rob says:
27 June 2012

Say, for example, there’s a machine at the tube station that lets you pay for a ‘single journey’ ticket just by waving your card over it, no other selections or buttons to press whatsoever. What happens if you wave your wallet over it and the wallet contains three cards? Will all three cards each buy a ticket?

CNash says:
27 June 2012

In the best case – no, just one of them, as the reader will detect the first card it comes across, process the payment on that and then end the vending process. In the worst case, the conflicting signals from the multiple cards will cause none of them to be detected, and you’ll have to remove the card you want to pay with from your wallet.

Again, this can easily be tested by placing two Oyster cards into your wallet and seeing how the readers on the Tube react. You could also do it with any RFID card, like hotel room keys or office door passes.

You are right to be worried. There are NO safeguards here. What if there are 2 cards in your wallet? You don’t even know which one will be debited – you don’t have to open your wallet.

We have portable Chip & PIN machines. In pubs and restaurants so on. Soon we will have portable contactless terminals for newspaper sellers, etc. Small purchases is what they are for, right?

So anyone will be able to get a terminal. Imagine then, someone on a crowded Tube train with one. BEEP. £20 gone. BEEP. £20 from someone else. Being within 10cm is easy on the Tube. It’s a lot easier than pick-pocketing.

It’s disgraceful that you are not allowed to opt out of this. You should be allowed to say: no, I always want to enter my PIN. It’s another failure of banking regulation. Of course!

CNash says:
1 December 2012

Wrong, wrong, wrong.

If you know you’ve got two contactless cards in your wallet, why would you put your whole wallet on the contactless reader? That’s just asking for trouble. As I have other RFID-equipped cards in my wallet that could interfere with the signal, such as an Oyster card, I make sure to take my card out whenever I want to pay via contactless – and indeed, I usually have to anyway, as the range and power on most commercial reader units is very low.

“Anyone” won’t be able to get a terminal, just as “anyone” can’t get a chip and pin terminal now. They’re issued through the bank, and then only to their business customers. Then you’d need the infrastructure to actually process the payments – a dedicated phone line, ideally. You can’t just take an RFID reader onto the street, away from your local wi-fi network, and have all the functionality of a reader in a shop.

As I’ve explained above, “they” (these shadowy thieves whom you believe to be lurking around every corner) won’t be able to steal your card details either – at least not in any usable way, as all that’s broadcast is the card number and expiry date – not the CVV2 code, which is required by almost all online merchants; not the cardholder’s name or address, which is similarly required, and certainly NOT your PIN.

Finally, you CAN opt-out. Barclays will send you a non-PayWave card if you ask them, and I’m guessing other banks will too. If your bank won’t let you, then you can STILL “opt-out” by moving your bank account to somewhere that will. Don’t act like it’s being forced on you against your will – it’s perfectly possible to reject it entirely.

“as all that’s broadcast is the card number and expiry date”. As that’s all Amazon need, why broadcast more. As I’ve mentioned before any system is only as secure as its weakest link, and with Amazon that is one huge gaping hole.

CNash says:
1 December 2012

In that case, it’s Amazon that’s the weak link, not the banks and not the contactless payment system. I didn’t know that Amazon wasn’t secure – as I said, most retailers now require the CVV2 at least. Also, correct me if I’m wrong but Amazon still require the cardholder’s name and address, don’t they? That’s not broadcast by the contactless tech.

Sadly any name and address the last time I checked.

Bella says:
29 April 2017

I hate it when the shop assistant taps your card without asking first. I prefer to use chip and pin.
And you can’t always see the total. They (the shop assistant) just tap (or spend your money for you!!!!)
I dislike those kind of shop assistants.

Jonty Robinson says:
23 January 2018

When are Which going to do a feature on RFID blocker wallets? (for contactless cards and car fobs). I tried one that didn’t work and it has been returned to the store.

Hi Jonty, I’ve passed this onto our money team and they assured me they will take this into consideration for future testing 🙂

Peter derrington says:
23 January 2018

Has anyone had experience of using cards like ‘Skim Guard’ to prevent electronic at-a-distance reading? Are they worth it?

Hi Peter, we’ve not tested these yet but I have passed the request on to our money team. They said they are happy to look into these and test them, however there have been no cases of ‘skimming fraud’ in real life, only in test situations conducted by journalists.