[LINK] itNews: 'Westpac trials contactless mobile payments'
Roger Clarke
Roger.Clarke at xamax.com.au
Tue Aug 7 11:14:48 AEST 2012
At 9:33 +1000 7/8/12, Stephen Wilson wrote:
>>>If this application is using the tamper resistant "Secure Element" in
>>>the phone and if the software is carefully written, then this class of
>>>contactless payments is actually very secure.
On Mon, Aug 6, 2012 at 4:53 PM, Roger Clarke
<Roger.Clarke at xamax.com.au> wrote:
>>Secure against which categories of threat?
>>Transactions that the individual wasn't aware of, even though they
>>had possession of the device at the time?
At 17:53 -0700 6/8/12, Scott Howard wrote:
>Yes, phones CAN protect against this one! Obviously I haven't seen
>the Westpac example, but Google Wallet forces you to set a 4 digit
>PIN that must be entered before you can make a purchase, thus
>completely removing the "wasn't aware of" transactions.
I was focussing on the Westpac scheme and the predecessor, ComBank Kaching.
As I understand it, they use, and allow, *no* authenticator, of any kind.
>>Transactions in an amount different from what the individual thought
>>they were paying?
>No different to any normal credit card.
With most categories of credit card transaction, you get a voucher.
(With some Card Not Present / CNP transactions, particularly over the
phone, that's not so).
With payment processes based on contactless cards / RFID / NFC chips,
vouchers have increasingly become an option rather than being
auto-generated, and the offer of a voucher is becoming less common,
so consumers have to ask for one.
A consumer who doesn't get a voucher is far less likely to notice the error.
In the absence of a voucher, they are also prevented from reconciling
their statement, and - even if they find the error and contest it -
they are unable to provide any evidence in support of their claim.
As rogue merchants become more aware of the new realities with these
payment schemes, the incidence of 'errors' can be expected to
increase. And, unlike the current situation - in which errors may be
too high or too low - the new breed of 'errors' will be almost always
too high.
>>Processing of credits where the amount is recognised just after
>>processing to have been wrong?
>No different to any normal credit card.
Are you *sure* that Westpac and Kaching enable a credit back against
re-presentation of the same card into the same read-zone?
Personally I'm not sure, which is why I had a question-mark there.
>>Transactions conducted by a person in possession of the device, but
>>not authorised to conduct transactions?
>Covered by the PIN code.
In order for a consumer to successfully make a claim under the Code,
a number of conditions need to be fulfilled:
- the consumer has to discover they've been dudded
(How? Reconciliation of statements becomes a nightmare, with masses of
transactions, misleading data on many line-items, and fewer vouchers)
- the consumer has to discover how to make a claim
- the consumer has to satisfy whatever requirements the organisation
places on claimants
(Does Westpac accept assertions without question? Or does it ask for
vouchers? Does it accept a stat dec in lieu of a voucher? Does the
average mug punter know what a stat dec is and how to submit one?)
- the consumer has to be persistent and patient enough to go through
the multiple iterations and weeks-if-not-months that banks build into
their refund-claims processes in order to dissuade casual claimants
Sure, it's fine to say that it's up to the consumer to take action to
protect their own interests.
But it's not fine to design a scheme that has massive security holes
in it, and that therefore creates large numbers of instances of
error, and, progressively, fraud.
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Faculty of Law University of NSW
Visiting Professor in Computer Science Australian National University