Why contactless cards are safe
-
Well, the form of payment doesn't really matter when it's the terminal that is fraudulent these days. You can't really compare with current chip-based systems as contactless is far from mainstream. People will find ways once contactless payment becomes even more popular. While I may not have been reading the article too closely, I do believe there's no difference between the two, because even today, if you were a victim of fraud, the card issuer will most likely refund you, as it's a known and calculated risk; it's easier for them to refund you as it's a penny in the pond for them to do so.
-
@Andreas said:
Contactless is far from mainstream. People will find ways once contactless payment becomes even more popular.
Come to 'Straya for a holiday, man. Contactless is everywhere and we've had it for years now. PayPass/payWave, AU$100 limit before you have to feed the machine your PIN, but you can easily do that and it doesn't interrupt the flow of things.
It's safe and insured, if there's a fraudulent contactless payment then you just let the bank know. Bam, done.
And most of the skimming tech is still reading your mag stripe. The sooner they do away with that ridiculous relic the better. As ubiquitous as contactless has become here I have not heard of one verified instance of contactless fraud where the card isn't in their physical possession. If they're stolen then you've already reported it (haven't you?) and everything is all good.
-
The issue is more terminals taking smaller unauthorized payments without the user knowing or ever noticing. Imagine seeing a $10 "tax relief" on your credit statement; you would hardly flinch...
So the issue isn't theft or fraud at a large value, it's performing fake transactions at a large volume/scale. Almost like taking a penny from everyone's bank account.
The funny thing is the merchant would need to pay the bank transfer fee to complete the transaction, and also the merchant would get busted right away.
So basically it'd be the dumbest crime ever ;)
-
Isn't it possible to just tunnel the NFC by using two phones? So you could buy certain stuff using some strangers credit card.
-
@johnyma22 said:
The issue is more terminals taking smaller unauthorized payments without the user knowing or ever noticing. Imagine seeing a $10 "tax relief" on your credit statement; you would hardly flinch...
Just as in everything, the onus is on you to look after your affairs. Plenty of us can and do obsess over the little things like that, and imagine rogue operators being banned from using equipment that gives them access to more and more customers.
It's self-correcting: if it ever happens then it won't happen for long, it'll be insured and then the rogue operator is done.
Contactless is as safe as chip and PIN for the consumer IMO.
Loads safer than magnetic swipe or, heaven forbid, card imprint. @Lafunamor got better info on that one?
-
As I understand it, unlike the contactless that is being passed out, both NFC payments and chip and PIN/signature payments use tokenization. So even if your cards were skimmed, or info intercepted, the number holds no card info and is only good for one transaction. So no card copying or multiple transactions of any size can be performed. I read that US card companies will have the choice of chip and PIN or signature. PIN would be far safer of course.
-
Whether it is safe or not, most of the time, I think it depends on how we use our credit card or how careful we are with our payment.
There is no strict rule that contactless cards are safer than contact cards,
because all of them will get your bank card information to complete your payment.
About how to protect our bank card reader, here I would like to recommend an article that I read. Hope it could help us all, guys.
link: [how to protect our bank card safe?]
-
Cards aren't much safer than cash anyway: http://arstechnica.com/security/2015/12/common-payment-processing-protocols-found-to-be-full-of-flaws/
-
@Nephiel
John posted a YouTube link to their presentation and it was fantastically interesting to watch. Cash is about as unsafe as you get: when it's stolen, it's gone. But there is a finite amount of it in your possession and you can control that easily.
-
@maz_net_au That article quoted by @Nephiel was about a specific technology in Germany. But even if a reader were compromised you don't actually send your bank numbers through. Just a one-time-use number for one transaction. Only the bank itself can translate that number into your actual account number. No cloning, no reusing. That should keep the electronic theft numbers low. Using a PIN should also help keep the consequences of physical theft low.
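An added example, not from this thread, modelling the "one-time number per transaction" idea in the post above: the card sends only a reference and a counter-bound MAC, and the issuer alone maps the reference to an account and rejects a replayed or altered token. It is a deliberately simplified model, not the real EMV cryptogram scheme; all references, keys and amounts are constructed.

```python
import hmac
import hashlib

# Constructed, simplified model of the "one-time number per transaction" idea:
# the card sends a reference and a counter-bound MAC, never the account number,
# and only the issuer can map the reference to an account. This is NOT the real
# EMV cryptogram format; names and values are illustrative assumptions.

ISSUER_CARDS = {   # issuer-side secrets; the terminal never sees these
    "REF-0001": {"account": "ACCT-1234", "key": b"constructed-card-key-0001"},
}

def _mac(key: bytes, ref: str, atc: int, amount_cents: int) -> str:
    return hmac.new(key, f"{ref}|{atc}|{amount_cents}".encode(), hashlib.sha256).hexdigest()

def card_build_token(ref: str, key: bytes, atc: int, amount_cents: int) -> dict:
    """What a (secure-element) card hands the terminal for one transaction."""
    return {"ref": ref, "atc": atc, "amount_cents": amount_cents,
            "mac": _mac(key, ref, atc, amount_cents)}

class Issuer:
    """Verifies the MAC and enforces a strictly increasing counter per card."""
    def __init__(self):
        self.last_atc = {ref: 0 for ref in ISSUER_CARDS}

    def authorize(self, token: dict) -> str:
        card = ISSUER_CARDS.get(token["ref"])
        if card is None:
            return "DECLINED: unknown reference"
        expected = _mac(card["key"], token["ref"], token["atc"], token["amount_cents"])
        if not hmac.compare_digest(expected, token["mac"]):
            return "DECLINED: bad cryptogram"    # tampered amount or forged card
        if token["atc"] <= self.last_atc[token["ref"]]:
            return "DECLINED: counter replayed"  # eavesdropped token reused
        self.last_atc[token["ref"]] = token["atc"]
        return f"APPROVED for {card['account']}"

def demo() -> list:
    ref, key = "REF-0001", ISSUER_CARDS["REF-0001"]["key"]
    issuer = Issuer()
    t1 = card_build_token(ref, key, atc=1, amount_cents=450)
    out = [issuer.authorize(t1)]            # genuine first use
    out.append(issuer.authorize(t1))        # same bytes captured and replayed
    t2 = card_build_token(ref, key, atc=2, amount_cents=450)
    out.append(issuer.authorize(dict(t2, amount_cents=9999)))  # amount altered in transit
    out.append(issuer.authorize(t2))        # genuine second use
    return out

if __name__ == "__main__":
    for line in demo():
        print(line)
```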
-
@LoganFive
Yeah. If you watch the entire presentation they stole the mag stripe details and PIN from the customer (doesn't work with contactless, but they would still be able to steal the PIN the same way).
And they showed you could clone a terminal and perform the same operations as a merchant (buying prepaid credit and performing refunds). I agree with you. Contactless cards are safer than anything else we've got so far. Here in Australia most people seem to be using contactless cards (and signatures on old credit cards stopped being accepted a couple of years ago). I wonder what effect that had on rates of fraud etc. Should be able to find stats from the last 12 months on it.
Security is fun.
-
It's always a trade-off between secure and usable. I have yet to hear of a case of paypass/paywave fraud here though. It certainly doesn't feature in the media beyond a couple of 'woo spooky' bad news pieces I read a while back that were 49% conjecture and 51% technology panic.
-
I genuinely suggest anyone interested in the subject watch Kristin Paget's 2012 ShmooCon talk (I know, there are many other talks, but Paget actually provides a decent band-aid in the second half; the first half is about proving the fraud). It's very enlightening. Granted, it's a fairly old talk, so some points might be dated, and some might be common knowledge by now, but fundamentally speaking, NFC will never be entirely safe. No matter how sophisticated the backend security is.
The talk:
Personally, I'd much rather do NFC transactions via a phone (especially something that's well implemented software-wise like Apple Pay, as well as hardware-wise), because that's something I can switch off when not in use, instead of being statically, passively present. Do need to abide by a couple of rules though. Which are: keep the phone up to date, only install apps from official stores, and abstain from obtaining SU rights, but that's a standard requirement for anything on any device these days.
I don't agree at all, by the way, that NFC transactions are safer than anything we've got. The safest is still PIN + physical insertion (to read the chip, not the magstripe) at the terminal. You just can't beat non-wireless in terms of security. Remember that the banks and retail sector didn't choose NFC for better security over standard card-insertion-based transactions, but to raise the transaction flow rate. If they could've waved a magic wand and made insertion-based transactions just as smooth as NFC, I'm pretty sure they'd stick to the former as it has got way fewer security variables to account for.
-
@Hotwire Kristin's talk is one of my favorites too; however, her talk has been mostly debunked/disproven in various other security talks recently. The tech has moved on a fair bit since then and things are a lot more secure.
You also have to remember that Kristin's talk purely shows a merchant processing transactions. This is a really bad example of an exploit because it leaves a paper trail back to the fraudster. Something any semi-smart criminal wouldn't do.
Want to really see the weakness in payments? Check out the latest CCC talk on exploiting POS terminals: https://media.ccc.de/v/32c3-7368-shopshifting#video
Finally, just a friendly reminder: the issuing banks always accept liability for any fraud on your account. So if you do detect fraud, you just let them know and it is dealt with by their fraud teams.
-
Thank you for the link, John. I appreciate it.
Regarding Kristin's demo: no, I get that a proper skimmer wouldn't.
And regarding the liability part: that's true, but up to a point (or from a point, would be more accurate?). In the Netherlands you have to pay a liability fee of 50€ when skimmed (it used to be 150€ prior to last January the 29th, see link below). Coincidentally, for most banks (if not all) in the Netherlands, the daily threshold before requiring a PIN is set at 50€. So that means you won't get a refund when skimmed.
-
That's fascinating @Hotwire. Even if you can prove fraud you have to pay some admin-type fee? Is that the case since the 29th of Jan, i.e. still the case today? The banking industry is constantly trying to improve the situation for contactless payments so hopefully they did the right thing and resolved that for you!
-
My credit card got used twice, by people in New Mexico shopping in Walmart (?!) while I was in Cyprus. I filed a complaint and got my money back, and the process was seamless for me. So apparently you can be a victim of fraud relatively easily even if your chosen form of payment is chip + PIN. So I guess the only way to avoid fraud is to pay cash, but maybe you run the risk of getting mugged?
Here the threshold before requiring a PIN is €10, but a lot of stores set it to €0.
-
That's interesting. The limit in Australia seems to be $100 (AUD, currently about US$75) and there aren't any fees to recover your money if you report the problem promptly.
-
@johnyma22 said:
That's fascinating @Hotwire. Even if you can prove fraud you have to pay some admin-type fee? Is that the case since the 29th of Jan, i.e. still the case today? The banking industry is constantly trying to improve the situation for contactless payments so hopefully they did the right thing and resolved that for you!
It's still the case. It used to be 150€, now it's reduced to 50€, which is good. A nuance however: the liability fee covers fraud instances during online banking/transactions as well, in addition to being skimmed in public.
Apparently the EU allows for even further reduction below 50€, but our minister of finance (Dijsselbloem) isn't willing to go that far just yet, as he argues that (rough translation) "if there isn't some penalty in place, it could encourage users to become careless [in regards to fraud prevention]".
That recent reduction from 150 to 50 has got something to do with the EU's 'Payment Service Directive 2'. But that's all I know.
-
Dijsselbloem doesn't think very highly of the rest of the humans, does he? He reminds me of our director; he believes that if he lowers our annual inspection target, we'll use it to perform even fewer inspections. Sounds to me like two really insecure people.