UK Consumers Reporting Contactless Payment Errors

← Back to Stories (view on slashdot.org)

UK Consumers Reporting Contactless Payment Errors

Posted by timothy on Saturday May 18, 2013 @03:19AM from the how-to-buy-a-hundred-subway-rides dept.

leathered writes "The BBC reports that some customers of UK retailer Marks and Spencer have reported that the store's contactless payment terminals have debited their cards despite being in their bags or pockets, sometimes paying twice when they have used another payment method. The cards are supposed to work only when the card comes within 4cm of the terminal. Customers of fast-food chain Pret a Manger have been reporting similar problems, and in both cases cited the customers weren't even aware they had been issued with NFC-enabled cards by their bank."

139 of 193 comments (clear)

Min score:

Reason:

Sort:

Double payments by chromas · 2013-05-18 03:22 · Score: 4, Insightful

sometimes paying twice when they have used another payment method.
Why is the software even accepting a new payment? Shouldn't the balance already be 0 by then?
1. Re:Double payments by Anonymous Coward · 2013-05-18 03:29 · Score: 1
  
  It could be a chicken/egg problem. If the card is far enough away, but swung near enough, to authorize/capture payment when the payer is bringing out their bill fold to pay in cash.
  Only an assumption. But it makes me glad I live in the good ol' USA where we are scared of NFC and I have an RF blocking wallet.
2. Re:Double payments by Skapare · 2013-05-18 03:29 · Score: 4, Insightful
  
  You mean like that stupidity of charging twice for the same shopping cart serial number when the final button is pressed twice? You get this shit when you let morons design it.
  
  --
  now we need to go OSS in diesel cars
3. Re:Double payments by Anonymous Coward · 2013-05-18 03:34 · Score: 1
  
  Ah, after reading TFA, the summary is a bit off--this is slashdot afterall. The registers were accepting to plastic-type payments in some cases, others were paid by the NFC cards only (from greater than 4cm away).
4. Re:Double payments by Anonymous Coward · 2013-05-18 03:44 · Score: 1
  
  I always thought that, even if there is server-side protection for it already, the final "click this button to pay" button should get disabled when you click it the first time, preferably with a processing icon or the like. That way you provide a visual clue that something is happening if they are on a slow connection.
5. Re:Double payments by mjwx · 2013-05-18 04:38 · Score: 3, Interesting
  
  sometimes paying twice when they have used another payment method.
  Why is the software even accepting a new payment? Shouldn't the balance already be 0 by then?
  Because the software is shit.
  
  Having dealt with a few Point Of Sale systems I can say that the acronym POS is no accident.
  
  A lot of systems are just Windows systems with a program like Pronto Xi running on top. It's not unusual for these terminals to be running Windows XP. The back end is usually pretty good but the software really suffers on the front end and the front end is where we tend to get most of the errors.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
6. Re:Double payments by mjwx · 2013-05-18 04:52 · Score: 1
  
  I always thought that, even if there is server-side protection for it already, the final "click this button to pay" button should get disabled when you click it the first time, preferably with a processing icon or the like. That way you provide a visual clue that something is happening if they are on a slow connection.
  Nope,
  
  The server is handling 100 transactions a second or more. All through SSH sessions, or worse yet a proprietary protocol. Front end terminals are usually connected to a server in another location over VPN (or worse yet, a WAN link with an open port at the server side) and this server may be across the country. In almost all of the Point Of Sale software I've seen error checking is done locally and there is next to fuck all of that happening anyway as the goal of POS systems is to move as fast as possible. The customer hates waiting for the cash register to do its job properly.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
7. Re:Double payments by Jesus_666 · 2013-05-18 04:53 · Score: 1
  
  You raise a good point. However, I would still silently disable the button for a short amout of time just to catch accidental double-clicks. A second should suffice.
  
  --
  USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
8. Re:Double payments by dalias · 2013-05-18 05:34 · Score: 1
  
  That sure explains why they ask you for your phone number, email address, rewards card, and whether you want to apply for a new credit card (while 5 more people are waiting in line behind you) every time you check out...
9. Re:Double payments by ericloewe · 2013-05-18 05:41 · Score: 4, Informative
  
  Some POS systems are not integrated with the card payment terminal. You click "visa" for instance, and the POS system assumes a valid card payment has been made. The payment is then made in a seperate terminal which issues a receipt for the payment, which should be kept with the purchase receipt.
10. Re:Double payments by theshowmecanuck · 2013-05-18 05:56 · Score: 1
  
  Blame that on the store policy not the payment mechanism.
  
  --
  -- I ignore anonymous replies to my comments and postings.
11. Re:Double payments by MrL0G1C · 2013-05-18 06:04 · Score: 1
  
  It's not a good point, if the packets were lost the first time round then they should simply be resent.
  
  --
  Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
12. Re:Double payments by Anonymous Coward · 2013-05-18 06:07 · Score: 2, Informative
  
  Yes, the good old USA where we still have to use checks for many scenarios, have credit cards without even an attempt at authentication (yes, chip and PIN implementations have been flawed, but we don't even try here) and where anyone who knows your number can apparently charge on your card and all you can do is dispute the charges and get a new number (I've had to do this 3 times now over 30 years of having cards). I'd love to use Google Wallet on my phone. At least it makes you approve the transaction and isn't automatic. But of course even at the few retailers that accept it, it doesn't work about half the time.
  
  We in the US are very backwards on payment systems. The idiotic companies claim it will cost too much to modernize. Sure, it must have cost too much everywhere else too - that's why they all stagnated. Oh, wait... They didn't. It is the same thing with measurement systems. We can't possibly modernize and use the new stuff. They always claim either that it costs too much or that we have too many stupid people or something. Idiots in charge...
13. Re:Double payments by Jesus_666 · 2013-05-18 06:57 · Score: 3, Insightful
  
  The question is how often you want to resend the packets. What happens if the connection is genuinely down for, say, five minutes? Do you keep resending packets until eternity? Do you just have the user redo everything up until the purchase screen? Depending on the intended target audience the latter might not be an acceptable answer.
  
  For example, at my company we do most of our business with tech-unsavvy businesses. The people who make the buying decisions are usually impatient and capricious and very averse to entering their data more than once. Also, any problem is attributed to us, even if it's a network outage on their end. If their connection to us goes down they expect to continue the ordering process exactly where they left off or they will reconsider the entire deal. Some will take weeks to make room in their apparently ultra-busy schedules to go through our (phone-assisted) ordering process once. If there is a problem that they can't trivially recover from that means waiting for a few weeks more. "Just have them redo the last few steps" comes with an unspoken "and lose a few sales".
  
  The problem is that you're facing (potential) customers. Just like in every customer-facing situation that means that you end up dealing with a number of people who don't want to bother actually having realistic expectations. Depending on your business, these potential customers may be expendable or they may be critical to your success. If the latter applies then you have to bend over backwards to allow behavior that we consider wrong but they consider logical.
  
