[LINK] refusing contactless cards
Harry McNally
harrymc at decisions-and-designs.com.au
Fri Aug 2 15:32:00 AEST 2013
Hi Paul and thanks for encouraging me to check this.
On 02/08/13 10:04, Paul Brooks wrote:
> On 2/08/2013 11:15 AM, Ivan Trundle wrote:
>>
>> It would seem to me that banks have a major risk (and liability) on their
>> hands.
>>
>> I imagine that once the media begins reporting this type of fraud more
>> frequently than bag snatching, then a reversal of thinking and processes
>> will occur.
>>
>> I cannot see how any bank would endorse this technology if the risks are
>> realised and unable to be mitigated without regressing to the previous
>> technology. What am I missing here?
[snip bank defence and media scrutiny]
> Perhaps that the media are not reporting this as happening to any great
> frequency means it actually isn't, or no more than using the previous
> technology?
Perhaps the journalist couldn't explain the technology to the barmaid so it
isn't news, Mr Rutherford.
From:
http://www.anz.com/contactless/#faqs
"
How do I know that my transaction is secure?
ANZ Contactless transactions use the latest encryption technology, and are
processed through the same, reliable payment network as chip card transactions
- making them just as secure.
"
I don't know what is in the cards but I had assumed it's passive RFID that
returns a fixed stream of data. If so then the card is easily copied.
If the RF actually powers the contact terminal chip and performs some
challenge and response thingami then I assume it can't be copied.
But those contactless transactions are -really- fast and inserting the cards
is really quite slow so I assumed the encryption happening on the card
stretches the computational performance of the chip (and needs a fair bit of
energy). So encryption of the RFID transaction seemed unlikely to me.
Can someone confirm whether copying the new cards via RFID is possible?
> (yeah, I know it's not fashionable to defend business on this august list,
> but it's Friday, and I have a relative in the banking risk management area,
> with which I've talked robustly over this issue several times over while
> taking the standard-linker-stance - and I've been on the receiving end of
> dealing with a suspected fraudulent transaction, and have received calls
> from the bank on occasion checking that I knew whether a sub-$50
> transaction was ok within 12 minutes of walking out of the restaurant they
> had on a watch-list or didn't fit my usual pattern (it was ok).
So Falcon can detect an aberration in my consumption habits and enact a
response in 12 minutes?
> is there a risk?
- My card RFID is read and the card RFID response is duplicated in another card
- The copied card is used at LongWoods (a local brothel) for a $99 PayWave
special (whatever that may be)
- My business partner wants to know why we have an entry for Joes Tires P/L
and, after alerting Falcon, is assured that the entry is a valid payment
- Wife and business partner asks where the new tyres are
- We check that I still have my card
- ...
- Non hilarity ensues
-
Someone could do this without ever being in contact with my card and for
whatever purpose. Privacy and reputation and very little money.
> Back to work...
Thanks. I did get to work and rang NAB who explained that they do not offer
VISA without PayWave or Mastercard without PayPass. I explained that I thought
ANZ had an opt-out and the NAB guy was helpful and tried to reach the ANZ web
page for me to see if that was correct. But, as I said to him, ANZ aren't
going to advertise an option to opt out if the bank research suggests they can
reduce their costs with the technology. He agreed and we left it at that.
Then fortuitously my ANZ business advisor rang to see if I wanted a meeting.
So I explained that I was concerned about my business VISA card having RFID
technology that allowed the card to be copied without my knowledge and
transactions made that could compromise my business in some way.
He explained that I can opt out of PayWave by filling in a form at my branch
and that a new card would be issued. After some convivial discussion I asked
if that also applied to my personal cards and it does. I'll drop in to the
branch and check that today. I exchanged a MasterCard with them last year for
a non-PayPass one so neither of my ANZ cards presently have RFID.
So there appear to be options, Craig. I'll check and let you know about ANZ.
I'd be interested to know if Bendigo will issue non-RFID cards too.
If my assumptions are wrong about the RFID then I've just been overly cautious
while minding my own business but it would be interesting to know about this.
I don't own shares in the ANZ or any bank or credit business, btw.
All the best
Harry
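
An added example, not part of the original message: a toy model of the two card behaviours the message contrasts, a tag that returns a fixed stream of data versus a chip that answers a fresh challenge. The class names, the HMAC-SHA256 scheme, the shared key and the card data are assumptions constructed for illustration; the page does not say what contactless payment cards actually implement.

```python
import hashlib
import hmac
import secrets

class StaticCard:
    """Passive tag model: answers every read with the same bytes."""
    def __init__(self, card_data: bytes):
        self.card_data = card_data
    def respond(self, challenge: bytes) -> bytes:
        return self.card_data  # the challenge is ignored

class ChallengeResponseCard:
    """Chip model: holds a secret key that is never sent over the air."""
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id, self._key = card_id, key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.card_id + challenge, hashlib.sha256).digest()

class ReplayedCopy:
    """A copy that can only repeat one response recorded from a single read."""
    def __init__(self, recorded: bytes):
        self.recorded = recorded
    def respond(self, challenge: bytes) -> bytes:
        return self.recorded

def terminal_accepts_static(card, expected: bytes) -> bool:
    # Terminal only checks that the returned data matches the account data.
    return hmac.compare_digest(card.respond(b""), expected)

def terminal_accepts_cr(card, card_id: bytes, key: bytes) -> bool:
    challenge = secrets.token_bytes(16)  # fresh random value per transaction
    expected = hmac.new(key, card_id + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(card.respond(challenge), expected)

def demo() -> dict:
    data = b"CONSTRUCTED-CARD-0001"      # constructed sample value
    key = secrets.token_bytes(32)        # assumed key shared by card and verifier
    static, cr = StaticCard(data), ChallengeResponseCard(data, key)
    # One observed read of each card is all the copy has to work with.
    static_copy = ReplayedCopy(static.respond(b""))
    cr_copy = ReplayedCopy(cr.respond(secrets.token_bytes(16)))
    return {
        "static_genuine": terminal_accepts_static(static, data),
        "static_copy": terminal_accepts_static(static_copy, data),
        "cr_genuine": terminal_accepts_cr(cr, data, key),
        "cr_copy": terminal_accepts_cr(cr_copy, data, key),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the recorded response from the fixed-data card is accepted again, while the recorded response from the challenge-response card is rejected because the terminal's next challenge differs.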