UK Consumers Reporting Contactless Payment Errors

leathered writes "The BBC reports that some customers of UK retailer Marks and Spencer have reported that the store's contactless payment terminals have debited their cards despite being in their bags or pockets, sometimes paying twice when they have used another payment method. The cards are supposed to work only when the card comes within 4cm of the terminal. Customers of fast-food chain Pret a Manger have been reporting similar problems, and in both cases cited the customers weren't even aware they had been issued with NFC-enabled cards by their bank."

Double payments

[chromas]

sometimes paying twice when they have used another payment method.

Why is the software even accepting a new payment? Shouldn't the balance already be 0 by then?

Re:Double payments

[Skapare]

You mean like that stupidity of charging twice for the same shopping cart serial number when the final button is pressed twice? You get this shit when you let morons design it.

Re:Double payments

[Jesus_666]

The question is how often you want to resend the packets. What happens if the connection is genuinely down for, say, five minutes? Do you keep resending packets until eternity? Do you just have the user redo everything up until the purchase screen? Depending on the intended target audience the latter might not be an acceptable answer.

For example, at my company we do most of our business with tech-unsavvy businesses. The people who make the buying decisions are usually impatient and capricious and very averse to entering their data more than once. Also, any problem is attributed to us, even if it's a network outage on their end. If their connection to us goes down they expect to continue the ordering process exactly where they left off or they will reconsider the entire deal. Some will take weeks to make room in their apparently ultra-busy schedules to go through our (phone-assisted) ordering process once. If there is a problem that they can't trivially recover from that means waiting for a few weeks more. "Just have them redo the last few steps" comes with an unspoken "and lose a few sales".

The problem is that you're facing (potential) customers. Just like in every customer-facing situation that means that you end up dealing with a number of people who don't want to bother actually having realistic expectations. Depending on your business, these potential customers may be expendable or they may be critical to your success. If the latter applies then you have to bend over backwards to allow behavior that we consider wrong but they consider logical.

Payment without user confirmation

[Hentes]

Who would've thought that it's a bad idea?

Re:Payment without user confirmation

[click2005]

Everyone saw this coming. The banks, card companies & shops just didn't care.
Unlike purchases over £100 where the CC company is liable for half of all losses, you can bet we'll end up paying for any losses
either directly or through price increases.

Why

[markdavis]

And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.

It reminds me of the phone pay-with-phone thing. I have to carry a wallet anyway for ID and other important documents (and yes, cash, which is the ultimate fall-back and non-tracking/anonymous payment method). Yes, I will also carry my phone. So it is somehow faster and more convenient to take my phone out of my holster, turn it "on", unlock it, launch a payment app, enter some stuff, position it correctly on a terminal, press some confirmation keys, turn it back off, and put it back into its holster. That is faster?

Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use- and all us consumers are paying for that. At least I have noticed gas pumps and some other devices asking me for my zip code.... better than nothing I suppose.

Security Concern

[Capt.Albatross]

While these incidents do not involve a security breach, they do indicate a sloppiness in the implementation, and so raise the concern that the system has been developed without the attention to detail that is a necessary (but not sufficient) prerequisite for security.

Re:tinfoil wallets

Was issued a "contactless" bank card, (one that I only carry as a backup), and promptly wrapped it in tinfoil. A few people laughed at me when I told them what I'd done. This is one of those validating "told you so" moments for me.

If any of the cards I use regularly are superseded by "contactless", they'll be contacting a pair of scissors and I'll go back to withdrawing cash (from inside the branch).

Not a security breach?

[Okian+Warrior]

While these incidents do not involve a security breach...

A vendor's machine can take money from me without my consent or knowledge.

Apropos of nothing, what would constitute a security breach in your model?

Re:Not a security breach?

[julesh]

When they say it does not involve a security breach, what they mean is "it doesn't breach *our* security." Why do you think they give a shit about *your* security, exactly?