
Turning off Contactless


Comments

  • I think what worries me about contactless cards is that I could unwittingly pay for someone else's goods. A while back I was buying a scarf. My husband was stood next to me and I was waiting for the staff member to take payment. Eventually she laughed and told me that she had.

    Turned out she had used a contactless payment (I didn't even know my card had it). But she used the wrong one as it was my husband's card. How did she do this as the card was in his wallet? Great for me though as he ended up paying for my scarf!
  • techno79
    techno79 Posts: 354 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Nasqueron wrote: »
    OK
    Let me explain this simply:

    Thanks very much but I understood your previous explanation just fine.
    Nasqueron wrote: »
    You need a merchant account at a bank in order to activate a card and take payment

    You are seriously suggesting people are going to buy payment machines so they can go around sticking them up against people's legs on the off chance they a) have a contactless card and b) it can be read and c) hope no-one notices them waving the card reader around in public, all so they can steal £30 (which will be traceable through their account)?

    Card fraud can happen at all levels. Fraudsters do not buy off the shelf hardware, they can also create their own electronics and software to create such custom and bespoke devices. When the rewards are high, the effort is worthwhile. You only have to see this video to see how doable creating dodgy hardware is: https://www.youtube.com/watch?v=Ks0SOn8hjG8

    You will also see from the video how all the major payment providers and banks can prevent real information from coming out if they feel threatened that it exposes weakness in the security measure they have. Truth is, if there is a weakness then they will do a lot to cover things up and keep it from the public eye.

    Nasqueron wrote: »
    Credit card fraud is done on a massive scale from stuff like buying millions of cards from hacking websites (e.g. Ashley Madison) not from random card skims

    Fraud happens on all levels. The term skimming actually came from when cards had a mag stripe and staff who take cards for payment would secretly swipe the card on their own hardware reader to capture the mag stripe data. This was not a massive scale as it was a one card one hit attack. Someone dodgy who is technically capable would more than be incentivised with a reward of £10,000s each month.

    Nasqueron wrote: »
    You misunderstood - you can get simple sleeves for cards that block the RFID

    And even those sleeves would prevent cards fitting in my wallet that I use. It would depend on the wallet.

    Nasqueron wrote: »
    If you don't notice odd transactions and report them, what does it matter whether it's contactless or chip and pin? If anything with C&P you are more likely to have problems as the banks have tended to argue if someone has your pin then you must have left it around or been unsafe!

    The difference is that I feel I protect my PIN very securely. I am less exposed to fraud with a chip and PIN only card vs a contactless card. Everyone is different but this is how it is for me.

    While others are happy with contactless, I am not.
  • Mulder00
    Mulder00 Posts: 508 Forumite
    Ninth Anniversary 100 Posts
    Contactless is by far the safest. It is not possible to clone the contactless card. (Yes you can skim details from it, but those details are meaningless to transact with. People seem to think that a contactless chip simply does what magstripe did back in the day and carry details, but there are layers and layers and layers of security behind it). Don't leave your cards around and if stolen, then report it immediately and you will not be liable for any fraudulent transactions. By using contactless, even if your card is in fact stolen, there would have been no way to get your PIN.

    Given the option to pay contactless or chip & PIN, you should ALWAYS use contactless if available on your card if you are at all concerned about fraud or security of your account. It is significantly safer and you are protecting yourself by doing this as long as you are sensible about things and don't leave things lying around. Make sure you know the details of your cards so in case of theft, you can report it immediately.
  • takman
    takman Posts: 3,876 Forumite
    1,000 Posts Combo Breaker
    techno79 wrote: »
    I do check my statements to make sure nothing stands out. If say I regularly buy lunch for a few quid at Tesco, then I'm not gonna check every single transaction against a receipt to make sure the date and amount tally up. So if someone does a fraudulent transaction within my spending profile, then I may not pick it up. However, transactions that are for larger amounts or non-routine are checked properly.

    So say someone who has some contactless card skimming device starts skimming cards by walking around in Tescos. This person makes sure he only skims cards once and for a very small amount (sub £5). Assuming this person doesn't keep going to the same store, then I'm sure no one would notice that as most of them are likely to be regular Tesco customers. The risk exposure to any single person is only a few £s but the reward for the fraudster could be £1000s.

    If this person didn't get greedy then they could easily do 10 stores a month (which is very low numbers) which would net them £10k a month. That's a very rewarding amount for someone yet the risk exposure to any single person is so small.

