Contactless cards fail to recognise foreign currency - eksith
http://www.ncl.ac.uk/press.office/press.release/item/contactless-cards-fail-to-recognise-foreign-currency

======
Someone1234
Contactless card transactions always struck me as bonkers. By the very nature
of the system, there is nothing stopping an individual walking down the street
and stealing whatever the cap is out of everyone's card.

You then immediately use this "money" to buy gift cards, which you then sell
on, turning the dirty money into clean money. By the time they have traced
back the money to the gift card, you're long gone (you can also cross
international borders a couple of times to make things difficult/slow).

The fact banks shut down the Mythbusters' investigation into just how insecure
contactless cards are really tells you everything you need to know. They know
full well they are completely insecure, and they want to keep it hush hush.

Now contactless phone transactions are secure, but contactless phone
transactions require action from the user to confirm the transaction. If the
plastic cards had you press a button to activate contactless-mode they would
be fine too, but they don't...

NFC is great technology that has a lot of uses. This is just a mis-use.

~~~
smackfu
The limited scan range is the main security. 2-6 cm is what I see quoted.

~~~
Someone1234
Hmmm:
[http://www.bbc.com/news/technology-24743920](http://www.bbc.com/news/technology-24743920)

~~~
jp555
That is eavesdropping a transaction, not soliciting one. Plus every NFC
transaction generates a new token. Even if you record it as the transaction
takes place, that information cannot be used again.

------
sjwright
This doesn't make sense. Why would any transaction occur in a foreign
currency? If I use my Australian credit card to purchase a cup of coffee in
the UK, the transaction occurs in pounds, not Australian dollars.

The terminal never sees "foreign currency". It is the responsibility of
Visa/MasterCard to perform currency conversion.

~~~
cmsj
This isn't about the terminal.

Your card, which sees itself as a payer of AUD, gets a request for a
transaction in GBP. This research suggests it will authorize the transaction
even if it is above whatever normal local limit you have on AUD transactions.

Whether that's actually true or not, is unknown at this stage - this was a
test on a UK contactless card, so maybe we have a slightly different
arrangement than your Australian contactless card would.

It's also fairly unlikely that the payment processors would accept a
transaction higher than the contactless cap, just because it's in a foreign
currency.

It's also entirely possible that they don't bother enforcing a limit because
the UK banks involved won't accept _any_ foreign currency contactless
transactions. I've never tried to use my UK contactless cards abroad.

------
lxgr
The research paper seems to grossly oversimplify the matter of "cashing in"
the fraudulent transactions.

While the authors claim to "appreciate that banks will have a number of
security systems in place to prevent fraud", they seem to neglect that those
systems should effectively render the attack impossible:

- There are limits for CVM-less transactions; not only in the application
running on the chip, but also for terminals. I think that there is one limit
above which a CVM (e.g. PIN or signature) is required, and another limit for
offline authorizations. CVM-less high-value transactions would not only be
suspicious, but even non-compliant for most card schemes.

- It is not trivial to apply for a merchant account, and I guess that a new
account would not be allowed to immediately withdraw recently acquired funds.
(If it were that simple, magnetic stripe card skimmers could simply apply for
a merchant account and avoid all the hassle with PIN skimming, finding
vulnerable merchants or ATMs etc.)

- A merchant with a higher than average rate of transactions challenged by
cardholders will surely be scrutinized even more closely.

All in all, the implemented failure mode of offline-authorizing all
transactions in unknown currencies seems like a really bad idea and should be
improved. The rest of the paper seems like speculation, though.

(Compare e.g. to Steven J Murdoch's work ("Chip and PIN is broken" etc.),
where the claims have been verified with an actual payment terminal.)

------
mcv
First time I heard about contactless transactions I wondered if people never
learned. Apparently they don't.

Allowing anyone to take my money without my explicit approval, even if it's
only up to 20 pounds at a time, is simply begging to be abused. I don't
understand how anyone could possibly have thought this was a good idea.

------
Guvante
How is the card supposed to know the limit in a foreign currency?

The real question is whether the banks will accept the transaction.

~~~
mey
It could simply deny transaction requests in foreign currency.

~~~
tormeh
That doesn't sound like something the EU would be glad to hear...

~~~
dwild
Set a limit for each currency and if it's not on that list, deny it.

~~~
Guvante
What about currencies that fluctuate? The rate can change a lot in the several
years a card is in consumer hands.
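Added illustration, not the paper's code nor any real card's EMV parameters, modelling the card-side decision the thread argues about: the reported weakness of offline-approving any amount in a currency the card has no limit for, beside a policy that declines unknown currencies and also caps cumulative offline spend and consecutive offline taps so repeated sub-limit taps eventually have to go online. The currency codes are real ISO 4217 numbers; the `Card` class, limits and counters are constructed and simplified.

```python
"""Simplified card-side contactless risk model (constructed illustration)."""
from dataclasses import dataclass, field

# ISO 4217 numeric currency codes (real); all amounts below are in minor
# units (pence, cents) and are illustrative, not any issuer's parameters.
GBP, EUR, AUD = "826", "978", "036"


@dataclass
class Card:
    per_tap_limit: dict                      # currency -> max CVM-less amount
    cumulative_limit: dict                   # currency -> max offline total
    max_consecutive_offline: int = 5         # taps before forcing online
    approve_unknown_currency_offline: bool = False   # the reported weakness
    spent_offline: dict = field(default_factory=dict)
    consecutive_offline: int = 0

    def decide(self, amount: int, currency: str) -> str:
        """Return 'approve_offline', 'go_online' or 'decline'."""
        tap_limit = self.per_tap_limit.get(currency)
        if tap_limit is None:
            if self.approve_unknown_currency_offline:
                # Weak behaviour: no limit on file is treated as no limit at
                # all, and nothing is accumulated because there is no bucket.
                return "approve_offline"
            # Hardened behaviour: an amount the card cannot bound is never
            # decided offline; this model simply refuses it.
            return "decline"
        if amount > tap_limit:
            return "go_online"              # issuer must see it and ask for a CVM
        total = self.spent_offline.get(currency, 0) + amount
        if (total > self.cumulative_limit[currency]
                or self.consecutive_offline >= self.max_consecutive_offline):
            # Assume the online authorisation succeeds and resets the counters.
            self.spent_offline[currency] = 0
            self.consecutive_offline = 0
            return "go_online"
        self.spent_offline[currency] = total
        self.consecutive_offline += 1
        return "approve_offline"


def weak_card() -> Card:
    """Card configured the way the research describes: GBP limit only."""
    return Card({GBP: 2000}, {GBP: 6000}, approve_unknown_currency_offline=True)


def fixed_card() -> Card:
    """Card with explicit per-currency limits; anything else is declined."""
    return Card({GBP: 2000, EUR: 2500}, {GBP: 6000, EUR: 7500})
```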