  --
  USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
14. Re:Double payments by jonbryce · 2013-05-18 07:37 · Score: 1
  
  I'm not sure about those two stores, but in a lot of stores, especially ones owned by smaller companies, the credit card terminal is not linked to point of sale system. The checkout operator presses the button on the till for card or cash, nobody takes cheques any more, then if it is card, they enter the total amount into the card terminal, process the payment, and usually put the store copy of the card receipt in the till. It may well be that they thought the card terminal wasn't working, and put the payment through again.
15. Re:Double payments by tlhIngan · 2013-05-18 18:20 · Score: 1
  
  You mean like that stupidity of charging twice for the same shopping cart serial number when the final button is pressed twice? You get this shit when you let morons design it.
  You mean the brilliance of being able to ding a customer for twice their shopping cart value? Extra profit from stupid and/or impatient people.
  And when they chargeback, you can provide proof and cancel their order and still keep the other payment. And tie it up with confusion because you can easily switch which payment you're talking about to cause mass confusion.
  The moronic thing would be to not accept a credit card, like one site I go to always claims the payment was denied. Call the bank and show that the payment was allowed. Now that is leaving money on the table by not accepting an order from a customer. But charging a customer multiple times for the same order? Brilliant business tactic.
16. Re:Double payments by AmiMoJo · 2013-05-18 21:59 · Score: 2
  
  It's operator error. The person on the till is confused by the customer trying to insert their card into the read even though it already appears to have made the transaction. They put it through again and the customer gets charged twice.
  It sounds too stupid to be true, but that is apparently what is happening.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
17. Re:Double payments by mjwx · 2013-05-19 12:21 · Score: 1
  
  That sure explains why they ask you for your phone number, email address, rewards card, and whether you want to apply for a new credit card (while 5 more people are waiting in line behind you) every time you check out...
  That's not the POS system, that's the store management.
  
  POS back ends are designed for fast transactions, it's the human and networking elements that tend to slow them down.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
tinfoil wallets by biodata · 2013-05-18 03:27 · Score: 3, Interesting

Suddenly they are becoming popular - Icelandair are selling one on the inflight goodies list, as are various designer shops in Reykjavik.

--
Korma: Good
1. Re:tinfoil wallets by Anonymous Coward · 2013-05-18 03:44 · Score: 1, Insightful
  
  Was issued a "contactless" bank card, (one that I only carry as a backup), and promptly wrapped it in tinfoil. A few people laughed at me when I told them what I'd done. This is one of those validating "told you so" moments for me.
  If any of the cards I use regularly are superseded by "contactless", they'll be contacting a pair of scissors and I'll go back to withdrawing cash (from inside the branch).
2. Re:tinfoil wallets by The+Archon+V2.0 · 2013-05-18 05:36 · Score: 3, Interesting
  
  My bank rolled out contactless cards... by mailing one to me. No notification to me, preactivated, no PIN needed for purchases under $200.
  I went there and bitched them out about it and they really could not understand why I was mad.
3. Re:tinfoil wallets by lightknight · 2013-05-18 06:44 · Score: 1
  
  Mental note: if / when I go totally insane, and need some quick cash to jump start my career in super villainy, purchase near-field scanner & Raspberry PI model B unit with battery, as well as directional antenna and signal booster. Then hide it in the bushes across the way from where the postal workers unload the trucks, and stop by daily to pick up the 'leads.'
  Actually, disperse several units at foreign postal offices, and employ WAP signals to push data to the internet. Use PGP to encrypt packages, and post to NNTP servers, in some alt.binaries.* group for later retrieval. No sense getting caught.
  Hmm. Might take some work to perfect....but I think I can work out a plan good enough to purchase a small island, and possibly get started on a hidden base. Still, airfields are expensive, yo.
  
  --
  I am John Hurt.
4. Re:tinfoil wallets by DamonHD · 2013-05-18 08:14 · Score: 2
  
  My card issuer decided to push me a personal NFC card, without asking.
  They would not disable it (claimed they could not) or issue me a card without it one activated (again, claimed that they could not).
  So it sits unused in my desk drawer as I told them it would, and another less high-handed card issuer gets my transactions.
  (They did the same with my business VISA, but when I phoned to complain and asked them to disable NFC they said "yes" which means they were probably lying either then, or when they told me they could not disable it on my personal card.)
  Rgds
  Damon
  
  --
  http://m.earth.org.uk/
5. Re:tinfoil wallets by innocent_white_lamb · 2013-05-18 08:20 · Score: 2
  
  I just bought one of these a couple of weeks back:
  http://www.thinkgeek.com/product/8cdd/
  It's surprisingly good quality for $20, too.
  I decided to buy it after reading this:
  http://www.cbc.ca/news/canada/manitoba/story/2013/04/23/mb-smartphones-skimmer-credit-card-winnipeg.html
  
  --
  If you're a zombie and you know it, bite your friend!
6. Re:tinfoil wallets by thegarbz · 2013-05-18 11:43 · Score: 2
  
  The antenna goes around the outside of the card. Cut a notch with scissors about 5mm into the card (opposite side of the magnetic stripe) and you've disabled the contactless portion.
7. Re:tinfoil wallets by Will.Woodhull · 2013-05-18 15:54 · Score: 1
  
  Good to know.
  I haven't yet been burdened by one of these cards, but I do appreciate comments about how to disable the wireless withdrawals.
  
  --
  Will
8. Re:tinfoil wallets by AmiMoJo · 2013-05-18 22:06 · Score: 1
  
  I actually quite like contactless payment when I have had the chance to use it in Japan. No looking for change, no PIN numbers, very easy for travelling and small purchases. Their card readers seem to have a range of about 20mm so there is no danger of accidentally paying for something you didn't intend to but no need to remove the card from your wallet/holder either. You can pay with an NFC enabled phone as well, which they have had for 5+ years now.
  This is a technical problem, not an issue with the system itself. Apparently buses also have the same issue. You get on and flash your free bus pass, but the contactless payment system debits your Oyster card or whatever it is they use (I don't live in London).
  Naturally UK companies can't possibly have learned from all that Japanese experience and will make a lot of stupid mistakes in the first few years, but eventually it will be usable.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
9. Re:tinfoil wallets by Garybaldy · 2013-05-19 03:07 · Score: 1
  
  Just put it in the microwave for a few seconds or hit it with a hammer where the chip is.
10. Re:tinfoil wallets by The+Archon+V2.0 · 2013-05-19 07:07 · Score: 1
  
  Kinda hard to hit it with a hammer before they send it to me.
  It's funny, last I checked - admittedly years ago - there was less requirement for banks to reimburse you for debit card fraud than there was for credit card companies to do it for credit card fraud.
  My credit card company sends me unactivated cards that are useless until I prove that I'm the rightful owner of the card.
  My bank sent me - without warning - a card that anyone who robbed my mailbox could be using in minutes and kept using until I checked my balance.
  tl;dr Fuck you RBC.
11. Re:tinfoil wallets by Jaruzel · 2013-05-19 11:14 · Score: 1
  
  I use an Oyster card on London public transport all the time, and I have NEVER had it trigger until I was physically wiping the big yellow sensor with my oyster card. Yes, there may have been problems when it first rolled out, but these days it's totally bedded in and a working technology.
  Plus you save shedloads paying via Oyster, so it's silly not to.
  -Jar
  
  --
  Together, We Can Make Slashdot Better. I Do NOT Mod ACs. - Check Me Out
12. Re:tinfoil wallets by ranulf · 2013-05-19 20:49 · Score: 2
  
  I actually quite like contactless payment when I have had the chance to use it ...
  I quote like it too, when I only had one card - I could just wave my wallet over the machine and it'd work. Now every bank card I own has been upgraded without me having any say in the matter, they interfere with each other when they're all in my wallet and now I have to take the card out to use it. Once I've done that, I might as well also enter the PIN and prove it's me.
  I too really hate the fact that these cards were sent to me in the post, pre-activated, without even informing me they were coming and in one case with over 9 months left on my existing card. They could easily have been intercepted and I'd never even have known as I'd have just carried on using the old card.
Within 4 cm? by Skapare · 2013-05-18 03:27 · Score: 1

Someone must have gotten their units mixed up and used 4 inches.