    So even though my risk exposure is small, do I want to fall victim of this crime? Of course not. Chances are, I may not notice but if it does happen to me then I'm only encouraging that kind of fraud. It is for this reason that I choose not to carry around a payment card that is contactless.

    I'm assuming from your borderline paranoid attitude to contactless that you must not have online banking either. I check my bank accounts daily because it only takes 30 seconds and I will easily notice any payments that I haven't made that day without looking at a receipt. So by not checking every transaction you're not as secure as you think!

    Also you seem to be missing a big flaw in your skimming theory. When the bank see that Joe Bloggs has almost every contactless transaction reported as fraudulent his account won't stay open long and it will be easy to convict him of fraud. Every payment is traceable so it simply wouldn't be possible to get away with stealing money in this way.
  • Nasqueron
    Nasqueron Posts: 11,212 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 31 August 2016 at 3:24PM
    techno79 wrote: »
    Thanks very much but I understood your previous explanation just fine.

    Card fraud can happen at all levels. Fraudsters do not buy off the shelf hardware, they can also create their own electronics and software to create such custom and bespoke devices. When the rewards are high, the effort is worthwhile. You only have to see this video to see how doable creating dodgy hardware is: https://www.youtube.com/watch?v=Ks0SOn8hjG8

    You will also see from the video how all the major payment providers and banks can prevent real information from coming out if they feel threatened that it exposes weakness in the security measure they have. Truth is, if there is a weakness then they will do a lot to cover things up and keep it from the public eye.

    £30 is a high reward? OK!

    Your first video talks about skimming details but how would they actually take payments without a merchant account? All they can do is get the card details, same as stealing your card in a pickpocket or through the cloning process which is detailed in your second video which also identifies numerous failings of chip and pin - the system you claim to be the safest model can easily be defeated through fiddling around with terminals, using fake devices or devices over the top of proper readers.

    The video was posted 4 years ago and the report is probably older than that. Who knows what has changed since.

    techno79 wrote: »
    Fraud happens on all levels. The term skimming actually came from when cards had a mag stripe and staff who take cards for payment would secretly swipe the card on their own hardware reader to capture the mag stripe data. This was not a massive scale as it was a one card one hit attack. Someone dodgy who is technically capable would more than be incentivised with a reward of £10,000s each month.

    Fraud happens when people can be stealthy and avoid risk of being captured e.g. buying stuff online. You don't seem to grasp the problem with these RFID readers in that they require the thief to go around in public and wave the reader around people's legs, it's extremely obvious and nothing like the model operated by the fraudsters who want to be anonymous and untraceable - with these scanners they would be caught in minutes.

    techno79 wrote: »
    And even those sleeves would prevent cards fitting in my wallet that I use. It would depend on the wallet.

    Wallets with card slots that are maybe 1mm wider than the card, perhaps, anything more than that is fine

    techno79 wrote: »
    The difference is that I feel I protect my PIN very securely. I am less exposed to fraud with a chip and PIN only card vs a contactless card. Everyone is different but this is how it is for me.

    While others are happy with contactless, I am not.

    Your second video proves your belief about being less exposed to fraud or that your pin is protected is garbage yet you are continuing to argue about something your own source proved you wrong over.

    Sam Vimes' Boots Theory of Socioeconomic Unfairness: 

    People are rich because they spend less money. A poor man buys $10 boots that last a season or two before he's walking in wet shoes and has to buy another pair. A rich man buys $50 boots that are made better and give him 10 years of dry feet. The poor man has spent $100 over those 10 years and still has wet feet.

  • techno79
    techno79 Posts: 354 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Nasqueron wrote: »
    £30 is a high reward? OK!

    Your first video talks about skimming details but how would they actually take payments without a merchant account? All they can do is get the card details, same as stealing your card in a pickpocket or through the cloning process which is detailed in your second video which also identifies numerous failings of chip and pin - the system you claim to be the safest model can easily be defeated through fiddling around with terminals, using fake devices or devices over the top of proper readers.

    The video was posted 4 years ago and the report is probably older than that. Who knows what has changed since.

    Fraud happens when people can be stealthy and avoid risk of being captured e.g. buying stuff online. You don't seem to grasp the problem with these RFID readers in that they require the thief to go around in public and wave the reader around people's legs, it's extremely obvious and nothing like the model operated by the fraudsters who want to be anonymous and untraceable - with these scanners they would be caught in minutes.

