UKC

Contactless payment on London Transport etc

New Topic
This topic has been archived, and won't accept reply postings.
 Indy 10 Feb 2015

I've had my main Payment card voided and replaced with a contactless version. I've been told I can have it replaced with a non-contactless one if I want.

I have 3 questions I've been unable to resolve and so wondered if anyone here could answer.

I'm led to believe that after a number of transactions the card will ask you to use the PIN terminal to check that you are the authorised user. What happens if this PIN check happens when waiting for a Night Bus? Cash isn't valid any more, so are you left stranded, or do you have to bring along an Oyster card just in case? If that is the case then it sort of screws up the benefit of capping.

Also, if my card is stolen or lost and used without my consent for, say, 5 x £20 transactions, am I liable for this until I tell the issuing bank, or are ALL unauthorised purchases covered whether you tell the bank or not?

How do people deal with a wallet full of contactless cards? I'm guessing you still have to get the card out to place it on the reader, it's just that you don't need to input your PIN... correct? It's not like the original Oyster where you can touch your wallet to the reader.
Thanks
Post edited at 15:54
 climbwhenready 10 Feb 2015
In reply to Indy:

1. I don't think PIN checks happen with TFL. They do things a bit differently to everyone else; you don't get charged when you swipe your card, instead they add everything up for the day, apply capping, and put a charge through at the end of the day.

2. I don't know.

3. You should take the card you want to use out of the wallet. That applies to Oyster too - if you touch your wallet and there is an Oyster card and a contactless card in there, it might use one to enter the tube and one to exit, which would either charge 2 x maximum fares or not let you out. There's been a lot of publicity about avoiding "card clash" recently. However if the cards are registered online TFL do seem to join the dots and apply refunds to sort it out, in my experience.
In reply to Indy:

When I got sent a contactless card three years ago, I couldn't get adequate answers to my security concerns, so I insisted on having a conventional card requiring me to enter a PIN. I could see lots of ways the system could be abused*. It took four attempts to get such a card.

The message must have got through, because the recent replacement was conventional.

* I've not heard of any of them being exploited yet, so maybe I'm just living up to my nom-de-net...
 Philip 10 Feb 2015
In reply to captain paranoia:

Paranoid. Do you remember before we had PIN? You handed the card over, they swiped it and you could just put a cross on the paper. Contactless is less risky than that.
In reply to Philip:

But you had to hand the card over. With contactless, your card could be charged without you doing anything.
 MG 10 Feb 2015
In reply to captain paranoia:
how? You have to be very close to the machine at the right time.
 Jack B 10 Feb 2015
In reply to MG:

I always wondered if one could have a contactless payment system built into a portable device, and could go round a crowded street tapping people on the bum with it to read the card in their back pocket. Whether you could do that without getting done for sexual harassment I don't know. Perhaps a nightclub would be a better choice than a street...
In reply to MG:

> how? You have to be very close to the machine at the right time.

Only because legitimate readers have been designed that way...
 Philip 10 Feb 2015
In reply to captain paranoia:

You do know the card doesn't just contain a single ID that it transmits? You can't just read the card and play it back.

This is what makes you seem crazy: you've misjudged the likelihood and probably misjudged the impact. It's why risk is such a hard thing to judge, but I bet more people get mugged for their cards after the PIN is observed than are scammed by people cracking the encryption on the contactless cards. And either way, the bank covers you.
In reply to Philip:
Yes, I do know that. But, essentially, the transaction is performed via a short range RF link. My concern was that a terminal could be adapted to increase that range. The fact that this hasn't been reported suggests I'm unnecessarily cautious. But not crazy to ask reasonable questions.

If I'm mugged for my card, I know I've been mugged and my card is vulnerable. But small amounts of money skimmed from many contactless cards would probably go unnoticed, just as the unsolicited premium rate text spams do. But those small amounts soon add up. Exploiters would need a legitimate bank account to collect monies to, and be able to extract monies untraceably before they're rumbled.

Banks for a long time claimed that chip & PIN was infallible, and refused to refund fraudulent transactions (except as 'goodwill gestures'), but they've had to accept that there are technical methods by which this fraud can be accomplished, mostly by subversion and modification of readers to log PINs, and the ability to create cards.

PS. Whilst I accept your point that the risk is vanishingly low (and I grant you, makes me rather odd in that I prefer the more active authorisation of entering a PIN, when not paying by cash...) a quick google suggests that there are demonstrated technical vulnerabilities along the lines I'd considered.
Post edited at 22:59
KevinD 10 Feb 2015
In reply to MG:

> how? You have to be very close to the machine at the right time.

Given the range achieved with the RFID chips in passports, I wouldn't feel so confident about that.
 dread-i 11 Feb 2015
In reply to captain paranoia:
There have been reports that the range can be increased, with a larger aerial and an amp. The problem comes with the real-time element. As far as I'm aware, there is a two-way handshake between the card and reader: an exchange of certificates, encryption of the transaction, and real-time verification that the transaction is valid.

In a crowded tube, for instance, you could probably start the handshake with several cards. But as the encryption key is ephemeral (it changes every session), it wouldn't do you much good unless you also had a merchant account and network access. Not impossible hurdles to overcome, but not quite as straightforward as a replay attack.

If you were paranoid, you could keep an old Oyster card, or even a bit of tinfoil, either side of your bank cards. That would be a provable way of defeating any such skimming. (If you go into a shop, wave your wallet, and the transaction fails, then you're safe.)

What I find more interesting about these NFC cards is that lots of phones have readers. Lots of office workers use similar cards for entry. Lots of phones have GPS. So if I hack your phone, can I see where you work from the GPS, then perhaps glean details about your door card? I expect that they are not nearly as funky as the bank cards, in terms of security. Not to make you paranoid, or anything...
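The post above describes why a captured contactless exchange is of little use on its own: the reader issues a fresh challenge each session, the card's answer is bound to that challenge, and the issuer checks it in real time. The following is an added illustration, not code from the thread or from any card scheme. It is a deliberately simplified model (a shared HMAC key, a random reader challenge and a transaction counter), not EMV; the class and field names are constructed for the example.

```python
"""Toy model of a challenge-response contactless transaction.

Constructed illustration: the card holds a secret shared with the issuer,
the reader supplies a fresh random challenge per session, and the issuer
verifies both the MAC and a strictly increasing transaction counter.
This is not EMV and omits everything a real scheme adds on top.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample key. In a real scheme this never leaves the chip/issuer.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


@dataclass(frozen=True)
class CardResponse:
    challenge: bytes   # the reader nonce this response answers
    counter: int       # card transaction counter (constructed ATC-like field)
    amount_pence: int  # amount the card agreed to
    mac: bytes         # HMAC over challenge, counter and amount


def compute_mac(key: bytes, challenge: bytes, counter: int, amount_pence: int) -> bytes:
    """Bind the response to this session's challenge, counter and amount."""
    msg = challenge + counter.to_bytes(4, "big") + amount_pence.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0

    def respond(self, challenge: bytes, amount_pence: int) -> CardResponse:
        # Every use advances the counter, so no two responses are identical.
        self._counter += 1
        mac = compute_mac(self._key, challenge, self._counter, amount_pence)
        return CardResponse(challenge, self._counter, amount_pence, mac)


class Reader:
    def new_challenge(self) -> bytes:
        # Unpredictable per-session challenge; a stale response cannot match it.
        return secrets.token_bytes(8)


class Issuer:
    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def authorise(self, session_challenge: bytes, resp: CardResponse):
        """Real-time check: right session, genuine key, fresh counter."""
        if resp.challenge != session_challenge:
            return False, "challenge mismatch (response from another session)"
        expected = compute_mac(self._key, resp.challenge, resp.counter, resp.amount_pence)
        if not hmac.compare_digest(expected, resp.mac):
            return False, "bad MAC"
        if resp.counter <= self._last_counter:
            return False, "counter not fresh (replay)"
        self._last_counter = resp.counter
        return True, "approved"


def run_demo() -> dict:
    """Walk through a genuine payment and three attempts to reuse or forge it."""
    card, reader, issuer = Card(CARD_KEY), Reader(), Issuer(CARD_KEY)
    results = {}

    c1 = reader.new_challenge()
    r1 = card.respond(c1, 150)                      # £1.50 bus fare
    results["genuine"] = issuer.authorise(c1, r1)

    # Same captured response presented again in the same session: counter is stale.
    results["replay_same_session"] = issuer.authorise(c1, r1)

    # Same captured response presented in a new session: challenge no longer matches.
    c2 = reader.new_challenge()
    results["replay_new_session"] = issuer.authorise(c2, r1)

    # A response built without the key fails the MAC check.
    forged = CardResponse(c2, r1.counter + 1, 150, b"\x00" * 32)
    results["forged"] = issuer.authorise(c2, forged)

    # The real card still works in the new session.
    r2 = card.respond(c2, 260)
    results["genuine_again"] = issuer.authorise(c2, r2)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:22s} {'OK ' if ok else 'REJ'} {why}")
```

The point the model makes is the one in the post: capturing an exchange gives you a response that only authorises one specific session with one specific counter value, and the issuer-side freshness and MAC checks are what make a simple replay fail.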


 Ashley 11 Feb 2015
In reply to MG:

> how? You have to be very close to the machine at the right time.

Like this?

youtube.com/watch?v=elBWoMXt3WY&
