86 comments

[ 3.1 ms ] story [ 157 ms ] thread
Yet another reason why we can't have nice stuff. Sigh.
I have a two-factor auth device that requires that I physically activate it by touching it in a certain way. Why the hell aren't contactless credit/debit cards similar? Why should I need to keep them in a Faraday wallet when they shouldn't be active except in those few second windows when I explicitly want them to be?
There is no "point" to Contactless if you have to take the card out and touch it. At that point you may as well swipe it.

Contactless as an idea is probably ill-conceived though.

Its very, very convenient. More-so than cash.

1. I don't have to carry cash 2. I don't have to go to the bank to get cash 3. I don't have to count the cash when paying 4. No change to worry about. 5. Transaction logs via bank statement

The downside that this (OP) problem illustrates does need sorting and I was very sceptical of contactless before I used it, but its quite nice.

Most credit and debit cards are not contactless and can only be read when inserted into a reader. Why not use one of those?
These contactless cards can also be used on TFL (Transport for London) Underground entry points, directly debiting your bank account. There is no mechanical degradation associated with using a contactless card whereas in my experience swiping the mag-stripe is problematic.

However as many have pointed out, there are potentially a boat load of skimming issues.

In the UK, most new debit cards at least do have contactless payment. I'm not sure about credit cards, but it's probably the same.
I think the "point" of contactless is to make the transactions quicker. Where it used to (in the UK) take 30 seconds to put your card in the chip and pin machine, enter your pin number and wait for the transaction to be confirmed, now its literally 3 seconds. Over the course of a year that is a massive time saving for the retailer and so a cost saving (less staff).

With chip and pin the customer was liable for all transactions when their pin number was used. It was your responsibility to ensure it wasn't exposed.

Now with contactless there is no risk to the customer, the bank/retailer takes on the full risk of fraud for contactless payments. You will not be out of pocket for a fraudulent contactless transaction. This is why contactless transaction are limited to £30 (initially was £20), it limits the bank/retailers potential exposure to contactless fraud, its also handily set to just about the average card transaction in the UK.

Interesting. In the US most businesses use magnetic stripe readers which take ~1 second from swipe to approval.
We stopped using that for lack of security, plus I think signing the receipt (and carbon copy) is time consuming, right?
I don't do much legacy brick and mortar CC shopping anymore, but it seems completely random at Home Depot and Target if they want my signature or not. Maybe after X transactions in the last Y days they no longer need a sig. With a possible side dish of Z percent or lower of transactions are fraudulent from this store.
You can use swipe in some places in the UK, but then you have to wait for the receipt to print, the cashier to find a pen, you have to sign it and the cashier has to verify it, click on the terminal that they did, and get a final receipt printed. It's even more hassle than typing in a pin.
But then you usually have to sign as well. Chip and PIN transactions don't need a signature, and in my experience the total time to swipe+sign is about the same same as insert+pin.

Contactless payments don't need a signature or a PIN, so they're significantly quicker.

I rarely if ever have to sign for a purchase under $25.
In that sense, wouldn't it be just as easy to insert the card into a POS device and supply the PIN?

The point of contactless is to make it less bother to use cards. One of the tradeoffs for that is reducing the security – it's sort of a necessary condition. Losses are limited to maybe £150 in the UK (that's 5 transactions at the maximum of £30) without further authentication, and it's virtually certain that the card provider will refund these transactions too if your card is used without authorisation.

It's significantly easier to simply touch the card than to have to insert it into a device that provides a keypad, and then type a PIN into said keypad. The keypad approach is safer though, and I'd prefer that for lots of situations, but there's no situation in which I'd want to be able to have money leave my card without me at least touching the damn thing to activate it.
Contact less payments without verification is certanly not "nice stuff" but simply negligently and stupid.
Its nice because it makes payments significantly faster especially for small transactions.

When your in a busy shop getting lunch, or a bar, it saves a significant amount of time and effort.

It does save you some time, but is this time worth the security downgrade?

I guess it is up to each person to answer this question.

The main issue I have with this is that no one gave me a choice : I received my card with this feature turned on and absolutely no way to have a card without it (I asked at the bank).

I changed banks about things like this. My bank once thought that i have to have Online Banking with my account, while all i wanted (and still do) is absolutely no remote access except with the debit card. They also told me that their eTan is much safer than the classic Tan system via post so they stopped it.

I really think less is more when it goes about the safety of my money.

When it comes to my money, i want safe. not convenient.
Honestly i have the few extra seconds. My security and peace are fully worth that.

Also we have fingerprint scanners on android now. So contactless plus verification is not a issue at all.

Contactless without verification is just lazy. There is really nothing to argue.

If speed was a priority at restaurants, nobody would ever eat anything but McDonalds. Apparently speed is not the highest priority for food, at least for most people most of the time.

At more traditional retail, the cost of going to Target retail store is fifteen minutes rounding up the kids, sitting in the car for thirty minutes round trip, wandering thru parking lots and aisles for a half hour, waiting in line fifteen minutes, after ninety minutes of time a couple seconds at payment are a rounding error. If I'm in a hurry and not willing to invest ninety minutes to buy a frying pan, I can pull my phone out and amazon can deliver it with an investment of perhaps three minutes.

