Why contactless cards are safe

LoganFive

@maz_net_au That article quoted by @Nephiel was about a specific technology in Germany. But even if a reader were compromised you don't actually send you bank numbers through. Just a one time use number for one transaction. Only the bank itself can translate that number in no your actual account number. No cloning, no reusing. That should keep the electronic theft numbers low. Using a Pin should also help keep the consequences of physical left low.

maz_net_au

@LoganFive
Yeah. If you watch the entire presentation they stole the mag stripe details and pin from the customer, (doesnt work with contactless but they would still be able to steal the PIN the same way).
And they showed you could clone a terminal and perform the same operations as a merchant (buying prepaid credit and performing refunds).

I agree with you. Contactless cards are more safe than anything else we've got so far. Here in Australia most people seem to be using contactless cards (and signatures on old credit cards stopped being accepted a couple of years ago). I wonder what effect that had on rates of fraud etc. Should be able to find stats from the last 12 months on it.
Security is fun.

Lokki

It's always a trade-off between secure and usable. I have yet to hear of a case of paypass/paywave fraud here though. It certainly doesn't feature in the media beyond a couple of 'woo spooky' bad news pieces I read a while back that were 49% conjecture and 51% technology panic.

Hotwire

I genuinely suggest anyone interested on the subject to watch Kristin Paget's 2012 Schmoocon talk (I know, there are many other talks, but Paget actually provides a decent band-aid at the second half -- the first half is about proving the fraude). It's very enlightening. Granted, it's a fairly old talk, so some points might be dated, and some might be common knowledge by now, but fundamentally speaking, NFC will never be entirely safe. No matter how sophisticated the backend security is.

The talk:

Personally, I'd much rather do NFC transaction via a phone (especially something that's well implemented software-wise like Apple Pay, as well as hardware-wise), because that's something I can switch off when not in use, instead of being statically passively present. Do need to abide to a couple of rules though. Which are: keep phone up to date, only install apps from official stores, and abstain from obtaining SU rights, but that's standard requirement for anything on any device these days.

I don't agree at all by the way that NFC transaction is more safe than anything we've got. The safest is still PIN + physical insertion (to read the chip, not magstrip) at terminal. You just can't beat non-wireless in terms of security. Remember that the banks and retail sector didn't choose NFC for better security over standard card insertion based transactions, but to raise the transaction flow rate. If they could've waved a magic wand and make insertion based transaction just as smooth as NFC, I'm pretty sure they'd stick to the former as it has got way less security variables to account for.

johnyma22

@Hotwire Kristin's talk is one of my favorites too however her talk has been mostly debunked/disproven in various other security talks recently. The tech has moved on a fair bit since then and things are a lot more secure.

You also have to remember that Kristin's talk purely shows a merchant processing transactions, this is a really bad example of an exploit because it leaves a paper-trail back to the fraudster. Something any semi-smart criminal wouldn't do.

Want to really see the weakness in payments? Check out the latest CCC talk on exploiting POS terminals.. https://media.ccc.de/v/32c3-7368-shopshifting#video

Finally just a friendly reminder the issuing banks always accept liability of any fraud on your account. So if you do detect fraud, you just let them know and it is dealt with by their fraud teams.

Hotwire

Thank you for the link, John. I appreciate it.

Regarding Kristin's demo: no I get that a proper skimmer wouldn't.

And regarding the liability part: that's true, but up to a point (or from a point, would be more accurate?). In the Netherlands you have to pay a liability fee of 50€ when skimmed (used to even be 150€ prior to last January the 29th, see link below). Coincidence is that for most banks (if not all) in the Netherlands, that the daily threshold before requiring PIN is set at 50€. So that means you won't get a refund when skimmed.

https://translate.google.nl/translate?sl=nl&tl=en&js=y&prev=_t&hl=nl&ie=UTF-8&u=https%3A%2F%2Fwww.security.nl%2Fposting%2F459176%2FEigen%2Brisico%2Binternetbankieren%2Bverlaagd%2Bnaar%2B50%2Beuro&edit-text=

johnyma22

That's fascinating @Hotwire -- Even if you can prove fraud you have to pay some admin type fee? Is that the case since the 29th of Jan IE still the case today?? The banking industry is constantly trying to improve the situation for contactless payments so hopefully they did the right thing and resolved that for you!

