Slashdot Mirror
Are Contactless Payments Really Secure?
berberine writes to tell us Ars Technica has a closer look at whether the RFID technology behind many of the up and coming "contactless payment systems" is robust enough to prevent account fraud and the theft of personal information. "Concerns over the security of contactless systems were heightened last week by a Federal Reserve decision that will allow for even more casual, low-cost purchases to be made across the country. In recent years, credit card companies have waived their signature requirements for so-called "small ticket" items in order to get a slice of the action. Visa, for instance, doesn't require your signature for purchases at or below $25."
Look, encrypted or not the RFID chips simply send out a unique signal. A signal that, once trapped, can be recoreded and reused. For the true "contactless" payment systems this contact is the only one. Unless the number changes in response to some handshake (something that isn't being done in the present generation of Contactless systems) then possession of the key is the only security and, in absence of a signature or indefinitely stored security cameras, the only record of the card's use.
Lacking the independent verification this is begging for an attack.
This just doesn't track with me. The article fails to explain:
1) How Contactless is necessarily more or less secure than 'Magnetic Strip' cards. Both would require special technology to replicate. Both would store the same information. I'm assuming there's a threat vector of someone wanding your entire wallet, but that isn't in the article. Is it assumed?
2) Why do fewer 'small ticket' restrictions mean any more of a threat on Contactless than on Magnetic?
3) Why are 'small ticket' restrictions a threat at all? Isn't this just more of the same old credit card fraud?
Frankly if they'd just forbit the 'small ticket' waiver for not-in-person transactions, I'd be fine with it.
Who wants a Big Mac?
Bad form to reply to my own post, but it occurs to me that this topic might get some people thnking about how to game the system.
For any youngsters out there getting ideas... card companies also work closely with major retailers to identify a reverse type of fraud.
One case I saw related to a woman who generated false receipts for small dollar amounts (box store multimedia retailer) and returned product that had been stolen for the purpose of reducing her credit card bills with the refunded amounts.
She was allowed to continue this activity for over a year after we were notified so that she would exceed a particular dollar amount at which time she was prosecuted and convicted at a higher level than would have been possible if she had been busted immediately.
Once again... these guys are serious. Always have refunded amounts put on the card with which you made the purchase or accept store credit instead (though one or two instances won't matter much any sort of pattern over time will). It really isn't worth getting a flag put on your account. You may never know of an investigation that takes place, but you may have a higher risk level associated with your account that can change balance increases or future offers.
According to Visa's Rules for Visa Merchants: http://usa.visa.com/download/merchants/rules_for_v isa_merchants.pdf
Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures
So you can't *mandate* that someone provide ID in order to complete their transaction. But at least with Visa, merchants do have the right to ask (knowing that you don't have to give it to them).
Close, but not quite. If/when there's a dispute, the credit card company reverses all disputed funds and then demands signatory proof. If there's no electronic swipe of the card on record, they also demand an imprint to go along with the signature.
When I was working for a pizza delivery restaurant (mom & pop shop) they had a customer who ordered about $40-50 worth of food about 3-4 nights a week. Pretty much the same stuff each time; fried foods, milk shakes, cans of pop, stuff like that. After about 12-15 orders, Visa reversed the funds for all of his orders and demanded proof; the customer had called 'fraud'. Due to different drivers at different times (and their respective attitudes towards being thorough) the store had let's say 12 receipts with only 9 imprints. A couple of the imprints were deemed illegible so only 7 of the 12 charges were allowed to go through.
The contention of the store, and it took a lot of fighting to get this point across, was that the orders came from the same phone number (verified with caller ID), followed the same pattern, came at the same time of day (late at night), went to the same address and obviously if the first 7 were correct then why not the other 5?!?
It was later discovered that this individual (a casual drug user who had a Sherrif's notice of eviction on his apartment door, incidentally) had recently been sent the card in one of those "You're Pre-Approved!" style mail-outs, activated it for however many thousand dollars they'd give him then started going wild ordering from several restaurants. Basically anybody who'd deliver to his crummy building. I'm not sure what happened to him in the end but for the pain he put the merchants through and the money he cost the Visa fraud team and the credit he blew through on that card I'd hope that he's atleast a guest of the Province for the next 5 years of his life, but hey, what can you do right?
BD Phone Home!
Shameless plug. Like you weren't expecting it.