Use contactless cards?

Blogg

LE
You aren't correct. I work for a leading retailer in an I.T. capacity and one of my responsibilities is chip and pin pads in our stores. We are still accepting contactless payments and will continue to do so.
And the POS units do indeed still work.

But if the card scheme drops the contactless floor limit to zero and the POS unit cannot authorise because it has lost comms?
 
I refuse to have contactless; the bank I use (Nationwide) has a non-contactless option and I've 'secured' my credit card (Barclays - they don't have a non-contactless option) by using a 0.3mm PCB drill to cut the antenna, filling the hole with suitably coloured epoxy.
Yes, I know you can get the sleeves / shields to go in your wallet, but that doesn't stop it being used if your wallet is stolen.
I also have a tinfoil Google hat..... :cool:
So when you poke your card in the card reader terminal you're happy for them to read your card number, full name, account number and sort code, and for your three-digit security number on the back to be covertly noted?
 

OneTenner

Old-Salt
You know how close you have to put your card to the contactless reader in a shop. Now imagine how close some random bloke would have to get to you before he could skim your card.

"The truth about cloning/contactless skimming

One common concern around contactless relates to the possibility of fraudsters using mobile payment terminals to “skim” the details from your card. In reality, this is extremely unlikely.

Firstly, initiating a transaction while a card is in someone’s wallet is very difficult in practice – particularly since a fraudster would need to know precisely where you keep your card, and stand extremely close to you.

Secondly, any money that is taken from a card needs to go somewhere. Visa payments can only be processed by terminals that are registered and audited for security compliance. To obtain an authorised merchant account, a fraudster would need to take several steps that include registering with a bank or payment processor, providing their personal information, and meeting other Know Your Customer (KYC) requirements. Even if they did all of this, it would be possible to trace the stolen money back to the recipient.

At Visa, we are not aware of a case where a contactless card has been cloned to create a physical counterfeit copy of a card – the details that can be “skimmed” simply aren’t sufficient to enable this. "

You're assuming the card reader is an 'approved' model, as used in retailers. I read in some techy online stuff earlier this year that 'in Europe' (so could be Italy, where this type of fraud is prevalent) the card readers were being modified to increase the ERP so that they could skim the cards from a greater distance - we're talking centimetres rather than millimetres - the cards themselves are passive and require an EMF to power them up (and can be disabled by cutting the antenna). As another poster mentioned, this type of fraud is 'almost non-existent'; well, to the banks maybe it is a small amount of the number of cards they issue, but if the 'almost non-existent' fraud affected me, then I'm afraid I wouldn't care about all those that hadn't been defrauded by this vector, only about the very large percentage of cards issued to me affected by it.
I think that is part of the problem with banks, they can hike up overdraft rates, fail to secure cash machine networks or upgrade them from Win XP, turn the onus of proof from presumed innocent to prove you are innocent (in bank fraud cases) purely because it 'only affects a small percentage of customers' or is 'almost non-existent', without recognising or caring how customers are impacted by their decisions or (in)actions - and not just financially but also emotionally and just in the sheer amount of time 'the customer' has to devote to getting their financials back on track whilst still insisting on them having to jump through the security theatre hoops 'for your security' without taking any liability unless it is forced upon them by legislation or court action.
I'm not speaking from personal experience, although I have had close friends impacted by bank fraud (some might say that bank fraud can be from within the bank, not just from third parties...).
 

OneTenner

Old-Salt
So when you poke your card in the card reader terminal you're happy for them to read your card number, full name, account number and sort code, and for your three-digit security number on the back to be covertly noted?
That's a risk assessment I have to make. If I'm in Sainsburys or Costco, I'm reasonably happy that that data isn't visible to most, if any, employees - and is the 'cost' of having the convenience of a debit / credit card. If I was going to shop at 'Questionable Co's. pop-up shop to get some bargains, I'd most likely go to a cashpoint first, using the cash in the shop.
It may reduce the convenience of having 'plastic', but I feel it reduces my attack surface somewhat, whether that's real or imagined, only time will tell.
 

endure

GCM
You're assuming the card reader is an 'approved' model, as used in retailers. I read in some techy online stuff earlier this year that 'in Europe' (so could be Italy, where this type of fraud is prevalent) the card readers were being modified to increase the ERP so that they could skim the cards from a greater distance - we're talking centimetres rather than millimetres - the cards themselves are passive and require an EMF to power them up (and can be disabled by cutting the antenna).

In order to skim your card they've still got to have an account approved by Visa/Mastercard etc to skim the money into with the full audit trail that that involves.
 
That's a risk assessment I have to make. If I'm in Sainsburys or Costco, I'm reasonably happy that that data isn't visible to most, if any, employees - and is the 'cost' of having the convenience of a debit / credit card. If I was going to shop at 'Questionable Co's. pop-up shop to get some bargains, I'd most likely go to a cashpoint first, using the cash in the shop.
It may reduce the convenience of having 'plastic', but I feel it reduces my attack surface somewhat, whether that's real or imagined, only time will tell.
Your phone is the most secure, as very little detail is exchanged, your card isn't exposed at all, and your fingerprint is authorisation.
 
That's a risk assessment I have to make. If I'm in Sainsburys or Costco, I'm reasonably happy that that data isn't visible to most, if any, employees - and is the 'cost' of having the convenience of a debit / credit card. If I was going to shop at 'Questionable Co's. pop-up shop to get some bargains, I'd most likely go to a cashpoint first, using the cash in the shop.
It may reduce the convenience of having 'plastic', but I feel it reduces my attack surface somewhat, whether that's real or imagined, only time will tell.

Stuff the banks, cash is the only way to go.
 

OneTenner

Old-Salt

OneTenner

Old-Salt
In order to skim your card they've still got to have an account approved by Visa/Mastercard etc to skim the money into with the full audit trail that that involves.
I can go into Costco and get a card reader & account within minutes; I'm sure all the miscreants would do the same in Costco in South America, and they might even consider shipping the readers over to somewhere more lucrative too. As with all fraud, it's only the greedy ones that get stopped; they might even use 'mules' to set up the accounts, same as they did for card skimming back in the day.
 
I refuse to have contactless; the bank I use (Nationwide) has a non-contactless option and I've 'secured' my credit card (Barclays - they don't have a non-contactless option) by using a 0.3mm PCB drill to cut the antenna, filling the hole with suitably coloured epoxy.
Yes, I know you can get the sleeves / shields to go in your wallet, but that doesn't stop it being used if your wallet is stolen.
I also have a tinfoil Google hat..... :cool:
I'm with you in spirit. We do not have as much contactless yet in't YooEssAy.

When I did my BSc dissertation I was looking at chip and pin about 10 years before it was adopted in the UK and was all for it as a security measure. Later the Mrs was involved on the periphery of its introduction when she was at A&L. The bloke who led the project for A&L refused to use chip and pin because so many of the larger stores have cameras over the tills and a nosey security person can see your pin go in if they are minded. Then there is some sort of gateway link in the larger stores which carries the rest of your information over to the card company. A well organised team can have one sat watching for pins whilst card data is being harvested during transmission to the card provider.

We had chip and pin introduced in the USA a few years ago. Marvellous, you'd think. Sadly, no. No one requires a pin to be input. You just shove your card in the slot, it reads it and you move on, no pin required, so no safer than previously.

As for all this contactless RFID stuff, my lad, who is not interested in hacking.........honest guv, tells me tales of goings on. At a recent Black Hat event in Vegas FBI and NSA officials had their security passes read by one of the hackers who was wandering around with his gear in a daypack. He then embarrassed the Feds by presenting their data as part of his presentation. Apparently the chap is regularly employed to PenTest facilities and the easiest way he has of gaining access is by reading cards just standing on the corner where people pass, or by walking up to people to stop them and then asking them directions.

Easy if you know how.

I also have a tinfoil Google hat..... :cool:
Put some foil in your wallet too.
 

NSP

LE
Same with Norway.
Last time I was over there I was told that there'd be a surcharge if I wanted to pay for the taxi with cash. Card is king.
 
As for all this contactless RFID stuff, my lad, who is not interested in hacking.........honest guv, tells me tales of goings on. At a recent Black Hat event in Vegas FBI and NSA officials had their security passes read by one of the hackers who was wandering around with his gear in a daypack. He then embarrassed the Feds by presenting their data as part of his presentation. Apparently the chap is regularly employed to PenTest facilities and the easiest way he has of gaining access is by reading cards just standing on the corner where people pass, or by walking up to people to stop them and then asking them directions.

Easy if you know how.



Put some foil in your wallet too.
Security passes and passports use a different form of RFID to debit/credit cards, which don't give up their information on demand; they require one-off security codes issued by the bank.
 

endure

GCM
I'm with you in spirit. We do not have as much contactless yet in't YooEssAy.

When I did my BSc dissertation I was looking at chip and pin about 10 years before it was adopted in the UK and was all for it as a security measure. Later the Mrs was involved on the periphery of its introduction when she was at A&L. The bloke who led the project for A&L refused to use chip and pin because so many of the larger stores have cameras over the tills and a nosey security person can see your pin go in if they are minded. Then there is some sort of gateway link in the larger stores which carries the rest of your information over to the card company. A well organised team can have one sat watching for pins whilst card data is being harvested during transmission to the card provider.
One of the oil majors had quite a problem in the UK until they started taking security a bit more seriously. The chip and pin machines were mounted onto a pole where it was easy to hide extra wiring.

Connecting the C&P machine to a hard drive under the counter and installing a pinhole camera in the ceiling meant that card data and pin numbers could both be read.
 

endure

GCM
I can go into Costco and get a card reader & account within minutes; I'm sure all the miscreants would do the same in Costco in South America, and they might even consider shipping the readers over to somewhere more lucrative too. As with all fraud, it's only the greedy ones that get stopped; they might even use 'mules' to set up the accounts, same as they did for card skimming back in the day.

The card reader will be serial numbered and registered to Costco. If you then try and use your alternative high power card reader it won't work.
 

OneTenner

Old-Salt
The card reader will be serial numbered and registered to Costco. If you then try and use your alternative high power card reader it won't work.
I accept that; it doesn't, however, stop a legit unit being 'upgraded'.
Equifax, whilst not a financial institution themselves, do work on the inside of the finance industry and have this to say....

You can minimise the chances of becoming a victim of contactless fraud by following these steps:


  • Don't keep your cards in easily accessible pockets or bags which will draw pickpockets' attention
  • Line your wallet or cardholder with tin foil to block scamming devices from reading your card. If you don't fancy the DIY approach, there are products like RFID readers available which do the same thing
My Bold, I assume this is a typo and should be 'blocker' or similar
taken from How to avoid contactless card fraud | Equifax UK

Interestingly, on the subject of the £30 limit, they have this to say:

However, there's also been recent research that shows that the £30 maximum spend on contactless cards can be bypassed. Researchers have found that the flaws in the payments system for some contactless cards could potentially allow criminals to steal hundreds of pounds in a single transaction.

The hack the researchers used to “break” the £30 limit uses a device which intercepts the signals between the card and the card reader. It then simultaneously ‘tells' the card that no verification is needed and the card reader that verification has been provided.

Another purported method that fraudsters use is to actually process payments by standing near someone on a train or in another crowded public place and reading their contactless card through their clothes. However, according to Which?, there's little evidence that this type of fraud is common.

Little evidence that this type of fraud is common != does not happen
 
I accept that; it doesn't, however, stop a legit unit being 'upgraded'.
Equifax, whilst not a financial institution themselves, do work on the inside of the finance industry and have this to say....

You can minimise the chances of becoming a victim of contactless fraud by following these steps:


  • Don't keep your cards in easily accessible pockets or bags which will draw pickpockets' attention
  • Line your wallet or cardholder with tin foil to block scamming devices from reading your card. If you don't fancy the DIY approach, there are products like RFID readers available which do the same thing
My Bold, I assume this is a typo and should be 'blocker' or similar
taken from How to avoid contactless card fraud | Equifax UK

Interestingly, on the subject of the £30 limit, they have this to say:

However, there's also been recent research that shows that the £30 maximum spend on contactless cards can be bypassed. Researchers have found that the flaws in the payments system for some contactless cards could potentially allow criminals to steal hundreds of pounds in a single transaction.

The hack the researchers used to “break” the £30 limit uses a device which intercepts the signals between the card and the card reader. It then simultaneously ‘tells' the card that no verification is needed and the card reader that verification has been provided.

Another purported method that fraudsters use is to actually process payments by standing near someone on a train or in another crowded public place and reading their contactless card through their clothes. However, according to Which?, there's little evidence that this type of fraud is common.

Little evidence that this type of fraud is common != does not happen
Back before end to end encryption we used to find all sorts of "gizmos" that sneaky sods would connect up to our chip and pin pads while distracting shop assistants. This has largely stopped now due to end to end strong encryption but we still get attempts at putting keyboard overlays onto pads to intercept data and key presses to get the pin etc.

The smarter the chip and pin pad designers and manufacturers get, the smarter the thieves become, and it's a never-ending battle quite frankly, as there are very rich rewards obtainable with very little financial outlay.
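Two points made earlier in the thread are worth seeing in working code: that contactless cards "require one-off security codes issued by the bank" rather than giving up replayable data, and the quoted Equifax description of a device that tells the card no verification is needed while telling the reader that verification has been provided. The Python below is an added example and is not from this thread or from any poster, Visa, Equifax or Which?. It is a constructed toy, not real EMV: HMAC-SHA256 with a per-card secret shared with the issuer stands in for the card's application cryptogram (ARQC), the transaction counter (ATC) and "CVM" (EMV's term for cardholder verification, i.e. PIN or biometric) are modelled as plain fields, and the PAN, key and unpredictable numbers are made-up test values.

```python
import hmac
import hashlib

# Constructed toy model of EMV-style online authorisation. It is NOT real EMV:
# HMAC-SHA256 with a shared per-card secret stands in for the card's
# application cryptogram (ARQC), and the field set is heavily simplified.
CONTACTLESS_LIMIT_PENCE = 3000               # the £30 limit discussed in the thread
TOY_PAN = "4111111111111111"                 # constructed test PAN
TOY_CARD_KEY = b"constructed-toy-card-key"   # assumption: shared by card and issuer


def compute_cryptogram(key, pan, atc, amount_pence, unpredictable_number, cvm_performed):
    """MAC over the data the card commits to, including whether the card itself
    saw cardholder verification (CVM) performed for this transaction."""
    msg = f"{pan}|{atc}|{amount_pence}|{unpredictable_number.hex()}|{int(cvm_performed)}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """The chip: holds the key and a monotonically increasing transaction
    counter (ATC), and returns a fresh cryptogram for every tap."""

    def __init__(self, pan, key):
        self.pan = pan
        self.key = key
        self.atc = 0

    def generate_ac(self, amount_pence, unpredictable_number, cvm_performed):
        self.atc += 1
        return {
            "pan": self.pan,
            "atc": self.atc,
            "amount_pence": amount_pence,
            "un": unpredictable_number,
            "cvm_performed": cvm_performed,
            "arqc": compute_cryptogram(self.key, self.pan, self.atc, amount_pence,
                                       unpredictable_number, cvm_performed),
        }


class Issuer:
    """The bank host: verifies the cryptogram, rejects stale ATCs (replays) and
    cross-checks the terminal's CVM claim against what the card signed."""

    def __init__(self, card_keys):
        self.card_keys = card_keys
        self.last_atc = {}

    def authorise(self, msg, terminal_claims_cvm):
        key = self.card_keys.get(msg["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = compute_cryptogram(key, msg["pan"], msg["atc"], msg["amount_pence"],
                                      msg["un"], msg["cvm_performed"])
        if not hmac.compare_digest(expected, msg["arqc"]):
            return "DECLINE: bad cryptogram"        # forged, or modified in transit
        if msg["atc"] <= self.last_atc.get(msg["pan"], 0):
            return "DECLINE: replayed ATC"          # a captured tap sent again
        if terminal_claims_cvm and not msg["cvm_performed"]:
            return "DECLINE: CVM mismatch"          # terminal says verified, card says not
        if msg["amount_pence"] > CONTACTLESS_LIMIT_PENCE and not msg["cvm_performed"]:
            return "DECLINE: over limit without CVM"
        self.last_atc[msg["pan"]] = msg["atc"]
        return "APPROVE"


def run_scenarios():
    """Walk through the cases raised in the thread and return each outcome."""
    issuer = Issuer({TOY_PAN: TOY_CARD_KEY})
    card = Card(TOY_PAN, TOY_CARD_KEY)
    results = {}

    # 1. Ordinary £10 tap: no CVM needed, cryptogram and counter are fresh.
    tap = card.generate_ac(1000, bytes.fromhex("0a0b0c0d"), cvm_performed=False)
    results["legit_tap"] = issuer.authorise(tap, terminal_claims_cvm=False)

    # 2. The identical message presented again (a captured tap, replayed).
    results["replay"] = issuer.authorise(tap, terminal_claims_cvm=False)

    # 3. Skimmed static data only: PAN known, key not, so the cryptogram is a guess.
    forged = dict(tap, atc=tap["atc"] + 1, arqc=bytes(8))
    results["forged"] = issuer.authorise(forged, terminal_claims_cvm=False)

    # 4. £50 where the card was told no verification was needed while the
    #    terminal was told verification had been provided (the quoted research).
    relayed = card.generate_ac(5000, bytes.fromhex("11223344"), cvm_performed=False)
    results["cvm_mismatch"] = issuer.authorise(relayed, terminal_claims_cvm=True)

    # 5. Same £50, but the signed CVM flag is altered in transit to match the claim.
    flipped = dict(relayed, cvm_performed=True)
    results["flipped_flag"] = issuer.authorise(flipped, terminal_claims_cvm=True)

    # 6. Honest £50 where the card really did see a PIN/biometric.
    verified = card.generate_ac(5000, bytes.fromhex("55667788"), cvm_performed=True)
    results["high_with_cvm"] = issuer.authorise(verified, terminal_claims_cvm=True)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:15} {outcome}")
```

The point of scenarios 2 and 3 is the one made about "one-off security codes": anything read off the card in passing is useless without the key, and a recorded tap dies on the counter. Scenario 4 shows why the relay in the Equifax quote only works if the issuer trusts the terminal's word about verification instead of the card's own signed statement of it; scenario 5 shows that editing that statement in transit breaks the cryptogram. The real-world lesson for anyone on the issuing side is the same as in the toy: authorise on what the card signed, not on what the reader claims.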
 
And the POS units do indeed still work.

But if the card scheme drops the contactless floor limit to zero and the POS unit cannot authorise because it has lost comms?
If the card scheme drops the contactless floor limit to zero AND the pad cannot connect to the clearing agency to authorise the transaction, then indeed, yes, no transaction: it is declined until the retailer telephones the clearing agency for an authorisation number.
 

Blogg

LE
If the card scheme drops the contactless floor limit to zero AND the pad cannot connect to the clearing agency to authorise the transaction, then indeed, yes, no transaction: it is declined until the retailer telephones the clearing agency for an authorisation number.
And this is why it's happened:


It's gone from "almost all" to "all"
 
One of the oil majors had quite a problem in the UK until they started taking security a bit more seriously. The chip and pin machines were mounted onto a pole where it was easy to hide extra wiring.

Connecting the C&P machine to a hard drive under the counter and installing a pinhole camera in the ceiling meant that card data and pin numbers could both be read.
The Mrs used to show me an occasional report distributed by the bank. There were a few cashpoint machines that had totally fake flush-fitting fronts made by a particularly ingenious gang of Romanians, or Bulgarians. The thing just simply laid onto the front of a cashpoint machine; it looked like part of the machine, still allowing viewing of the screen and access to all keys. It had a skimmer and a camera built into it.
 
One of the oil majors had quite a problem in the UK until they started taking security a bit more seriously. The chip and pin machines were mounted onto a pole where it was easy to hide extra wiring.

Connecting the C&P machine to a hard drive under the counter and installing a pinhole camera in the ceiling meant that card data and pin numbers could both be read.
A quick one on oil majors: years ago one of them tested a box connected to the petrol pump that you put a fiver into - it was intended for overnight out-of-hours use when the petrol station would ordinarily be unmanned and closed. It scanned the fiver to determine it was real, then sucked it away and allowed you to pump a fiver's worth of 4 star. The daily crime bulletin in the nick highlighted that the owner of the petrol station had reported the theft of around a hundred quid's worth of petrol. Apparently when he opened the box in the morning he found a bundle of photocopied fivers. Funnily, that evening a lot of the single blokes from the section house (that's the accommodation block, to those who don't know) were queued up waiting to fill up their cars at said petrol station. A few days later the scanning boxes were removed, as word had gone round big time as to the flaw in the tech.
 
