Contactless cards (RFID)
#16
Forum Regular


Joined: Jan 2016
Posts: 58

Whilst I understand your concerns Dave just to put a bit of context here. This is another Which report about contactless cards
http://www.which.co.uk/money/banking/banking-security-and-new-ways-to-pay/guides/new-ways-to-pay/contactless-cards
Regards someone being able to scan your card without you knowing they would have to be pretty close. Usually within 5cm but occasionally up to 15cm (less than 1% of the time). In their tests in your link the cards had to actually touch the scanner to work.
Which advice on 'secret scanning' is this:
Our researchers tested wrapping a card in tin foil - and this prevented it from being read, even when we rubbed it against the reader.
While we don’t think this is essential, we believe that lining your wallet with foil should protect your card details.
I agree with Which I don't think it essential or necessary, I've been using contactless without issue since it was introduced but each to his own.
Last edited by BigD Nerja; Dec 14th 2016 at 10:19 am.
#17
Contactless cards are not RFID.. but NFC cards.
RFID is what is used in stores to combat shoplifting (in clothing for example).
Most good banks will (even though they issue these cards automatically because it's a growing technology) allow you to enable/disable the function either by filling in a form at your local branch or via your online banking account.
#18
BE Enthusiast

Joined: Mar 2006
Posts: 828

Sounds like a pickpocket's wet dream to me.
When was the last time you were walking down the street and someone bumped into you and you instinctively checked your pocket to confirm that your wallet was still there?
Now they don't even need to make physical contact or to actually take your wallet - they just have to stand close enough with a hand-held reader to take payments from your card whilst it is still in your pocket.
Don't go out in a crowd with a contactless card in your wallet.
#19
BE Enthusiast

Joined: Mar 2006
Posts: 828

Have you read about India's economy lately?
But I suppose if you've nothing to hide you've nothing to fear.
#20
> Sounds like a pickpocket's wet dream to me.
> When was the last time you were walking down the street and someone bumped into you and you instinctively checked your pocket to confirm that your wallet was still there?
> Now they don't even need to make physical contact or to actually take your wallet - they just have to stand close enough with a hand-held reader to take payments from your card whilst it is still in your pocket.
> Don't go out in a crowd with a contactless card in your wallet.

Not quite as simple as that - when the contactless card comes into the vicinity of a reader there is a dialogue which includes an exchange of security information to verify the credentials of the card AND the reader - both need to be certified and be loaded with the correct keys - not a trivial problem to overcome. For fraud to occur there needs to be an awful lot of collusion between the card issuer, the scheme operator, the acquirers etc and all for 30 quid - the game is just not worth the candle.
#21
BE Enthusiast

Joined: Mar 2006
Posts: 828

> Not quite as simple as that - when the contactless card comes into the vicinity of a reader there is a dialogue which includes an exchange of security information to verify the credentials of the card AND the reader - both need to be certified and be loaded with the correct keys - not a trivial problem to overcome. For fraud to occur there needs to be an awful lot of collusion between the card issuer, the scheme operator, the acquirers etc and all for 30 quid - the game is just not worth the candle.

Once the technology becomes more mainstream the hardware will be reverse-engineered. Give a "certified" reader to a pickpocket and send him out into the crowd. Lots of individual 30 quids add up to a nice day's takings - far less risk than having to make physical contact with anyone.
And don't say the tech will be fool proof. All new tech is fool proof until it isn't anymore.
#22
Forum Regular

Joined: Aug 2005
Posts: 297
From: El Cotin, Chiclana

These FAQs from Visa explain it clearly. https://www.visa.co.uk/products/visa-contactless/faqs
My only concern in Spain is that there doesn't seem to be a low transaction limit set as there is in the U.K.
#23
BE Enthusiast

Joined: Mar 2006
Posts: 828

If the technology is safe and unhackable then why do they have to set a low transaction limit? <hint: because it's new technology and they just don't know>
#24
One can buy various wallets that are RFID-hack proof.
I had one of those neat hard sided ones, just bigger than a credit card, available everywhere, RFID protected. Holding about 10 cards and some folded notes, hinged.
However, beware, they are shiny! And as such can easily slide/slip out of the pocket. When I see a rubberised one, I may switch back. I didn't buy it for RFID, as for me it was a handy little thing to carry about with the basics inside.... and protected the cards from snapping.
Jon
Last edited by Jon-Bxl; Dec 14th 2016 at 9:42 pm.
#25
> Yeah and chip 'n' pin was supposed to be unhackable.
> Once the technology becomes more mainstream the hardware will be reverse-engineered. Give a "certified" reader to a pickpocket and send him out into the crowd. Lots of individual 30 quids add up to a nice day's takings - far less risk than having to make physical contact with anyone.
> And don't say the tech will be fool proof. All new tech is fool proof until it isn't anymore.

