Slashdot Mirror


UK Consumers Reporting Contactless Payment Errors

leathered writes "The BBC reports that some customers of UK retailer Marks and Spencer have reported that the store's contactless payment terminals have debited their cards despite being in their bags or pockets, sometimes paying twice when they have used another payment method. The cards are supposed to work only when the card comes within 4cm of the terminal. Customers of fast-food chain Pret a Manger have been reporting similar problems, and in both cases cited, the customers weren't even aware they had been issued with NFC-enabled cards by their bank."

43 of 193 comments

  1. Double payments by chromas · · Score: 4, Insightful

    sometimes paying twice when they have used another payment method.

    Why is the software even accepting a new payment? Shouldn't the balance already be 0 by then?

    1. Re:Double payments by Skapare · · Score: 4, Insightful

      You mean like that stupidity of charging twice for the same shopping cart serial number when the final button is pressed twice? You get this shit when you let morons design it.

      --
      now we need to go OSS in diesel cars
    2. Re:Double payments by mjwx · · Score: 3, Interesting

      sometimes paying twice when they have used another payment method.

      Why is the software even accepting a new payment? Shouldn't the balance already be 0 by then?

      Because the software is shit.

      Having dealt with a few Point Of Sale systems I can say that the acronym POS is no accident.

      A lot of systems are just Windows systems with a program like Pronto Xi running on top. It's not unusual for these terminals to be running Windows XP. The back end is usually pretty good but the software really suffers on the front end and the front end is where we tend to get most of the errors.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    3. Re:Double payments by ericloewe · · Score: 4, Informative

      Some POS systems are not integrated with the card payment terminal. You click "visa" for instance, and the POS system assumes a valid card payment has been made. The payment is then made in a separate terminal which issues a receipt for the payment, which should be kept with the purchase receipt.

    4. Re:Double payments by Anonymous Coward · · Score: 2, Informative

      Yes, the good old USA where we still have to use checks for many scenarios, have credit cards without even an attempt at authentication (yes, chip and PIN implementations have been flawed, but we don't even try here) and where anyone who knows your number can apparently charge on your card and all you can do is dispute the charges and get a new number (I've had to do this 3 times now over 30 years of having cards). I'd love to use Google Wallet on my phone. At least it makes you approve the transaction and isn't automatic. But of course even at the few retailers that accept it, it doesn't work about half the time.

      We in the US are very backwards on payment systems. The idiotic companies claim it will cost too much to modernize. Sure, it must have cost too much everywhere else too - that's why they all stagnated. Oh, wait... They didn't. It is the same thing with measurement systems. We can't possibly modernize and use the new stuff. They always claim either that it costs too much or that we have too many stupid people or something. Idiots in charge...

    5. Re:Double payments by Jesus_666 · · Score: 3, Insightful

      The question is how often you want to resend the packets. What happens if the connection is genuinely down for, say, five minutes? Do you keep resending packets until eternity? Do you just have the user redo everything up until the purchase screen? Depending on the intended target audience the latter might not be an acceptable answer.

      For example, at my company we do most of our business with tech-unsavvy businesses. The people who make the buying decisions are usually impatient and capricious and very averse to entering their data more than once. Also, any problem is attributed to us, even if it's a network outage on their end. If their connection to us goes down they expect to continue the ordering process exactly where they left off or they will reconsider the entire deal. Some will take weeks to make room in their apparently ultra-busy schedules to go through our (phone-assisted) ordering process once. If there is a problem that they can't trivially recover from that means waiting for a few weeks more. "Just have them redo the last few steps" comes with an unspoken "and lose a few sales".

      The problem is that you're facing (potential) customers. Just like in every customer-facing situation that means that you end up dealing with a number of people who don't want to bother actually having realistic expectations. Depending on your business, these potential customers may be expendable or they may be critical to your success. If the latter applies then you have to bend over backwards to allow behavior that we consider wrong but they consider logical.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    6. Re:Double payments by AmiMoJo · · Score: 2

      It's operator error. The person on the till is confused by the customer trying to insert their card into the reader even though it already appears to have made the transaction. They put it through again and the customer gets charged twice.

      It sounds too stupid to be true, but that is apparently what is happening.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
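The question chromas raises (why does the till accept a second tender when the balance is already 0?) and the double-scan scenario AmiMoJo describes come down to whether the POS ledger enforces idempotency at the tender step. The following is an added example, not code from any POS product named in the thread; the Basket and TenderLedger names, the terminal reference scheme and the sample amounts are all constructed for illustration.

```python
"""Toy POS tender ledger that refuses a tender once a basket is settled and
rejects a replayed terminal reference. Hypothetical design, not a real POS API."""
from dataclasses import dataclass, field
from decimal import Decimal


class TenderRejected(Exception):
    """Raised when a tender must not be applied to the basket."""


@dataclass
class Basket:
    basket_id: str
    total: Decimal
    tenders: list = field(default_factory=list)  # (method, amount, terminal_ref)

    @property
    def outstanding(self) -> Decimal:
        paid = sum((amount for _, amount, _ in self.tenders), Decimal("0"))
        return self.total - paid


class TenderLedger:
    def __init__(self) -> None:
        self.baskets: dict = {}
        self.seen_refs: set = set()  # terminal references already applied

    def open_basket(self, basket_id: str, total: Decimal) -> Basket:
        basket = Basket(basket_id, total)
        self.baskets[basket_id] = basket
        return basket

    def apply_tender(self, basket_id: str, method: str, amount: Decimal,
                     terminal_ref: str) -> Decimal:
        """Apply one tender and return the remaining balance.

        Ordering of the checks matters: a retransmitted terminal receipt is
        rejected as a duplicate before the balance is even consulted, and a
        settled basket never accepts another tender (that is a refund, not a sale).
        """
        basket = self.baskets[basket_id]
        if terminal_ref in self.seen_refs:
            raise TenderRejected("duplicate terminal reference")
        if basket.outstanding <= 0:
            raise TenderRejected("basket already settled; refund path required")
        if amount > basket.outstanding:
            raise TenderRejected("tender exceeds outstanding balance")
        basket.tenders.append((method, amount, terminal_ref))
        self.seen_refs.add(terminal_ref)
        return basket.outstanding


def demo() -> dict:
    """Constructed scenario mirroring the thread: a contactless read settles the
    basket, then the cashier runs the card again, then the terminal retransmits."""
    ledger = TenderLedger()
    ledger.open_basket("B1", Decimal("4.50"))
    left = ledger.apply_tender("B1", "contactless", Decimal("4.50"), "T-0001")

    try:  # confused cashier puts the card through a second time
        ledger.apply_tender("B1", "chip_and_pin", Decimal("4.50"), "T-0002")
        second = "accepted"
    except TenderRejected as exc:
        second = str(exc)

    try:  # the terminal retransmits the same receipt reference
        ledger.apply_tender("B1", "contactless", Decimal("4.50"), "T-0001")
        replay = "accepted"
    except TenderRejected as exc:
        replay = str(exc)

    # Split tender on a second basket still works: partial tenders are fine
    # as long as each one fits inside the outstanding balance.
    ledger.open_basket("B2", Decimal("10.00"))
    after_cash = ledger.apply_tender("B2", "cash", Decimal("4.00"), "T-0003")
    after_card = ledger.apply_tender("B2", "contactless", Decimal("6.00"), "T-0004")

    return {"after_first": left, "second_attempt": second, "replay": replay,
            "split_after_cash": after_cash, "split_after_card": after_card}


if __name__ == "__main__":
    print(demo())
```

The point of the ordering is that the "already settled" check is the one that would have stopped the double charge in the thread: a second tender against a zero balance is never a sale, so the till should route the cashier to a refund or void rather than silently taking the money again.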
  2. tinfoil wallets by biodata · · Score: 3, Interesting

    Suddenly they are becoming popular - Icelandair are selling one on the inflight goodies list, as are various designer shops in Reykjavik.

    --
    Korma: Good
    1. Re:tinfoil wallets by The Archon V2.0 · · Score: 3, Interesting

      My bank rolled out contactless cards... by mailing one to me. No notification to me, preactivated, no PIN needed for purchases under $200.

      I went there and bitched them out about it and they really could not understand why I was mad.

    2. Re:tinfoil wallets by DamonHD · · Score: 2

      My card issuer decided to push me a personal NFC card, without asking.

      They would not disable it (claimed they could not) or issue me a card without one activated (again, claimed that they could not).

      So it sits unused in my desk drawer as I told them it would, and another less high-handed card issuer gets my transactions.

      (They did the same with my business VISA, but when I phoned to complain and asked them to disable NFC they said "yes" which means they were probably lying either then, or when they told me they could not disable it on my personal card.)

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    3. Re:tinfoil wallets by innocent_white_lamb · · Score: 2

      I just bought one of these a couple of weeks back:

      http://www.thinkgeek.com/product/8cdd/

      It's surprisingly good quality for $20, too.

      I decided to buy it after reading this:

      http://www.cbc.ca/news/canada/manitoba/story/2013/04/23/mb-smartphones-skimmer-credit-card-winnipeg.html

      --
      If you're a zombie and you know it, bite your friend!
    4. Re:tinfoil wallets by thegarbz · · Score: 2

      The antenna goes around the outside of the card. Cut a notch with scissors about 5mm into the card (opposite side of the magnetic stripe) and you've disabled the contactless portion.

    5. Re:tinfoil wallets by ranulf · · Score: 2

      I actually quite like contactless payment when I have had the chance to use it ...

      I quite like it too, when I only had one card - I could just wave my wallet over the machine and it'd work. Now every bank card I own has been upgraded without me having any say in the matter, they interfere with each other when they're all in my wallet and now I have to take the card out to use it. Once I've done that, I might as well also enter the PIN and prove it's me.

      I too really hate the fact that these cards were sent to me in the post, pre-activated, without even informing me they were coming and in one case with over 9 months left on my existing card. They could easily have been intercepted and I'd never even have known as I'd have just carried on using the old card.

  3. Tap And Go Bankrupt by Anonymous Coward · · Score: 4, Funny

    Quick, buy stock in companies selling RF-blocking wallets and bags

    And don't forget fashion - my electric-blue aluminium wallet pairs nicely with my neon-green tinfoil hat!

  4. Payment without user confirmation by Hentes · · Score: 5, Insightful

    Who would've thought that it's a bad idea?

    1. Re:Payment without user confirmation by beelsebob · · Score: 3, Informative

      If I had mod points, you would get them... I really genuinely don't get why no one saw this coming.

    2. Re:Payment without user confirmation by click2005 · · Score: 4, Insightful

      Everyone saw this coming. The banks, card companies & shops just didn't care.

      Unlike purchases over £100 where the CC company is liable for half of all losses, you can bet we'll end up paying for any losses either directly or through price increases.

      --
      I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
    3. Re:Payment without user confirmation by AmiMoJo · · Score: 2

      In the UK the card issuer is liable for all the losses due to fraud or clerical errors.

      The £100 rule is that any item worth over £100 and paid for in whole or in part on credit card makes the card issuer liable as the vendor. In the event of a problem they have the same responsibility to sort it out as the seller does.

      The card issuers certainly do care because they want contactless payment to become popular. If it is abused or doesn't work people will carry on paying for small items in cash instead of generating revenue for the card issuer.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. Wisdom of the paranoid ages by macraig · · Score: 2

    Tinfoil is your friend. Always has been, always will be.

    1. Re:Wisdom of the paranoid ages by Lee_Dailey · · Score: 3, Informative

      howdy y'all,

      is tin foil available any more? i looked the other day and only found aluminum foil. i have an old roll of tin foil stashed in the back of one of my closets that i got from my mom when i 1st went to college. i aint seen any _tin_ foil in decades ...

      take care,
      lee

    2. Re:Wisdom of the paranoid ages by BasilBrush · · Score: 2

      I've got some tin foil stored in a steel tin.

    3. Re:Wisdom of the paranoid ages by Beardo the Bearded · · Score: 2

      You can get adhesive copper foil. That's the better tool for this.

      --
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  6. Why by markdavis · · Score: 5, Insightful

    And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.

    It reminds me of the phone pay-with-phone thing. I have to carry a wallet anyway for ID and other important documents (and yes, cash, which is the ultimate fall-back and non-tracking/anonymous payment method). Yes, I will also carry my phone. So it is somehow faster and more convenient to take my phone out of my holster, turn it "on", unlock it, launch a payment app, enter some stuff, position it correctly on a terminal, press some confirmation keys, turn it back off, and put it back into its holster. That is faster?

    Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use- and all us consumers are paying for that. At least I have noticed gas pumps and some other devices asking me for my zip code.... better than nothing I suppose.

    1. Re:Why by Jmc23 · · Score: 2

      Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use- and all us consumers are paying for that. At least I have noticed gas pumps and some other devices asking me for my zip code.... better than nothing I suppose.

      Hate those stupid gas pumps. Useless if your card is from outside the US.

      --
      Don't complain about syntax, grammar, or spelling. There is no.hell like input on android.
    2. Re:Why by CrashandDie · · Score: 3, Interesting

      A lot of credit cards in the UK have the Chip'n'Pin system, which requires a physical connection to be made to the payment terminal. Simply "swiping" becomes less and less common, so people have to type their PIN every 5 minutes to pay for a few quid worth of $product. I used to work in the industry, and there was a certain amount of pressure from consumers to be able to do something as quickly and effortlessly as possible, but the magstrip simply isn't deemed secure enough.

      The idea was to use NFC, so people could just wave their card for any purchase under 10 or 20 quid, and be on their merry way.

    3. Re:Why by gl4ss · · Score: 2

      And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.

      It reminds me of the phone pay-with-phone thing. I have to carry a wallet anyway for ID and other important documents (and yes, cash, which is the ultimate fall-back and non-tracking/anonymous payment method). Yes, I will also carry my phone. So it is somehow faster and more convenient to take my phone out of my holster, turn it "on", unlock it, launch a payment app, enter some stuff, position it correctly on a terminal, press some confirmation keys, turn it back off, and put it back into its holster. That is faster?

      Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use- and all us consumers are paying for that. At least I have noticed gas pumps and some other devices asking me for my zip code.... better than nothing I suppose.

      plenty of countries have gone pretty much all chips. you stick the card in, put in the pin and the payment is done.
      nothing wrong with that, except if for bus fares etc.. if you need extremely fast throughput of people then contactless is nice.

      contactless without pin for your usual every day big money card though.. that's just fucking stupid. like having all your money in cash in your pocket. which geniuses came up with that?

      --
      world was created 5 seconds before this post as it is.
    4. Re:Why by willb · · Score: 4, Informative

      Hate those stupid gas pumps. Useless if your card is from outside the US.

      Actually there is a way to use this even if your card is from outside the US. For example I have cards from Canada and the convention is to use the numbers from your postal code and add 00 at the end. It works well. If yours is from another country google around, they might have a convention on how to get the "ZIP" code you're supposed to use.

    5. Re:Why by JustOK · · Score: 4, Funny

      I thought in the UK chips were called crisps.

      --
      rewriting history since 2109
    6. Re:Why by kav2k · · Score: 4, Interesting

      And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.

      Contactless payments differ a lot from magnetic stripe swiping, invisible barcodes etc.

      They are not static information but an active challenge-response authentication system. You cannot clone the chip; it has an internal cryptographic secret it does not allow you to access, only challenge responses. You can trick it into authorizing a purchase you don't want if you're in physical proximity, which is happening here, but you cannot save that authorization for later use, since the bank is issuing the challenge here, just like with a chip-and-pin purchase. The whole point is to ensure that this is really the actual card.

      So the main problem is the lack of user interaction to go ahead with the purchase. A touch button on the card itself would help, but would destroy part of the convenience.

    7. Re:Why by dadelbunts · · Score: 2

      Not only that, but it's come to the point where paying cash is faster. I go to walgreens, swipe my card, before i even enter my pin it asks me if i want to donate to something. Then i get to enter my pin and tell it if i want cash back or not. Then i get to verify the amount and press another button. Or i can just give the cashier a 10 dollar bill and be done with it.

    8. Re:Why by zazzel · · Score: 2

      Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something

      Uh, so you don't already HAVE chips?! My EC card has had them for years. All ATMs use the chip, and magnetic strips only work as a fallback option (though there are safeguards against simply using a copied card without chip).

      I am curious, what are the options for online banking in the US today? When I was a customer of Citibank in the US in 2001, it was just username/password (I had an HBCI encryption chip on my German card then...)

    9. Re:Why by kav2k · · Score: 2

      Well, my point wasn't that the original card is impossible to clone given physical access to the card. My point is that using only radio communication with the chip, it is not possible to clone it. I imagine that NFC stuff and the crypto module are isolated, and the hardware crypto module quite literally has only one command exposed, to generate a response to a challenge. So neither passive (when you hear the challenge and the response) nor active (when you can submit challenges yourself) attacks can give you the required key, even if you can find a bug in NFC that you can exploit.

      As for complex protocols. I'm a logician working with proof theory. There have been precedents of full formal verifications of such protocols that, given a set of assumptions about the hardware, can exclude any possibility of a flaw in the protocol itself. Example 1, example 2. It's usually very hard, but can be done, and gives the same rigor as normal mathematical proofs.

      Smart card security isn't new. So it's a reasonably mature concept, but it has usability problems in this application.
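kav2k's two comments above (that the card holds a secret it never reveals, answers only challenges, binds each answer to that challenge so it cannot be saved for later, and that neither listening to exchanges nor issuing your own challenges yields the key) can be shown with a small simulation. The following is an added example, not code from the thread or from any card scheme; it uses an HMAC over a counter, amount and challenge as a stand-in for a real card cryptogram, and the Card, Issuer, Terminal and ReplayCard names are hypothetical.

```python
"""Toy challenge-response between a card, a terminal and the issuing bank.
Simplified illustration only: real contactless cards use a different
cryptogram construction, not this HMAC toy."""
import hashlib
import hmac
import secrets


def _mac(key: bytes, atc: int, amount_pence: int, challenge: bytes) -> bytes:
    """Response bound to the transaction counter, the amount and the challenge."""
    msg = atc.to_bytes(4, "big") + amount_pence.to_bytes(4, "big") + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Models the isolated crypto module: the key is stored but never returned;
    the only operation exposed is 'answer this challenge'."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._atc = 0  # application transaction counter, increments per use

    def respond(self, challenge: bytes, amount_pence: int) -> tuple:
        self._atc += 1
        return self._atc, _mac(self._key, self._atc, amount_pence, challenge)


class Issuer:
    """Bank side: shares the key, checks the response, rejects stale counters."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_atc = 0

    def verify(self, challenge: bytes, amount_pence: int, atc: int, response: bytes) -> bool:
        if atc <= self._last_atc:  # replayed or rolled-back counter
            return False
        expected = _mac(self._key, atc, amount_pence, challenge)
        ok = hmac.compare_digest(expected, response)
        if ok:
            self._last_atc = atc
        return ok


class Terminal:
    def __init__(self, issuer: Issuer) -> None:
        self.issuer = issuer

    def purchase(self, card, amount_pence: int) -> tuple:
        """Returns (approved, transcript); the transcript is what a listener sees."""
        challenge = secrets.token_bytes(8)  # fresh, unpredictable per purchase
        atc, response = card.respond(challenge, amount_pence)
        approved = self.issuer.verify(challenge, amount_pence, atc, response)
        return approved, (challenge, amount_pence, atc, response)


class ReplayCard:
    """A 'clone' built only from observed transcripts: it has answers but no key,
    so the best it can do is repeat a recorded response."""

    def __init__(self, transcripts: list) -> None:
        self.transcripts = transcripts

    def respond(self, challenge: bytes, amount_pence: int) -> tuple:
        _, _, atc, response = self.transcripts[-1]
        return atc, response


def demo() -> dict:
    key = secrets.token_bytes(16)  # constructed card key
    card, issuer = Card(key), Issuer(key)
    terminal = Terminal(issuer)
    results = {}

    approved, transcript = terminal.purchase(card, 450)
    results["genuine"] = approved

    # Passive listener: recorded one transcript and presents it again.
    results["replay"] = terminal.purchase(ReplayCard([transcript]), 450)[0]

    # Active probing: ask the real card 1000 challenges of one's own choosing,
    # then build a clone from the answers. The key never appears in any answer.
    probes = []
    for _ in range(1000):
        c = secrets.token_bytes(8)
        atc, response = card.respond(c, 450)
        probes.append((c, 450, atc, response))
    results["probe_then_clone"] = terminal.purchase(ReplayCard(probes), 450)[0]

    # The genuine card still works afterwards: its counter has moved forward.
    results["genuine_after_probe"] = terminal.purchase(card, 250)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The simulation also shows the limit kav2k notes: an attacker in radio range can obtain a valid answer from the card (the probing loop does exactly that), which is why proximity alone is enough to trigger an unwanted purchase, but that answer is useless for any later challenge, so nothing reusable leaves the card.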

    10. Re:Why by jonbryce · · Score: 2

      In Europe, and most of the rest of the world, we use smart-chips when we aren't using contactless. There is a magnetic stripe on the card, but that is only so that the card can be used in the USA and other similarly backward countries.

    11. Re:Why by markdavis · · Score: 2

      No credit cards have that because you are talking about a debit card. I will not own a debit card with a credit card logo- it is just ASKING for trouble.

      If I want to use a credit card, I use a real credit card- which is using SOMEONE ELSE'S money until I pay for it. There is zero risk of my bank account being instantly drained for who knows how long.

    12. Re:Why by markdavis · · Score: 2

      >"Uh, so you don't already HAVE chips?! My EC card has had them for years. All ATMs use the chip, and magnetic strips only work as a fallback option (though there are safeguards against simply using a copied card without chip)."

      None of my USA credit cards have chips.
      My Bank of America debit/ATM card also has no chip.

      >"I am curious, what are the options for online banking in the US today? When I was a customer of Citibank in the US in 2001, it was just username/password (I had an HBCI encryption chip on my German card then...)"

      I can only speak to home/consumer use with Bank of America. They use a login, site image ID, and password for verification. The only other option is that F**KING "Rapport Trusteer" S**T software for MS-Windows-only that takes over your whole computer like a virus. BTW- we are *FORCED* to use that with SunTrust at work and it is a total NIGHTMARE, especially since we are nearly 100% Linux based. I have already recommended to the CFO and CEO we need to change banks because of it.

  7. Security Concern by Capt.Albatross · · Score: 4, Insightful

    While these incidents do not involve a security breach, they do indicate a sloppiness in the implementation, and so raise the concern that the system has been developed without the attention to detail that is a necessary (but not sufficient) prerequisite for security.

  8. in Soviet Russia by FudRucker · · Score: 4, Funny

    retail stores shoplift YOU!

    --
    Politics is Treachery, Religion is Brainwashing
  9. The NFC terminal shouldn't be active until needed by soramimicake · · Score: 2

    The hardware having the wrong range is probably pretty hard to avoid due to variance between terminals and problems keeping them all tuned over their lifetime.

    However, the NFC reader shouldn't be active until the customer has told the cashier he/she will be using a contactless card for payment and the cashier has enabled the reader.

    It wouldn't prevent reading the wrong card if the customer has several NFC cards, but it would at least prevent the kind of surprises shown in the article.

  10. Not a security breach? by Okian Warrior · · Score: 4, Insightful

    While these incidents do not involve a security breach...

    A vendor's machine can take money from me without my consent or knowledge.

    Apropos of nothing, what would constitute a security breach in your model?

    1. Re:Not a security breach? by julesh · · Score: 4, Insightful

      When they say it does not involve a security breach, what they mean is "it doesn't breach *our* security." Why do you think they give a shit about *your* security, exactly?

  11. Re:The NFC terminal shouldn't be active until need by Richy_T · · Score: 2

    The confirmation method has to be attached to the card otherwise it leaves open the option for rogue devices to drain your money.

  12. I am currently living in Europe. by bdwoolman · · Score: 2

    My Norwegian bank issued me a chip and pin card. I like it. The waitress or the teller never touches my card. I put it in the terminal when I see the total I am being charged. I punch in the PIN and the card verifies with the bank and the terminal prints a receipt. In a restaurant the server brings a wireless terminal to the table and I do the same thing. The protocol allows for a gratuity to be added. As long as no thug or dip looks over my shoulder and sees my PIN I feel pretty safe from fraud. I use this card all over the continent. My US cards work, but they are less secure and I get a nasty foreign transaction fee and a disadvantageous exchange rate. Chip and PIN rocks. Hard to believe consumers wearied of punching in a little PIN. Besides, for small purchases cash works. Near Field Communication payment is an idea whose time is yet to come. I do not want an experimental-stage NFC. It will be cool when all my products are fitted with RFID tags and my NFC payment fob is in my pocket. I walk out of the store with my basket, pause at a terminal to visually scan the inventory for which I am being charged (or not), confirm, then get the receipt beamed to my fob or smart phone. Until then the chip and pin is fine. I was wondering at the profusion of stainless steel wallets on Travel Smith. They were not all passport sized. Now I understand. It makes me wonder if my current chip and pin is NFC too. Feh! Makes me want to return to the good old days of cowrie shells.

    --
    "No fear. No envy. No meanness." Liam Clancy
  13. Re:how to get rid of NFC on a passport or credit c by Takatata · · Score: 2

    You forgot:
    8) Throw card away since it is useless now.

    No idea how it is in the USA, but in Europe the magnet strip is hardly used anymore. Too insecure. Some people even destroy it on purpose. Instead a chip in the card is used. Not a NFC chip. So, how do you destroy one chip in a microwave oven, but leave another chip on the same card intact?