purplecat | Contactless Payments

Egg has been bought out by Barclaycard. As a result I am to receive a barclaycard. I'm taking steps to remedy this but in the interim I've been reading the wee booklet they sent me and am struck by its assurances about contactless payments

"you'll be able to make contactless payments up to £15.

...

it's really safe to use so you can shop with confidence knowing your account is secure.

....

Instead of inserting your card in the Chip and PIN reader and entering your PIN, to make a contactless payment you simply hold your card near the reader. And that's it - off you go."

No, it obviously isn't "really safe" otherwise you'd let me spend more than £15 at a time with it. In fact I can see no protection at all, under this system, which prevents someone with the right kind of reader wandering around a crowded shopping centre quietly nicking £15 from every customer in range. I had hoped that, like Chip and PIN, you might at least need to confirm your purchase with a PIN number (even though there are security issues with broadcasting PIN numbers wirelessly between devices) but it doesn't look like you do.

I'm also imagining the chaos that will be caused when the person behind you in the queue accidentally pays for your shopping because they were standing too close and holding their credit card while you were fussing around in your bag.

Maybe I'm being overly pessimistic, but I can't see anything which suggests that contactless credit cards aren't the plastic equivalent of wandering around with your purse open and a sign on it saying "help yourself". Well, OK, you do need the right kind of card reader and then a way to quickly launder your ill-gotten gains but I have rather more confidence in the ingenuity of the criminal fraternity than I do in the forethought that has gone into preventing abuse of these things.

This entry was originally posted at http://purplecat.dreamwidth.org/55919.html.

Flat | Top-Level Comments Only

From:

lukadreaming.livejournal.com

This has just reminded me that I need to get a shift-on and find another credit card that isn't bloody Barclaycard. I'm rather miffed, as on the whole Egg were fine to deal with - if you ever phoned, you got real people in a UK call centre who tended to be helpful.

From:

purplecat

We've gone with Amazon credit cards, but we generally pay our bill off in full and so we were mainly shopping on the basis of the best overall cashback offer. I've no idea what their customer service may turn out to be like mind.

From:

lukadreaming.livejournal.com

I'll have a look at that. And I need to root around, as I have a Co-op Bank credit card I almost never use - I have a feeling that's a better offer. And I did have a Play.com one for their special offers, but I haven't used that in ages. I suppose I should turn it in or start using it instead of Egg.

From:

wellinghall.livejournal.com

Also Amazon - partly given how much of my credit card spending is there anyway ...

From:

purplecat

It does only win out in the cashback stakes if you assume you can use that many Amazon vouchers. I suspect the Tesco card may actually be the better deal, assuming you are good at maximising the value of your club card points - which we aren't, we tend just to use them to get money off Tesco shopping but our in-laws obviously get much better value from them by using them carefully for special offers, outings and air miles.

From:

bunn.livejournal.com

My problem with Amazon credit cards is that they keep turning off the Amazon bit and then Amazon moves to a new card scheme and if you want to go with you have to get a new card (and discover over the next 12 months how many small annual payments you used that card for that now need to be informed of your new details...)

The second time they did that I decided I was just too lazy to keep changing.

From:

purplecat

Ah! That does sound like a royal pain! I'm committed now but I guess I may be moving again in a year.

From:

philmophlegm.livejournal.com

I chose my last credit card on the basis of best cashback deal and the winner was American Express Platinum. This was about three years ago, so it might not be any more, but it would be worth checking out. On the other hand, you will need an alternative since so many places don't accept Amex.

From:

purplecat

I recall Amex was on the list - I think there may have been a spending threshold I didn't think I'd get over. This is the credit card that just gets used for personal items so its total spend is quite low.

From:

philmophlegm.livejournal.com

I must admit, the amount of cashback I get has diminished severely since JOLF implemented its ALL BUSINESS EXPENSES MUST BE PAID FOR WITH THE CORPORATE AMEX CARD policy.

From:

king-pellinor.livejournal.com

I completely agree. The whole thing falls down straight away as soon as you consider a person who has two credit cards. Which one does the magic box choose?

I'd far rather be able to say "this one" by putting it in the reader, and confirm that it's the one I meant by entering a PIN, and be able to spend more than £15 at a time.

Contactless cards have no use and many problems, as far as I can tell.

From:

purplecat

I'm assuming the readers (the official ones at least :/) will only have a very short range which will limit the chances for confusion, but I won't be at all surprised if they don't limit the chances enough to avoid confusion. But the fact that you could be entirely unaware that money was being taken from the card does worry me a lot.

From:

king-pellinor.livejournal.com

They can't possibly limit the confusion between two cards which are next to each other in the same wallet.

The only way to be sure you're using the right card is to open your wallet, take out the correct card, wave it at the reader, then put it back. I don't see why that is any better than putting the card in a contact reader. In fact it's worse, as you have to make sure you hold your wallet far enough away from the reader to avoid card 2 being read as you're waving card 1 near it.

From:

purplecat

yes.

From:

kargicq.livejournal.com

This is my experience -- I use my contactless card at the shops which accept it. It's so short range that you have to remove card from wallet and hold it next to the reader for about 2 seconds until it's acknowledged. I doubt it could pick up two at once.

The time saving aagainst putting in a PIN is about, oh, ten to twenty seconds. Probably not really worth it, but as I'm normally in a tearing hurry it feels as though I've saved more time than that!

From:

king-pellinor.livejournal.com

That sounds as though the time saving is that it doesn't confirm the transaction with the bank, but just automatically puts it through. I don't think it takes 2 seconds to put a card in a reader.

