Contactless card fraud is too easy, says Which?


Consumers who use contactless debit and credit cards to buy goods or services could be unwittingly opening their bank account up to fraudsters, according to an investigation by Which?

Researchers bought cheap, widely available card scanners from a mainstream website to see if they could

I think the upcoming new standard that people say Apple Pay uses is meant to help avert this because it forces encryption and you can't just read any plaintext data, though I could be wrong?

Not to fearmonger, but this is the reason why I preferred the old signature method, I know the pin codes for both my wife, and my elderly mother's cards. Ok it's a convenience thing in regards to my mother as she's lost a great deal of dexterity, but as I also know the pin codes for my wife, and she knows my codes, the cashier is completely oblivious to whose card is being used.

 

(I'm guessing theoretically, a contactless card could be stolen, and used to make small purchases without the cashier ever knowing the card is stolen until it is reported, <same as chip and pin>)

They -really- need to implement biometrics into cards and scanners, as well as full encryption...  It's a lot harder to clone someone's card if you've gotta cut a finger off too! :p

 

As for internet orders, it should be a legal requirement for all traders to ONLY ship to the cardholder's verified address.

They -really- need to implement biometrics into cards and scanners, as well as full encryption...  It's a lot harder to clone someone's card if you've gotta cut a finger off too! :p

 

As for internet orders, it should be a legal requirement for all traders to ONLY ship to the cardholder's verified address.

No I don't agree. If I want to buy a gift for someone I have to have it delivered to my address and then I have to pay additional postage (not to mention more time wasted) to send it to them?

They -really- need to implement biometrics into cards and scanners, as well as full encryption...  It's a lot harder to clone someone's card if you've gotta cut a finger off too! :p

 

As for internet orders, it should be a legal requirement for all traders to ONLY ship to the cardholder's verified address.

 

So goodbye to people being able to get packages delivered to work then!

So goodbye to people being able to get packages delivered to work then!

 

Register your work address with the card issuer.

No I don't agree. If I want to buy a gift for someone I have to have it delivered to my address and then I have to pay additional postage (not to mention more time wasted) to send it to them?

 

You can't have both card security and freedom of delivery.  Letting them deliver anywhere is just asking for trouble when your card gets cloned.

Register your work address with the card issuer.

 

You can't have both card security and freedom of delivery.  Letting them deliver anywhere is just asking for trouble when your card gets cloned.

 

But that isn't my home address. And would then mean I couldn't get stuff delivered to my home if I wanted to!

But that isn't my home address. And would then mean I couldn't get stuff delivered to my home if I wanted to!

 

I have two addresses registered with my card issuer...

Mine doesn't let me have two addresses. Only 1. I wanted my mum's as an alt and they said I would have to have a biz acct to have multiple addresses.

A friend with a USB contactless card reader was easily able to read data on his bank card. His metro card was a different story (well secured).

I have two addresses registered with my card issuer...

As do I, in fact 3 authorised addys, home, parents and my permanent place of work.

 

I'm surprised this is even news, what did people think, that the makers would give a flying chuff about these items, that's the responsibility of the card issuers really.

 

internet ordering really needs revised, it's scary how easy it is to order stuff say using your parents' CCard if you know the card number n expiry date, no real checks require further verification.

you know the age old work around "Purchaser not present" on receipt, or other words anyone could have placed this order.

 

the only time the card issuer will act on this kind of security lapse is when the cost of reimbursement due to online and CC fraud is higher than the cost to develop and implement security checks, until then they'll just compensate affected customers.

Mine doesn't let me have two addresses. Only 1. I wanted my mum's as an alt and they said I would have to have a biz acct to have multiple addresses.

 

Then respectfully, your card issuer is a frelling idiot. :p It's in their own best interests to enforce things like this, and letting you register several authorised addresses is a pretty basic step.

it's my freakin bank and they are meh but not many physical bank choices where I'm at so... only like 3-4 and they are all bad so pick yah poison

Had my credit card and debit card numbers skimmed a few weeks ago by one of these scanners. The idiots that did this racked up $100 at a subway and another $100 at a McDonalds go figure.  Basically Chase told me that for now I should get one of those blocking cards for my wallet that prevents this. They need to come up with better protection for these chips on the card, thought these were supposed to be more secure than the stripe

I think this study is a little scaremongering by Which?

 

For online shopping what do you need? The card number, the expiry date and the security code - all of which are printed on the card. Unless the card is transmitting the customer's physical address via NFC, there is no further information that'd be useful for online shopping. What is the point of securing information which is printed on the damn thing?

 

If you're close enough for a contactless read of the card, you're close enough to get the card itself.

I think this study is a little scaremongering by Which?

 

For online shopping what do you need? The card number, the expiry date and the security code - all of which are printed on the card. Unless the card is transmitting the customer's physical address via NFC, there is no further information that'd be useful for online shopping. What is the point of securing information which is printed on the damn thing?

 

If you're close enough for a contactless read of the card, you're close enough to get the card itself.

 

Which is why online companies should only be allowed to deliver to registered cardholder addresses, nowhere else.

 

No point in stealing someone's card if you can't get the stuff you're trying to order.

Register your work address with the card issuer.

 

You can't have both card security and freedom of delivery.  Letting them deliver anywhere is just asking for trouble when your card gets cloned.

I'll stick with freedom over an illusion of safety.