--
now we need to go OSS in diesel cars
1. Re:Within 4 cm? by julesh · 2013-05-18 04:06 · Score: 1
  
  Someone must have gotten their units mixed up and used 4 inches.
  So it turns out that like RFID tags, the assurances of limited range are absolute bullshit. A more powerful transmitter coupled with a more sensitive antenna than used in the reference design allow them to work from farther away. Who'd have thought it?
2. Re:Within 4 cm? by Z00L00K · 2013-05-18 05:55 · Score: 1
  
  The guaranteed distance for a successful reading is 4cm, but that doesn't mean that it has to be that close for a successful reading.
  I'm toying around with NFC right now and the distance is 4cm+ for a reading. Our local public transportation company (Västtrafik) uses NFC for the ticket system and there have been numerous accounts of accidental reading of the cards as well as missing to read. They have a system where you have to check in when boarding and check out when leaving - and if you don't check out you will pay for the trip to the end station for that line. And if you have two cards in your wallet it may read the "wrong" card and tax that too.
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
3. Re:Within 4 cm? by St.Creed · 2013-05-18 21:41 · Score: 1
  
  The same issues are happening with the Dutch transport system. At the moment it's only a hassle with people checking out incorrectly (audible signal sounds) or having two cards in their wallet (a random one gets debited - during checks you may present the wrong one, resulting in a lot of hassle and a fine, and if you're unlucky a trip to the police station).
  
  --
  Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
Tap And Go Bankrupt by Anonymous Coward · 2013-05-18 03:30 · Score: 4, Funny

Quick, buy stock in companies selling RF-blocking wallets and bags
And don't forget fashion - my electric-blue aluminium wallet pairs nicely with my neon-green tinfoil hat!
Payment without user confirmation by Hentes · 2013-05-18 03:36 · Score: 5, Insightful

Who would've thought that it's a bad idea?
1. Re:Payment without user confirmation by beelsebob · 2013-05-18 03:38 · Score: 3, Informative
  
  If I had mod points, you would get them... I really genuinely don't get why no one saw this coming.
2. Re:Payment without user confirmation by Takatata · 2013-05-18 03:39 · Score: 1
  
  Bad idea for whom?
3. Re:Payment without user confirmation by isopropanol · 2013-05-18 03:53 · Score: 1
  
  I saw it coming... Before one of my banks put them on ALL their cards I got a survey about how much I would like them. All my asnwers were the most negative on their scale and multiple write-ins (in the write in space) to the effect of OMFG NO, worst idea ever!
  Sadly I was apparently the only one who thought so because now they do not have any credit cards that do not have NFC.
4. Re:Payment without user confirmation by click2005 · 2013-05-18 04:23 · Score: 4, Insightful
  
  Everyone saw this coming. The banks, card companies & shops just didn't care.
  Unlike purchases over £100 where the CC company is liable for half of all losses, you can bet we'll end up paying for any losses
  either directly or through price increases.
  
  --
  I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
5. Re:Payment without user confirmation by julesh · 2013-05-18 04:24 · Score: 1
  
  Bad idea for whom?
  For the merchants accepting the payments, because they'll have to bear the cost of chargebacks on transactions that were otherwise perfectly valid but cannot be proven to have been authorised by the cardholder.
6. Re:Payment without user confirmation by Takatata · 2013-05-18 04:35 · Score: 1
  
  True. But how many don't check their accounts regularly? How many double charges remain unnoticed? Maybe it pays for the merchant?
7. Re:Payment without user confirmation by Takatata · 2013-05-18 04:38 · Score: 1
  
  Oh, an yes, there is one party, for which this problem definitely pays: The bank. Getting money for each transaction and getting money for chargebacks.
8. Re:Payment without user confirmation by mjwx · 2013-05-18 04:47 · Score: 1
  
  Bad idea for whom?
  For the merchants accepting the payments, because they'll have to bear the cost of chargebacks on transactions that were otherwise perfectly valid but cannot be proven to have been authorised by the cardholder.
  In addition to the fees for accepting the transaction.
  
  Yes, a merchant pays a fee for accepting payment via card. Fees for accepting a credit card range from 1-5% of the transaction amount. Paying with debit (your own money) is usually under 1% of the transaction.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
9. Re:Payment without user confirmation by porjo · 2013-05-18 07:54 · Score: 1
  
  This. I was in line at the checkout just the other day watching someone casually wave their card across the scanner, thinking to myself in a sarcastic voice 'what could possibly go wrong!?'
10. Re:Payment without user confirmation by cgimusic · 2013-05-18 12:45 · Score: 1
  
  Agreed. I really don't know what all the fuss with contactless payments is. The main benefit is that they are instant and you don't have to type in a PIN, not the fact that you don't have to put a card in the reader. Why not just make it so that any purchase under £15 doesn't require a PIN or bank confirmation and then you have the convenience of contactless without as many issues like this.
11. Re:Payment without user confirmation by AmiMoJo · 2013-05-18 22:17 · Score: 1
  
  The confirmation is supposed to be that you bring the card within 2cm of the payment terminal. The flaw is that the payment terminal has a range much greater than 2cm.
  The amount that can be authorized this way is limited to Â£20. A person could not use a special long range to rob people walking down the street because the transaction still needs to be authenticated with the card issuer, meaning they would be caught pretty quickly. That's why criminals who steal cards use them in shops and ATMs instead of setting up their own card payment terminal and sending the funds directly to their bank account.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
12. Re:Payment without user confirmation by AmiMoJo · 2013-05-18 22:21 · Score: 2
  
  In the UK the card issuer is liable for all the losses due to fraud or clerical errors.
  The Â£100 rule is that any item worth over Â£100 and paid for in whole or in part on credit card makes the card issuer liable as the vendor. In the event of a problem they have the same responsibility to sort it out as the seller does.
  The card issuers certainly do care because they want contactless payment to become popular. If it is abused or doesn't work people will carry on paying for small items in cash instead of generating revenue for the card issuer.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
13. Re:Payment without user confirmation by RaceProUK · 2013-05-19 23:47 · Score: 1
  
  Who would've thought that it's a bad idea?
  You mean without confirmation like the Amazon 1-click buy now button?
  Amazon doesn't charge the card/debit the account until the item is dispatched, so you have time to check the order and cancel it without charge. At least, that's how it's worked for all orders I've placed there (though I don't use 1-click).
  