So the time saving isn't because it's contactless, but because it's a simpler transaction that drops the PIN check. You could get the same effect with a contact reader - why not just change Chip & PIN readers so they only require a PIN for transactions over £15? That would get the same effect as contactless cards at the cost of a software update, no new technology required.

From:

purplecat

Though that doesn't get around the problem that if your card gets stolen the thief can easily spend a lot more money than I would normally keep in my purse.

You obviously don't need the PIN anyway since the M6 Toll doesn't require PIN numbers (though obviously it does get a good look at your vehicle licence plate instead). I'm fairly sure PIN is used to let merchant's guarantee that the cardholder was present. I suppose I should have a look at what the T&Cs concerning fraud are on the card. If someone steals my card and uses it to buy stuff contactlessly, who is liable for the loss? If its the bank taking the hit then I guess that's their look out.

From:

king-pellinor.livejournal.com

Checking Barclaycard's website, it looks as though they'd ask for a PIN after a few transactions that haven't needed one. So the ability to make lots of £15 payments in a row is limited.

What I would probably do is have a record on the card of how much has been spent since it last required a PIN. For any transaction, if the amount is over £15 or the running total has reached say £50, then the card automatically insists that the PIN be entered and then resets the total to nil (assuming the PIN is right).

They say that you're protected provided you've not been negligent and you've reported the loss of the card, though I'm not sure what that means if it gets used before you've realised it's gone.

From my point of view, being able to use a card to make small payments without a PIN is a small convenience; the contactless bit is a bit of a red herring, though.

From:

purplecat

The contactless bit opens it up to a host of security exploits unless the card can tell how close the reader is to it (just making readers with limited range doesn't stop all sorts of "boost the signal" type exploits). However those sort of scams are possibly rather esoteric and the bank would almost certainly be clearly liable since a lot of people would be effected.

PINless opens up a different can of worms with the issue of card theft.

Contactless+PINless looks like a nasty combination to me but I suspect that banks will carry most of the burden if someone does find an exploit.

From:

king-pellinor.livejournal.com

Yes, I was forgetting that was my main objection to contactless. It's not just a red herring, it's opening up a lot of vulnerabilities for no apparent gain - other than that it uses new technology and so must ipso facto be better ;-)

From:

philmophlegm.livejournal.com

And what about the scenario where you are carrying two cards from the same provider but for absolutely, separate purposes? I'm not allowed to use my corporate Amex card for personal expenditure, but all business expenses have to go on it. Since I also have a personal Amex card, I can envisage multiple expense claim problems...

From:

wellinghall.livejournal.com

Snap (on all counts).

From:

purplecat

It worries me that the financial professionals on my flist don't like this either. Coming from a computer science perspective I know our concerns about weaknesses in security can turn out to be rather esoteric in practice...

From:

reggietate.livejournal.com

Apparently, this kind of thing is being introduced on some mobile phones, as well. If it's every to be safe, they do need some way to make it secure, and right now, I can't imagine how they'll do it. It's a great idea in principle, not so great in practice.

From:

purplecat

It seems to me that a lot of the security rests on the assumption that readers can't fall into the wrong hands and that their range can not be extended beyond a few centimetres. Both those assumptions seem flawed to me.

From:

reggietate.livejournal.com

*nods*

From:

bunn.livejournal.com

... and that the people taking payment will never assume permission or simply bugger things up.

I can just see it now : the checkout machine goes mad (or has had the wrong button pressed by Stacey-I-Never-Touched-It) and starts stealing £15 off everyone who walks past within range. Cue lamenting by all staff trying to work out how to stop it, a call to Head Office which will be dealt with next Tuesday, and the coning-off of Hal Checkout, which can now be safely approached only by pensioners carrying cash in their socks...

It should be entertaining to watch. I was thinking of moving to the cash in socks model anyway, as a staging post to the inevitable Turnip Economy we will be forced to adhere to once the petrol runs out.

From:

purplecat

It must be said I can't see myself carrying such cards around much until I see a clear explanation of how the security and/or liability is supposed to work. Cash-in-socks all round I suppose.

From:

lil-shepherd.livejournal.com

inamac has spent some time telling Barclaycard that she does not want this "service" and, as I understand it, had succeeded.

I have been with HSBC Mastercard for over 35 years and have only had two spats with them in that time, both of which they sorted in my favour immediately.

From:

purplecat

If I planned to keep it I might try to get the service removed, but this was really just the nudge I needed to go shopping for a better deal anyway. I don't think my Amazon card is contactless, though since I don't actually have it yet, I'm not sure. However I have a nasty feeling it will shortly become very difficult indeed to refuse the service. It would be nice to delay until any major teething problems have been sorted out though.

From:

mysteriousaliwz.livejournal.com

That sounds like the epitome of insecurity to me.

From:

purplecat

It seems completely ridiculous to me. Even assuming the readers and everything are secure and so forth if your credit card gets stolen someone could still quickly run up a few hundred in £15 chunks. There's a reason why a memorised PIN number of a signature have traditionally been required.

From:

knitekat.livejournal.com

It they are so sure if is secure, why limit it to £15. Bloody daft idea if they don't have good security on it.

From:

purplecat

I can see why they want a faster system than chip and PIN, but there's a reason I don't carry hundreds of pounds around in my pocket...

From:

knitekat.livejournal.com

*nods* It is the equivalent.

Flat | Top-Level Comments Only

S	M	T	W	T	F	S
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28

Page Summary

Active Entries

Style Credit

Expand Cut Tags