The utter lack of control on the part of the customer, having neither an approval step nor the ability to switch the card off seems to me to be a fundamental flaw in this payment method.
This system was pretty much designed to be abused.
I don't know how serious this problem is, but since this is the first we're hearing about it it must be pretty rare, as contactless cards are much more widely used in, say, Hong Kong.
We're designing an easy method of paying for small items, not arming nuclear weapons. We'll accept 1 in 1e6 errors.
Here in Australia we have PayPass which is Mastercard. Most places have eftpos terminals (handheld pin entry things) where they just tap the card and it charges your card.
It scares me that they could charge any amount and you wouldn't know.
But a fraudulent "merchant" could still install a custom machine at a busy spot, and charge a good percentage of all passing NFC payment cards. Do this in a tourist area or near airport / other terminal, targetting foreign cards, and there's a good chance the fraud detection does not kick in before the weekend is over, and you have $20 x 50,000 "customers" x 2 days = 2 million in bank, converted immediately to bitcoin or similar and laundered before banks open on Monday.
Why, yes, I've been the receiving end of a similar scam. It was Visa Electron and PIN-less purchases, then a new opt-out feature. The math was more like 5 customers, but 10,000 euro limit. (No, I did not lose that, or even close, by being lucky.)
I have a credit card that had the contactless payment feature. It is more convenient, but the lack of 2 FA (have card, know PIN) made it really weird to use. Eventually I turned off the contactless feature (via the internet banking branch).
Millions of people use this exact system here in Hong Kong each day. It's amazingly convenient to be able to pay for train, bus, groceries, food in seconds without having to even take the card out of your wallet. People love it here.
But what happens when you have two contactless cards? The system in the article says it won't work if multiple cards are detected... but this would mean you'd have to take the card out of your wallet.
In Hong Kong you verbally ask to pay by for example Octopus (the most popular card) and it activates that option only. So I don't think double charging is possible here.
Barring wallets that block radio signals, yes - there are tons of them.
Outside those, I agree, there's quite a large possibility for issues, though this seems weird that it seems to be happening from significantly larger distances than it's designed to work under. To such an extent that I suspect some / all of these people are simply not remembering correctly - they swung their purse between hands, bringing it near the reader, or something. People are forgetful, and this is way way outside what anyone else can replicate that I've seen.
FWIW this will no longer be an issue when everything moves to the user's phone. You'll choose a default 'card' but will be able to change it to a preferred card before any transaction.
The approval step is "you hold your card within inches of the pickup". What these people were probably doing (their protestations to the contrary) was holding up a wallet. Which does work, if only one card in the wallet is contactless.
The story on the BBC site concerns people who attempted to pay with their chip card by placing it in the reader but had their contactless card charged instead, which was still in their purse/wallet. In some instances, the transaction was processed twice using both forms of payment.
The first customer was able to obtain a refund after demonstrating the problem to the store manager.
isn't it a keyfob that you press and hold up - if you don't have to press it, what's to stop a thief from simply walking through a crowd charging anyone unfortunate enough to have one of these?
isn't it then just cash that you can take without touching?
It's not a keyfob, it's built into the card itself.
The security measures are pretty good actually:
- Can't pay for things costing more than £20 via contactless (have to use chip and pin, the 'normal'/old method)
- After a certain number of continuous contactless payments, it will ask you for your PIN to verify the cardholder is still in possession of the card. This 'counter' is reset to 0 every time you pay for using Chip and PIN. E.g. if you alternate between contactless and Chip and PIN, you'll never have to enter your PIN for the contactless payment.
- If your card does get skimmed, your bank will cover you for any losses.
Skimming is possible yes, but you really have to be pretty close (the article is the exception here, not the norm). Within a few cm of the card, which it's certainly possible to skim someone's card - the person would almost certainly notice.
Actually, it's impossible to skim anyone with a regular reader. Because NFC cards are active, they need to receive a decryption key from the terminal first, before they broadcast their own data. Commercial readers are not able to read bank cards, they mostly show the card's type,and that's it, every memory bank is marked as private and cannot be read without the authorization key. So a skimmer would need to use an actual payment terminal obtained from a bank, and only such terminal would be able to read and charge money from contactless cards. But to get such a terminal,you would need to register with a bank and would be super easy to trace down.
Yes, absolutely. Read the article though - she read an RFID card, which yes, can be read by anyone,using any reader available on the marker. This is NOT how new contactless cards are implemented - new ones use NFC for active transmission, which requires a valid authorization key to release their details. With RFID she could've read anything she wanted from these cards.
So how shops do it? What is the thing that makes it possible for a shop to charge you for grocery while making it impossible for someone to skim you on the bus with a shop terminal?
Shops have proper authorized terminals, that have authentication keys. The terminal sends the key to the card, then the chip on the card replies with its own details.
You cannot read bank cards with commercial NFC readers that you can just buy.
If you manage to get a proper shop terminal(which are only given to proper registered businesses) then yes, you could theoretically skim peoples' cards in a bus or any other public place. The only problem with that is, that you can only charge at most 15 quid, and you cannot get the card details back, so you can't use it for internet payments. And because the bank has your details they can very very quickly track the payments back to you and stop you from stealing money(and not even pay out any money to your account).
So yes, the trouble is completely not worth it, which is why probably no one will do that.
So with a contactless card a thief simply has to have the card - there's no chance a teller will check for matching signatures (not that most tellers do this in the US, though I have noticed in Germany tellers are more likely to). Who wanted these?
The card readers rarely function adequately if at all.
On occasions when they do work, the screen is broken meaning the customer can't identify whether payment has been requested, the amount requested, whether payment has been made, how much you are being charged, or even whether you are paying the bill of the correct till.
