HSBC Contactless Card

Jamie_Carter

reclusive46 wrote: »

If your really that fussed, have two contactless cards and put them next to each other in your wallet. Problem solved.

And how would that solve anything?

It would be exactly the same problem as the one where people have their oyster card in the same wallet as their contactless card. It would be random which card is read.

JuicyJesus

Jamie_Carter wrote: »

It has only been used for credit/debit cards in the UK since 2008. It has been used for transport tickets for longer.

That's five years, during which time the number of frauds committed using contactless technology have been so infinitesimally low that it doesn't bear thinking about, even with an explosion in the number of contactless cards in use since last year.

Why would people dislike contactless cards, they would be far more convenient if they could just be made 100% secure.

I can't go into details for obvious reasons. But there are some huge holes in credit card security that the banks need to close up before they bring out gimmicks.

Like the magstripe, which I mentioned. Still the number one cause of card fraud other than MOTO/CNP fraud.

At any rate, nothing is 100% secure. But contactless is still pretty damn secure.

These reports are from 2012, so some people will still be using these cards.

http://www.telegraph.co.uk/technology/news/9163969/Barclays-contactless-cards-exposed-to-fraud.html

http://www.thisismoney.co.uk/money/cardsloans/article-2119697/Electronic-pickpockets-targeting-contactless-credit-debit-card-holders-smartphones.html

http://www.channel4.com/news/fraud-fears-grow-over-contactless-bank-card-technology

http://www.mendeley.com/research/practical-attack-contactless-payment-cards-1/

All of those refer to Barclays' old contactless cards, which broadcast things in plain text (which is plainly idiotic). Newer cards do not do this.

I'm not arguing that magnetic strips aren't secure, as I'm fully aware of that. However you can't read a magnetic strip by just being in the proximity. With contactless cards this is what they are designed to do.

But again, you ignore the actual facts: 1) the proximity is a few inches of your mark 2) the reading you'd get off the card would be meaningless burble unless you had the encryption key. This isn't a concern. It's rubbish.

Encryption is just a challenge for many hackers. And most encryption is broken eventually.

Contactless hasn't been. Neither has Chip and PIN, for that matter, and C&P has been out far longer than contactless has.

I'm not paranoid, or a conspiracy theorist, but I do obviously know more than you about credit card security.

No, you don't. You've linked to out of date information about a specific subset of contactless cards that are now out of use and think that because encryption can theoretically be broken it is therefore useless, while ignoring the fact that there are numerous technological and indeed physical barriers to committing contactless fraud and/or harvesting card details from contactless cards and that despite a significant increase in the use and holding of contactless cards within the last year there has been no corresponding significant increase in card fraud to go with it and still no demonstrable examples of anyone successfully harvesting card details from a modern, encrypted contactless card. The most significant concern there is with contactless is a family member taking the card and buying a McDonald's with it, and if a family member inclined to commit fraud has your card there are far more significant and damaging things they could do with it than buying a burger.

You are talking rubbish and scaremongering.

dr_adidas01

Jamie_Carter wrote: »

I haven't got one, and I don't want one.

So if you don't have one and don't want one, why are you on this thread scaremongering?

I've had a contactless cards for quite sometime and not had a problem with them. In fact I find them very useful and like that I can just tap it at the terminal and pay for items.

If you are stupid enough to let someone get near your wallet with a reader or other such device, and not challenge them. Then quite frankly you deserve it.

People need to be responsible for there actions, not blame others or the bank for there own stupidity.

Lets face it in the days when we had to sign for things when paying for an item, it was far less secure than the payment systems we have today.. Half the time the person taking the payment didn't even look at the signature on the back of the card to make sure it was correct.

They still use this system in America and not once while I was there did anyone look at the signature strip on the back. I could have used anyone's card!!

Jamie_Carter

JuicyJesus wrote: »

That's five years, during which time the number of frauds committed using contactless technology have been so infinitesimally low that it doesn't bear thinking about, even with an explosion in the number of contactless cards in use since last year.



Like the magstripe, which I mentioned. Still the number one cause of card fraud other than MOTO/CNP fraud.

At any rate, nothing is 100% secure. But contactless is still pretty damn secure.



All of those refer to Barclays' old contactless cards, which broadcast things in plain text (which is plainly idiotic). Newer cards do not do this.



But again, you ignore the actual facts: 1) the proximity is a few inches of your mark 2) the reading you'd get off the card would be meaningless burble unless you had the encryption key. This isn't a concern. It's rubbish.



Contactless hasn't been. Neither has Chip and PIN, for that matter, and C&P has been out far longer than contactless has.



No, you don't. You've linked to out of date information about a specific subset of contactless cards that are now out of use and think that because encryption can theoretically be broken it is therefore useless, while ignoring the fact that there are numerous technological and indeed physical barriers to committing contactless fraud and/or harvesting card details from contactless cards and that despite a significant increase in the use and holding of contactless cards within the last year there has been no corresponding significant increase in card fraud to go with it and still no demonstrable examples of anyone successfully harvesting card details from a modern, encrypted contactless card. The most significant concern there is with contactless is a family member taking the card and buying a McDonald's with it, and if a family member inclined to commit fraud has your card there are far more significant and damaging things they could do with it than buying a burger.

You are talking rubbish and scaremongering.

The reports were from last year. So those cards will still be in use. I said this earlier, but you chose to ignore it.

Yes the magnetic strip is unsecure. But as you say, chip and pin is relatively safe. And it is the fact that the card has to be swiped (or chip read), combined with the holder entering the pin number that makes it so secure.

