[LINK] itNews: 'Westpac trials contactless mobile payments'

Roger Clarke Roger.Clarke at xamax.com.au
Tue Aug 7 11:14:48 AEST 2012


At 9:33 +1000 7/8/12, Stephen Wilson wrote:
>>>If this application is using the tamper resistant "Secure Element" in
>>>the phone and if the software is carefully written, then this class of
>>>contactless payments is actually very secure.

On Mon, Aug 6, 2012 at 4:53 PM, Roger Clarke 
<Roger.Clarke at xamax.com.au> wrote:
>>Secure against which categories of threat?
>>Transactions that the individual wasn't aware of, even though they
>>had possession of the device at the time?

At 17:53 -0700 6/8/12, Scott Howard wrote:
>Yes, phones CAN protect against this one!  Obviously I haven't seen 
>the Westpac example, but Google Wallet forces you to set a 4 digit 
>PIN that must be entered before you can make a purchase, thus 
>completely removing the "wasn't aware of" transactions.

I was focussing on the Westpac scheme and the predecessor, ComBank Kaching.

As I understand it, they use, and allow, *no* authenticator, of any kind.


>>Transactions in an amount different from what the individual thought
>>they were paying?

>No different to any normal credit card.

With most categories of credit card transaction, you get a voucher. 
(With some Card Not Present / CNP transactions, particularly over the 
phone, that's not so).

With payment processes based on contactless cards / RFID / NFC chips, 
vouchers have increasingly become an option rather than being 
auto-generated, and the offer of a voucher is becoming less common 
and consumers have to ask for one.

A consumer who doesn't get a voucher is far less likely to notice the error.

In the absence of a voucher, they are also prevented from reconciling 
their statement, and - even if they find the error and contest it - 
they are unable to provide any evidence in support of their claim.

As rogue merchants become more aware of the new realities with these 
payment schemes, the incidence of 'errors' can be expected to 
increase.  And, unlike the current situation - in which errors may be 
too high or too low - the new breed of 'errors' will be almost always 
too high.


>>Processing of credits where the amount is recognised just after
>>processing to have been wrong?

>No different to any normal credit card.

Are you *sure* that Westpac and Kaching enable a credit back against 
re-presentation of the same card into the same read-zone?

Personally I'm not sure, which is why I had a question-mark there.


>>Transactions conducted by a person in possession of the device, but
>>not authorised to conduct transactions?

>Covered by the PIN code.

In order for a consumer to successfully make a claim under the Code, 
a number of conditions need to be fulfilled:
-   the consumer has to discover they've been dudded
     (How?  Reconciliation of statements becomes a nightmare, with masses of
     transactions, misleading data on many line-items, and fewer vouchers)
-   the consumer has to discover how to make a claim
-   the consumer has to satisfy whatever requirements the organisation
     places on claimants
     (Does Westpac accept assertions without question?  Or does it ask for
     vouchers?  Does it accept a stat dec in lieu of a voucher?  Does the
     average mug punter know what a stat dec is and how to submit one?)
-   the consumer has to be persistent and patient enough to go through
     the multiple iterations and weeks-if-not-months that banks build into
     their refund-claims processes in order to dissuade casual claimants

Sure, it's fine to say that it's up to the consumer to take action to 
protect their own interests.

But it's not fine to design a scheme that has massive security holes 
in it, and that therefore creates large numbers of instances of 
error, and, progressively, fraud.


-- 
Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law               University of NSW
Visiting Professor in Computer Science    Australian National University
