[LINK] refusing contactless cards
Roger Clarke
Roger.Clarke at xamax.com.au
Thu Aug 1 08:53:17 AEST 2013
At 11:40 +1000 31/7/13, Craig Sanders wrote:
>my bank, Bendigo Bank, just sent me a MasterCard PayPass debit card - I
>didn't ask for it, and I don't want it.
>does anyone know what is the best way to refuse the card and get myself
>on the bank's "don't issue contactless card" list, even if they have to
>invent such a list just for me?
My understanding from people within the industry is that Visa and
MasterCard have 'mandated' member banks to issue contactless cards by
some date not very far away.
What 'mandated' means is a good question though. It may mean 'as a
condition of continuing to have access to the Visa/MasterCard
networks'. If so, then it's arguably an abuse of market power.
I'm told that Amex and EPAL *don't* force the issue of contactless cards.
>is there any ACCC or Banking Industry or other regulations I can refer
>to when I call/write to the bank to save myself a lot of argument with
>low-level employees who aren't allowed to make decisions.
It's been suggested to me that the best option is to get ASIC to
force optionality through the ePayments Code.
The Banking Industry Ombudsman is generally pretty useless on
anything of consequence, but it's possible that they may accept this
as a dispute that they can mediate on.
I understand that the ACCC is currently being asked by Visa and
MasterCard to permit them to force PINs on transactions generally,
and to withdraw the signature option from most contexts of use.
So has ACCC already agreed to allow Visa and MasterCard to foist an
*insecure* option on consumers, whether they want it or not?? So
maybe ACCC should be asked what the situation is, and how consumers
can protect themselves.
>The accompanying letter says to call them to activate it (and accept the
>terms and conditions) once it has safely arrived - I have no intention
>of doing that.
I checked on this, because the contactless technology contains no
concept of an on-switch or off-switch.
It appears that all cards are withheld from the list of valid
card-numbers until the card-holder has contacted the issuer to say
they've received it. So, until such a card is 'activated' by the
card-holder, none of the mag-stripe, contact-based or contactless
functions should operate.
But that's of no use to the many people who want to use the
(relatively secure) mag-stripe and contact-based functions (i.e. with
signature or PIN), but do *not* want the highly insecure contactless
function. We want to be able to turn mag-stripe and contact-based
on, and turn contactless off.
>> there is an embedded multi-turn wire coil/antenna around
>> the edge of the card - this is visible in the slightly translucent
>> Commonwealth Bank card.
>> A single scissor cut of 6mm into the card
>> anywhere around the edge would disable the RFID functions of the card.
>> Probably a cut with a knife to the top surface would do the trick too,
>> since the wires seem to be near the top surface.
>> [And make it look like an accident, because your terms of contract
>> with the card-issuer say that you aren't supposed to damage the card.]
You'd certainly expect that disabling the induction coil like that
should render the contactless function inoperable.
I haven't been able to find out whether the mag-stripe and
contact-based functions will continue to operate. But quite possibly
they would.
I understand that damaging the chip itself not only disables both
contact-based and contactless functions, but may also render the
mag-stripe functionality inoperable, at least in some circumstances.
So the tenable approaches to overcoming the banks' idiotic behaviour are:

1. Disable the induction coil 6mm inside the edge of the card.
   It should only need one clean break. Minimise the harm to the card.
   Then try using it in contactless mode, and if it still works,
   increase the damage until it doesn't work any more.

2. Explain the problem to ASIC, and request a change to the ePayments Code
   to force card-issuers to:
   (a) provide card-holders with the option to prevent their card from
       conducting a transaction without authentication, or
   (b) provide card-holders with the option to have a card without the
       contactless feature being operable

3. Complain to the Banking Industry Ombudsman, as in 2.

4. Request the ACCC to take action to stop Visa and MasterCard mandating
   that card-issuers must issue contactless chip-cards to card-holders.

I'd appreciate feedback on the above, preparatory to upgrading the paper at:
http://www.rogerclarke.com/EC/CPS-12.html
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916 http://about.me/roger.clarke
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Faculty of Law University of N.S.W.
Visiting Professor in Computer Science Australian National University