  --
  No colour or religion ever stopped the bullet from a gun
Wisdom of the paranoid ages by macraig · 2013-05-18 03:38 · Score: 2

Tinfoil is your friend. Always has been, always will be.
1. Re:Wisdom of the paranoid ages by Lee_Dailey · 2013-05-18 03:57 · Score: 3, Informative
  
  howdy y'all,
  is tin foil available any more? i looked the other day and only found aluminum foil. i have an old roll of tin foil stashed in the back of one of my closets that i got from my mom when i 1st went to college. i aint seen any _tin_ foil in decades ...
  take care,
  lee
2. Re:Wisdom of the paranoid ages by BasilBrush · 2013-05-18 04:19 · Score: 2
  
  I've got some tin foil stored in a steel tin.
3. Re:Wisdom of the paranoid ages by Beardo+the+Bearded · 2013-05-18 04:32 · Score: 2
  
  You can get adhesive copper foil. That's the better tool for this.
  
  --
  
  ---
  ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
4. Re:Wisdom of the paranoid ages by Gothmolly · 2013-05-18 13:59 · Score: 1
  
  You fail, both for being retarded, and for signing your post.
  
  --
  I want to delete my account but Slashdot doesn't allow it.
5. Re:Wisdom of the paranoid ages by maweki · 2013-05-18 22:13 · Score: 1
  
  It's all part of the conspiracy. They're taking our tinfoil precisely to prevent us from defending ourselves from the alien hive-mind.
Why by markdavis · 2013-05-18 03:41 · Score: 5, Insightful

And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.
It reminds me of the phone pay-with-phone thing. I have to carry a wallet anyway for ID and other important documents (and yes, cash, which is the ultimate fall-back and non-tracking/anonymous payment method). Yes, I will also carry my phone. So it is somehow faster and more convenient to take my phone out of my holster, turn it "on", unlock it, launch a payment app, enter some stuff, position it correctly on a terminal, press some confirmation keys, turn it back off, and put it back into its holster. That is faster?
Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use- and all us consumers are paying for that. At least I have noticed gas pumps and some other devices asking me for my zip code.... better than nothing I suppose.
1. Re:Why by Jmc23 · 2013-05-18 03:48 · Score: 2
  
  Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use- and all us consumers are paying for that. At least I have noticed gas pumps and some other devices asking me for my zip code.... better than nothing I suppose.
  Hate those stupid gas pumps. Useless if your card is from outside the US.
  
  --
  Don't complain about syntax, grammar, or spelling. There is no.hell like input on android.
2. Re:Why by CrashandDie · 2013-05-18 03:55 · Score: 3, Interesting
  
  A lot of credit cards in the UK have the Chip'n'Pin system, which requires a physical connection to be made to the payment terminal. Simply "swiping" becomes less and less common, so people have to type their PIN every 5 minutes to pay for a few quid worth of $product. I used to work in the industry, and there was a certain amount of pressure from consumers to be able to do something as quickly and effortlessly as possible, but the magstrip simply isn't deemed secure enough.
  The idea was to use NFC, so people could just wave their card for any purchase under 10 or 20 quid, and be on their merry way.
3. Re:Why by gl4ss · 2013-05-18 03:57 · Score: 2
  
  And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.
  It reminds me of the phone pay-with-phone thing. I have to carry a wallet anyway for ID and other important documents (and yes, cash, which is the ultimate fall-back and non-tracking/anonymous payment method). Yes, I will also carry my phone. So it is somehow faster and more convenient to take my phone out of my holster, turn it "on", unlock it, launch a payment app, enter some stuff, position it correctly on a terminal, press some confirmation keys, turn it back off, and put it back into its holster. That is faster?
  Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use- and all us consumers are paying for that. At least I have noticed gas pumps and some other devices asking me for my zip code.... better than nothing I suppose.
  plenty of countries have gone pretty much all chips. you stick the card in, put in the pin and the payment is done.
  nothing wrong with that, except if for bus fares etc.. if you need extremely fast throughput of people then contactless is nice.
  contactless without pin for your usual every day big money card though.. that's just fucking stupid. like having all your money in cash in your pocket. which geniuses came up with that?
  
  --
  world was created 5 seconds before this post as it is.
4. Re:Why by willb · 2013-05-18 03:58 · Score: 4, Informative
  
  Hate those stupid gas pumps. Useless if your card is from outside the US.
  Actually there is a way to use this even if your card is from outside the US. For example I have cards from Canada and the convention is to use the numbers from your postal code and add 00 at the end. It works well. If yours is from another country google around, they might have a convention on how to get the "ZIP" code you're supposed to use.
5. Re:Why by gl4ss · 2013-05-18 03:59 · Score: 1
  
  Hate those stupid gas pumps. Useless if your card is from outside the US.
  Then go inside and pay like you would everywhere else you make purchases. It's not hard, and you rarely have to queue. I guess, being a 'murican, you're either too fat or too lazy to waddle over to the door.
  would make more sense for the gas pump to support pin on cards which have pin. I mean, asking for zip code is the stupidest verification right after touchscreen signatures. do wallet stealers have a powerful washington lobby or what the fuck?
  
  --
  world was created 5 seconds before this post as it is.
6. Re:Why by b4dc0d3r · 2013-05-18 04:08 · Score: 1
  
  If you do it your way, it's slower. Most people with a phone have it on already, with no locking. If you do it the way people who use payment apps do it, it can be a lot faster.
  You could argue that this method is a lot slower: stare at the cashier, wait for the total, dig in your purse to find stray bills, decide you don't have enough cash, find a checkbook, hand the blank to the cashier so the register prints it, enter the amount and balance your checkbook.
  Yes people do it that way, but most people avoid it if possible. Have your method of payment ready when it's time to pay, no matter what system you use.
  You're worse than those people on infomercials who can't figure out how to change a light bulb, or get frustrated because they use every product in their house the wrong way. Don't be incompetent. And if you're going to argue against something, be realistic. Exaggeration of the sort found in infomercials is at best disingenuous, and more like outright falsification/
7. Re:Why by julesh · 2013-05-18 04:09 · Score: 1
  
  Hate those stupid gas pumps. Useless if your card is from outside the US.
  Actually there is a way to use this even if your card is from outside the US. For example I have cards from Canada and the convention is to use the numbers from your postal code and add 00 at the end. It works well. If yours is from another country google around, they might have a convention on how to get the "ZIP" code you're supposed to use.
  Yep; in the end, they're just checking AVS which just checks the numbers in your postal code. Same should work for at least UK-issued cards, and probably all major European issuers as well.
8. Re:Why by Jmc23 · 2013-05-18 04:24 · Score: 1
  
  Well thank you, it would have helped more if any of the employees at any of the gas stations were aware of that. Made driving across the US irritating, well, that combined with the lower fuel efficiency of the crappy ethanol blends.
  
  --
  Don't complain about syntax, grammar, or spelling. There is no.hell like input on android.
9. Re:Why by Beardo+the+Bearded · 2013-05-18 04:34 · Score: 1
  
  So you don't have to touch the pad or the community pen?
  If it cuts 1/2-1 minute off a transaction, a line of 50 people will save a half hour. That's a lot more customers for a morning coffee run.
  
  --
  
  ---
  ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
10. Re:Why by JustOK · 2013-05-18 04:34 · Score: 4, Funny
  
  I thought in the UK chips were called crisps.
  
