[LINK] itN: 'Can NSW commuters trust contactless card payments?'

[Roger Clarke]

[Comments embedded among some key extracts.]

Can NSW commuters trust contactless card payments?
By Paris Cowan
itNews
Apr 19, 2016 9:36AM
Security at the turnstile.
http://www.itnews.com.au/news/can-nsw-commuters-trust-contactless-card-payments-418302

NSW Transport Minister Andrew Constance has strived [whatever happened to 'striven'?] to reassure the state's commuters that tapping on at a turnstile with a credit or debit card will be no riskier than using PayPass to buy their groceries at the supermarket.

[i.e. risky:  http://www.rogerclarke.com/EC/CPS-12.html ]


Constance announced at yesterday's Future Transport Summit that the state government would begin trialling contactless payments in the place of Opal smartcards in 2017. Smartphone-based payments based on in-built NFC technology or Apple Pay will also form part of the pilot program.

The minister insisted that the same safeguards would be in place to protect payments on public transport as currently guard against the theft of financial data in any other retail transaction.

[The statement as written is false.  Most categories of payment, other than by NFC-chip, involve authentication of the authority of the person brandishing the token to use it to make payments.  (The credit-card operators softened up the public with PIN-less transactions in parking stations, so I have to say it's most, not all, categories).  

[The mooted use on NSW public transport includes no such authentication.  So the Minister's statement is false.

[Judging by the rest of the report, it's fairly clear that the Minister *meant* to say "as currently ... in any other [NFC-chip-based] retail transaction".

[That would be a true statement.  But not a fair one, because the safeguards are demonstrably inadequate.]


... the leap to tapping on and off with a phone becomes very simple, because the [contractor, Cubic's] system treats phone-based payments in the same way as credit cards.

[That's easily read as implying that users of NSW public transport will face the added impost of being played into borrowing money - at usurious rates, and in many cases without intent, and without need - instead of using their own funds to pay, through debit-card functionality.

[I suspect that the Cubic spokesperson didn't mean what he said.  (That may of course also be true of some other things he said.  The report is based on statements by one politician and one salesman after all).] 


The minister and the ticketing provider both worked hard to allay concerns that the new payments capability would open up yet another avenue for criminals to skim sensitive financial data from credit card users.

Constance pointed out that "across the retail sector there is already the ability to swipe your credit card at the counter".

[So the Minister is also inviting the interpretation of consumer rip-off through the imposition of, or default to, credit-card rather than debit-card transactions.]


-- 
Roger Clarke                                 http://www.rogerclarke.com/
			             
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916                        http://about.me/roger.clarke
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/ 

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University