Slashdot Mirror


Privacy Pitfalls in No-Swipe Credit Cards

Nrbelex writes to mention a New York Times article about the privacy pitfalls of 'no-swipe' credit cards. Despite assurances from the card companies, researchers Tom Heydt-Benjamin and Kevin Fu were able to easily retrieve data from the new cards ... data available without encryption and in plain text. From the article: "They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150. They say they could probably make another one even smaller and cheaper: about the size of a pack of gum for less than $50. And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. 'Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?' Mr. Heydt-Benjamin, a graduate student, asked."

5 of 261 comments

  1. Re:Oyster Cards on the London Underground by CowboyBob500 · Score: 5, Informative

    Take anything on that Spy Blog with a very large sack of salt. They wrote about one of the projects I was involved in a few years back, and it was just about the most complete load of uninformed bollocks I've ever read.

    Bob

  2. How they think about fraud by truthsearch · Score: 5, Informative

    As a former employee of one of the credit card companies, I'd like to explain a little bit of how they think. Banks and credit card companies take fraud for granted. They have departments which analyze potential and reported fraud. They set certain thresholds which they consider acceptable. Since they know it's going to happen they study it and figure out the best way to flag accounts. To the credit card companies it makes the most financial sense to not bother with the technological blocks and catch the fraud on the tail end. For example, with smaller purchases no longer requiring a signature, card use for small purchases has gone up. If a few percent of those purchases are fraud the banks and credit card companies don't care because in the end they're making more money. People who notice fraudulent transactions on their statements will make calls and the banks will eat the cost of the purchases. Banks who suspect fraud has taken place simply block the accounts until the card holder calls. It all works out to the benefit of the banks and credit card companies.

    So even though the credit card companies should do more to protect the information from a logical and PR perspective, they've already decided that the small potential increase in the cost of fraud is outweighed by the increased use of these cards that some people consider more convenient.

  3. Re:Oyster Cards on the London Underground by SenseiLeNoir · Score: 5, Informative

    Silverlink Metro will be coming under the new TfL "London Overground" system in 2007. And yes will be fully oysterised.

    I do know about the thugs who pose as Ticket inspectors... I was once getting off the Silverlink County service from Euston to Harrow and Wealdstone, and the "thugs" were waiting on the stairs.. I showed my Oyster (travelcard, not pre pay) and he checked with the reader, then grunted in a few loud syllables that would make an orangutan proud "Not Valid". And pushed me aside.... (for once I was glad there was CCTV in the area).

    I piped up, louder "Of course it's bloody valid!" and fished out my record card. It seems there was another chap also given the rough treatment...

    Mr gorilla said "That record card must be fake!" with obvious snicker.

    "Call your manager NOW, before I call the Police!"

    He was saying "You do that sonny," when his supervisor came to see what the commotion was about (The other guy next to me was making an equally loud commotion)..

    He checked my record card, and saw it was perfectly valid.. then checked the readers of the baboons, and found them set for zone 6.. WTF.

    With a lot of apologies, we were allowed to move on.

    My suggestions for anyone who has an issue with these blokes, write a letter to both TfL and Silverlink.

    I do understand they do need to check for tickets, they are losing millions of pounds a year thanks to fare evaders. And nothing annoys me more than watching people chance it.

    However, their behaviour is not on.

    --
    Have a nice day!

  4. Re:Dumber then not signing by DrSkwid · Score: 3, Informative

    A good way to look dumb is to use "then" rather than "than".

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter

  5. Liability, merchants, and you by BrianRoach · Score: 3, Informative

    Everyone keeps saying, "Who cares, I'm not liable if someone takes my card and uses it", and that "The banks eat it".

    No, they don't. The merchants do. And the customers end up covering it in the end.

    I own an online retail business. If someone disputes a purchase and we lose the dispute, the credit card processor simply takes the money back from *us*. We're out the money. Nobody else.

    We go to great lengths to try and prevent this (AVS, CVV, etc), but you will get one every once in a while no matter what you do.

    So fraud rates are built into retail *pricing*. When we get a new product, we have a formula to decide our selling price. It's based on our business costs. Fraud is one of those costs - we know how much we incur per year, so we build it into the profit margin. Every business does this in one way or another.

    If fraud goes up, so do our prices. Therefore, it goes full-circle back to the consumer.

    Brian Roach