Annita Stephanou

My credit card got used twice, by people in New Mexico shopping in Walmart (?!) while I was in Cyprus. I filled a complaint and got my money back and the process was seamless for me. So apparently you can be a victim of fraud relatively easy even if your chosen form of payment is chip + PIN. So I guess, the only way to avoid fraud is pay cash, but maybe you run the risk of getting mugged?
Here the threshold before requiring a PIN is €10, but a lot of stores set it to €0.

maz_net_au

That's interesting. The limit in Australia seems to be $100 (AUD.. currently about US$75) and there aren't any fees to recover your money if you report the problem promptly.

Hotwire

@johnyma22 said:

That's fascinating @Hotwire -- Even if you can prove fraud you have to pay some admin type fee? Is that the case since the 29th of Jan IE still the case today?? The banking industry is constantly trying to improve the situation for contactless payments so hopefully they did the right thing and resolved that for you!

It's still the case. It used to be 150€, now it's reduced to 50€, which is good. A nuance however: the liability fee covers both fraud instances during online banking/transactions, in addition to being skimmed in public.

Apparently the EU allows for even further reduction below 50€, but our minister of finance (Dijsselbloem), isn't willing to go that far just yet, as he argues that (rough translation) "if there isn't some penalty in place, it could promote users to become careless [in regards to fraud prevention]".

That recent reduction from 150 to 50 has got something to do with the EU's 'Payment Service Directive 2'. But that's all I know.

Annita Stephanou

Dijsselbloem doesn't think very highly of the rest of the humans, does he? He reminds me of our director; he believes that if he lowers our annual inspection target, we'll use it to perform even less inspections. Sounds to me like two really insecure people.

Hotwire

He's the minister of finance. Not trusting other people with money is basically the nature of the creature. :)

The banking sector is expecting the user base to share the responsibility of online banking and wireless transactions. Yet they [banking sector] are pushing online banking (so that they can cut costs by closing their local establishments; which they have, and are progressing on as we speak), as are their retail partners pushing wireless transaction (to increase transaction rate in the hope that the consumer is more inclined to spend).
Now I consider myself a very capable person when it comes to basic -- and to some degree advanced -- security. I try to keep up to snuff with the latest news in regards to, as well as daily living of what I've learned. How can you ask Joe Sixpack to share the responsibility? Or the elderly for that matter? My parents for example. They're around their 60s, didn't grow up with computers, and barely know how to use a search engine, barely know how to drag and drop a file, and barely know what a URL is. Imagine how difficult it has been for me to inform my parents on the do's and don'ts of online banking. I'm basically their IT guy. I keep their system clean, and I weekly help them with their stumbling blocks. If they didn't had me; good luck to the banks expecting them to be responsible.

Besides that, the financial penalty is plain childish indeed. Has anyone ever enjoyed the process of going through the grinding mill with a bank at the other end of the line, in the instance you're the victim of fraud? 'Of course people enjoy that. That's why you need a financial penalty in place to keep the commoner on its toes.'

Annita Stephanou

You mean to tell me you don't enjoy that?! I loved it both times! And I wasn't stressed at all that someone across the world used my card!
The bank sends my dad a debit card every time the previous expires and every time he cuts it in two. Good luck convincing this guy to go online banking, touch less payments or whatever new way of payment you can come with, lol

jasok2

I saw this and thought people may like to read it as its NFC relevant

http://www.pcauthority.com.au/News/417126,cash-and-credit-cards-will-disappear-by-2030.aspx

MarkGabb

bumping an old topic but worth it

i agree with @Lokki older comments.
i myself have never actually seen a confirmed case of rfid skimmed data being used to preform a transaction
not personaly...

every single story i hear is prefaced with
"i know someone who"