  --
  rewriting history since 2109
11. Re:Why by mcpheat · 2013-05-18 04:52 · Score: 1
  
  No, in the UK chips are what what you call French Fries
12. Re:Why by drinkypoo · 2013-05-18 05:19 · Score: 1
  
  It's a good idea because magstrips are easy to erase and contacts are easy to destroy. It's unfortunate that this implementation is so crap, but that doesn't invalidate the concept.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
13. Re:Why by kav2k · 2013-05-18 05:24 · Score: 4, Interesting
  
  And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.
  Contactless payments differ a lot from magnetic stripe swiping, invisible barcodes etc.
  They are not static information but an active challenge-response authentication system. You cannot clone the chip; it has an internal cryptographic secret it does not allow you to access, only challenge responses. You can trick it into authorizing a purchase you don't want if you're in physical proximity, which is happening here, but you cannot save that authorization for later use, since the bank is issuing the challenge here, just like with a chip-and-pin purchase. The whole point is to ensure that this is really the actual card.
  So the main problem is the lack of user interaction to go ahead with the purchase. A touch button on the card itself would help, but would destroy part of the convenience.
14. Re:Why by dadelbunts · 2013-05-18 05:34 · Score: 2
  
  Not only that, but its come to the point where paying cash is faster. I go to walgreens, swipe my card, before i even enter my pin it asks me if i want to donate to something. Then i get to enter my pin and tell it if i want cash back or not. Then i get to verify the amount and press another button. Or i can just give the cashier a 10 dollar bill and be done with it.
15. Re:Why by zazzel · 2013-05-18 05:53 · Score: 2
  
  Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something
  Uh, so you don't already HAVE chips?! My EC card has had them for years. All ATMs use the chip, and magnetic strips only work as a fallback option (though there are safeguards against simply using a copied card without chip).
  I am curious, what are the options for online banking in the US today? When I was a customer of Citibank in the US in 2001, it was just username/password (I had an HBCI encryption chip on my German card then...)
16. Re:Why by toby34a · 2013-05-18 05:56 · Score: 1
  
  The chip-and-pin system is the stupidest thing in the world for small amounts of money. For example, take my cafeteria line in my building. The queue occasionally builds to 4-5 students, each spending £3-4. Each time they pay by card, each transaction takes a few minutes, as the cashier has to hand over the card reader to the customer, the customer inserts their card, types in their PIN, and then hands the device (with the card in it) to the cashier again who then inputs the price, holds the machine as it calls the bank, confirms the transaction, prints the reciept, which is then handed back with the card. All of this BS, for what in the US is solved by a simple swipe of the card. Absolutely asinine to have the system as it is now for small purchases.
17. Re:Why by Richy_T · 2013-05-18 06:18 · Score: 1
  
  Why would you assume he's American when he's talking about cards from outside the US? (Looks like he isn't if the other post above is from him).
  Note that this zip code requirement has only been brought in in the last 5-7 years. Largely, I think, due to the high rise in gas prices. When you could fill a tank for 20-30 dollars, not an issue. Now even my relatively small car takes 60-70 to fill up on occasion.
18. Re:Why by Richy_T · 2013-05-18 06:19 · Score: 1
  
  They take pin if you're using the debit card portion. Not all credit cards have that though I understand. When you travel internationally, things get a little complex sometimes.
19. Re:Why by Richy_T · 2013-05-18 06:24 · Score: 1
  
  Just tell them you didn't want to have to file with the IRS every year even though they have no jurisdiction over your earnings. That's the main reason I'm putting off becoming a citizen (should I ever change my mind about returning to the UK).
20. Re:Why by Richy_T · 2013-05-18 06:25 · Score: 1
  
  UK postal codes include letters and numbers.
21. Re:Why by Richy_T · 2013-05-18 06:26 · Score: 1
  
  The potato product invented in Belgium
22. Re:Why by Richy_T · 2013-05-18 06:36 · Score: 1
  
  I was once standing a line in front of someone who complained quite loudly about the (marginal) extra time it took to process card transactions. That was about 20 seconds before someone turned up with a bunch of change to be sorted into the cash drawer. He was oddly quiet after that.
  Card processing terminals vary but some do it right. Typically, at Walmart, I have all the card business done by the time the checker is still swiping the last items and I have the cart loaded by the time the receipt is ready.
23. Re:Why by Richy_T · 2013-05-18 06:39 · Score: 1
  
  I'm one of those Bitcoin-heads and have been interested in some of the discussions of hardware wallets. What all the designs I have seen in common have is some way to display the charged amount on the device and a button to be pressed for user confirmation. It is such an obvious requirement for anyone who takes a moment to think about it so I can only think that it has not been implemented in this case because it detracts from the "gee-whiz" aspect of the technology. Marketing over design.
24. Re:Why by Richy_T · 2013-05-18 06:41 · Score: 1
  
  Username/password with my bank.
25. Re:Why by 93+Escort+Wagon · 2013-05-18 06:44 · Score: 1
  
  Sure they were... and I suppose next you're going to blame the Belgians for Morris Dancing?
  
  --
  #DeleteChrome
26. Re:Why by forkazoo · 2013-05-18 06:52 · Score: 1
  
  It's a good idea because magstrips are easy to erase and contacts are easy to destroy. It's unfortunate that this implementation is so crap, but that doesn't invalidate the concept.
  I'm sorry, but no. The concept of contactless payment is just inherently broken. It's really obviously, blatantly, completely invalid. Making it possible for me to pay from a distance wirelessly without having to do anything specific with the payment card/source/token, means that I can be robbed without noticing it. It just takes a big antenna hidden in a backpack, or stuffed under a coat, or in a car. No matter how much you clamp down on the concept, you just require the guy robbing me to have a slightly bigger antenna.
  If I absolutely had to design something like this, there would be a requirement for contact even if the data had to go over a wireless channel. Tap your conductive card on the metal plate to send a wakeup signal to the radio, or something similar. No moving parts, no requirements for the contact payment accepting device to keep the contact in pristine condition. Easy.
27. Re:Why by 93+Escort+Wagon · 2013-05-18 06:56 · Score: 1
  
  It reminds me of the phone pay-with-phone thing. I have to carry a wallet anyway for ID and other important documents (and yes, cash, which is the ultimate fall-back and non-tracking/anonymous payment method). Yes, I will also carry my phone. So it is somehow faster and more convenient to take my phone out of my holster, turn it "on", unlock it, launch a payment app, enter some stuff, position it correctly on a terminal, press some confirmation keys, turn it back off, and put it back into its holster. That is faster?
  Wait... You keep your phone in a holster? And off?
  Your issues with the payment app system aren't really anything that affects most other people. My phone, for example, is in my pocket - and on. Getting at it isn't any more work than pulling my wallet out of a pocket, and launching an app is as fast as finding the correct card somewhere in my wallet.
  Heck, my wallet isn't even in my pocket, more often than not. It's usually buried in my computer bag.
  
  --
  #DeleteChrome
28. Re:Why by 93+Escort+Wagon · 2013-05-18 07:05 · Score: 1
  
  You cannot clone the chip; it has an internal cryptographic secret it does not allow you to access, only challenge responses.
  Yeah, you're making two claims here, neither of which I believe.
  Yes, this is how the system is designed to work. But it's a very complicated system that was designed by humans. People make mistakes in implementation, and tomorrow people will know things they don't know today. I've seen too many claims similar to yours fail in the past to really believe the designers of NFC thought of everything.
  
