[LINK] Bank turns London man into RFID-enabled guinea pig

Bernard Robertson-Dunn brd at iimetro.com.au
Mon Jan 28 09:52:07 AEDT 2008 

Bank turns London man into RFID-enabled guinea pig
Halifax customer bites back
By John Leyden
Sunday 27th January 2008 07:02 GMT
The Register
http://www.theregister.co.uk/2008/01/27/paywave/

The Halifax bank is enrolling unsuspecting customers in trials of a new 
generation of RFID-enabled bank cards, and trying to keep them in the 
program even if they have mis-givings about the wave and pay technology.

PayWave <http://www.visapaywave.co.uk/html/getit.html> allows punters to 
debit their account without having to enter a PIN or sign for goods 
valued at less than £10.

The RFID-based technology, backed by Visa, is being rolled out by UK 
banks Barclays and Halifax, as well as others 
<http://www.visaeurope.com/personal/paywave/apply/main.jsp> on the 
continent. Mastercard is backing a similar technology called PayPass.

Halifax is introducing the technology in London to a number of punters, 
including Reg reader Pete.

Pete, a current account holder at Halifax, was among those issued with a 
new card. He didn't want to use the unsolicited technology and his 
attempts to receive an alternative card, though ultimately successful, 
proved frustrating.

"I have to input my PIN the very first time I use this 'Paywave' card, 
but after that it is automatically authorised to work for all 
transactions under £10," Pete explained. "I put the new card straight in 
the bin - in fact, I shredded it and put it in several different bins. I 
don't want this highly insecure-sounding facility, and I never use a 
debit card for retail transactions anyway."

Pete thought no more of the card assuming his old plastic, which had 
months left to run, would continue to be useable. But when he went to 
his local bank in early December to get some cash the ATM refused the 
transaction and retained his card.

Bank staff, having verified Pete's identity, were not immediately able 
to work out why the card had been retained. They gave him back his card 
but, after other attempts to use his card failed, he was faced with the 
chore of getting his card replaced. After calling Halifax's helpline, 
Pete was told that the (unsolicited) issue of the contactless card had 
automatically cancelled his original card, something not mentioned in 
the paperwork that came with the old card, according to Pete.

"Halifax are cancelling peoples' bank cards without permission and 
without even telling them, and forcing them to use these new cards, 
which as far as I know nobody has asked for," Pete told El Reg

"Who wants these things? Not me. And is there no limit to the level of 
insecurity they want to introduce to their cards? I guess not, so long 
as the cardholder can be stuck with the liability," he added.

A replacement card also came with the unwanted contactless card 
technology. Curiously, Pete's wife didn't get a contactless card even 
though she is joint holder of the same Halifax account.

Ultimately, after complaining long and loud, Pete has now received a 
non-Paywave bank card from Halifax. The incident has left him far from 
satisfied. Halifax turned down Pete's request for compensation.

Halifax declined to speak about individual cases, but confirmed it was 
conducting a trial of the technology across London, prior to a 
nationwide rollout.

A spokesman for banking association APACS said whether customers had the 
ability to refuse new technologies was "card issuer dependant".

Barclays is also introducing the technology in the UK. A developer 
familiar with Barclays plans said it, like Halifax, is rolling out the 
technology in London in advance of the rest of the country, both as a 
test-bed for the technology and because Londoners are more used to using 
RFID-enabled technology in the form of Oyster travel cards.

Barclays has created a triple-function card (called OnePulse 
<http://www.barclaycard.co.uk/landing/BarclaycardOnePulse01.html?&TC=ASGLX16053>) 
that combines a traditional credit card with PayWave and also with 
Oyster on-board as a separate application.

"Barclays and a couple of other banks were bidding to effectively take 
over Oyster and subsume it into a larger payment scheme using the 
less-proprietary Visa and Mastercard technology, but these negotiations 
fell apart," he added.

Our source noted that the maximum transaction value for contactless 
purchases is typically £10, which mitigates the increased risk of using 
the cards.

"Major customer education issues still need to be overcome before 
everyone is happy to use this as a cash-replacement technology, which is 
what the banks and retailers want," he said. "It's certainly a very 
interesting privacy issue if banks are including the contactless chips 
in 'standard' credit cards without asking, especially since the 
transactions are effectively unsecured because no PIN is needed.

"On the privacy issue, there is likely to be a growing number of stories 
and attempts at hacking and skimming contactless cards, once they are 
out in the wild, and whether or not the risks to consumers are real, 
they need to understand the issues and risks."

Our source added that the situation created a market for niche security 
firms to develop products that protect contactless-enabled cards from 
"uninvited attempts to communicate with them", in response to security 
concerns about the possible misuse 
<http://www.guardian.co.uk/money/2007/nov/17/moneysupplement.consumeraffairs> 
of the technology to perpetrate fraud.

Whether the likes of Pete will be reassured by extra security controls 
on a type of card they have had forced on them in the fist place remains 
to be seen.

-- 

Regards
brd

Bernard Robertson-Dunn
Sydney Australia
brd at iimetro.com.au

More information about the Link mailing list