Contactless solves A problem, unfortunately its the wrong problem.

The implementation of these is deliberately intended to make it less effort for small transactions. The risk of fraud is relatively low, the scope limited, and the impact minimal.

Contactless providers have obviously made the decision that the risk of fraud and the associated costs will be lower than the additional revenue received be encouraging people to use contactless cards more. In contrast to being negligent and stupid, it's actually pretty thoroughly thought-out.

And who pays for the fraud? The consumer. Thats already a huge issue with credit cards, if this now gets normal as well...

I am so glad nobody looks strange in my country when you pay with cash. Most people do, its efficient, depending on the currency fast enough, has privacy in mind and is as safe as myself.

Only in an indirect sense. AFAIK all UK banks will reimburse any fraudulent transactions; they've decided that the increased use is worth more than the costs of fraudulent transactions.

Obviously the public feels there is a benefit using contactless cards over cash, or we wouldn't be using them.

And that's why the value of the transaction is limited
Yes, but the reason isn't what you suggest it is. The reason is that people like the OP on Facebook, whoever posted it here, and whoever up-voting it, are happy to feed the fear of strangers by propagating these kinds of stories. This story will probably make it into the tabloids tomorrow thanks to having gone viral.

A lie gets halfway around the world before the truth has a chance to get its pants on.

If you connect your card to Apple Pay you get an immediate notification every time your card is charged (might depend on the bank), which is useful for detecting this sort of thing.

Actually I'm not sure why Apple Pay should be necessary--if you have the bank's app installed that should generate notifications on "purchase" as well.

I'm not sure how many UK banks send them. Mine certainly doesn't.

It's also been the slowest to roll out Apple Pay support.

Something I thought was interesting, I have a friend who banks with česká spořitelna, and she gets an SMS for each transaction. Nothing fancy, no app, no 'platform', just .. better banking in eastern europe than in the UK.
The UK has Mondo coming soon (https://getmondo.co.uk/) which looks very promising.

For the Eurozone, there's Number26 (https://number26.eu/). I've been using them. They took a long time to send me their card but overall they're a million times better than any other bank in Europe. (If you want more info, email me)

I only seem to get the notification on the phone if it was a transaction initiated with Apply Pay. I don't get them when just using the contactless card.

(I think 'modern banking with apps and notifications' is what new UK banks like Mondo[1] and Atom[2] are aiming to do)

1: https://getmondo.co.uk/ 2: https://www.atombank.co.uk/

>(I think 'modern banking with apps and notifications' is what new UK banks like Mondo[1] and Atom[2] are aiming to do)

Yep, I'm a customer of https://number26.eu and I often get a push notification about online payments even before I'm redirected back to the merchant's site.

Google Wallet / Android Pay users are similarly very familiar with the chirp emitted for every transaction.
(comment deleted)
(comment deleted)
I don't get this. Credit Card fraud is used to acquire goods from unsuspecting traders. This requires a trader to have a POS and money is not usually credited for 1-4 weeks, by which time his/her account will be frozen and the police on the way.
Misleading title.

He wasn't spotted "skimming contactless cards" he was spotted holding an object and doing nothing else with it.

No kidding. If you're collecting payments through a credit card processor, this sort of scam would be shut down and reversed almost immediately, since the credit card company is directly in the middle of the transaction.
While you're mostly correct, it doesn't prevent people from "trying" this sort of scam. IIRC Square had to fight many battles like this, where fake "merchants" would open a Square account, swipe stolen cards, move the money away from Square and close their account. It's many small time crooks, not one big operation (it doesn't take a genius to figure this out), so it's actually really hard to fight.
There was a presentation at 32C3 this year where it was demonstrated, live on stage, just how woefully easy it is to get an eBay bought PoS device working with someone elses merchant account. Once you've done so, all you have to do is issue a 'refund' to a card you control, perhaps already stolen itself, and then go and withraw the cash. Another method, that was actually demonstrated, was to issue a mobile phone topup, which many of these multi-function terminals can do.

Like most exploits, cybercrime isn't going to be enacted through a single flaw, but through systemic failure in the industry to give a shit before rolling any of this crap out.

wait, so there is no pin that you have to enter?
nope, just swipe. It doesn't even verify the transaction with the bank because there is a £30 limit on transactions.
(comment deleted)
For contactless payment, no. But the transactions are limited in amount (according to the article in UK it is 30 GBP and here in France it is 20 EUR). You can also pay only a certain amount before having to use "standard" method with chip & pin.
I'm fairly certain you don't need to use chip, but you do need to use the PIN.
In the UK at least, PIN-challenges for contactless payment are random. I've heard it's supposedly approx 1 in 10 payments require the PIN, but I've been using contactless payment for just over 6 months, and it hasn't asked once (I've also used it a few times in mainland Europe, again, no PIN needed).
Sadly in France for any transaction over 20EUR you have to use the chip. I know that in several other countries you only need the PIN.

Apparently this actually depends on the terminal configuration so I hope that once Apple Pay comes here it will not suffer from the same useless limitation.