  --
  #DeleteChrome
29. Re:Why by kav2k · 2013-05-18 07:40 · Score: 2
  
  Well, my point wasn't that the original card is impossible to clone given physical access to the card. My point is that using only radio communication with the chip, it is not possible to clone it. I imagine that NFC stuff and the crypto module are isolated, and the hardware crypto module quite literally has only one command exposed, to generate a response to a challenge. So neither passive (when you hear the challenge and the response) nor active (when you can submit challenges yourself) attacks can give you the required key, even if you can find a bug in NFC that you can exploit.
  As for complex protocols. I'm a logician working with proof theory. There have been precedents of full formal verifications of such protocols that, given a set of assumptions about the hardware, can exclude any possibility of a flaw in the protocol itself. Example 1, example 2. It's usually very hard, but can be done, and gives the same rigor as normal mathematical proofs.
  Smart card security isn't new. So it's a reasonably mature concept, but it has usability problems in this application.
30. Re:Why by jonbryce · 2013-05-18 07:43 · Score: 2
  
  In Europe, and most of the rest of the world, we use smart-chips when we aren't using contactless. There is a magnetic stripe on the card, that that is only so that the card can be used in the USA and other similarly backward countries.
31. Re:Why by jonbryce · 2013-05-18 07:49 · Score: 1
  
  Chips are called chips, and look like this - http://www.mccain.co.uk/Global/Images/Products/Product%20Category/Healthy/oven%20chips%20sc%20large.jpg
  Crisps are called crisps and look like this - http://images2.mysupermarket.co.uk/Products_1000/37/174137.jpg?v=2
32. Re:Why by Anonymous Coward · 2013-05-18 07:58 · Score: 1
  
  Yes they were. And if you ever are in Belgium: They make the best fuckin' fries in the history of mankind! Serious gourmet stuff compared to everything else. Of course you eat them with mayonnaise not tomato jam. (Not that I care though, eat whatever you want. I just find tomato jam to be disgusting. Like eating steak with nutella. Or candy with mustard filling. Eww.)
33. Re:Why by Richy_T · 2013-05-18 09:28 · Score: 1
  
  I could give it a go but the exchange charges aren't too good.
34. Re:Why by markdavis · 2013-05-18 10:28 · Score: 2
  
  No credit cards have that because you are talking about a debit card. I will not own a debit card with a credit card logo- it is just ASKING for trouble.
  If I want to use a credit card, I use a real credit card- which is using SOMEONE ELSE'S money until I pay for it. There is zero risk of my bank account being instantly drained for who knows how long.
35. Re:Why by markdavis · 2013-05-18 10:36 · Score: 1
  
  If you think it is an exaggeration, then you need to watch the typical people around you. SLOW.
  I am always fast, and I can almost guarantee I can use a swipe credit card just as fast as any "phone" user.... unless the cashier puts obstacles in my way...
36. Re:Why by Rising+Ape · 2013-05-18 10:39 · Score: 1
  
  £3-4? Isn't that what cash is for?
  Actually, my office has one of these NFC systems. It's acceptable givent there's never more than £10 in the account it's linked to, which is completely separate from my bank account. No way in hell would I trust my main bank account to a system like that.
37. Re:Why by markdavis · 2013-05-18 10:40 · Score: 1
  
  +1 informative
  Yours is one of the best replies yet. Yes, the idea of having a button or some other technology that confirms intent is what would be needed to "fix" the situation.
38. Re:Why by markdavis · 2013-05-18 10:44 · Score: 1
  
  Being in a holster is no less accessible or slower than being in a pocket.
  No, it is not "off", the SCREEN is off, you have to press the button to turn the screen on
39. Re:Why by markdavis · 2013-05-18 10:51 · Score: 2
  
  >"Uh, so you don't already HAVE chips?! My EC card has had them for years. All ATMs use the chip, and magnetic strips only work as a fallback option (though there are safeguards against simply using a copied card without chip)."
  None of my USA credit cards have chips.
  My Bank of America debit/ATM card also has no chip.
  >"I am curious, what are the options for online banking in the US today? When I was a customer of Citibank in the US in 2001, it was just username/password (I had an HBCI encryption chip on my German card then...)"
  I can only speak to home/consumer use with Bank of America. They use a login, site image ID, and password for verification. The only other option is that F**KING "Rapport Trusteer" S**T software for MS-Windows-only that takes over your whole computer like a virus. BTW- we are *FORCED* to use that with SunTrust at work and it is a total NIGHTMARE, especially since we are nearly 100% Linux based. I have already recommend to the CFO and CEO we need to change banks because of it.
40. Re:Why by Highland+Deck+Box · 2013-05-18 11:10 · Score: 1
  
  It sucks in corner shops or whatever that have crap connections, but it's pretty nice in chains or supermarkets. I go in my local Tescos and it's way quicker to use my card than trying to fiddle with cash. It validates my pin basically instantly.
41. Re:Why by knorthern+knight · 2013-05-18 16:03 · Score: 1
  
  I make all my phonecalls and texts with a Nokia 6015i "dumbphone" http://www.cellphones.ca/cell-phones/nokia-6015i/specs/ Yes, I do have a "smartphone", but the greedy asshole cell carriers insist on an extra "data plan" charge for smartphones. So I don't bother getting a sim card or a plan for it. I leave it off except when I'm using it. The smartphone is a mediocre mp3-player/FM-radio/ebook-reader/web-browser/etc, but I'm *NOT* going to pay extra for connecting it versus the Nokia.
  
  --
  
  I'm not repeating myself
  I'm an X window user; I'm an ex-Windows user
42. Re:Why by Jmc23 · 2013-05-18 17:08 · Score: 1
  
  There are other countries less backwards than the USA you know, pin's on credit cards exist.
  
  --
  Don't complain about syntax, grammar, or spelling. There is no.hell like input on android.
43. Re:Why by markdavis · 2013-05-19 01:07 · Score: 1
  
  >"There are other countries less backwards than the USA you know, pin's on credit cards exist."
  Yes, I know, but I thought it was pretty clear I was talking about the USA.
44. Re:Why by marka63 · 2013-05-19 01:56 · Score: 1
  
  All it verifies is that a card with a mag strip programmed with your data has been presented. That card could be library card, hotel door key ....
45. Re:Why by GNU(slash)Nickname · 2013-05-19 02:24 · Score: 1
  
  Hate those stupid gas pumps. Useless if your card is from outside the US.
  Then go inside and pay like you would everywhere else you make purchases. It's not hard, and you rarely have to queue. I guess, being a 'murican, you're either too fat or too lazy to waddle over to the door.
  Wouldn't it make more sense that the OP is a cross border commuting/shopping Canadian who buys cheaper gas in the US with his Canadian issued credit card?
  'Course, he could still be fat and lazy I suppose. :)
46. Re:Why by 91degrees · 2013-05-19 02:26 · Score: 1
  
  Yeah. These are the equivalent to french fries and PIN.
47. Re:Why by graphius · 2013-05-19 03:26 · Score: 1
  
