[LINK] Contactless Credit Cards in Oz

Roger Clarke Roger.Clarke at xamax.com.au
Wed Jan 6 15:50:15 AEDT 2010


(Thanks to link and privacy list subscribers for their pointers, on 
and off list!  I've flung together the following quick analysis).


The two competing offerings are Mastercard Paypass and Visa PayWave:
http://en.wikipedia.org/wiki/Paypass#PayPass
http://en.wikipedia.org/wiki/Visa_Inc.#New_services.2C_security

These are indeed being implemented by several banks in Australia.

The functionality is in a substantial number of credit-cards already.

It appears that the schemes of CommBank, NAB and HSBC/Woolworths may 
already be operational, and that ANZ's may be shortly.

See this article of 9 Nov 2009:
http://www.creditcards.com.au/news/2009/11/9/more-banks-now-introducing-contactless-credit-cards-payment-systems/

The following notes consider the consumer protection aspects.  (There 
are also anti-competitive aspects, because the terminals abandon the 
any-card/any-terminal arrangement that ushered in the EFTPOS era. 
The ACCC appears to be letting that happen).


Summary

Overall, based on a very brisk assessment ...

Consumer protections may be far too weak.

Until now, Card Present transactions required some form of 
authentication that the person presenting the card was authorised to 
use the card.

Card Not Present transactions lacked the authentication requirement, 
but consumers were protected (provided that they reconciled their 
accounts, and went to the effort of working through the bank's 
procedures).

That's because CNP transactions that were disputed were essentially 
always credited back to the consumer and charged back against the 
merchant.

I wonder what the Consumer EFTS Code says about this new form of 
unauthenticated Card Present transaction:
http://www.fido.gov.au/fido/fido.nsf/byheadline/Electronic+Funds+Transfer+%28EFT%29+Code+of+Conduct?openDocument
http://www.fido.gov.au/asic/pdflib.nsf/LookupByFileName/eft-code-nov2008.pdf/$file/eft-code-nov2008.pdf

[It's a non-trivial exercise to apply the Code to this situation, and 
I'm not about to attempt it 'on the fly'!]

And I wonder what consultations ASIC, Visa, MasterCard, Woolworths 
and each of the banks have had with consumer and privacy advocacy 
organisations about this.

_____________________


1.  Consent

Unlike a contact-based chip, a contactless chip and antenna are 
generally not visible, because they are embedded inside the card.

Is there something on every Mastercard Paypass card and every Visa 
PayWave card that clearly communicates to the cardholder that the 
card contains a contactless chip?

There's a consent issue of a serious nature:
-   is each card-holder informed of this functionality?
-   is the functionality by default switched off?
-   does the card-holder have to consent before it's switched on?
-   does the card-holder have adequate information that they can
     appreciate the nature of the service before they switch it on?
-   is there a way in which a card-holder can test whether there is
     switched-on contactless-card functionality in their card?


2.  Consumer Protection and Visa PayWave

http://www.visa-asia.com/ap/au/cardholders/paywave/how-it-works.html
(a horrible, over-engineered not-really-a-web-page)

"You don't have to sign anything or enter a PIN for purchases under $100"
"For purchases over A$100 a signature or PIN is required.
(My memory is that the original discussions were about a $25 limit)

"Hold your card within 5 cm of the secure contactless reader.
"Your card has to be waved within 5 centimetres of the card reader 
for more than half a second

[That sounds too much like magic.

[And it begs the question about what prevents a rogue terminal, 
whether within 5cm or in the grey zone beyond 5cm, generating a 
transaction based on its conversation with the contactless card.

"EMV chip technology ... provides both data protection and 
transaction security via the use of keys and the latest encryption 
technology.
"Visa payWave-enabled cards are just as secure as any other Visa chip 
card and carry the same multiple layers of security protection, 
including Zero Liability, which ensures you are not responsible for 
fraudulent or unauthorized transactions. In addition, with Visa 
payWave, you retain control of your card during the transaction, 
which reduces the risk of fraud.

[Authentication and encryption processes are necessary;  but they're 
not easy to implement because of the processor power and time 
constraints.  The information provided in the FAQ is inadequate. 
Where's the pointer to the certification written by an independent 
security consultancy and backed up by warranties and indemnities?]

"You can then remove your card and the transaction will be complete.
[i.e. consent is given to the transaction merely by placing the card 
inside the relevant field - which is stated to be within 5 cm / 2 
inches from the reader, i.e. about the card's height]

"You can choose to have a receipt, but this is optional.

" ... the transaction is automatically routed through the credit 
button, whether you're making the purchase on a Visa Credit, Debit or 
Prepaid card. So there's no need to press any buttons. The 
transaction will automatically be routed to the transaction account 
or line of credit linked to your card.

[I find the proposition quite amazing that a non-credit card could 
generate a credit-card transaction.  Perhaps they mean that it won't 
work if you don't have a credit-card;  but if you have a credit-card 
as well as a debit-card or prepaid-card, you still generate a credit 
transaction!?]


3.  Consumer Protection and MasterCard's PayPass

MasterCard's page is much harder to find:
http://www.mastercard.com/au/merchant/en/solutions_resources/paypass/index.html

At a quick glance, the primary difference is that MC have slid the 
threshold up to $35 rather than all the way up to $100 as done by 
Visa.

But if Ivan's daughter has "had one since June from the same bank, 
but used as a debit card", maybe MasterCard permits transactions 
directly against a person's bank account rather than against 
revolving credit??

That would also be a first, and would raise additional, and very 
serious, questions about the protections available to consumers.


4.  Other Resources

Here's NAB's page:
http://www.nab.com.au/paywave
"NAB will reimburse you 100% of any amount fraudulently removed from 
your account if, despite our defences, you're a victim of fraud. Of 
course your responsibilities when operating your account still apply."
[But is that a term imposed by the law, or at least by a strong Code 
that is enforceable and actually enforced;  or is that a term that 
the NAB can modify or cancel as it sees fit?]

Here's Commbank's page:
http://www.commbank.com.au/personal/credit-cards/paypass.aspx

Here's Woolworth's/HSBC ePump program, which would appear to be an 
application of MasterCard PayPass, limited to petrol pumps? only at 
present?
https://www.everydaymoney.com.au/edm/wps/portal/money/aboutthecard

Here's a promo at a major location:
http://www.macquarie.com.au/au/creditcards/platinum/visa_paywave.htm


[I co-wrote a somewhat relevant piece on consumer device insecurity here:
http://www.rogerclarke.com/II/ConsDevSecy.html


-- 
Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University