The cards interfere with each other and in particular with Oyster transport card in London - people use their Oyster card frequently and therefore have that in primary location: still have to pull out whichever other card they want to pay with.
In practice, people don't often use contactless cards and most customers I've observed attempting to use them express fear and wish to revert to traditional method.
The receipt is still the final part of the transaction, which customers are more inclined to wait for because they have no other way of confirming what just happened.
This is almost entirely FUD, and 'the card readers rarely function adequately if at all' is just plain untrue. What makes you say the readers don't work? Personal experience?
I've seen a broken screen on a contactless reader once, however I've also seen lots of broken Chip and Pin readers -- doesn't make the system faulty.
All contactless systems I've seen are either built-in to the same unit as the Chip and Pin device (which has a display) -- or a separate reader, which also has a display. Both clearly state when payment has been requested, and how much you are being charged. The problem of '[..] or even whether you are paying the bill of the correct till.' is rarely ever a problem at all. With the vast, vast, vast majority of readers, it's instantly obvious which reader you should use (because it's right in front of you!).
Besides, if it's not immediately 100% obvious which reader you should use, the cashier will point it out to you, but again, this 'problem' is not a regression on chip and pin, which suffers from this.
Contactless payment is a hugely popular choice of payment in central London. Take a look at a Pret or Eat (or indeed, M&S) at lunchtime. Consumers aren't in the least bit scared about contactless, nor do they 'express fear'. Everyone I've spoken to about contactless has absolutely loved it. It's unbelievably convenient for consumers and a huge win for businesses too.
Agree with the interference though, that is annoying. That said, anyone with any sense doesn't keep their Oyster in their wallet :). Having to hold your wallet out in your hand and place it on the sensor is just asking for someone to grab your wallet (keep oyster in separate pocket during journey, replace during wallet upon arrival at destination).
That's BS. I use my contactless cards wherever I can. The only people that ever had a problem with it are some store managers, who didn't even know that they had a contactless terminal and were completely baffled with what I just did. Also, UK does not have enough of them, I wish they had contactless terminals in every shop, like they do in my own country.
And you are completely wrong to say that the customers don't know if the transaction was approved or not - the terminal definitely shows "Transaction Approved" when using a contacless card.
That's UK though, where large stores like Greggs install new terminals without educating the cashiers, so they don't even know they have them. In my country(Poland) you get contactless terminals everywhere, I actually had people notice that I have a PayWave card and tell me that I can use the contactless terminal instead. But I am sure that the awareness will increase.
Perhaps a microwave oven can fry the input stage to the radio receiver, which presumably has an antenna hanging off it and so is more susceptible to damage, whilst leaving the rest of the chip intact? Anyone tried this?
That will probably visibly damage the card (I expect the loop antenna would get really hot) and it would disable the chip-and-pin feature as well, making the card useless.
I've had a MIFARE card crack starting from an edge, sectioning the loop antenna. I couldn't get it to work again even if pressing the two sides together, and it wasn't visible unless pulling the two sides apart, so this seems like a better approach.
It would be an interesting experiment to try and do it closed loop, in an effort to dump enough energy in to damage the radio front end, but not overheat the rest of the circuit. Have a computer with a card reader interrogating the chip via the near field, and cutting the power to the microwave, via a relay, as soon as the chip stops responding?
You only need to put it in for a couple of seconds to fry it. Many cards do not respond well to this https://www.youtube.com/watch?v=bBk8yZcyt5g A better way is to find the chips (either look for the raised part, or shine a high-powered flashlight through to look for it). Then you can crack it with a hammer, or peel a tiny piece of the card off and take it out.
Am I right in thinking that the only thing stopping NFC working at greater distances is signal strength?
If so, presumably someone could make a targetted aerial which would allow functioning over greater distance (like the 'pringle can wifi' approach). If I understand correctly, you will still increase the distance with only one end using a directional antennae.
If so, couldn't someone walk through a crowd and skim passers-by fairly easily?
The thing is, that NFC is NOT like RFID. That's how the cards in Korea or Hong-Kong work, and that's how early contactless cards in the US worked. RFID is super easy to abuse, because you can just read what is on the chip and clone the card, even from a large distance. NFC however, is active - if you have an NFC reader, it will NOT be able to read your bank card, because you don't have an authentication key, so your card will literally not send you the details stored on it. I have personally tested this with commercial NFC readers - bank cards cannot be read by them, they only work with approved, authorized,and connected to the internet payment terminals(so they can get the auth key from the bank). That's why it would be very difficult to skim peoples' cards off the street - you most certainly can't do it without an authorized terminal, which means that to get one you would need to register with a bank,and give them all your details and such, which would make you very easily traceable.
So the issue stopping NFC abuse is the policing of questioned payments?
[i.e. someone with a auth key can basically choose to charge people what they want (by using modified aerials), it's up the the people charged to complain sufficiently to get that auth key revoked]
I'd imagine that there might be a low bar of complaints to get a key revoked, but perhaps a higher bar to start legal proceedings?
The problem is, that if you just wire an aerial to a legit payment terminal and point it at people, it will probably pick up more than a single card, in which case, it won't charge anyone. The use case for that is extremely limited.
Read how that application works!!!!
This is not stealing cards - this is literally capturing signal from the terminal and sending it to a card elsewhere, so the card is still authorized with proper key.
And that means that you are NOT getting the card details for yourself, and that you still need access to a registered and authorized payment terminal.
From the commentary on the news today, it seems that people inadvertently held another card (maybe in a wallet) too close to the reader whilst trying to use Chip and Pin with another card.
This system was pretty much designed to be abused.