  Every day I go to my local coffee shop for a morning coffee. I hand them my cup, put my card in the machine and type in a 4 digit number. Done. The person ahead of me had to dig through their pockets to find the right change, then the cashier had to count it and sort it into the till, and then count back the change. Heaven forbid if some little old lady's change purse dumps on the floor.
  I'll keep my secure (ish) chip and pin thank you
  Why would I want to introduce the complete insecurity of near field silliness?
That's funny by fustakrakich · 2013-05-18 03:42 · Score: 1

Like at an auction, when you scratch an itch on your nose, you find that you just bid 2 mil for a painting of Bea Arthur

--
“He’s not deformed, he’s just drunk!”
Security Concern by Capt.Albatross · 2013-05-18 03:43 · Score: 4, Insightful

While these incidents do not involve a security breach, they do indicate a sloppiness in the implementation, and so raise the concern that the system has been developed without the attention to detail that is a necessary (but not sufficient) prerequisite for security.
1. Re:Security Concern by TitusGroan8856 · 2013-05-18 04:14 · Score: 1
  
  I would argue that the additional distances quoted in TFA is a security breach. this increases the danger of skimming if the cards can be read from so far away.
2. Re:Security Concern by Capt.Albatross · 2013-05-19 04:37 · Score: 1
  
  I would argue that the additional distances quoted in TFA is a security breach. this increases the danger of skimming if the cards can be read from so far away.
  I think you are almost certainly right, but because I don't know of an exploit that demonstrates a specific vulnerability of this sort, I did not want to make a claim that could be narrowly refuted. For more details on what I was thinking, see this response: http://news.slashdot.org/comments.pl?sid=3763223&cid=43767955
in Soviet Russia by FudRucker · 2013-05-18 03:43 · Score: 4, Funny

retail stores shoplift YOU!

--
Politics is Treachery, Religion is Brainwashing
The NFC terminal shouldn't be active until needed by soramimicake · 2013-05-18 03:47 · Score: 2

The hardware having the wrong range is probably pretty hard to avoid due to variance between terminals and problems keeping them all tuned over their lifetime.
However, the NFC reader shouldn't be active until the customer told the cashier he/she will be using a contactless card for payment and the cashier enabling the reader.
It wouldn't prevent reading the wrong card if the customer has several NFC cards, but it would at least prevent the kind of surprises shown in the article.
Handbags by abigsmurf · 2013-05-18 04:13 · Score: 1

I'd be willing to bet that 90% of the time this happens it's because a woman's put her handbag on the counter to get the wallet out, it's brushed up close against the sensor and activated it. Contactless is designed to be able to be used in a wallet, guessing distance is the big limiting factor, not having a couple of layers of cloth between them.
1. Re:Handbags by julesh · 2013-05-18 04:27 · Score: 1
  
  Right, and why is a second payment then accepted in another way?
Not a security breach? by Okian+Warrior · 2013-05-18 04:19 · Score: 4, Insightful

While these incidents do not involve a security breach...
A vendor's machine can take money from me without my consent or knowledge.
Apropos of nothing, what would constitute a security breach in your model?
1. Re:Not a security breach? by julesh · 2013-05-18 04:26 · Score: 4, Insightful
  
  When they say it does not involve a security breach, what they mean is "it doesn't breach *our* security." Why do you think they give a shit about *your* security, exactly?
2. Re:Not a security breach? by Capt.Albatross · 2013-05-19 03:11 · Score: 1
  
  While these incidents do not involve a security breach...
  A vendor's machine can take money from me without my consent or knowledge.
  Apropos of nothing, what would constitute a security breach in your model?
  That's a fair question, and I probably should have written something like "arguably, there was no security breach in these specific incidents." I don't think it would be a very good argument, but I wanted to 'immunize' my post against a sort of argument that has been used against me elsewhere (e.g. http://slashdot.org/comments.pl?sid=3682437&cid=43544497 ) This 'so far, so good' fallacy takes several forms, such as 'the incidents [so far] have caused no losses / have only occurred in the lab / have all been caught [so far as we know]', 'the losses [so far] have been minimal / reversed'... In this particular case, an apologist for the system might say 'none of the incidents reported here involve covert subversion of [what passes for] the security of these systems'.
  With regard to the specific incidents reported in this article, that seems to me to be true, but irrelevant. All 'so far, so good' fallacies share two problems. The first is that they ignore the fact that such incidents are good evidence that the system is not trustworthy, and the second is that the person making the fallacy is either unaware of its bogosity, or is deliberately trying to hide it. That means the commentator (and the organization she represents) is either incompetent (in the first case) or untrustworthy (in the second) on the subject of security.
  The article includes another bogus argument: "the system has been extensively tested"... but the incidents are irrefutable evidence that the testing did not work. Another bogus argument that has been used in other cases is "there is nothing wrong with the standard, the problem was in the vendor's implementation"... but a standard without effective verification of compliance is useless.
  By attempting to immunize my comment, I brought on your response instead, but that's OK, because we agree over what matters here.
Re:The NFC terminal shouldn't be active until need by Anonymous Coward · 2013-05-18 04:38 · Score: 1

Wouldn't just having a button/contact pad on the card be much much simpler? You must press the button to connect the antenna/battery/collector? Press button on card, swipe. On your way?
Coleman and Brookstone sell RFID-blocking wallets by Burz · 2013-05-18 05:47 · Score: 1

But the Brookstone one costs 4X as much, true to form...
chips by cmurf · 2013-05-18 06:09 · Score: 1

My first Amex Blue for Business had a chip on it. It wasn't compatible with chip and pin, it was a separate system. Now it has an RFID chip, ExpressPay. And Visa has payWave. And MasterCard as PayPass. They're all separate systems. If a merchant terminal supports contactless, they tend to support all three systems. Google Wallet on Android phones mostly use PayPass. A few earlier ones used payWave. As for online banking, HSBC business requires a fob. I've asked for them to support Google Authenticator instead so I don't have to keep that fob around with me all the time. None of my other banks do this. UBS now emails or robo calls you with a one time passcode used for MFA in addition to the password. For CitiBank it's username/password only.
Re:their paying me too by Z00L00K · 2013-05-18 06:25 · Score: 1

It is possible to successfully read the data exchanged with a NFC card up to 2 meters away. Just have a decent snooping device in your backpack or handbag and you can sniff the transactions of other people.
You can have a transmitter with decent power at 13.56MHz that you turn on when you get in an area with NFC readers and see how many checkouts that fails to work.
There are a few other listed security issues too with NFC cards here: MMN-o | Blog, for those that aren't able to read Swedish - use the online translator.
Yet more reading:
Study on Public Transport Smartcards – Final Report
Do contactless cards expose you to fraud?
Anyway - when it comes to NFC there are different types of cards, some are simple and doesn't have any encryption at all (E.g. Mifare Ultralight), some have an encryption which is very weak and is cracked within minutes (Mifare Classic) and some are running DES, but I expect that it has a few weaknesses too since the exchange between the card and reader is easy to snoop.

--
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Re:Cards without chips by Z00L00K · 2013-05-18 06:29 · Score: 1

The cards with a visible chip aren't the problem, it's the cards with hidden chips that communicates with radio that are.
The contact-chips have a different set of problems and attack vectors but they are safer than the magnetic strip. Recently some skimming equipment has been found for the chip cards. As for NFC cards you can be further away to skim them.