As you say - technology is never foolproof - however it can be very expensive to hack. It takes a supercomputer several years to crack the latest security keys. Not many pickpockets carry one of these in their backpack.
#26
Thread Starter
BE Forum Addict

Joined: Aug 2005
Posts: 1,617
From: Beckenham, London borough Bromley

> Not quite as simple as that - when the contactless card comes into the vicinity of a reader there is a dialogue which includes an exchange of security information to verify the credentials of the card AND the reader - both need to be certified and be loaded with the correct keys - not a trivial problem to overcome. For fraud to occur there needs to be an awful lot of collusion between the card issuer, the scheme operator, the acquirers etc and all for 30 quid - the game is just not worth the candle.

I quote from the various "Which" reports:-
A recent Which? investigation into contactless card security revealed significant security flaws when we tested 12 leading credit and debit cards. And although banks say they will refund fraudulent purchases, our previous research has found card fraud cases where refunds were delayed – or wrongly refused.
For example, in 2015 Which? was able to easily and cheaply acquire contactless-card technology and use this to remotely 'steal' key card details from a contactless card. We were then able to order items online, one of which was a £3,000 TV.
My problem is that I receive paper credit card statements infrequently and was "hacked" for several hundred pounds earlier this year. When questioned, the company was happy that the transactions were fraudulent but no further action could be taken against the fraudsters even though the articles were ordered on-line to an address in Cumbria!
Davexf
#27
BE Enthusiast

Joined: Feb 2009
Posts: 487

The UK Card Association is keen to point out that there has never been a confirmed report of money stolen from a contactless card still in the cardholder's possession in the UK.
They point out that you would have to get extremely close to read someone's card - and even then you would not get their name, address or CVV, which should protect them from anyone being able to make a purchase on the card. They add that you can't just steal money from a card - a fraudster would have to use it to pay themselves - so the money could be easily traced and returned.
They would be able to steal the card and make contactless transactions, but the system will require them to enter a PIN every so often to verify they are the legitimate cardholder, which would eventually halt them in their tracks. Even when on their spending spree, each transaction would be limited to £30. And because you are protected against fraud, unless you had been negligent, you would have any money refunded.
#28
BE Enthusiast

Joined: Mar 2006
Posts: 828

Let's not worry, we've been assured that everything is fine.
Naivety in the extreme.

> The UK Card Association is keen to point out that there has never been a confirmed report of money stolen from a contactless card still in the cardholder's possession in the UK.

They would say that though, wouldn't they?
And never a confirmed report.

> They point out that you would have to get extremely close to read someone's card

Such as brushing past people in a crowd?

> and even then you would not get their name, address or CVV, which should protect them from anyone being able to make a purchase on the card

Name, address, CVV are not required for contactless transactions.
Banks have been coming out with this crap for ever.
Why do online banks insist on multiple layers of security to access their websites?
Because the hackers are smarter than they are. Tesco Bank anyone?
Websites are always getting hacked (Yahoo, AshleyMadison), Microsoft (and others) are continually installing updates (read bug fixes) to their operating systems. In fact with MS it's got to the point where you don't get a choice about it, the OS just downloads and installs it for you without you even being aware of it.
https://www.theguardian.com/technolo...ounts-breached
https://www.theguardian.com/technolo...over-huge-hack

> And because you are protected against fraud, unless you had been negligent, you would have any money refunded.

So that's all right then. Nothing to worry about. Carry on.
#29
BE Enthusiast

Joined: Feb 2009
Posts: 487

Yep, nothing to worry about.
Show us just one case where there has been CONTACTLESS fraud and the bank has refused to reimburse.
DOESN'T EXIST!
It just ain't a problem.
And even if it is you can just cut up all your cards and just spend cash, so where's the problem?
#30
Thread Starter
BE Forum Addict

Joined: Aug 2005
Posts: 1,617
From: Beckenham, London borough Bromley
