

Contactless 'charging errors' at Marks and Spencer - makomk
http://www.bbc.co.uk/news/business-22545804

======
onemorepassword
The utter lack of control on the part of the customer, having neither an
approval step nor the ability to switch the card off, seems to me to be a
fundamental flaw in this payment method.

This system was pretty much designed to be abused.

~~~
Osmium
Time for RF-blocking wallets to become more mainstream perhaps? That gives
control back to the customer.

~~~
kaolinite
Are there any nice, good quality RF-blocking wallets? I've only found poor
quality fake-leather / synthetic fabric wallets when I've looked.

~~~
kalleboo
I got an RF-blocking card that you can put in your current wallet.

------
octatone2
So with a contactless card a thief simply has to have the card - there's no
chance a teller will check for matching signatures (not that most tellers do
this in the US, though I have noticed in Germany tellers are more likely to).
Who wanted these?

~~~
Piskvorrr
Everybody in the foodchain - well, except for the customers, but who cares
about the customers, right?

~~~
lmm
Many customers wanted them - they make payment a lot more convenient.

~~~
ronaldx
In current implementation, no.

The card readers rarely function adequately if at all. On occasions when they
do work, the screen is broken meaning the customer can't identify whether
payment has been requested, the amount requested, whether payment has been
made, how much you are being charged, or even whether you are paying the bill
of the correct till.

The cards interfere with each other and in particular with Oyster transport
card in London - people use their Oyster card frequently and therefore have
that in primary location: still have to pull out whichever other card they
want to pay with.

In practice, people don't often use contactless cards and most customers I've
observed attempting to use them express fear and wish to revert to traditional
method.

The receipt is still the final part of the transaction, which customers are
more inclined to wait for because they have no other way of confirming what
just happened.

~~~
hafabnew
This is almost entirely FUD, and 'the card readers rarely function adequately
if at all' is just plain untrue. What makes you say the readers don't work?
Personal experience?

I've seen a broken screen on a contactless reader once, however I've also seen
lots of broken Chip and Pin readers -- doesn't make the system faulty.

All contactless systems I've seen are either built-in to the same unit as the
Chip and Pin device (which has a display) -- or a separate reader, which also
has a display. Both clearly state when payment has been requested, and how
much you are being charged. The problem of '[..] or even whether you are
paying the bill of the correct till.' is rarely ever a problem at all. With
the vast, vast, vast majority of readers, it's instantly obvious which reader
you should use (because it's right in front of you!). Besides, if it's not
immediately 100% obvious which reader you should use, the cashier will point
it out to you, but again, this 'problem' is not a regression on chip and pin,
which suffers from this.

Contactless payment is a hugely popular choice of payment in central London.
Take a look at a Pret or Eat (or indeed, M&S) at lunchtime. Consumers aren't
in the least bit scared about contactless, nor do they 'express fear'.
Everyone I've spoken to about contactless has absolutely loved it. It's
unbelievably convenient for consumers and a huge win for businesses too.

Agree with the interference though, that is annoying. That said, anyone with
any sense doesn't keep their Oyster in their wallet :). Having to hold your
wallet out in your hand and place it on the sensor is just asking for someone
to grab your wallet (keep oyster in separate pocket during journey, replace
in wallet upon arrival at destination).

~~~
ronaldx
Yes, the FUD is gathered from personal experience of several non-City branches
of Pret and Caffe Nero, in particular.

------
femto
Perhaps a microwave oven can fry the input stage to the radio receiver, which
presumably has an antenna hanging off it and so is more susceptible to damage,
whilst leaving the rest of the chip intact? Anyone tried this?

~~~
lgeek
That will probably visibly damage the card (I expect the loop antenna would
get really hot) and it would disable the chip-and-pin feature as well, making
the card useless.

I've had a MIFARE card crack starting from an edge, sectioning the loop
antenna. I couldn't get it to work again even if pressing the two sides
together, and it wasn't visible unless pulling the two sides apart, so this
seems like a better approach.

~~~
femto
It would be an interesting experiment to try and do it closed loop, in an
effort to dump enough energy in to damage the radio front end, but not
overheat the rest of the circuit. Have a computer with a card reader
interrogating the chip via the near field, and cutting the power to the
microwave, via a relay, as soon as the chip stops responding?

------
jbert
Am I right in thinking that the only thing stopping NFC working at greater
distances is signal strength?

If so, presumably someone could make a targeted aerial which would allow
functioning over greater distance (like the 'pringle can wifi' approach). If I
understand correctly, you will still increase the distance with only one end
using a directional antenna.

If so, couldn't someone walk through a crowd and skim passers-by fairly
easily?

~~~
gambiting
The thing is, that NFC is NOT like RFID. That's how the cards in Korea or
Hong Kong work, and that's how early contactless cards in the US worked. RFID
is super easy to abuse, because you can just read what is on the chip and
clone the card, even from a large distance. NFC however, is active - if you
have an NFC reader, it will NOT be able to read your bank card, because you
don't have an authentication key, so your card will literally not send you the
details stored on it. I have personally tested this with commercial NFC
readers - bank cards cannot be read by them, they only work with approved,
authorized, and connected to the internet payment terminals (so they can get the
auth key from the bank). That's why it would be very difficult to skim
people's cards off the street - you most certainly can't do it without an
authorized terminal, which means that to get one you would need to register
with a bank, and give them all your details and such, which would make you very
easily traceable.

~~~
jbert
So the issue stopping NFC abuse is the policing of questioned payments?

[i.e. someone with an auth key can basically choose to charge people what they
want (by using modified aerials), it's up to the people charged to complain
sufficiently to get that auth key revoked]

I'd imagine that there might be a low bar of complaints to get a key revoked,
but perhaps a higher bar to start legal proceedings?

~~~
gambiting
The problem is, that if you just wire an aerial to a legit payment terminal
and point it at people, it will probably pick up more than a single card, in
which case, it won't charge anyone. The use case for that is extremely
limited.

------
tomdeakin
From the commentary on the news today, it seems that people inadvertently held
another card (maybe in a wallet) too close to the reader whilst trying to use
Chip and Pin with another card.