A contactless card only requires the chip to be read, and this is done remotely (making it more vunerable). And doesn't require the pin to be entered.

You are wrong to say that chip and pin hasn't been broken, even though it is the most secure method. There are a number of ways that criminals have done this:






Granted the encryption is hard to crack, but criminals are very resourceful. After all they manage to crack all encryption eventually. If they can crack NASA, CIA, and NSA encryption, then they can certainly crack a banks.

All of those refer to Barclays' old contactless cards, which broadcast things in plain text (which is plainly idiotic). Newer cards do not do this.

Yes it is idiotic. But the banks to tend to do things that are idiotic. And they only close the gate once the horse has bolted. As I said earlier, security in the verification system is terrible, and could very easily be made much tighter. But they won't until a program like Watchdog exposes it.


I don't know what your reason is to champion contactless, and to be honest I don't really care. I'm not scaremongering, I'm simply saying that while there is a choice, it's far safer to stick with chip and pin for now, but take security measures.

Jamie_Carter

dr_adidas01 wrote: »

So if you don't have one and don't want one, why are you on this thread scaremongering?

I'm not scaremongering. I don't want one for the reasons I have explained.

dr_adidas01 wrote: »

I've had a contactless cards for quite sometime and not had a problem with them. In fact I find them very useful and like that I can just tap it at the terminal and pay for items.

I've had a chip and pin even longer, and I've never had a problem either, because I take security precautions. But my wife has.

dr_adidas01 wrote: »

If you are stupid enough to let someone get near your wallet with a reader or other such device, and not challenge them. Then quite frankly you deserve it.
People need to be responsible for there actions, not blame others or the bank for there own stupidity.

You are being very naïve if that's what you think. Have you never been in a crowded lift, bus, train, escalator, or even queue with your wallet in you pocket or handbag (sorry I don't know your sex)? Well this is exactly how they were being skimmed.

dr_adidas01 wrote: »

Lets face it in the days when we had to sign for things when paying for an item, it was far less secure than the payment systems we have today.. Half the time the person taking the payment didn't even look at the signature on the back of the card to make sure it was correct.

They still use this system in America and not once while I was there did anyone look at the signature strip on the back. I could have used anyone's card!!

Yes I know. You would also be surprised how few cashiers know how to spot a fake card.

In some countries in Europe they use chip and pin as well as a signature

Thieves are having a field day with stolen contactless cards, by using them for small purchases.

amiehall

Jamie_Carter wrote: »

Yes I know. You would also be surprised how few cashiers know how to spot a fake card.

In some countries in Europe they use chip and pin as well as a signature

Thieves are having a field day with stolen contactless cards, by using them for small purchases.

Why would you think cashiers would have any more knowledge about card, fake or otherwise than your average Joe?

I would always make a point of checking a signature if someone has to sign. Customers are normally holding out their hand to have their card back and are shocked that I want to keep it until they have signed so I can compare... This suggests to me that people never check. A signature requirement would offer no extra security as far as I'm concerned.

I guess the main difference of opinion stems from the fact that I don't really care that much about the security of my contactless card. It is convenient for me, so I use it. I am not reckless with my card or details and always ensure I know where they are, but, as I know any loss from fraud will be refunded, why should I care about the security of it.

As to criminals going round buying 15 cafe lattes with their newly stolen contactless cards, it's honestly one of the funniest things I ever heard... As if this is a huge concern. If someone stole your card and all they used it for was £19 in Pret a Manger and a McDonalds on the way home then you've had a lucky day.

We use contactless terminals and if a customer pays for their order in a few transactions, maybe coming back for extra items a couple of times, the terminal will normally prompt for the pin at around the third attempt.

rb10

Jamie_Carter wrote: »

Thieves are having a field day with stolen contactless cards, by using them for small purchases.

Do you have a source for this claim?

DevCoder

1. C&P has been broken, albeit the PoC is limited in the real world
2. Contactless NFC has also been broken but the newer revisions are only providing a one time hash good for the next transaction so the most they could gain would be ~£15 and that's if they beat you to the next NFC transaction.

Gromitt

Jamie_Carter wrote: »

Thieves are having a field day with stolen contactless cards, by using them for small purchases.

I'm sure if a thief goes through all the effort of stealing the card form my wallet without me noticing, then they are going to use it for something else other than a McDonalds or a Starbucks!

The very first version of Contactless didn't use authentication or encryption (silly Barclays), all of them now do so and require communication and authentication before they'll give out the encrypted contents which is then useful for one single purchase.

Jamie_Carter

amiehall wrote: »

Why would you think cashiers would have any more knowledge about card, fake or otherwise than your average Joe?

I would always make a point of checking a signature if someone has to sign. Customers are normally holding out their hand to have their card back and are shocked that I want to keep it until they have signed so I can compare... This suggests to me that people never check. A signature requirement would offer no extra security as far as I'm concerned.

I guess the main difference of opinion stems from the fact that I don't really care that much about the security of my contactless card. It is convenient for me, so I use it. I am not reckless with my card or details and always ensure I know where they are, but, as I know any loss from fraud will be refunded, why should I care about the security of it.

As to criminals going round buying 15 cafe lattes with their newly stolen contactless cards, it's honestly one of the funniest things I ever heard... As if this is a huge concern. If someone stole your card and all they used it for was £19 in Pret a Manger and a McDonalds on the way home then you've had a lucky day.

We use contactless terminals and if a customer pays for their order in a few transactions, maybe coming back for extra items a couple of times, the terminal will normally prompt for the pin at around the third attempt.

It should be basic training for cashiers to identify fake cards. Otherwise the retailer will lose money.

Do you still use signatures?