For the record device is Verifone VX 680.

This must be the dumbest thief ever. They practicality signed their theft. With their real name.

For the record device is Verifone VX 680.

This must be the dumbest thief ever. They practicality signed their theft. With their real name.

For the record device is Verifone VX 680.

This must be the dumbest thief ever. They practicality signed their theft. With their real name.

"And I would have gotten away with it, too, if it weren't for you meddling kids!" - Guy carrying POS device
Naive person here: if this is a thing that works, how did it escape notice as an attack vector in the stages in which this technology was debated and standardized?
It didn't. This is a known attack vector; the decision has been taken that the costs of cancelling fraudulent transactions are less than the benefits from allowing easier payment.
It did not escape. That is why the contactless payment has very low limits, so the damage is not that big. Also, my card has to be really close to the terminal to work. (And I have a shielded wallet anyways)
(comment deleted)
Maybe someone else can confirm, but that doesn't look like any TFL carriage i know. In fact, it looks a lot more like moscow: http://thumbs.dreamstime.com/z/inside-modern-subway-car-1214...

and was posted on EnglishRussia a week ago: https://twitter.com/EnglishRussia1/status/697017291494596608

It may have existed before this...

You're correct its definitely not a London Underground I dont think its a UK train either
yes that's not TFL by the looks of it.
Agreed.

That metal pole should be coloured (dark blue, dark red, or yellow) if it were a London Underground train. I even Google Image Searched it, and cannot find a train that looks like that. Plus the shape of the pole is all wrong...

Definitely not a UK train.
It is indeed a carriage from one of the Russian underground systems. I vaguely recall having seen this story sometime ago, and back then it was reported that this guy was spotted in Moscow underground, but these kinds of carriages can be seen in Moscow, St. Petersburg, Kiev and possibly other cities.
Whether this post is accurate is really irrelevant to whether or not this attack is feasible.
What this guy can take advantage will be victims don't check their bank statements carefully and he can get away with the money, or else he will be in pretty bad shape to handle all the charge-backs. I will say the chance of a stolen POS is low as his goal is to get the money. If he borrows the POS from his merchant friend for this purpose, then that is not cool at all.

To me this is not a serious security threat to ordinary people.

Charge a penny and then refund it to capture the details for a recurring charge. 30 days from then you can hit the card with a $5 charge using some ambiguous merchant name like "Card validation services".

90% of people don't inspect their bank statements close enough to notice something like this. Get 1000 people and that's a healthy sum for a criminal to live off of.

> 90% of people don't inspect their bank statements close enough

But 10% of people is more than enough (by a substantial margin) to get the operation shut down, the money (all of it) returned, and probably land the guy in jail.

I doubt he's actually skimming cards.

The risk-reward is pretty terrible. It's hard to subtly press it up against someone's pocket, and the range is pretty bad, and the first time anyone notices your account is frozen and you'll be prosecuted

Exact same photo was making rounds in Russian Facebook few weeks ago, judging by the door and the handle I bet it is indeed Moscow, not London.

As in this case, no one saw the guy actually skimming cards. Also if he was doing really that, why not hide POS in a bag or his pocket?

This was my reaction.

If you're skimming cards, you probably want to make sure your target is unaware of what you're doing less someone sees you and notifies transit cops or some other authorities and you get arrested.

For those inclined, you can get neat little leather sleeves that have two pockets, one protected, one not, here https://www.faradaystore.com/rfid-blocking/wallets/.

Helps me keep my debit/credit card safe(?), but if nothing else, stops it clashing with my Oyster, which can otherwise be a pain.

At this price it might be cheaper to ship it from ThinkGeek (although they seem only only have the S.H.I.E.L.D. model nowadays...): https://www.thinkgeek.com/product/1d95/
yea there is sod all choice outside of the US from what I've seen.

most RFID wallets seem to be an extension of Kickstarter's obsession with them a couple of years ago, and most manufacturers and sellers seem to be North American-based.

One can make an RFID shield for a folding wallet fairly easily. Take a manila folder or something similar and cut it to tightly fit in the outside pocket. Cover that with aluminum foil, then cover that with packing tape.

Place this in the outside pocket of the wallet, fold it so the RFID shield covers the contents, and cards inside are protected.

Of course this is possible. Sign up for a Stripw account, feed it a PAN (credit card number), and charge it. With anti fraud mechanisms however, you're not going to get very far.
I'm definitely NOT buying an RFID-blocking wallet if they have to do marketing with hoaxes like this
Why would anyone ever pull a scam like this? To get a POS terminal, don't you have to submit a lot of personal information? And then, how would you anonymously get the money from the bank? It's not like you could do this over a long time lime where you slowly accumulate < $30 charges and then one day withdrawal all of the money. You would surely get flagged?
This is Russia. I have no difficulties believing it's genuine.
Other commenters have pointed out that this does not appear to be on the London Tube. The post mentions nothing saying that the poster took the photograph or that it was on the London Tube, the London-Tube association of the HN headline seems to be mis-inferred from the poster's location, Edinburgh, United Kingdom, although that's quite a ways from London...