--
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Re:The NFC terminal shouldn't be active until need by Richy_T · 2013-05-18 06:42 · Score: 2

The confirmation method has to be attached to the card otherwise it leaves open the option for rogue devices to drain your money.
Re:NFC - A disaster waiting to happen by Richy_T · 2013-05-18 06:46 · Score: 1

If I find out that I've been issed with an NFC Card
Are you sure you haven't? I have a few cards that contain rfid chips and I was never notified. The only way to know was the logo on the card (and I guess the absence of that is not a guarantee)
how to get rid of NFC on a passport or credit card by lkcl · 2013-05-18 07:07 · Score: 1

there are two ways. my favourite is the first.
1) put passport / credit card on a plate
2) put small amount of water on top of NFC chip
3) put plate into microwave oven
4) set for 3 seconds on HIGH
5) press button and watch pretty sparks
6) open door VERY QUICKLY and put out anything that's smoking or on fire
7) smile and relax, knowing that you are secure from being phished.
the other way is perhaps less risky:
1) obtain a 50,000 volt electrocution device aka "stun gun"....
I am currently living in Europe. by bdwoolman · 2013-05-18 07:26 · Score: 2

My Norwegian bank issued me a chip and pin card. I like it. The waitress or the teller never touches my card. I put it in the terminal when I see the total I am being charged. I punch in the PIN and the card verifies with the bank and the term. prints a receipt. In a restaurant the server brings a wireless terminal to the table and I do the same thing. The protocol allows for a gratuity to be added. As long as no thug or dip looks over my shoulder and sees my PIN I fell pretty safe from fraud. I use this card all over the continent. My US cards work, but they are less secure and I get a nasty foreign transaction fee and a disadvantageous exchange rate. Chip and PIN rocks. Hard to believe consumers wearied of punching in a little PIN. Besides, for small purchases cash works. Near Field Communication payment is an idea whose time is yet to come. I do not want an experimental-stage NFC. It will be cool when all my products are fitted with rfid tags and my NFC payment fob is in my pocket. I walk out of the store with my basket, pause at a terminal to visually scan the inventory for which I am being charged (or not), confirm, then get the receipt beamed to my fob or smart phone. Until then the chip and pin is fine. I was wondering at the profusion of stainless steel wallets on Travel Smith. They were not all passport sized. Now I understand. It makes me wonder if my current chip and pin is NFC too. Feh! Makes me want to return to the good old days of cowrie shells.

--
"No fear. No envy. No meanness." Liam Clancy
1. Re:I am currently living in Europe. by DamonHD · 2013-05-18 08:18 · Score: 1
  
  Not only is remembering endless new passwords and PINs very hard, but I don't want to entrust the PIN for a bank card with a direct call on my current account (for example) to retailers who are notoriously cheap when it comes to security measures.
  The only thing I want to use a PIN on a bank card for is an a bank ATM to withdraw cash or as part of 2-factor authentication for on-line transactions.
  Rgds
  Damon
  
  --
  http://m.earth.org.uk/
2. Re:I am currently living in Europe. by DamonHD · 2013-05-18 19:12 · Score: 1
  
  If the terminally is correctly designed and uncompromised. In several high-profile retail cases neither of those has been true.
  Rgds
  Damon
  
  --
  http://m.earth.org.uk/
3. Re:I am currently living in Europe. by DamonHD · 2013-05-18 19:13 · Score: 1
  
  Which has happened.
  Or someone standing behind you in a dense queue watches what you enter.
  Rgds
  Damon
  
  --
  http://m.earth.org.uk/
4. Re:I am currently living in Europe. by AmiMoJo · 2013-05-18 22:29 · Score: 1
  
  The stupid thing is that NFC is well beyond the experimental stage. Japan has been using it for going on a decade now and it works really well. They have stored value cards that you can load money on to, they have phones where the payment appears on your monthly bill and they have debit/credit cards. They don't have problems with payment terminals having too much or too little range, they don't have problems with fraud or skimming. It all just works really well and is very, very convenient. No messing about looking for change when you just want to buy a couple of items on the way home or hop on the metro.
  Somehow I knew that we would find a way to fuck it up though. Instead of getting some Japanese companies with experience in we went for the lowest bidder bunch of cowboys we could find who thought that MOAR PWR to the NFC field was a good idea. They were probably proud of the 30cm range they got out of the damn thing.
  This is why we can't have nice things.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
It's not a bug, it's a feature! by Immerman · 2013-05-18 07:57 · Score: 1

*Somebody* had to say it.

--
--- Most topics have many sides worth arguing, allow me to take one opposite you.
Re:how to get rid of NFC on a passport or credit c by Takatata · 2013-05-18 09:09 · Score: 2

You forgot:
8) Throw card away since it is useless now.

No idea how it is in the USA, but in Europe the magnet strip is hardly used anymore. Too insecure. Some people even destroy it on purpose. Instead a chip in the card used. Not a NFC chip. So, how do you destroy one chip in a microwave oven, but leave another chip on the same card intact?
Re:how to get rid of NFC on a passport or credit c by petermgreen · 2013-05-18 12:55 · Score: 1

Someone else in this discussion suggested cutting a notch in the edge of the card to destroy the antenna.

--
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
workaround by gronofer · 2013-05-18 15:10 · Score: 1

Use cash in stores and leave the card at home. The only place you need to take it is the ATM.
And this is NEWS? by cheros · 2013-05-18 22:23 · Score: 1

Since RFIDs landed in passports it's been a fairly badly held secret that the only thing that limits the range of such devices is the quality of the antenna and the transceiver.
The only reason those terminals work on proximity is because they use crap aerials. All it takes is a larger aerial and you can get up to max 10 meter range (beyond that the S/N ratio becomes an issue).
The only real question is why card companies are pretending they don't know this.
When have you ever known a card company to limit its opportunity to get you into interest paying debt? Why else do you think they put a payment limit on NFC transactions?

--
Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
1. Re:And this is NEWS? by Hanzie · 2013-05-19 00:43 · Score: 1
  
  The only reason those terminals work on proximity is because they use crap aerials. All it takes is a larger aerial and you can get up to max 10 meter range (beyond that the S/N ratio becomes an issue).
  That's what DIRECTIONAL antennae are for. The entire field of radio astronomy is dedicated to improving NFC theft.
  
  --
  ********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
Re:Any instances of money being credited accidenta by biodata · 2013-05-18 23:25 · Score: 1

crickets

--
Korma: Good
Re:Repeaters by Hanzie · 2013-05-19 00:40 · Score: 1

mod parent +1, Sneaky Bastard.

--
********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
Why by bdwoolman · 2013-05-19 01:45 · Score: 1

am I not surprised? *Sigh*

--
"No fear. No envy. No meanness." Liam Clancy
Re:I am currently living in Europe. &sign by eionmac · 2013-05-19 04:56 · Score: 1

Some UK cards require Chip (on card) PIN entry on card machine and signature as well into machine. It detects after the fact false records, originally for use inside banks so elderly (memory loss etc for PIN numbers) can get teller to enter PIN from a record in bank, the signature verified the request to enter PIN.

--
Regards Eion MacDonald
Not just *my* purchases by phorm · 2013-05-21 04:45 · Score: 1

How about those of the person in line in-front-of/behind me?
If I have a receipt showing I paid for something via debit and Visa also charged me, I'm probably good. How do I show that I didn't pay for what was actually Bob's groceries?