Why contactless cards are safe
-
@Hotwire Kristin's talk is one of my favorites too; however, her talk has been mostly debunked/disproven in various other security talks recently. The tech has moved on a fair bit since then and things are a lot more secure.
You also have to remember that Kristin's talk purely shows a merchant processing transactions. This is a really bad example of an exploit because it leaves a paper trail back to the fraudster, something any semi-smart criminal wouldn't do.
Want to really see the weakness in payments? Check out the latest CCC talk on exploiting POS terminals: https://media.ccc.de/v/32c3-7368-shopshifting#video
Finally, just a friendly reminder: the issuing banks always accept liability for any fraud on your account. So if you do detect fraud, you just let them know and it is dealt with by their fraud teams.
-
Thank you for the link, John. I appreciate it.
Regarding Kristin's demo: no, I get that a proper skimmer wouldn't.
And regarding the liability part: that's true, but up to a point (or from a point, would be more accurate?). In the Netherlands you have to pay a liability fee of 50€ when skimmed (it used to even be 150€ prior to last January the 29th, see link below). The coincidence is that for most banks (if not all) in the Netherlands, the daily threshold before requiring a PIN is set at 50€. So that means you won't get a refund when skimmed.
-
That's fascinating @Hotwire -- even if you can prove fraud you have to pay some admin-type fee? Is that the case since the 29th of Jan, i.e. still the case today? The banking industry is constantly trying to improve the situation for contactless payments, so hopefully they did the right thing and resolved that for you!
-
My credit card got used twice, by people in New Mexico shopping in Walmart (?!) while I was in Cyprus. I filed a complaint and got my money back, and the process was seamless for me. So apparently you can be a victim of fraud relatively easily even if your chosen form of payment is chip + PIN. So I guess the only way to avoid fraud is to pay cash, but maybe you run the risk of getting mugged?
Here the threshold before requiring a PIN is €10, but a lot of stores set it to €0.
-
That's interesting. The limit in Australia seems to be $100 (AUD, currently about US$75) and there aren't any fees to recover your money if you report the problem promptly.
-
@johnyma22 said:
That's fascinating @Hotwire -- even if you can prove fraud you have to pay some admin-type fee? Is that the case since the 29th of Jan, i.e. still the case today? The banking industry is constantly trying to improve the situation for contactless payments, so hopefully they did the right thing and resolved that for you!
It's still the case. It used to be 150€; now it's reduced to 50€, which is good. A nuance, however: the liability fee covers both fraud instances during online banking/transactions, in addition to being skimmed in public.
Apparently the EU allows for an even further reduction below 50€, but our minister of finance (Dijsselbloem) isn't willing to go that far just yet, as he argues that (rough translation) "if there isn't some penalty in place, it could promote users to become careless [in regards to fraud prevention]".
That recent reduction from 150 to 50 has got something to do with the EU's 'Payment Service Directive 2'. But that's all I know.
-
Dijsselbloem doesn't think very highly of the rest of the humans, does he? He reminds me of our director; he believes that if he lowers our annual inspection target, we'll use it to perform even fewer inspections. Sounds to me like two really insecure people.
-
He's the minister of finance. Not trusting other people with money is basically the nature of the creature. :)
The banking sector is expecting the user base to share the responsibility of online banking and wireless transactions. Yet they [the banking sector] are pushing online banking (so that they can cut costs by closing their local establishments, which they have, and are progressing on as we speak), as are their retail partners pushing wireless transactions (to increase the transaction rate in the hope that the consumer is more inclined to spend).
Now I consider myself a very capable person when it comes to basic -- and to some degree advanced -- security. I try to keep up to snuff with the latest news in regards to it, as well as daily living of what I've learned. How can you ask Joe Sixpack to share the responsibility? Or the elderly, for that matter? My parents, for example. They're around their 60s, didn't grow up with computers, and barely know how to use a search engine, barely know how to drag and drop a file, and barely know what a URL is. Imagine how difficult it has been for me to inform my parents on the do's and don'ts of online banking. I'm basically their IT guy. I keep their system clean, and I weekly help them with their stumbling blocks. If they didn't have me, good luck to the banks expecting them to be responsible.
Besides that, the financial penalty is plain childish indeed. Has anyone ever enjoyed the process of going through the grinding mill with a bank at the other end of the line, in the instance you're the victim of fraud? 'Of course people enjoy that. That's why you need a financial penalty in place to keep the commoner on their toes.'
-
You mean to tell me you don't enjoy that?! I loved it both times! And I wasn't stressed at all that someone across the world used my card!
The bank sends my dad a debit card every time the previous one expires, and every time he cuts it in two. Good luck convincing this guy to go online banking, touchless payments or whatever new way of payment you can come up with, lol
-
I saw this and thought people may like to read it as it's NFC relevant:
http://www.pcauthority.com.au/News/417126,cash-and-credit-cards-will-disappear-by-2030.aspx
-
Bumping an old topic, but worth it.
I agree with @Lokki's older comments.
I myself have never actually seen a confirmed case of RFID-skimmed data being used to perform a transaction.
Not personally... every single story I hear is prefaced with
"I know someone who"