UK Consumers Reporting Contactless Payment Errors

timothy posted about a year and a half ago | from the how-to-buy-a-hundred-subway-rides dept.

United Kingdom 193

leathered writes "The BBC reports that some customers of UK retailer Marks and Spencer have reported that the store's contactless payment terminals have debited their cards despite being in their bags or pockets, sometimes paying twice when they have used another payment method. The cards are supposed to work only when the card comes within 4cm of the terminal. Customers of fast-food chain Pret a Manger have been reporting similar problems, and in both cases cited the customers weren't even aware they had been issued with NFC-enabled cards by their bank."


Double payments (4, Insightful)

chromas (1085949) | about a year and a half ago | (#43762227)

sometimes paying twice when they have used another payment method.

Why is the software even accepting a new payment? Shouldn't the balance already be 0 by then?

Re:Double payments (1)

Anonymous Coward | about a year and a half ago | (#43762271)

It could be a chicken/egg problem. If the card is far enough away, but swung near enough, to authorize/capture payment when the payer is bringing out their bill fold to pay in cash.

Only an assumption. But it makes me glad I live in the good ol' USA where we are scared of NFC and I have an RF blocking wallet.

Re:Double payments (1)

Anonymous Coward | about a year and a half ago | (#43762299)

Ah, after reading TFA, the summary is a bit off--this is slashdot after all. The registers were accepting two plastic-type payments in some cases, others were paid by the NFC cards only (from greater than 4cm away).

Re:Double payments (2, Informative)

Anonymous Coward | about a year and a half ago | (#43763433)

Yes, the good old USA where we still have to use checks for many scenarios, have credit cards without even an attempt at authentication (yes, chip and PIN implementations have been flawed, but we don't even try here) and where anyone who knows your number can apparently charge on your card and all you can do is dispute the charges and get a new number (I've had to do this 3 times now over 30 years of having cards). I'd love to use Google Wallet on my phone. At least it makes you approve the transaction and isn't automatic. But of course even at the few retailers that accept it, it doesn't work about half the time.

We in the US are very backwards on payment systems. The idiotic companies claim it will cost too much to modernize. Sure, it must have cost too much everywhere else too - that's why they all stagnated. Oh, wait... They didn't. It is the same thing with measurement systems. We can't possibly modernize and use the new stuff. They always claim either that it costs too much or that we have too many stupid people or something. Idiots in charge...

Re:Double payments (4, Insightful)

Skapare (16644) | about a year and a half ago | (#43762273)

You mean like that stupidity of charging twice for the same shopping cart serial number when the final button is pressed twice? You get this shit when you let morons design it.

Re:Double payments (1)

Anonymous Coward | about a year and a half ago | (#43762385)

I always thought that, even if there is server-side protection for it already, the final "click this button to pay" button should get disabled when you click it the first time, preferably with a processing icon or the like. That way you provide a visual clue that something is happening if they are on a slow connection.

Re:Double payments (0)

Anonymous Coward | about a year and a half ago | (#43762511)

I always thought that, even if there is server-side protection for it already, the final "click this button to pay" button should get disabled when you click it the first time, preferably with a processing icon or the like. That way you provide a visual clue that something is happening if they are on a slow connection.

And prevent them paying at all if they are on an unreliable connection that lost the packets first time around.

Re:Double payments (1)

Jesus_666 (702802) | about a year and a half ago | (#43762913)

You raise a good point. However, I would still silently disable the button for a short amount of time just to catch accidental double-clicks. A second should suffice.

Re:Double payments (1)

MrL0G1C (867445) | about a year and a half ago | (#43763413)

It's not a good point, if the packets were lost the first time round then they should simply be resent.

Re:Double payments (0)

Anonymous Coward | about a year and a half ago | (#43762615)

You can't guarantee anything for the client side, even with that protection sometimes it just happens.
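An added example, not part of any comment in this thread and not code from any real POS or payment product: a minimal sketch of the server-side protection discussed above, where a resent or double-clicked request returns the original receipt instead of charging again, and a second tender against an order whose balance is already 0 is refused. The class names, the `FakeGateway` stand-in and the order id `cart-1001` are assumptions made for the illustration.

```python
import threading
from dataclasses import dataclass


class PaymentRejected(Exception):
    """Raised when a request must not result in a charge."""


@dataclass(frozen=True)
class Receipt:
    order_id: str
    amount_pence: int
    method: str
    gateway_ref: str


class FakeGateway:
    """Constructed stand-in for the acquirer; records every real charge."""

    def __init__(self):
        self.charges = []

    def charge(self, amount_pence, method):
        self.charges.append((amount_pence, method))
        return f"ref-{len(self.charges)}"


class Checkout:
    """Single-process sketch; a real system would enforce the same rules
    with a database transaction and a unique constraint on the key."""

    def __init__(self, gateway):
        self._gateway = gateway
        self._due = {}    # order_id -> pence still owed
        self._seen = {}   # idempotency key -> (request, Receipt)
        self._lock = threading.Lock()

    def open_order(self, order_id, total_pence):
        with self._lock:
            if order_id in self._due:
                raise PaymentRejected("order id already exists")
            self._due[order_id] = total_pence

    def balance_due(self, order_id):
        with self._lock:
            return self._due[order_id]

    def pay(self, order_id, key, amount_pence, method):
        request = (order_id, amount_pence, method)
        with self._lock:
            # Same key seen before: a double click or a resend after a lost
            # reply. Hand back the stored receipt and charge nothing.
            if key in self._seen:
                prior_request, receipt = self._seen[key]
                if prior_request != request:
                    raise PaymentRejected("key reused for a different request")
                return receipt
            due = self._due.get(order_id)
            if due is None:
                raise PaymentRejected("unknown order")
            # New key, but the order is settled: a second payment method
            # presented after the first one already paid.
            if due == 0:
                raise PaymentRejected("order already paid in full")
            if amount_pence <= 0 or amount_pence > due:
                raise PaymentRejected("amount does not fit balance due")
            ref = self._gateway.charge(amount_pence, method)
            receipt = Receipt(order_id, amount_pence, method, ref)
            self._due[order_id] = due - amount_pence
            self._seen[key] = (request, receipt)
            return receipt


def demo():
    gateway = FakeGateway()
    shop = Checkout(gateway)
    shop.open_order("cart-1001", 450)
    first = shop.pay("cart-1001", "key-1", 450, "chip-and-pin")
    resent = shop.pay("cart-1001", "key-1", 450, "chip-and-pin")
    try:
        shop.pay("cart-1001", "key-2", 450, "contactless")
        stray = "charged"
    except PaymentRejected as exc:
        stray = str(exc)
    return first == resent, len(gateway.charges), stray, shop.balance_due("cart-1001")


if __name__ == "__main__":
    print(demo())
```

The client generates the key once per press of the pay button and reuses it on every resend, so a disabled button becomes a usability aid rather than the only safeguard.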

Re:Double payments (1)

mjwx (966435) | about a year and a half ago | (#43762903)

I always thought that, even if there is server-side protection for it already, the final "click this button to pay" button should get disabled when you click it the first time, preferably with a processing icon or the like. That way you provide a visual clue that something is happening if they are on a slow connection.

Nope,

The server is handling 100 transactions a second or more. All through SSH sessions, or worse yet a proprietary protocol. Front end terminals are usually connected to a server in another location over VPN (or worse yet, a WAN link with an open port at the server side) and this server may be across the country. In almost all of the Point Of Sale software I've seen error checking is done locally and there is next to fuck all of that happening anyway as the goal of POS systems is to move as fast as possible. The customer hates waiting for the cash register to do its job properly.

Re:Double payments (1)

dalias (1978986) | about a year and a half ago | (#43763231)

That sure explains why they ask you for your phone number, email address, rewards card, and whether you want to apply for a new credit card (while 5 more people are waiting in line behind you) every time you check out...

Re:Double payments (1)

theshowmecanuck (703852) | about a year and a half ago | (#43763353)

Blame that on the store policy not the payment mechanism.

Re:Double payments (0)

Anonymous Coward | about a year and a half ago | (#43763625)

Sounds like you've been to Toys-r-us!

Re:Double payments (3, Interesting)

mjwx (966435) | about a year and a half ago | (#43762787)

sometimes paying twice when they have used another payment method.

Why is the software even accepting a new payment? Shouldn't the balance already be 0 by then?

Because the software is shit.

Having dealt with a few Point Of Sale systems I can say that the acronym POS is no accident.

A lot of systems are just Windows systems with a program like Pronto Xi running on top. It's not unusual for these terminals to be running Windows XP. The back end is usually pretty good but the software really suffers on the front end and the front end is where we tend to get most of the errors.

Re:Double payments (4, Informative)

ericloewe (2129490) | about a year and a half ago | (#43763269)

Some POS systems are not integrated with the card payment terminal. You click "visa" for instance, and the POS system assumes a valid card payment has been made. The payment is then made in a separate terminal which issues a receipt for the payment, which should be kept with the purchase receipt.

tinfoil wallets (3, Interesting)

biodata (1981610) | about a year and a half ago | (#43762253)

Suddenly they are becoming popular - Icelandair are selling one on the inflight goodies list, as are various designer shops in Reykjavik.

Re:tinfoil wallets (1, Insightful)

Anonymous Coward | about a year and a half ago | (#43762381)

Was issued a "contactless" bank card, (one that I only carry as a backup), and promptly wrapped it in tinfoil. A few people laughed at me when I told them what I'd done. This is one of those validating "told you so" moments for me.

If any of the cards I use regularly are superseded by "contactless", they'll be contacting a pair of scissors and I'll go back to withdrawing cash (from inside the branch).

Re:tinfoil wallets (0)

Anonymous Coward | about a year and a half ago | (#43762639)

I zap it in an old microwave. Seems to destroy all the electronics but still allows me to make purchases online.

Re:tinfoil wallets (3, Interesting)

The Archon V2.0 (782634) | about a year and a half ago | (#43763249)

My bank rolled out contactless cards... by mailing one to me. No notification to me, preactivated, no PIN needed for purchases under $200.

I went there and bitched them out about it and they really could not understand why I was mad.

Coleman and Brookstone sell RFID-blocking wallets (1)

Burz (138833) | about a year and a half ago | (#43763303)

But the Brookstone one costs 4X as much, true to form...

Within 4 cm? (1)

Skapare (16644) | about a year and a half ago | (#43762259)

Someone must have gotten their units mixed up and used 4 inches.

Re:Within 4 cm? (0)

Anonymous Coward | about a year and a half ago | (#43762283)

And the award for the Most Sexually Frustrated Wife goes to...

Re:Within 4 cm? (1)

julesh (229690) | about a year and a half ago | (#43762541)

Someone must have gotten their units mixed up and used 4 inches.

So it turns out that like RFID tags, the assurances of limited range are absolute bullshit. A more powerful transmitter coupled with a more sensitive antenna than used in the reference design allow them to work from farther away. Who'd have thought it?

Re:Within 4 cm? (0)

Anonymous Coward | about a year and a half ago | (#43763495)

So, what you're saying, is that govt needs to outlaw better radio equipment?

Re:Within 4 cm? (1)

Z00L00K (682162) | about a year and a half ago | (#43763351)

The guaranteed distance for a successful reading is 4cm, but that doesn't mean that it has to be that close for a successful reading.

I'm toying around with NFC right now and the distance is 4cm+ for a reading. Our local public transportation company (Västtrafik [vasttrafik.se] ) uses NFC for the ticket system and there have been numerous accounts of accidental reading of the cards as well as missing to read. They have a system where you have to check in when boarding and check out when leaving - and if you don't check out you will pay for the trip to the end station for that line. And if you have two cards in your wallet it may read the "wrong" card and tax that too.

Tap And Go Bankrupt (4, Funny)

Anonymous Coward | about a year and a half ago | (#43762285)

Quick, buy stock in companies selling RF-blocking wallets and bags

And don't forget fashion - my electric-blue aluminium wallet pairs nicely with my neon-green tinfoil hat!

Payment without user confirmation (5, Insightful)

Hentes (2461350) | about a year and a half ago | (#43762327)

Who would've thought that it's a bad idea?

Re:Payment without user confirmation (3, Informative)

beelsebob (529313) | about a year and a half ago | (#43762343)

If I had mod points, you would get them... I really genuinely don't get why no one saw this coming.

Re:Payment without user confirmation (0)

Anonymous Coward | about a year and a half ago | (#43762383)

Did someone mis-mod this? How is this flamebait?

Re:Payment without user confirmation (0)

Anonymous Coward | about a year and a half ago | (#43763063)

Because "me too" posts like this add nothing to the discussion. Maybe the mod wanted to hit them in the karma and send a message.

Re:Payment without user confirmation (1)

isopropanol (1936936) | about a year and a half ago | (#43762429)

I saw it coming... Before one of my banks put them on ALL their cards I got a survey about how much I would like them. All my answers were the most negative on their scale and multiple write-ins (in the write in space) to the effect of OMFG NO, worst idea ever!

Sadly I was apparently the only one who thought so because now they do not have any credit cards that do not have NFC.

Re:Payment without user confirmation (4, Insightful)

click2005 (921437) | about a year and a half ago | (#43762667)

Everyone saw this coming. The banks, card companies & shops just didn't care.
Unlike purchases over £100 where the CC company is liable for half of all losses, you can bet we'll end up paying for any losses
either directly or through price increases.

Re:Payment without user confirmation (1)

Takatata (2864109) | about a year and a half ago | (#43762345)

Bad idea for whom?

Re:Payment without user confirmation (1)

julesh (229690) | about a year and a half ago | (#43762681)

Bad idea for whom?

For the merchants accepting the payments, because they'll have to bear the cost of chargebacks on transactions that were otherwise perfectly valid but cannot be proven to have been authorised by the cardholder.

Re:Payment without user confirmation (1)

Takatata (2864109) | about a year and a half ago | (#43762763)

True. But how many don't check their accounts regularly? How many double charges remain unnoticed? Maybe it pays for the merchant?

Re:Payment without user confirmation (1)

Takatata (2864109) | about a year and a half ago | (#43762785)

Oh, and yes, there is one party, for which this problem definitely pays: The bank. Getting money for each transaction and getting money for chargebacks.

Re:Payment without user confirmation (1)

mjwx (966435) | about a year and a half ago | (#43762865)

Bad idea for whom?

For the merchants accepting the payments, because they'll have to bear the cost of chargebacks on transactions that were otherwise perfectly valid but cannot be proven to have been authorised by the cardholder.

In addition to the fees for accepting the transaction.

Yes, a merchant pays a fee for accepting payment via card. Fees for accepting a credit card range from 1-5% of the transaction amount. Paying with debit (your own money) is usually under 1% of the transaction.

Wisdom of the paranoid ages (2)

macraig (621737) | about a year and a half ago | (#43762339)

Tinfoil is your friend. Always has been, always will be.

Re:Wisdom of the paranoid ages (3, Informative)

Lee_Dailey (622542) | about a year and a half ago | (#43762465)

howdy y'all,

is tin foil available any more? i looked the other day and only found aluminum foil. i have an old roll of tin foil stashed in the back of one of my closets that i got from my mom when i 1st went to college. i aint seen any _tin_ foil in decades ...

take care,
lee

Re:Wisdom of the paranoid ages (0)

Anonymous Coward | about a year and a half ago | (#43762619)

Not only that, aluminum foil isn't what it claims to be, it can be well under 50% aluminum.

Re:Wisdom of the paranoid ages (2)

BasilBrush (643681) | about a year and a half ago | (#43762649)

I've got some tin foil stored in a steel tin.

Re:Wisdom of the paranoid ages (0)

Anonymous Coward | about a year and a half ago | (#43762655)

Then you, sir, have been infiltrated.

You should have stockpiled back in the early eighties like the rest of us, when the first reports came in.

I have to run now - They are at the fron-- NOOO! I TOLD HIM NOTHI--

*TRANSMISSION INTERRUPTED*

Re:Wisdom of the paranoid ages (2)

Beardo the Bearded (321478) | about a year and a half ago | (#43762729)

You can get adhesive copper foil. That's the better tool for this.

Why (5, Insightful)

markdavis (642305) | about a year and a half ago | (#43762363)

And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.

It reminds me of the phone pay-with-phone thing. I have to carry a wallet anyway for ID and other important documents (and yes, cash, which is the ultimate fall-back and non-tracking/anonymous payment method). Yes, I will also carry my phone. So it is somehow faster and more convenient to take my phone out of my holster, turn it "on", unlock it, launch a payment app, enter some stuff, position it correctly on a terminal, press some confirmation keys, turn it back off, and put it back into its holster. That is faster?

Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use- and all us consumers are paying for that. At least I have noticed gas pumps and some other devices asking me for my zip code.... better than nothing I suppose.

Re: Why (0)

Anonymous Coward | about a year and a half ago | (#43762395)

NFC?

Re:Why (2)

Jmc23 (2353706) | about a year and a half ago | (#43762407)

Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use- and all us consumers are paying for that. At least I have noticed gas pumps and some other devices asking me for my zip code.... better than nothing I suppose.

Hate those stupid gas pumps. Useless if your card is from outside the US.

Re:Why (0)

Anonymous Coward | about a year and a half ago | (#43762421)

Hate those stupid gas pumps. Useless if your card is from outside the US.

Then go inside and pay like you would everywhere else you make purchases. It's not hard, and you rarely have to queue. I guess, being a 'murican, you're either too fat or too lazy to waddle over to the door.

Re:Why (1)

gl4ss (559668) | about a year and a half ago | (#43762479)

Hate those stupid gas pumps. Useless if your card is from outside the US.

Then go inside and pay like you would everywhere else you make purchases. It's not hard, and you rarely have to queue. I guess, being a 'murican, you're either too fat or too lazy to waddle over to the door.

would make more sense for the gas pump to support pin on cards which have pin. I mean, asking for zip code is the stupidest verification right after touchscreen signatures. do wallet stealers have a powerful washington lobby or what the fuck?

Re:Why (1)

Richy_T (111409) | about a year and a half ago | (#43763509)

They take pin if you're using the debit card portion. Not all credit cards have that though I understand. When you travel internationally, things get a little complex sometimes.

Re:Why (0)

Anonymous Coward | about a year and a half ago | (#43763289)

Even then my UK cards were not accepted despite a phone call with VISA! In the end I had to pay cash for the Petrol.

This was 2 weeks ago in Poway, San Diego.

Everywhere else I've used that card in the world it has been accepted. Places like South Africa, Jordan, Dubai, India, Malaysia, China, Kuwait, Mozambique, Kenya, Egypt, Chile, Brazil etc.

Now you Americans, do you really think that you are on top of the game when it comes to technology? Isn't VISA essentially an American Company? PAh, Mega fail.
Don't even get me started on the US Immigration Inquisition. 2hrs explaining why I'd given up my US Citizenship. I was Born in Nashua NH. You guys have really lost the plot and 11th Sept is no excuse because things were going wrong long before that.

Re:Why (1)

Richy_T (111409) | about a year and a half ago | (#43763549)

Just tell them you didn't want to have to file with the IRS every year even though they have no jurisdiction over your earnings. That's the main reason I'm putting off becoming a citizen (should I ever change my mind about returning to the UK).

Re:Why (1)

Richy_T (111409) | about a year and a half ago | (#43763491)

Why would you assume he's American when he's talking about cards from outside the US? (Looks like he isn't if the other post above is from him).

Note that this zip code requirement has only been brought in in the last 5-7 years. Largely, I think, due to the high rise in gas prices. When you could fill a tank for 20-30 dollars, not an issue. Now even my relatively small car takes 60-70 to fill up on occasion.

Re:Why (4, Informative)

willb (34706) | about a year and a half ago | (#43762475)

Hate those stupid gas pumps. Useless if your card is from outside the US.

Actually there is a way to use this even if your card is from outside the US. For example I have cards from Canada and the convention is to use the numbers from your postal code and add 00 at the end. It works well. If yours is from another country google around, they might have a convention on how to get the "ZIP" code you're supposed to use.

Re:Why (1)

julesh (229690) | about a year and a half ago | (#43762557)

Hate those stupid gas pumps. Useless if your card is from outside the US.

Actually there is a way to use this even if your card is from outside the US. For example I have cards from Canada and the convention is to use the numbers from your postal code and add 00 at the end. It works well. If yours is from another country google around, they might have a convention on how to get the "ZIP" code you're supposed to use.

Yep; in the end, they're just checking AVS which just checks the numbers in your postal code. Same should work for at least UK-issued cards, and probably all major European issuers as well.

Re:Why (1)

Richy_T (111409) | about a year and a half ago | (#43763559)

UK postal codes include letters and numbers.

Re:Why (1)

Jmc23 (2353706) | about a year and a half ago | (#43762671)

Well thank you, it would have helped more if any of the employees at any of the gas stations were aware of that. Made driving across the US irritating, well, that combined with the lower fuel efficiency of the crappy ethanol blends.

Re:Why (0)

Anonymous Coward | about a year and a half ago | (#43763459)

I'm from Canada, but you'd think I live in 90210. I'll say hi to Shannon Doherty for you!

Re:Why (3, Interesting)

CrashandDie (1114135) | about a year and a half ago | (#43762447)

A lot of credit cards in the UK have the Chip'n'Pin system [pcmag.com] , which requires a physical connection to be made to the payment terminal. Simply "swiping" becomes less and less common, so people have to type their PIN every 5 minutes to pay for a few quid worth of $product. I used to work in the industry, and there was a certain amount of pressure from consumers to be able to do something as quickly and effortlessly as possible, but the magstrip simply isn't deemed secure enough.

The idea was to use NFC, so people could just wave their card for any purchase under 10 or 20 quid, and be on their merry way.

Re:Why (0)

Anonymous Coward | about a year and a half ago | (#43762587)

When Oyster was the only NFC card in my wallet I could wave my wallet over the reader. Nice and easy.

But now I have several NFC cards I have to remove the one I want to use. So why not use the existing system of inserting the card into a reader, but don't ask for a PIN if it's a low value purchase?

Why does the industry pretend that a PIN-less transaction requires NFC?

Re:Why (0)

Anonymous Coward | about a year and a half ago | (#43762743)

When Oyster was the only NFC card in my wallet I could wave my wallet over the reader. Nice and easy.

But now I have several NFC cards I have to remove the one I want to use. So why not use the existing system of inserting the card into a reader, but don't ask for a PIN if it's a low value purchase?

That's basically what's happened in the US except substitute "swipe the card without signing" for now, because it combines the benefits of verifying card present with low deployment cost with low transaction friction to encourage more card use.

Re:Why (4, Funny)

JustOK (667959) | about a year and a half ago | (#43762751)

I thought in the UK chips were called crisps.

Re:Why (1)

mcpheat (597661) | about a year and a half ago | (#43762911)

No, in the UK chips are what you call French Fries

Re:Why (1)

Richy_T (111409) | about a year and a half ago | (#43763567)

The potato product invented in Belgium

Re:Why (1)

toby34a (944439) | about a year and a half ago | (#43763355)

The chip-and-pin system is the stupidest thing in the world for small amounts of money. For example, take my cafeteria line in my building. The queue occasionally builds to 4-5 students, each spending £3-4. Each time they pay by card, each transaction takes a few minutes, as the cashier has to hand over the card reader to the customer, the customer inserts their card, types in their PIN, and then hands the device (with the card in it) to the cashier again who then inputs the price, holds the machine as it calls the bank, confirms the transaction, prints the receipt, which is then handed back with the card. All of this BS, for what in the US is solved by a simple swipe of the card. Absolutely asinine to have the system as it is now for small purchases.

Re:Why (2)

gl4ss (559668) | about a year and a half ago | (#43762467)

And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.

It reminds me of the phone pay-with-phone thing. I have to carry a wallet anyway for ID and other important documents (and yes, cash, which is the ultimate fall-back and non-tracking/anonymous payment method). Yes, I will also carry my phone. So it is somehow faster and more convenient to take my phone out of my holster, turn it "on", unlock it, launch a payment app, enter some stuff, position it correctly on a terminal, press some confirmation keys, turn it back off, and put it back into its holster. That is faster?

Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use- and all us consumers are paying for that. At least I have noticed gas pumps and some other devices asking me for my zip code.... better than nothing I suppose.

plenty of countries have gone pretty much all chips. you stick the card in, put in the pin and the payment is done.
nothing wrong with that, except if for bus fares etc.. if you need extremely fast throughput of people then contactless is nice.

contactless without pin for your usual every day big money card though.. that's just fucking stupid. like having all your money in cash in your pocket. which geniuses came up with that?

Re:Why (1)

b4dc0d3r (1268512) | about a year and a half ago | (#43762547)

If you do it your way, it's slower. Most people with a phone have it on already, with no locking. If you do it the way people who use payment apps do it, it can be a lot faster.

You could argue that this method is a lot slower: stare at the cashier, wait for the total, dig in your purse to find stray bills, decide you don't have enough cash, find a checkbook, hand the blank to the cashier so the register prints it, enter the amount and balance your checkbook.

Yes people do it that way, but most people avoid it if possible. Have your method of payment ready when it's time to pay, no matter what system you use.

You're worse than those people on infomercials who can't figure out how to change a light bulb, or get frustrated because they use every product in their house the wrong way. Don't be incompetent [youtube.com] . And if you're going to argue against something, be realistic. Exaggeration of the sort found in infomercials is at best disingenuous, and more like outright falsification.

Re:Why (1)

Beardo the Bearded (321478) | about a year and a half ago | (#43762747)

So you don't have to touch the pad or the community pen?

If it cuts 1/2-1 minute off a transaction, a line of 50 people will save a half hour. That's a lot more customers for a morning coffee run.

Re:Why (0)

Anonymous Coward | about a year and a half ago | (#43762791)

Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use-

This would fix the relatively rare problem of the physical card actually being stolen and used. I'm guessing in most cases this is a family member using the codes and the money gets paid or the items get returned (rather than charges being pressed).

Most of the fraud is from things like skimmers or hacked websites. They collect all the data and use it to use the card without the physical card being present. So adding an extra piece of data does nothing.

A better system would be a chip on the card that communicates (itself) directly with the server through an encrypted channel. It could be powered and connected via a terminal at the POS. Ideally the same could be done at home for online purchases, with the vendor never needing your credit card details at all, except for maybe some method for them to know the payment confirmation they received is for your particular purchase.

Re:Why (1)

drinkypoo (153816) | about a year and a half ago | (#43763127)

It's a good idea because magstrips are easy to erase and contacts are easy to destroy. It's unfortunate that this implementation is so crap, but that doesn't invalidate the concept.

Re:Why (4, Interesting)

kav2k (1545689) | about a year and a half ago | (#43763155)

And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.

Contactless payments differ a lot from magnetic stripe swiping, invisible barcodes etc.

They are not static information but an active challenge-response authentication system. You cannot clone the chip; it has an internal cryptographic secret it does not allow you to access, only challenge responses. You can trick it into authorizing a purchase you don't want if you're in physical proximity, which is happening here, but you cannot save that authorization for later use, since the bank is issuing the challenge here, just like with a chip-and-pin purchase. The whole point is to ensure that this is really the actual card.

So the main problem is the lack of user interaction to go ahead with the purchase. A touch button on the card itself would help, but would destroy part of the convenience.

Re:Why (1)

Richy_T (111409) | about a year and a half ago | (#43763659)

I'm one of those Bitcoin-heads and have been interested in some of the discussions of hardware wallets. What all the designs I have seen have in common is some way to display the charged amount on the device and a button to be pressed for user confirmation. It is such an obvious requirement for anyone who takes a moment to think about it so I can only think that it has not been implemented in this case because it detracts from the "gee-whiz" aspect of the technology. Marketing over design.
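An added example, not written by either commenter and not the EMV contactless protocol: a simplified model of the challenge-response scheme and the confirmation button described in the two comments above. It assumes HMAC-SHA256 as a stand-in for the card's cryptogram, a bank-issued single-use challenge, and hypothetical names (`Issuer`, `Card`, `confirm`, `card-A`, `card-B`).

```python
import hashlib
import hmac
import json
import secrets


def _message(card_id, nonce, amount_pence, counter):
    # JSON list gives an unambiguous encoding of the signed fields.
    return json.dumps([card_id, nonce, amount_pence, counter]).encode()


class Card:
    """Model of the chip: the secret is only ever used to answer challenges."""

    def __init__(self, card_id, secret, confirm=None):
        self.card_id = card_id
        self._secret = secret
        self._counter = 0
        # confirm=None models a card with no button: it answers any
        # challenge that reaches it. A callable models the button.
        self._confirm = confirm

    def respond(self, nonce, amount_pence):
        if self._confirm is not None and not self._confirm(amount_pence):
            return None  # holder did not press the button
        self._counter += 1
        msg = _message(self.card_id, nonce, amount_pence, self._counter)
        mac = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return self._counter, mac


class Issuer:
    """Model of the bank: issues challenges and verifies responses."""

    def __init__(self):
        self._secrets = {}
        self._pending = {}        # nonce -> (card_id, amount) it was issued for
        self._last_counter = {}

    def issue_card(self, card_id, confirm=None):
        secret = secrets.token_bytes(32)
        self._secrets[card_id] = secret
        self._last_counter[card_id] = 0
        return Card(card_id, secret, confirm)

    def challenge(self, card_id, amount_pence):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (card_id, amount_pence)
        return nonce

    def verify(self, card_id, nonce, amount_pence, response):
        # A challenge is consumed on first use, whatever the outcome.
        bound = self._pending.pop(nonce, None)
        if response is None or bound != (card_id, amount_pence):
            return False
        counter, mac = response
        if counter <= self._last_counter[card_id]:
            return False  # stale counter: response was produced earlier
        msg = _message(card_id, nonce, amount_pence, counter)
        expected = hmac.new(self._secrets[card_id], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False
        self._last_counter[card_id] = counter
        return True


def demo():
    bank = Issuer()
    card = bank.issue_card("card-A")  # constructed sample card, no button

    n1 = bank.challenge("card-A", 350)
    r1 = card.respond(n1, 350)
    accepted = bank.verify("card-A", n1, 350, r1)
    same_nonce_again = bank.verify("card-A", n1, 350, r1)

    n2 = bank.challenge("card-A", 350)
    saved_response_new_nonce = bank.verify("card-A", n2, 350, r1)

    # The residual risk on this page: a genuine response to a challenge
    # the holder never meant to answer is indistinguishable to the bank.
    n3 = bank.challenge("card-A", 999)
    unintended = bank.verify("card-A", n3, 999, card.respond(n3, 999))

    # Same flow with a button the holder does not press.
    guarded = bank.issue_card("card-B", confirm=lambda amount_pence: False)
    n4 = bank.challenge("card-B", 999)
    declined = bank.verify("card-B", n4, 999, guarded.respond(n4, 999))

    return accepted, same_nonce_again, saved_response_new_nonce, unintended, declined


if __name__ == "__main__":
    print(demo())
```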

Re:Why (2)

dadelbunts (1727498) | about a year and a half ago | (#43763235)

Not only that, but it's come to the point where paying cash is faster. I go to Walgreens, swipe my card, before I even enter my pin it asks me if I want to donate to something. Then I get to enter my pin and tell it if I want cash back or not. Then I get to verify the amount and press another button. Or I can just give the cashier a 10 dollar bill and be done with it.

Re:Why (1)

Richy_T (111409) | about a year and a half ago | (#43763637)

I was once standing in a line in front of someone who complained quite loudly about the (marginal) extra time it took to process card transactions. That was about 20 seconds before someone turned up with a bunch of change to be sorted into the cash drawer. He was oddly quiet after that.

Card processing terminals vary but some do it right. Typically, at Walmart, I have all the card business done by the time the checker is still swiping the last items and I have the cart loaded by the time the receipt is ready.

Re:Why (2)

zazzel (98233) | about a year and a half ago | (#43763337)

Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something

Uh, so you don't already HAVE chips?! My EC card has had them for years. All ATMs use the chip, and magnetic strips only work as a fallback option (though there are safeguards against simply using a copied card without chip).

I am curious, what are the options for online banking in the US today? When I was a customer of Citibank in the US in 2001, it was just username/password (I had an HBCI encryption chip on my German card then...)

chips (1)

cmurf (2833651) | about a year and a half ago | (#43763451)

My first Amex Blue for Business had a chip on it. It wasn't compatible with chip and pin, it was a separate system. Now it has an RFID chip, ExpressPay. And Visa has payWave. And MasterCard has PayPass. They're all separate systems. If a merchant terminal supports contactless, they tend to support all three systems. Google Wallet on Android phones mostly uses PayPass. A few earlier ones used payWave. As for online banking, HSBC business requires a fob. I've asked for them to support Google Authenticator instead so I don't have to keep that fob around with me all the time. None of my other banks do this. UBS now emails or robo calls you with a one time passcode used for MFA in addition to the password. For CitiBank it's username/password only.

That's funny (1)

fustakrakich (1673220) | about a year and a half ago | (#43762369)

Like at an auction, when you scratch an itch on your nose, you find that you just bid 2 mil for a painting of Bea Arthur

Security Concern (4, Insightful)

Capt.Albatross (1301561) | about a year and a half ago | (#43762377)

While these incidents do not involve a security breach, they do indicate a sloppiness in the implementation, and so raise the concern that the system has been developed without the attention to detail that is a necessary (but not sufficient) prerequisite for security.

Re:Security Concern (1)

Titus Groan (2834723) | about a year and a half ago | (#43762599)

I would argue that the additional distances quoted in TFA are a security breach. This increases the danger of skimming if the cards can be read from so far away.

Not a security breach? (4, Insightful)

Okian Warrior (537106) | about a year and a half ago | (#43762643)

While these incidents do not involve a security breach...

A vendor's machine can take money from me without my consent or knowledge.

Apropos of nothing, what would constitute a security breach in your model?

Re:Not a security breach? (4, Insightful)

julesh (229690) | about a year and a half ago | (#43762701)

When they say it does not involve a security breach, what they mean is "it doesn't breach *our* security." Why do you think they give a shit about *your* security, exactly?

in Soviet Russia (4, Funny)

FudRucker (866063) | about a year and a half ago | (#43762379)

retail stores shoplift YOU!

The NFC terminal shouldn't be active until needed (2)

soramimicake (593421) | about a year and a half ago | (#43762403)

The hardware having the wrong range is probably pretty hard to avoid due to variance between terminals and problems keeping them all tuned over their lifetime.

However, the NFC reader shouldn't be active until the customer has told the cashier he/she will be using a contactless card for payment and the cashier has enabled the reader.

It wouldn't prevent reading the wrong card if the customer has several NFC cards, but it would at least prevent the kind of surprises shown in the article.

Re:The NFC terminal shouldn't be active until need (1)

Anonymous Coward | about a year and a half ago | (#43762789)

Wouldn't just having a button/contact pad on the card be much much simpler? You must press the button to connect the antenna/battery/collector? Press button on card, swipe. On your way?

Re:The NFC terminal shouldn't be active until need (0)

Anonymous Coward | about a year and a half ago | (#43762897)

And the card is in a wallet, pressed up against other cards? This is still not the way...

Any instances of money being credited accidentally (0)

Anonymous Coward | about a year and a half ago | (#43762405)

QUESTIONMARK

NFC - A disaster waiting to happen (0)

Anonymous Coward | about a year and a half ago | (#43762409)

I will never use this tech. If I find out that I've been issued with an NFC Card I'll return it to the issuer with a few choice words.

Frankly, I see this as just the tip of the proverbial IceBerg.

Why am I so anti this tech?
Well, I am one of those who has had their identity stolen. It took me a really long time to get rid of the damage it did to my credit and other ratings. I see this tech as a really good way to start that whole process off.

they're paying me too (0)

Anonymous Coward | about a year and a half ago | (#43762411)

Many customers have also reported paying me, even though they've never met me! Because see, I have this device that can read their contactless cards at at least a metre away. I also use it to steal their passport details.

Criminals are awesome. But I only say that 'cause I'm a criminal.

Re:they're paying me too (1)

Z00L00K (682162) | about a year and a half ago | (#43763557)

It is possible to successfully read the data exchanged with a NFC card up to 2 meters away. Just have a decent snooping device in your backpack or handbag and you can sniff the transactions of other people.

You can have a transmitter with decent power at 13.56MHz that you turn on when you get in an area with NFC readers and see how many checkouts fail to work.

There are a few other listed security issues too with NFC cards here: MMN-o | Blog [mmn-o.se] , for those that aren't able to read Swedish - use the online translator.

Yet more reading:
Study on Public Transport Smartcards – Final Report [europa.eu]
Do contactless cards expose you to fraud? [which.co.uk]

Anyway - when it comes to NFC there are different types of cards, some are simple and don't have any encryption at all (E.g. Mifare Ultralight), some have an encryption which is very weak and is cracked within minutes (Mifare Classic) and some are running DES, but I expect that it has a few weaknesses too since the exchange between the card and reader is easy to snoop.

Worse than worthless (0)

Anonymous Coward | about a year and a half ago | (#43762543)

These contactless payment things are idiotic. Proximity to a reader is not the same as accepting to pay. Pressing a few buttons is not a problem, unless you have no fingers, in which case you should have a pointer device attached to your hand anyway.
Contactless payment is yet another stupid "innovation" that makes life worse. Who comes up with this crap?

Why am I totally not surprised by this. (0)

Anonymous Coward | about a year and a half ago | (#43762573)

Companies are always looking for a way to make paying for stuff 'smoother' or quicker, when the payment methods we already have (cash for one, swiping a credit card for another) work just fine. Of course, there's an ulterior motive IMHO. The faster you can pay for something, the faster you can impulsively buy things without, you know, actually THINKING about it.

Get rid of the nfc (0)

Anonymous Coward | about a year and a half ago | (#43762577)

stick it in the microwave for 1 sec on the lowest setting

Handbags (1)

abigsmurf (919188) | about a year and a half ago | (#43762589)

I'd be willing to bet that 90% of the time this happens it's because a woman's put her handbag on the counter to get the wallet out, it's brushed up close against the sensor and activated it. Contactless is designed to be able to be used in a wallet, guessing distance is the big limiting factor, not having a couple of layers of cloth between them.

Re:Handbags (1)

julesh (229690) | about a year and a half ago | (#43762719)

Right, and why is a second payment then accepted in another way?

Re:Handbags (0)

Anonymous Coward | about a year and a half ago | (#43763009)

Contactless is designed to be able to be used by idiots who don't mind throwing their financial credentials around to anyone within a meter of them.

ftfy.

Time to space out the queues (0)

Anonymous Coward | about a year and a half ago | (#43762613)

Imagine if I'm buying something and the person behind me gets charged. Wouldn't that be awesome? /me wraps wallet in tinfoil to avoid being the person behind

I have never trusted the "N" (0)

Anonymous Coward | about a year and a half ago | (#43762693)

The "N" in NFC is for "Near." I have never trusted it, knowing that someone in line behind me could easily read the card without having to do anything I would be able to notice.

For this reason, I had my bank send me replacement credit cards without NFC chips in them.

I don't go to those silly places that require it, so I will continue to function in a world where only the merchant and the entire network behind him are putting me at risk, instead of also inviting everyone who passes within a few feet of me to participate.

Cards without chips (0)

Anonymous Coward | about a year and a half ago | (#43762771)

I requested that my bank issue me a card without a chip. And they did.

Re:Cards without chips (1)

Z00L00K (682162) | about a year and a half ago | (#43763587)

The cards with a visible chip aren't the problem, it's the cards with hidden chips that communicate with radio that are.

The contact-chips have a different set of problems and attack vectors but they are safer than the magnetic strip. Recently some skimming equipment has been found for the chip cards. As for NFC cards you can be further away to skim them.

And they called me paranoid... (0)

Anonymous Coward | about a year and a half ago | (#43763159)

I finally have a use for my tinfoil wallet! [rpi-polymath.com]
