Thread: Are contactless bank cards safe?
Mail order catalogues nowadays include aluminium wallets for these cards to prevent black hats from reading your card details. Now I know that these catalogues contain a lot of fruitloopery, such as detergent-free wash balls that supposedly generate ionised oxygen, but I don't know enough about near field communication to know if this is a genuine threat or just FUD.
Can anyone set my mind at rest?
- Join Date
- Jun 2013
I think there would be a lot more victims if they could scan your card on your person. Your pin is broadcast when you select debit. Run all purchases as credit not debit and sign if it is more than $25. If they asked for the security code on the back of the card during transaction then maybe they could scam you.
I work with smartcards for my day job. I'm not certain if this is how the banks do it, but they'd be bonkers not to.
Generally, the pin on the card isn't released anywhere - normally you have a signing key on the card, and when you carry out a transaction, it would be signed using the on-card key - but this is done on the card, you'd submit a data blob for the transaction to the card, it'd need your pin to access the private key which it then uses to sign the transaction, before returning the signature to the calling device. Unless someone has access to your chip and your pin, they can't get at your signing keys.
We set these things up normally so that the keys are generated on the card, and never go anywhere else. Of course, the public key is exported and held by the organisation so they can prove that you signed a transaction using your card. We'd normally not let the card disclose its pin either - although I'm not sure how banks would be able to do this and be able to show you the pin either through a reminder letter or on any internet banking website.
Generally speaking, the private key never leaves the card and all signing operations are carried out in its hardware. For nfc transactions, of course, there'd be no pin entry. If I were setting this up, I'd do it with a second key - one that you didn't need the pin to access, and for (very) small transactions allow it to be used. The bank would know which key was used, and they'd be able to reject transactions signed with the small transaction key if it were for too much money. But even in this scenario the signing operation would happen on the card, and you'd not release the keys to anyone.
Perhaps someone who knows a little more could tell us exactly how the banks handle it?
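A sketch of the two-key arrangement described in the post above, as an added example that is not part of the original thread and not a description of how any bank or card scheme actually works. The class names, the 2000-pence limit and the toy textbook RSA built from fixed primes (standing in for the card's hardware signing) are all assumptions.

```python
import hashlib

def toy_keypair(p, q, e=65537):
    # Textbook RSA from fixed Mersenne primes: stand-in for on-card key
    # generation. Illustrative only, NOT secure.
    n = p * q
    return (n, e), pow(e, -1, (p - 1) * (q - 1))

def digest(tx, n):
    return int.from_bytes(hashlib.sha256(tx).digest(), "big") % n

def make_tx(amount_pence, merchant):
    # Transaction blob the terminal submits to the card for signing.
    return f"{amount_pence}|{merchant}".encode()

class Card:
    """Hypothetical card: private exponents never leave this object."""
    def __init__(self, pin):
        self._pin = pin
        self.pub_pin, self._d_pin = toy_keypair(2**127 - 1, 2**89 - 1)
        self.pub_nfc, self._d_nfc = toy_keypair(2**107 - 1, 2**61 - 1)

    def sign(self, tx, pin=None):
        """Return (key_id, signature); without a PIN only the small-value key is used."""
        if pin is None:
            n = self.pub_nfc[0]
            return "nfc", pow(digest(tx, n), self._d_nfc, n)
        if pin != self._pin:
            raise PermissionError("PIN rejected, main key stays locked")
        n = self.pub_pin[0]
        return "pin", pow(digest(tx, n), self._d_pin, n)

class Bank:
    NFC_LIMIT_PENCE = 2000  # constructed limit for the PIN-less key

    def __init__(self, card):
        # Only the public halves are exported to the bank.
        self._pubs = {"pin": card.pub_pin, "nfc": card.pub_nfc}

    def authorise(self, amount_pence, merchant, key_id, sig):
        n, e = self._pubs[key_id]
        if pow(sig, e, n) != digest(make_tx(amount_pence, merchant), n):
            return "reject: bad signature"
        # The bank knows which key signed, so it can cap the PIN-less one.
        if key_id == "nfc" and amount_pence > self.NFC_LIMIT_PENCE:
            return "reject: over contactless limit"
        return "approve"
```

The signature covers the amount, so a reader that obtains a PIN-less signature for one amount cannot present it for another, and anything over the limit is refused regardless of which terminal asked for it.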
- Join Date
- Jun 2013
In any transaction someone could steal your credit card details and then use it to order pizza. What happens if you hand your card over to a waiter in a restaurant and he takes it away to be rolled or swiped - while it's out of your sight, he could copy the number off the front and the security code on the back. It's more dangerous than buying on the Internet in that scenario. At least when you buy from a big internet co like Amazon, there is no human involved, and they want you coming back time and time again, so they aren't going to steal pizza money from you.
I don't think the banks do it that way, Roxoff.
I believe my wife's card has the chip and the strip, she still has to input the PIN on the keypad at the ATM, of course we use as credit in face to face store purchases.
But, as you say, surely the banks plan to switch fully to what you describe when the chip goes full time, supposedly by 2015.
Most identity theft comes from phishing, stealing your purse/wallet, dishonest store employees and digging through trash.
Just be cautious where you use your card.
Is the technology bullet-proof - no.
Is there potential for it to be abused - yes.
Should the fact the transactions are small compared with others you can make using the same card make you feel any better - personal opinion.
Is it worrying the detail can be read without actually making physical contact with the card - personal opinion.
Will wrapping the card in tin foil stop it being read - possibly; check it out next time you go to your local store with a reader. If the foil prevents the reading you have a cheap solution, and if it does not then you know the metal container must be at least thicker than tin foil!
People's views about whether it is acceptable for non contact reading of information and payment will be influenced by who is liable for mistakes.
I don't have one of these cards at the moment ... but when I do end up with one ... I'll be the guy at the front of the checkout queue unwrapping my card to make a payment
But common sense won't defend you against the possibility that someone in the crowd around you might simply be able to read the details off your card without you even knowing. If they can actually read your PIN, they could use it for more than small purchases. And how could you prove afterwards that you hadn't given them the PIN?
- Join Date
- Apr 2009
- I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
I recently got a passport card (US) that has an RFID chip in it. It came with a "faraday sleeve" that is supposed to block access to the chip unless you remove it from the sleeve. I also have a signal blocking wallet for my regular passport, which also has an RFID chip. Anyway, these sleeves are available from a number of sources, including Amazon.com.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!