Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Consumers Reporting Contactless Payment Errors

Posted by timothy on from the how-to-buy-a-hundred-subway-rides dept.

leathered writes "The BBC reports that some customers of UK retailer Marks and Spencer have reported that the store's contactless payment terminals have debited their cards despite being in their bags or pockets, sometimes paying twice when they have used another payment method. The cards are supposed to work only when the card comes within 4cm of the terminal. Customers of fast-food chain Pret a Manger have been reporting similar problems, and in both cases cited the customers weren't even aware they had been issued with NFC-enabled cards by their bank."

21 of 193 comments (clear)

  1. Double payments by chromas · · Score: 4, Insightful

    sometimes paying twice when they have used another payment method.

    Why is the software even accepting a new payment? Shouldn't the balance already be 0 by then?

    1. Re:Double payments by Skapare · · Score: 4, Insightful

      You mean like that stupidity of charging twice for the same shopping cart serial number when the final button is pressed twice? You get this shit when you let morons design it.

      --
      now we need to go OSS in diesel cars
    2. Re:Double payments by mjwx · · Score: 3, Interesting

      sometimes paying twice when they have used another payment method.

      Why is the software even accepting a new payment? Shouldn't the balance already be 0 by then?

      Because the software is shit.

      Having dealt with a few Point Of Sale systems I can say that the acronym POS is no accident.

      A lot of systems are just Windows systems with a program like Pronto Xi running on top. It's not unusual for these terminals to be running Windows XP. The back end is usually pretty good but the software really suffers on the front end and the front end is where we tend to get most of the errors.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    3. Re:Double payments by ericloewe · · Score: 4, Informative

      Some POS systems are not integrated with the card payment terminal. You click "visa" for instance, and the POS system assumes a valid card payment has been made. The payment is then made in a seperate terminal which issues a receipt for the payment, which should be kept with the purchase receipt.

    4. Re:Double payments by Jesus_666 · · Score: 3, Insightful

      The question is how often you want to resend the packets. What happens if the connection is genuinely down for, say, five minutes? Do you keep resending packets until eternity? Do you just have the user redo everything up until the purchase screen? Depending on the intended target audience the latter might not be an acceptable answer.

      For example, at my company we do most of our business with tech-unsavvy businesses. The people who make the buying decisions are usually impatient and capricious and very averse to entering their data more than once. Also, any problem is attributed to us, even if it's a network outage on their end. If their connection to us goes down they expect to continue the ordering process exactly where they left off or they will reconsider the entire deal. Some will take weeks to make room in their apparently ultra-busy schedules to go through our (phone-assisted) ordering process once. If there is a problem that they can't trivially recover from that means waiting for a few weeks more. "Just have them redo the last few steps" comes with an unspoken "and lose a few sales".

      The problem is that you're facing (potential) customers. Just like in every customer-facing situation that means that you end up dealing with a number of people who don't want to bother actually having realistic expectations. Depending on your business, these potential customers may be expendable or they may be critical to your success. If the latter applies then you have to bend over backwards to allow behavior that we consider wrong but they consider logical.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  2. tinfoil wallets by biodata · · Score: 3, Interesting

    Suddenly they are becoming popular - Icelandair are selling one on the inflight goodies list, as are various designer shops in Reykjavik.

    --
    Korma: Good
    1. Re:tinfoil wallets by The+Archon+V2.0 · · Score: 3, Interesting

      My bank rolled out contactless cards... by mailing one to me. No notification to me, preactivated, no PIN needed for purchases under $200.

      I went there and bitched them out about it and they really could not understand why I was mad.

  3. Tap And Go Bankrupt by Anonymous Coward · · Score: 4, Funny

    Quick, buy stock in companies selling RF-blocking wallets and bags

    And don't forget fashion - my electric-blue aluminium wallet pairs nicely with my neon-green tinfoil hat!

  4. Payment without user confirmation by Hentes · · Score: 5, Insightful

    Who would've thought that it's a bad idea?

    1. Re:Payment without user confirmation by beelsebob · · Score: 3, Informative

      If I had mod points, you would get them... I really genuinely don't get why no one saw this coming.

