How a contactless payment took me by surprise

I knew from TV advertising that Barclaycard had the Contactless Payment system but its only in the last few months that I discovered that the Bank of America also have the system and I have been using it.
Its so quick and easy to use and it allows purchases to be made swiftly where you would normally pay with Cash.It save the change problem for the Shops and Shoppers. It has largely lead to me not having to be concerned about carrying money.Its a technological advance that has made my life a lot easier.

Does anyone know if such poor treatment of you personal credit card data breaches the Data Protection Act?

If you don’t understand how this technology works, please refrain from passing comment on it.

For your information, your card can’t “broadcast” anything. When a card reader is used at the point of sale, it starts looking for any nearby RFID signatures on the correct frequency; if it finds one, it queries the data on the RFID chip inside the card using a 128-bit encryption key (so yes, it IS encrypted), and if the key matches, reads the card details and processes payment.

In addition – there is a maximum spend limit of £15, and the usual safeguards are in place to prevent rapidly draining the card in £15 increments – the bank will lock out your account if it detects suspicious activity. You’re also covered by the normal security guarantees of your card provider (Visa, MasterCard etc.), so even if you don’t trust your bank (in which case, why are you banking with them?), you have that to fall back on.

Please don’t be blinded by how smart or clever this technology might be, as its use by the banks isn’t.

Just watch http://www.channel4.com/news/millions-of-barclays-card-users-exposed-to-fraud

And as you’ll see IT IS possible to spend over £15.

And forgive me for now commenting on something I know about .. I can see organised gangs just standing outside a tube station during rush hour. And walking off with several card details.

First of all, I apologise for speaking hastily, but your comments about credit cards “broadcasting” details raised a red flag – by their nature, passive RFID chips don’t broadcast, they respond to requests for their information.

Secondly, it’s not the banks or the providers which are at fault – as the Channel 4 article points out, it’s the retailers who fail to require proper security details when processing payments. Visa’s PayWave, which powers Barclays’ contactless system, carries only the card number and expiry date, and not the name of the cardholder or the CVV2 security number.

And it does so under 128-bit encryption, as I said before. I did a little basic research and apparently it’s difficult to simply scan contactless cards without having the encryption key. So what potential thieves actually have is half the details they need, which are all encrypted anyway. It’s like a pickpocket who snatches your purse only to find a broken key inside.

No worries. I still think the banks ARE at fault. If I was running one I’d refuse to accept any payment which doesn’t come with a CVV2 number. The fact that the banks do, at least in my mind, makes them just as guilty as the retailers who take transactions in the first place.

And I wonder how quickly retailers would plug that gap if the banks simply told them they’d refuse to honor any transaction without one. So again, banks, get your act together. It’s not rocket science here.

And from someone who knows nothing about any of this, it does seem so very easy to at least make it less attractive to the “villains” of this world.

If only I had Mr Diamonds job for a tenth of his money.

Oh and thanks for the “tech” lesson. 🙂

Sloppy reporting from the Daily Mail as usual – a provocative (I don’t want to say “scaremongering” but…) and misleading headline, and the majority of claims are unsourced. Of the two sources they’ve actually got, one of them runs an independent ATM company, so it’s in his best interests to stop contactless technology as it lets people pay (and get cashback) without withdrawing cash from his ATMs!

It’s clear that they’ve interviewed him and this RFID security bloke, taken the best (worst?) soundbites that they can, and not bothered to look into any actual scientific research on the subject. Many of the comments on the article back me up – although in true Daily Mail style, the ones that talk sense are voted down, while the paranoid ones are voted up!

There are two main issues with this idea that unscrupulous types will hang around outside tube stations waving their magic wands over everyone’s wallets. Firstly, the contact range is very small – 5cm at best – which you can easily experiment with by using an Oyster card and seeing how far it has to be from the reader before it’ll register. So they’d have to be in touching distance of your wallet, at which point it’s probably easier just to steal it. And secondly, as I’ve mentioned before, all of the data coming from these cards is encrypted.

Easier to steal it? Don’t be absurd. Wireless is what makes it easy.

In the best case – no, just one of them, as the reader will detect the first card it comes across, process the payment on that and then end the vending process. In the worst case, the conflicting signals from the multiple cards will cause none of them to be detected, and you’ll have toremove the card you want to pay with from your wallet.

Again, this can easily be tested by placing two Oyster cards into your wallet and seeing how the readers on the Tube react. You could also do it with any RFID card, like hotel room keys or office door passes.

Wrong, wrong, wrong.

If you know you’ve got two contactless cards in your wallet, why would you put your whole wallet on the contactless reader? That’s just asking for trouble. As I have other RFID-equipped cards in my wallet that could interfere with the signal, such as an Oyster card, I make sure to take my card out whenever I want to pay via contactless – and indeed, I usually have to anyway, as the range and power on most commercial reader units is very low.

“Anyone” won’t be able to get a terminal, just as “anyone” can’t get a chip and pin terminal now. They’re issued through the bank, and then only to their business customers. Then you’d need the infrastructure to actually process the payments – a dedicated phone line, ideally. You can’t just take an RFID reader onto the street, away from your local wi-fi network, and have all the functionality of a reader in a shop.

As I’ve explained above, “they” (these shadowy thieves whom you believe to be lurking around every corner) won’t be able to steal your card details either – at least not in any usable way, as all that’s broadcast is the card number and expiry date – not the CVV2 code, which is required by almost all online merchants; not the cardholder’s name or address, which is similarly required, and certainly NOT your PIN.

Finally, you CAN opt-out. Barclays will send you a non-PayWave card if you ask them, and I’m guessing other banks will too. If your bank won’t let you, then you can STILL “opt-out” by moving your bank account to somewhere that will. Don’t act like it’s being forced on you against your will – it’s perfectly possible to reject it entirely.

“as all that’s broadcast is the card number and expiry date”. As that’s all Amazon need, why broadcast more. As I’ve mentioned before any system is only as secure as its weakest link, and with Amazon that is one huge gaping hole.

Sadly any name and address the last time I checked.