Tin Foil
If I'm forced to adopt a contactless credit card upon renewal of a card I shall keep it wrapped in baking foil!
Channel 4 News has been bothering contactless bank cards again, and managed to wirelessly extract the customer's name from ANY Visa-branded card within a few centimetres. Previously the programme had only demonstrated the technique on Visa cards issued by Barclays, and not all of those. However ViaForensics (the company hired …
I would let the Reg off on this one. It's all about context. The Reg already mentioned "NFC cards". The quote is most probably from a long comment about NFC cards. So they are naturally going to, at some point in the conversation, go "Visa cards" etc. They have told you they are talking about those with NFC already about 100 times. ;)
Besides, who would respond to "I'm taking the car to the shops" with "How dare you not take OUR car! You thief!"? Context implies you mean your car without mentioning the ownership already.
But the bank shoveled it down my throat "cos newer is better innit"?
Well, the first day that I put it in the wallet I discovered that it messes with the Oyster card.
So currently I have it wrapped in tinfoil, and still, with the tinfoil, it screws with the Oyster readers from time to time.
This is a technology nobody asked for or needed.
Now that explains something that puzzled me the other day. This chap on the Tube had two of those pocket chains on him on opposite sides of his waist, one attached to his wallet and the other to a separate holder for his oyster card. Maybe the interference thing is common.
Other way round, it's the Oyster card reader doesn't implement the bit of the protocol that allows it to pick one card to listen to. The underlying card system should allow multiple applications to share the same card, so my work ID card which lets me through doors could also be an NFC bank card and a travel card, but not an Oyster card despite them notionally being the same spec...
It is not just the Oyster card reader that gets messed up; the card readers in the datacentre also get confused.
I carry now 4 wireless cards incompatible with each other.
And yeah vendors will never implement the latest version of the protocol, nor implement properly the old version.
Jumping the gun and selling new technology nobody asked for is "cool".
This technology might not have been asked for, but there's a reason why it's being deployed: because it helps the banks, it was never for our benefit as customers.
Remember: if your card is skimmed, the onus is on you to prove the card was used fraudulently, rather than on them to protect you. It's an increase in the shift of liability from the banks to you.
Also, is it *any* Visa branded card or *any WIRELESS* Visa branded card? I don't see how they could skim the details off non-wireless cards.
When Barclays tried to foist one of these cards on me last year, replacing my debit card with a contactless one, it was quite difficult to reject. Nobody seemed to understand my concern, and the half dozen people I had to go through all said "Well, you don't have to use it if you don't want to..."
In the end the only alternative they could offer was the Debit card they give to customers they don't quite trust, which has to have every transaction verified by the bank before it will authorise. I suppose there's a sort of symmetry there - I don't trust them, so they don't trust me. Thanks a lot, Barclays.
viaForensics are pretty dumb not to have realised that this isn't a failure of any NFC or Non-NFC card. At the very least I would have expected them to test this with some other retailers, and they would have found the exact same scenario would have failed. But being selective with your facts should never get in the way of a good story I suppose.
It is the COMPLETE failure of AMAZON (and their acquirer) to process payments correctly. They should be passing the CVV/CVC with the transaction but don't, because they probably don't want to have to go through expensive PCI-DSS certification (and the additional hassle of encrypting everything).
What AMAZON should be doing is EITHER checking the CVV/CVC and/or check the address of the customer using AVS (address verification). That way the goods can (or should) only ever be delivered to the cardholder address.
Again AMAZON fail because they still allow you to deliver to an alternative address. Issuers want retailers to deliver to the home address, and if a retailer fails to deliver to a cardholder's address then the issuer has chargeback rights. In all of the cases demonstrated so far it would be the Retailer/Merchant who would lose out when the cardholder sees a fraud on their account.
Unfortunately the way this has played out is that there is some massive failure with all Visa cards, when in fact it's a very risky (and somewhat arrogant) position that Amazon have taken to ignore the procedures that have been put in place by schemes/issuers over the years to combat this type of fraud.
Amazon = Fail.
And yes, most if not all debit and credit cards (non-NFC) contain the cardholder's name, expiry date and card number on the chip and magstripe (but you can't sniff the CVC because that is printed on the back of the card). That is the reason why it's used with AVS checking.
I am available for hire by channel 4 if needed :o)
I disagree to some extent.
I really want to be able to have the goods sent to my work address, because that is where I will be during the 9-5 time period when couriers and Royal Mail deign to deliver physical goods.
If I don't do that, then I won't get my goods until the following weekend when I am able to go to the 'local' depot or sorting office and queue for a couple of hours.
Even if I was at home that day, half the time couriers just shove the 'You weren't in' card through the letterbox and run away. Presumably because the box was never loaded on the van.
They don't all do that as often with corporate premises.
I would however much prefer it if the invoice were to be posted separately to the cardholder address, as Amazon imply, rather than stuffed in with the goods.
Totally agree with Richard the 12th.
Getting items delivered to work there is less chance of your fragile electronic goods being hoofed over a 6 foot fence, or even just abandoned on your doorstep (had that happen before!).
Couriers / Royal Mail deliver during working hours. During working hours I'm working. Therefore delivery to my place of work is a real bonus (I've actually gone through with a purchase before and cancelled it at the last screen as they demanded that the item only be delivered to the billing address!).
Invoice to the billing address is fair enough (and they usually show the invoice/billing address, although it is in the box with the item sent to the delivery address anyway).
Sigh... You can't have your cake and eat it too.
The retailer can verify your home address with your bank. That's a fair indication of where you want goods delivered to, because everyone in the chain can guarantee that the goods, with proof of delivery, have been delivered to the cardholder's address. No fraud possible unless your mum/dad/brother/sister are ripping you off.
How exactly do Amazon know that your work address is actually valid and isn't the address of A.N.Fraudster ?
Answer: THEY (Amazon) DON'T. They are taking a big risk. The fact that they don't do any kind of CVC/CVV checking indicates they are even more lax in their security. But they don't care. Because they know cardholders will go whining (and blaming) to their bank. No one blames the retailer.
I sincerely hope that Amazon and their acquirer are getting a good kicking over this one.
I don't give a shit what's easy for banks to verify, I want my goods delivered WHERE I CAN PICK THEM UP. Otherwise their cards are useless. I setup a specific mailing address for deliveries because I CAN'T get deliveries at work and am not home during normal delivery hours even for the non-governmental delivery services. Companies involved in selling things need to adjust to the same realities the rest of the world lives in. Given that they can check my Cxx, that's fine.
Oh, and even though I don't have one, I'd still put the bonk fail on the banks. They shouldn't have been processing the requests from Amazon without one of the two, preferably the Cxx.
There's a sensible reason why many companies insist on shipping only to the billing address. It helps prevent a stolen card (or stolen details) being used by a third party to get valuable goods delivered to themselves while billing you for them. Presumably you'd recognise that as a good idea if you stopped to think about it...
To be fair to Amazon, someone cloned my card (outside Amazon) and registered it against a different amazon account to mine, with a delivery address that wasn't one of my "listed delivery addresses". Amazon closed that fake account, cancelled its orders, and emailed me to tell me to talk to my credit card company way before even the card companies fraud detection kicked in.
I don't know the full ins and outs of it, but from what I've picked up:
Amazon do not charge your card until they actually dispatch the items to you (I think if they charge you before they do that, then they fall foul of the Consumer Credit Act, which forbids companies from charging you credit for something they haven't done for you yet).
However, the Visa regs say that they are not allowed to store the CVV code. So even if you typed it into their website, they wouldn't still have it when they charge your card, and so couldn't use it.
It seems that some companies get around it; sort of; They either charge you immediately (I think that falls foul of the consumer credit act?) or by telling Visa that they are going to charge your card (but actually not) to verify the CVV code, but then when they actually place the payment, they don't check the CVV code.
As for Amazon failing because they let me buy things for people and get them sent to that person (possibly without even knowing their address), how is that a fail? Or considering the people who have more than 1 "registered" address (e.g. my parents' address, and whatever hotel I happen to be living in this week/month for work).
The COMPLETE AND UTTER fail of the Visa (mastercard/amex/jcb, etc.) system is that I have to give someone the number to buy something, but that same number can be used by anyone an unlimited number of times to buy anything. They then tell us that we should shred our receipts so people don't see the number, but we still have to give the number every time we use the card!
You're not that far off. I've had the pleasure (if you can call it that!) of working with various payment gateways over the years and there's no excuse for Amazon not to check the CVV (aka CV2, Security Code, and a few other acronyms).
When the card details are taken, the merchant (eg Amazon) can send them to the payment gateway and request an authorisation (which charges the card), or a pre-authorisation/shadow (which effectively reserves the money but doesn't take it from the account, but does all the same checks as an authorisation step), so this bit you pretty much got right. They could also pass a request to authorise say £1, and then immediately afterwards cancel that authorisation (so it wouldn't even show up on a statement as it would never hit the overnight batch processing step), just to check that the card details are valid (but of course this wouldn't check that you had enough funds to actually pay for the order when it ships).
It's perfectly fine for the merchant to request a shadow, passing the CVV and card details at the time the order is placed, and getting an authorisation code that can later be passed back to the payment gateway and in almost 100% of cases will successfully charge the card (commonly referred to as "fulfillment") at that later date, with the usual time limit being 30 days (the ones that fail tend to be cards that expire before the period is up, or are registered lost/stolen by the card holder prior to authorisation). After 30 days are up, or the fulfillment step fails, the norm is to simply send a new authorisation request with the card details, with or without the CVV - if the initial check was done then the CVV will still match the card, so really there's no need to do it again as that check had already been done.
If the BERR (probably not called that any more; used to be DTI before that) guidelines still stand, merchants shouldn't charge before shipping goods, but they did allow for up to 28 days from charging to shipping. The DSR may have different rules, but I've forgotten most of it bar the cancellations/refunds sections, which are pretty much burned into my brain!
The PCI DSS rules also allow the storage of the CVV until the order has been fulfilled, so it's again perfectly acceptable to hang on to that number until the order has shipped, charge the card using it at the time of shipping, and then discard it. I don't know of any companies that do hang onto it though, and if they do it should be stored securely, well away from the card details it goes with, with a lot of controls in place to prevent anyone pulling the data together.
Unless payment gateways have changed radically in the past couple of years, I seem to remember that unless the CVV is passed to a gateway with the card number, expiry, and address numerics (the interbanking payment system is so out of date that it still can't handle letters, only numerics are passed around, most payment systems take the whole address but strip out just the numbers when passing the details to the banks for verification), then the address numerics aren't checked either - so a lack of passing CVV should also mean that Amazon have no idea if the card is even registered at the address given by the buyer.
Given that Amazon aren't even checking the CVV number it sounds like they've pretty much crippled most of their chances of detecting the common fraud attempts, so either must have a lot of other fraud checks in place (maybe along the lines of a centralised database of known problem addresses/numbers, and/or matching usage patterns associated with known previous fraudulent users during the checkout), or have decided that the amount of money they lose in chargebacks is less than the amount they'd have to pay to implement CVV/AVS properly.
Does any bank allow you to register your work address with them, and allow the AVS to succeed with either your home or work postcode? If this is allowed, then it would be handy for those with one fixed place of work , how many people work out of multiple offices?
Neither are Santander (who I've moved to). I've also heard NatWest give the user the option. Personally totally agree with drilling the antenna, and would have done it myself but I felt I needed to make some form of statement (yes, incy wincy in terms of how bank views me) which is why I moved.
I do not care if the merchant or the bank is at fault here.
The point is that a wireless bank card will "talk" with whatever reader is in proximity whether you want it or not. Encrypted or not, it will talk without my permission. That means that if someone manages to decode my card's data they can make payments at some faulty merchant, thanks to a stupid bank.
I do not want that, I did not ask for that, and I swear to God that I'll build some form of sleeve that will stop the card from working wirelessly.
I still remember when the banks refused to encrypt the data in the magnetic bands decades ago because they had to update the ATMs and it was too expensive for them.
So somebody walks past you, scans your wallet and then sends your name to the accomplice, who can then stop you with "Good morning (your real name here)". Makes social engineering so much easier when you start with "proof" that you know the target.
Is that even needed?
I don't have a contactless card, but from what I have seen from people using it for transactions less than £10, you just swipe without giving a name.
What is to stop someone walking around with a swipe machine with an upgraded signal, getting everybody's contactless card to give them £9.99?
(Excuse my ignorance on these matters).
@AC 0821 - What stops them is the requirement for the money to have somewhere to go. You may have a merchant machine, but it's useless if it's not linked to a bank's systems and a merchant account. If you have a merchant account and machine linked to it (usually bank supplied) they know who you are, where you live, what your business is and they have profiles of the amounts of money that are usually spent at your business. You will get caught, even if individuals don't notice that they've had small amounts of money taken from them.
A contactless terminal can authorise without a PIN for transactions <£10, but there is a chance that it will ask for the PIN. I'm not sure if it is the card, the terminal, or the bank that controls this, but I'd guess it is the card. If the PIN isn't provided, I'd hope that the card locks into PIN-required until it is provided.
Anybody who stops me with "Good morning (your real name here)." that I don't immediately recognize is more likely to generate a call to the coppers than get more info from me. For my roomie, it'll be even worse. I haven't met a stranger yet who pronounces her name correctly from only a script.
... there's also the fact (a "known issue") that Barclays Visa Debit "wave and pay" cards won't work with certain types of mobile payment terminal.
I found this out last October when I took a payment which appeared to go through successfully, but I didn't notice until later that the Merchant Copy of the payment slip said "Declined" instead of "Pin Verified" meaning I lost £28 (fortunately it wasn't more!)
Now I have to put through payments with these cards as "Cardholder not Present" as it's the only way to get them to work properly.
Look after your stuff better...
And if you weren't paying attention, what they've got now is more than previously. What happens when they break the whole thing open? "Oh, it's just all my important data being slurped from inside my jacket by some guy on the other side of the train. What's the big moan?"
"The myth of someone sitting at the entrance to a shopping centre and harvesting everyone's details, is just that: A myth."
I think the same things were said about RFID in passports etc., then people started seeing how far away they could actually read them, some guy managed to read them at over 200 feet with $2,500 of hardware.
http://www.networkworld.com/news/2010/072910-black-hat-rfid-passports.html
NFC is fundamentally different from RFID, in that the transmitter in the card is actively powered from an induced current from the reader. The reader can't induce a current that far away; probably more than 20cm, admittedly, but not that far. Crucially, though, the transmitter in the card won't transmit above its design, and subsequently they don't work over more than about 10-20cm.
10-20cm is more than enough in any kind of busy environment.
That's further away than pickpockets work, with the added bonus of not having to actually touch the mark.
It's quite normal for someone to come that close on a bus or train, even a nearly empty one (eg aisle seats) and normal for people to be that close on the high street, in a shopping centre etc.
Here's a game for you to play:
Next time you go out shopping in somewhere busy (New York in Lincolnshire doesn't count), try to count the number of people who come within 20cm of your wallet or handbag during the journey there and back and the actual shopping experience.
So, given that you could clone the name and card numbers of all those people, you've got rather a lot of data you could sell to overseas criminal gangs, or use on any online retailer that's not checking CVV!
In a single day you could get hundreds if not thousands of valid name/CCN pairs with no risk of being detected whatsoever. Flog 'em to some gang to use, and you've got yourself a pretty penny with no risk.
I can see this kind of fraud becoming rather popular over the next few years. Well done banks, you've only gone and broken it again!
Also, it's a shame to see someone so taken in by marketing.
These are in fact the same technology.
Have a Wikipedia article (it's not outright wrong)
NFC is simply the branding of a set of RFID standards aimed at this kind of 'cash' and 'ID' usage.
If you've got a PCSC-compliant smartcard reader (you can obtain contactless-only ones for ~£30 - and contact-only ones are even cheaper), and access to a (virtual) machine running Linux, then you can easily read data from EMV cards using extremely easy to find Open Source tools.
Obviously, the EMV specifications are freely-available to the public; and all EMV-based cards will happily provide at least some plain-text data related to what's embossed or printed on the face of the card.
>but banks do have sophisticated anti-fraud systems
What he said. Plus cardholder would simply need to request a chargeback for all and any fraudulent charges to be null and voided. Then it would be up to the banks and their insurers as to how heavy handed they came down on the merchants and/or acquirers concerned.
Don't really know what all the fuss is about here... for years your names were available encoded on TRACK1 of the Magnetic Stripe of your cards; this is the NFC equivalent of that field.
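The two comments above (reading EMV card data with open-source tools over PC/SC, and the name being in Track 1 of the magstripe) describe the same exposure in two encodings. The following is an added example, not code posted in this thread or from any of the tools mentioned: a small BER-TLV parser for the record an EMV chip returns to READ RECORD, plus a Track 1 parser, each pulling out the PAN, expiry and cardholder name. The tag numbers (5A, 5F24, 5F20) are the standard EMV ones; the sample record and Track 1 string are constructed test data using the well-known 4111111111111111 test PAN, and in real use the record bytes would come back from a PC/SC `transmit` of the READ RECORD APDU, which this example does not perform so that it runs offline.

```python
"""
Added example (not from the thread): extract the cardholder name from the two
places it sits in the clear on a payment card, the ISO 7813 Track 1 string
from the magnetic stripe and the BER-TLV record an EMV chip returns to
READ RECORD. Tag numbers are the standard EMV ones. Sample inputs are
constructed; 4111111111111111 is the well-known Visa test PAN.
"""
import re

TAG_PAN = "5A"        # Application PAN, packed BCD padded with F
TAG_EXPIRY = "5F24"   # Application Expiration Date, YYMMDD
TAG_NAME = "5F20"     # Cardholder Name, ASCII "SURNAME/FIRST"


def parse_tlv(data: bytes) -> dict:
    """Parse BER-TLV into {tag_hex: value}. Constructed templates such as
    70 (READ RECORD response) are descended into; 00/FF padding is skipped."""
    out, i = {}, 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # inter-object padding
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:             # multi-byte tag: continues while bit 8 is set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                    # long form: 0x81 xx / 0x82 xx xx
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        i += length
        if first & 0x20:                     # constructed object: recurse into it
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def cardholder_from_emv(record: bytes) -> dict:
    """Cardholder fields from a READ RECORD response (template 70)."""
    t = parse_tlv(record)
    return {
        "pan": t[TAG_PAN].hex().upper().rstrip("F") if TAG_PAN in t else None,
        "expiry": t[TAG_EXPIRY].hex()[:4] if TAG_EXPIRY in t else None,   # YYMM
        "name": t[TAG_NAME].decode("ascii").strip() if TAG_NAME in t else None,
    }


# %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?$")


def cardholder_from_track1(track1: str) -> dict:
    """Cardholder fields from a Track 1 string (format code B)."""
    m = TRACK1_RE.match(track1)
    if not m:
        raise ValueError("not a format-B Track 1 string")
    pan, name, yymm, _service_code, _discretionary = m.groups()
    return {"pan": pan, "expiry": yymm, "name": name.strip()}


# Constructed sample data (not captured from a real card).
SAMPLE_EMV_RECORD = bytes.fromhex(
    "70 1B"                                  # READ RECORD response template, 27 bytes
    "5A 08 41 11 11 11 11 11 11 11"          # PAN
    "5F24 03 14 12 31"                       # expiry 2014-12-31
    "5F20 08 44 4F 45 2F 4A 4F 48 4E"        # "DOE/JOHN"
)
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^14121011000000000000?"


def same_cardholder(emv: bytes, track1: str) -> bool:
    """True when the chip record and the stripe identify the same PAN, name and expiry."""
    a, b = cardholder_from_emv(emv), cardholder_from_track1(track1)
    return (a["pan"], a["name"], a["expiry"]) == (b["pan"], b["name"], b["expiry"])


if __name__ == "__main__":
    print(cardholder_from_emv(SAMPLE_EMV_RECORD))
    print(cardholder_from_track1(SAMPLE_TRACK1))
```

Neither parser needs a key or a PIN, which is the whole point of the comment: the name, PAN and expiry are stored as plaintext identification data, not as secrets, on both the chip and the stripe. What the chip does protect (the cryptogram keys) is covered by the discussion of dynamic CVV further down.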
This is media hype! The vast majority of Contactless Cards use Dynamic Card Verification Values which ensure that (in the unlikely event data is wirelessly sniffed from the card) any attempt to create a cloned transaction is fruitless...
Yup. I assume you're of the opinion that this simply doesn't matter in the slightest? Mastercard and Visa appear to disagree enough to try to keep it vewwy qwiet.
Name and CCN is enough to make a transaction in many countries around the world, and even in the EU it's still often enough to make an online or phone transaction.
Actually - most of the Issuers that do a "proper" job of Issuing and Implementing Contactless provide the Contactless Application a completely separate PAN. If (for whatever reason) a transaction is received by the Card Management System that is formatted as anything other than a Contactless Transaction using the Contactless PAN the Transaction is simply declined and a Customer Service Representative normally contacts the cardholder to investigate and possibly issue another card if appropriate.
Anyway - regardless of this - even if people do capture a workable PAN, Expiry Date and Customer Name - they will not have the CVV2/CSC2 with which to Process a successful Customer Not Present or PAN Key Entered Transaction - any Acquirer processing this transaction will automatically be on a sticky wicket when it comes to the Fraud/Dispute/Chargeback Case subsequently raised.
I stand by my original comment - this is pure media hype. Stick to ramping fuel and pasties...
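The poster above leans on two controls: dynamic card verification values (each tap is authenticated by a cryptogram the card computes, so sniffed static data cannot be replayed) and a separate PAN for the contactless application (so that PAN turning up in a card-not-present transaction is declined outright). The following is an added example to make that argument concrete; it is not code from the thread, from Visa, or from any issuer. HMAC-SHA256 over the transaction counter and the terminal's unpredictable number stands in for EMV's 3DES/AES session-key MAC (the real ARQC/dCVV construction is not reproduced), and the key, PAN and transaction values are constructed test data.

```python
"""
Added example (not from the thread): a simplified model of why a sniffed
contactless PAN, expiry and name do not let an attacker replay or fabricate
a contactless payment. The card MACs each tap with a key shared with the
issuer over a monotonically increasing transaction counter (ATC) and the
terminal's unpredictable number; the issuer rejects stale counters and bad
cryptograms, and declines its contactless-only PAN if it ever arrives as a
card-not-present transaction. HMAC-SHA256 stands in for EMV's session-key
MAC; keys and PANs are constructed test values.
"""
import hmac
import hashlib

# Constructed test key shared by card and issuer (in reality derived per card
# from an issuer master key, never stored outside the chip and the issuer HSM).
TEST_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CONTACTLESS_PAN = "4111111111111111"   # test PAN, used only by the contactless application


def cryptogram(key: bytes, pan: str, atc: int, un: bytes, amount: int) -> bytes:
    """8-byte MAC over the fields the issuer must see unchanged."""
    msg = pan.encode() + atc.to_bytes(2, "big") + un + amount.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0

    def tap(self, unpredictable_number: bytes, amount: int) -> dict:
        self.atc += 1                          # never reused, even on a declined tap
        return {"pan": self.pan, "atc": self.atc, "un": unpredictable_number,
                "amount": amount, "mode": "contactless",
                "cryptogram": cryptogram(self.key, self.pan, self.atc,
                                         unpredictable_number, amount)}


class Issuer:
    def __init__(self, contactless_pan: str, key: bytes):
        self.pan, self.key, self.last_atc = contactless_pan, key, 0

    def authorise(self, txn: dict) -> str:
        if txn["pan"] != self.pan:
            return "DECLINE: unknown PAN"
        if txn["mode"] != "contactless":       # separate contactless PAN seen elsewhere
            return "DECLINE: contactless PAN used in a non-contactless transaction"
        if txn["atc"] <= self.last_atc:        # replay of an earlier tap
            return "DECLINE: stale ATC (replay)"
        expected = cryptogram(self.key, txn["pan"], txn["atc"], txn["un"], txn["amount"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "DECLINE: bad cryptogram"
        self.last_atc = txn["atc"]
        return "APPROVE"


def run_scenarios() -> dict:
    """A legitimate tap, then the attacks a sniffer could attempt with captured data."""
    card, issuer = Card(CONTACTLESS_PAN, TEST_KEY), Issuer(CONTACTLESS_PAN, TEST_KEY)
    results = {}

    genuine = card.tap(b"\x11\x22\x33\x44", 999)
    results["genuine"] = issuer.authorise(genuine)

    results["replay"] = issuer.authorise(genuine)              # same message again

    tampered = dict(card.tap(b"\x55\x66\x77\x88", 999), amount=9999)
    results["tampered_amount"] = issuer.authorise(tampered)

    # Attacker knows PAN, a plausible ATC and the terminal nonce, but not the key.
    forged = {"pan": CONTACTLESS_PAN, "atc": 99, "un": b"\x99\x99\x99\x99", "amount": 999,
              "mode": "contactless", "cryptogram": bytes(8)}
    results["forged"] = issuer.authorise(forged)

    # Sniffed PAN/expiry/name keyed into a web checkout, with no cryptogram at all.
    cnp = {"pan": CONTACTLESS_PAN, "atc": 0, "un": b"", "amount": 999,
           "mode": "card_not_present", "cryptogram": b""}
    results["cnp_with_contactless_pan"] = issuer.authorise(cnp)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26s} {outcome}")
```

The model only holds if the issuer actually enforces all three checks; the earlier part of the thread is about merchants and acquirers that skip CVV2 and AVS, and an issuer that shares one PAN between the contact and contactless applications has no "wrong mode" signal to decline on, which is why the poster qualifies the claim with "Issuers that do a proper job".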
The floorlimit is £20 quid in the UK - anything higher will prompt you to dip the chip...
There is a known issue at certain coffee chains where they [the terminals] cannot format the Contactless EMV Data correctly, resulting in the Card declining the transaction.