    Wallets with card slots that are maybe 1mm wider than the card, perhaps, anything more than that is fine

    Your second video proves your belief about being less exposed to fraud or that your pin is protected is garbage yet you are continuing to argue about something your own source proved you wrong over.

    The point of the chip and pin video is to show you that even the hardware supply chain for devices can be exploited by fraudsters who are invested. If the actual supply chain for payment devices can be hacked, then of course devices can be created using custom hardware.

    This video shows you how contactless payment cards can be exploited: https://www.youtube.com/watch?v=4Tb-J1uui8Q

    A simple smartphone can contactlessly obtain all the details of the card. Someone who has a smartphone in their pocket ready to scan anything that comes in close proximity would capture hundreds of cards in a crowded place like the London tube in rush hour. All they'll need to do is brush past people on a crowded carriage (like so many people do). If they did this for the entire rush hour (twice per day), then they would possibly get thousands of card details per day.

    I'm not saying chip and pin is perfect, but at least my risk exposure is only the duration for when my card is out of my wallet.

    RFID sleeves are great if you can use them but for me, my wallet is extremely slim and wouldn't be able to hold anything larger than a credit card.
  • techno79
    techno79 Posts: 354 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Mulder00 wrote: »
    but there are layers and layers and layers of security behind it.

    https://www.youtube.com/watch?v=4Tb-J1uui8Q&feature=youtu.be&t=2m22s

    Doesn't look like any layers of security to me.
  • takman
    takman Posts: 3,876 Forumite
    1,000 Posts Combo Breaker
    techno79 wrote: »
    The point of the chip and pin video is to show you that even the hardware supply chain for devices can be exploited by fraudsters who are invested. If the actual supply chain for payment devices can be hacked, then of course devices can be created using custom hardware.

    This video shows you how contactless payment cards can be exploited: https://www.youtube.com/watch?v=4Tb-J1uui8Q

    A simple smartphone can contactlessly obtain all the details of the card. Someone who has a smartphone in their pocket ready to scan anything that comes in close proximity would capture hundreds of cards in a crowded place like the London tube in rush hour. All they'll need to do is brush past people on a crowded carriage (like so many people do). If they did this for the entire rush hour (twice per day), then they would possibly get thousands of card details per day.

    I'm not saying chip and pin is perfect, but at least my risk exposure is only the duration for when my card is out of my wallet.

    RFID sleeves are great if you can use them but for me, my wallet is extremely slim and wouldn't be able to hold anything larger than a credit card.

    But then they have collected loads of contactless card information, what do they do with it?

    You can't get any personal information this way and they can't use the information to take money from the person's bank account...

    So there is no risk!
  • techno79
    techno79 Posts: 354 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    takman wrote: »
    But then they have collected loads of contactless card information, what do they do with it?

    You can't get any personal information this way and they can't use the information to take money from the person's bank account...

    So there is no risk!

    Well the video goes on to say they had enough information to place orders on Amazon. I'm sure there are other places and ways that information could be used to financially exploit things.

    But even then, if an attacker needs all pieces of a puzzle, I'm not going to be comfortable that most of the puzzle pieces are obtainable because then you're relying on the fact that the other puzzle pieces really are secure, which they may not. It's entirely possible that the other pieces are obtained from other sources.

    There are countless stories of how really popular company websites have been hacked and millions of customer details have been obtained. All of those companies have waved off the severity by saying "Yes, the hacker has your name, address, email address, phone number but your passwords and payment info is still safe".

    So with two massive databases of information, one containing millions of customers' private data name, address etc. The other containing payment card details.

    Only takes a very small amount of computer programming knowledge to script a program to match up records on name from both lists. It might result in quite a few false match-ups but there would still be a reasonable number of positive match-ups.

    The point is, a malicious person needs a number of bits of information to use for fraud. I'm not going to be lax about protecting some of that info by assuming the other bits are secure. I prefer to keep all bits of information secure as much as I can and thus reduce my risk exposure.
  • dekaspace
    dekaspace Posts: 5,705 Forumite
    I've been Money Tipped!
    Interesting about the contactless thing, I can't use my contactless cards in same wallet as my bus pass as it just confuses it, or even college ID cards (as they have data on them) don't work

    Must be an easy way to have all cards in 1 wallet and just take out one I need.
This discussion has been closed.