[LINK] refusing contactless cards

Harry McNally harrymc at decisions-and-designs.com.au
Fri Aug 2 15:32:00 AEST 2013


Hi Paul and thanks for encouraging me to check this.

On 02/08/13 10:04, Paul Brooks wrote:
> On 2/08/2013 11:15 AM, Ivan Trundle wrote:
>>
>> It would seem to me that banks have a major risk (and liability) on their
>> hands.
>>
>> I imagine that once the media begins reporting this type of fraud more
>> frequently than bag snatching, then a reversal of thinking and processes
>> will occur.
>>
>> I cannot see how any bank would endorse this technology if the risks are
>> realised and unable to be mitigated without regressing to the previous
>> technology. What am I missing here?

[snip bank defence and media scrutiny]

> Perhaps that the media are not reporting this as happening to any great
> frequency means it actually isn't, or no more than using the previous
> technology?

Perhaps the journalist couldn't explain the technology to the barmaid so it 
isn't news, Mr Rutherford.

From:
http://www.anz.com/contactless/#faqs
"
How do I know that my transaction is secure?

ANZ Contactless transactions use the latest encryption technology, and are 
processed through the same, reliable payment network as chip card transactions 
- making them just as secure.
"

I don't know what is in the cards but I had assumed it's passive RFID that 
returns a fixed stream of data. If so then the card is easily copied.

If the RF actually powers the contact terminal chip and performs some 
challenge and response thingami then I assume it can't be copied.

But those contactless transactions are -really- fast and inserting the cards 
is really quite slow so I assumed the encryption happening on the card 
stretches the computational performance of the chip (and needs a fair bit of 
energy). So encryption of the RFID transaction seemed unlikely to me.

Can someone confirm whether copying the new cards via RFID is possible?

> (yeah, I know it's not fashionable to defend business on this august list,
> but it's Friday, and I have a relative in the banking risk management area,
> with which I've talked robustly over this issue several times over while
> taking the standard-linker-stance - and I've been on the receiving end of
> dealing with a suspected fraudulent transaction, and have received calls
> from the bank on occasion checking that I knew whether a sub-$50
> transaction was ok within 12 minutes of walking out of the restaurant they
> had on a watch-list or didn't fit my usual pattern (it was ok).

So Falcon can detect an aberration in my consumption habits and enact a 
response in 12 minutes?

> is there a risk?

- My card RFID is read and the card RFID response is duplicated in another card
- The copied card is used at LongWoods (a local brothel) for a $99 PayWave 
special (whatever that may be)
- My business partner wants to know why we have an entry for Joes Tires P/L 
and, after alerting Falcon, is assured that the entry is a valid payment
- Wife and business partner asks where the new tyres are
- We check that I still have my card
- ...
- Non-hilarity ensues
-

Someone could do this without ever being in contact with my card and for 
whatever purpose. Privacy and reputation and very little money.

> Back to work...

Thanks. I did get to work and rang NAB who explained that they do not offer 
VISA without PayWave or Mastercard without PayPass. I explained that I thought 
ANZ had an opt-out and the NAB guy was helpful and tried to reach the ANZ web 
page for me to see if that was correct. But, as I said to him, ANZ aren't 
going to advertise an option to opt out if the bank research suggests they can 
reduce their costs with the technology. He agreed and we left it at that.

Then fortuitously my ANZ business advisor rang to see if I wanted a meeting. 
So I explained that I was concerned about my business VISA card having RFID 
technology that allowed the card to be copied without my knowledge and 
transactions made that could compromise my business in some way.

He explained that I can opt out of PayWave by filling in a form at my branch 
and that a new card would be issued. After some convivial discussion I asked 
if that also applied to my personal cards and it does. I'll drop in to the 
branch and check that today. I exchanged a MasterCard with them last year for 
a non-PayPass one so neither of my ANZ cards presently have RFID.

So there appear to be options Craig. I'll check and let you know about ANZ. 
I'd be interested to know if Bendigo will issue non-RFID cards too.

If my assumptions are wrong about the RFID then I've just been overly cautious 
while minding my own business but it would be interesting to know about this.

I don't own shares in the ANZ or any bank or credit business, btw.

All the best
Harry
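Added example (an editor's illustration, not part of Harry's post and not code from ANZ, NAB or any card scheme): a toy simulation of the distinction the post draws between a card that returns a fixed stream of data, which can be reproduced by reading it once, and a card that answers a fresh terminal challenge with a keyed MAC computed by a key that never leaves the chip. The two card classes, the replay "clone", the shared-key verification at the terminal and the 16-byte challenge are all assumptions for illustration and are not the EMV contactless protocol; whether a given card is the static or the dynamic kind is exactly the question the post asks.

```python
"""Toy model: cloning a card from observed RF exchanges only.

Everything here is a simplified assumption for illustration (constructed
sample PAN, HMAC-SHA256 as the card-side function, issuer holding a copy
of the card key). It is NOT the EMV contactless protocol.
"""
import hashlib
import hmac
import secrets


class StaticCard:
    """Hypothetical card whose answer never depends on the terminal's challenge."""

    def __init__(self, pan: str):
        self.fixed_data = pan.encode()

    def respond(self, challenge: bytes) -> bytes:
        return self.fixed_data  # same bytes every time, whatever the challenge


class ChallengeResponseCard:
    """Hypothetical card holding a secret key and MACing the fresh challenge.

    Only the MAC output ever crosses the RF interface; the key does not."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.pan.encode() + challenge,
                        hashlib.sha256).digest()


class ReplayClone:
    """A 'copied card' built purely from observed exchanges: it stores every
    (challenge, response) pair it saw and replays the best it has."""

    def __init__(self):
        self.observed = {}

    def record(self, challenge: bytes, response: bytes) -> None:
        self.observed[challenge] = response

    def respond(self, challenge: bytes) -> bytes:
        if challenge in self.observed:      # only helps if a challenge repeats
            return self.observed[challenge]
        return list(self.observed.values())[-1]  # otherwise replay the last one


class StaticTerminal:
    """Accepts any response that matches a known card record (no freshness)."""

    def __init__(self, known_records: set):
        self.known_records = known_records

    def transact(self, card) -> bool:
        challenge = secrets.token_bytes(16)
        return card.respond(challenge) in self.known_records


class DynamicTerminal:
    """Issues an unpredictable challenge and recomputes the expected MAC
    with the issuer's copy of the card key (assumed shared-key model)."""

    def __init__(self, issuer_keys: dict):
        self.issuer_keys = issuer_keys  # pan -> key

    def transact(self, card) -> bool:
        challenge = secrets.token_bytes(16)   # fresh per transaction
        response = card.respond(challenge)
        for pan, key in self.issuer_keys.items():
            expected = hmac.new(key, pan.encode() + challenge,
                                hashlib.sha256).digest()
            if hmac.compare_digest(expected, response):
                return True
        return False


def clone_by_observation(card, sessions: int = 5) -> ReplayClone:
    """Model an observer who can only read the card / watch transactions."""
    clone = ReplayClone()
    for _ in range(sessions):
        challenge = secrets.token_bytes(16)
        clone.record(challenge, card.respond(challenge))
    return clone


PAN = "4111111111111111"  # constructed sample number, not a real account


def static_card_clone_accepted() -> bool:
    """Fixed-data card: the copy is indistinguishable from the original."""
    terminal = StaticTerminal({PAN.encode()})
    clone = clone_by_observation(StaticCard(PAN))
    return terminal.transact(clone)            # True


def dynamic_card_results() -> tuple:
    """Challenge-response card: genuine card passes, observed-data copy fails."""
    key = secrets.token_bytes(32)              # lives only inside the card/issuer
    genuine = ChallengeResponseCard(PAN, key)
    terminal = DynamicTerminal({PAN: key})
    clone = clone_by_observation(genuine)
    return terminal.transact(genuine), terminal.transact(clone)   # (True, False)


if __name__ == "__main__":
    print("static clone accepted:", static_card_clone_accepted())
    print("dynamic (genuine, clone):", dynamic_card_results())
```

The point the simulation makes is that the speed of the tap says nothing by itself about which model is in use: an HMAC over a few dozen bytes is a negligible amount of computation even for a passively powered chip, so a fast transaction does not imply a fixed data stream. What matters for cloning is whether the card's answer depends on a secret the reader cannot extract and on a challenge the reader cannot predict.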