    2. Re:Payment without user confirmation by click2005 · · Score: 4, Insightful

      Everyone saw this coming. The banks, card companies & shops just didn't care.
      Unlike purchases over £100 where the CC company is liable for half of all losses, you can bet we'll end up paying for any losses
      either directly or through price increases.

      --
      I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
  5. Why by markdavis · · Score: 5, Insightful

    And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.

    It reminds me of the phone pay-with-phone thing. I have to carry a wallet anyway for ID and other important documents (and yes, cash, which is the ultimate fall-back and non-tracking/anonymous payment method). Yes, I will also carry my phone. So it is somehow faster and more convenient to take my phone out of my holster, turn it "on", unlock it, launch a payment app, enter some stuff, position it correctly on a terminal, press some confirmation keys, turn it back off, and put it back into its holster. That is faster?

    Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use- and all us consumers are paying for that. At least I have noticed gas pumps and some other devices asking me for my zip code.... better than nothing I suppose.

    1. Re:Why by CrashandDie · · Score: 3, Interesting

      A lot of credit cards in the UK have the Chip'n'Pin system, which requires a physical connection to be made to the payment terminal. Simply "swiping" becomes less and less common, so people have to type their PIN every 5 minutes to pay for a few quid worth of $product. I used to work in the industry, and there was a certain amount of pressure from consumers to be able to do something as quickly and effortlessly as possible, but the magstrip simply isn't deemed secure enough.

      The idea was to use NFC, so people could just wave their card for any purchase under 10 or 20 quid, and be on their merry way.

    2. Re:Why by willb · · Score: 4, Informative

      Hate those stupid gas pumps. Useless if your card is from outside the US.

      Actually there is a way to use this even if your card is from outside the US. For example I have cards from Canada and the convention is to use the numbers from your postal code and add 00 at the end. It works well. If yours is from another country google around, they might have a convention on how to get the "ZIP" code you're supposed to use.

    3. Re:Why by JustOK · · Score: 4, Funny

      I thought in the UK chips were called crisps.

      --
      rewriting history since 2109
    4. Re:Why by kav2k · · Score: 4, Interesting

      And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.

      Contactless payments differ a lot from magnetic stripe swiping, invisible barcodes etc.

      They are not static information but an active challenge-response authentication system. You cannot clone the chip; it has an internal cryptographic secret it does not allow you to access, only challenge responses. You can trick it into authorizing a purchase you don't want if you're in physical proximity, which is happening here, but you cannot save that authorization for later use, since the bank is issuing the challenge here, just like with a chip-and-pin purchase. The whole point is to ensure that this is really the actual card.

      So the main problem is the lack of user interaction to go ahead with the purchase. A touch button on the card itself would help, but would destroy part of the convenience.

  6. Security Concern by Capt.Albatross · · Score: 4, Insightful

    While these incidents do not involve a security breach, they do indicate a sloppiness in the implementation, and so raise the concern that the system has been developed without the attention to detail that is a necessary (but not sufficient) prerequisite for security.

  7. in Soviet Russia by FudRucker · · Score: 4, Funny

    retail stores shoplift YOU!

    --
    Politics is Treachery, Religion is Brainwashing
  8. Re:Wisdom of the paranoid ages by Lee_Dailey · · Score: 3, Informative

    howdy y'all,

    is tin foil available any more? i looked the other day and only found aluminum foil. i have an old roll of tin foil stashed in the back of one of my closets that i got from my mom when i 1st went to college. i aint seen any _tin_ foil in decades ...

    take care,
    lee

  9. Not a security breach? by Okian+Warrior · · Score: 4, Insightful

    While these incidents do not involve a security breach...

    A vendor's machine can take money from me without my consent or knowledge.

    Apropos of nothing, what would constitute a security breach in your model?

    1. Re:Not a security breach? by julesh · · Score: 4, Insightful

      When they say it does not involve a security breach, what they mean is "it doesn't breach *our* security." Why do you think they give a shit about *your* security, exactly?