I went in with some dry cleaning which came to £11 or so. I took out my MasterCard and put it in the terminal, punched in my PIN and then waited a while for it to dial up and authorise. While this was going on, I noticed that the terminal was a new Ingenico i-series terminal with contactless interface. So, as an experiment, I bought £7 of shoe polish: the chap keyed in the transaction and sure enough the contactless interface lit up: I paid with my Visa contactless card which, since it was offline DDA, was instant. Excellent.
I asked the chap if many people used the new contactless cards and he said no. I asked him why not — like he would know — and he said he thought it might be because they are worried about security. That is, and this is the scenario that he put forward, if you don’t notice your card missing for a while then people might be able to go and buy things with it. But as I pointed out to him, the UK issuers have already said that customers are covered.
There is a risk of fraud with any form of card transaction, and contactless transactions are no different. But risk is limited by the security measures put in place. Banks are also required to refund any losses incurred by cardholders unless the bank can prove that the cardholder actually made the transaction themselves.[From Are contactless payments safe? | This is Money]
But it seems that the reassurances from the banking sector have less impact on the public than the scare stories about contactless security that are becoming tediously regular. Here’s a typical example from the US, which ought to be called “man demonstrates that contactless payment cards work as per specification”.
Using just an off-the-shelf card reader he bought online for less than $100 and a Netbook computer, Augustinowicz explained, he could swipe credit card numbers, expiration dates, and in some cases, even people’s names. People who thought there was no way their pocket could be picked without laying a hand on them, soon learned they were wrong.[From Credit Cards At Risk from High-Tech Pickpockets? – CBS News]
But later on in the article, we read that
Experts at the San Diego-based Identity Theft Resource Center told WREG that they’ve never seen a case of RFID skimming used to steal information.[From Credit Cards At Risk from High-Tech Pickpockets? – CBS News]
Well, quite. It’s hardly “pickpocketing” since all you can do is send the money to a merchant acquiring account by setting up a bogus POS terminal. Pointless, since you’ll get caught. A marginally better crime would be to scan the cards using your bogus POS terminal and use the data to carry out some other fraud. But that doesn’t work either. If you scan my Barclays debit card, the data that you get from the contactless interface is not sufficient to create a cloned EMV card (contact or contactless) because it’s a DDA (dynamic data authentication) card and you need the private key to forge it. The data isn’t sufficient to create a cloned magnetic stripe card because it gives up the ICVV and not the CVV. The data isn’t sufficient to use the card online because it doesn’t give up the CV2. So all you can get, even if I don’t notice you waving a POS terminal an inch from my arse, is the name, card number and expiry date (none of which are secret).
Personally, I think issuers should go even further and remove the name from both the contact and contactless interfaces, and what’s more I think they should do what American Express does and have the contactless interface deliver an alias PAN as an additional safety mechanism.
The BBC “Moneybox” programme recently had a report on contactless cards, and it invited the public to comment. Now, I don’t care what the public think about anything, least of all contactless cards (don’t forget that a quarter of them think that Sherlock Holmes was a real person) but I thought it might be mildly amusing to read through the comments. One of them caught my eye:
This is just the thin end of the wedge. It is the first step towards abolishing cash. Once these pin-less cards have got rid of cash, we will be totally at the mercy of the bankers and financiers. To say nothing of all sorts of petty officials. Once there is no cash, your ability to function in the world is at their discretion. Cards? Well, ultimately the chip will probably be implanted in your wrist[From BBC News – Have Your Say: Contactless Cards]
Lyn from Glastonbury clearly doesn’t understand that cash is less than 3% of the UK money supply and that we are tragically already at the mercy of bankers and financiers. But it was her comment about implanting the chip in your wrist that got me thinking. Why? (I asked this on the Moneybox web site but I’m afraid they didn’t publish any of my questions). The only thing I can think of is that Lyn thinks that contactless cards are the mark of the beast from the Book of Revelations, in which case nothing that the industry says will matter to her. On another point: one of the other public comments was that
I have a Barclaycard One Plus Oyster which I use when visiting London and use by ‘swiping’ my wallet. Whilst I would find a contactless debit card useful how will the machine discriminate between which one I am using. Will my debit card be Oyster compatible?[From BBC News – Have Your Say: Contactless Cards]
I thought this was a fascinating comment, given the money that was spent on marketing and communications. The Barclaycard OnePulse (which is what the person is talking) is an excellent product but the Visa credit contactless interface is is distinct from the Oyster interface: the terminal has no need to discriminate between the two because POS terminals only see the Visa interface and the TfL terminals only see the Oyster interface (although, as I blogged recently, the TfL terminals will soon be able to accept contactless payment cards).
One key point that I think is missed in the current reporting of contactless is that contactless is not an end in itself but a stepping stone to non-card form factors, of which the most immediate and probably most important is not bionic wrist implants but… well, let’s back up….
Among a number of other readers to contact Your Money is Paul Adkins, who researched electronic payment systems when he worked for electronics’ giant Philips in the early 80s. “We discovered the best security would be offered by giving people a calculator-like device where the user had control over the keypad for entering the PIN,” he says. “But this was perceived to be too expensive, and we ended up with chip cards. But who knows what is happening behind the keypad and the display? We have to take it on trust that the terminal is not compromised.”[From Contactless cards: the pros and cons of new payment technology – Spend & Save , Money – The Independent]
Mr. Adkins is, as it happens, entirely correct. It would be much more secure to have customers enter their PINs into their own devices, since one of the major sources of fraud at the moment is bogus terminals that steal PINs. Anyway, the “calculator-like device” that Mr. Adkins foresaw is now with us — we call it the mobile phone — and represents a step-change in the security of payments. It won’t be as good as it could be until mobile phones are more secure, but going contactless isn’t only about low-value cash replacement, speed and convenience: it’s about building the rails for a new generation of payment devices to run on.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]