Credit Card "Contactless" Payments

There was a lot of discussion a couple of years ago when certain CC companies (notably Barclaycard, I think) introduced cards which could do small transactions (£10 or £20) just by waving them near a reader, without any need for a PIN. There was much disquiet at the time about the possibility of accumulating erroneous charges just by walking past a reader with a card in your pocket - quite apart from the prospect of anyone who stole your card being able to carry out multiple small transactions unfettered. There was talk of lead-lined wallets to avoid accidental use.
At the time, I cancelled my Barclaycard account because I didn't like the idea of contactless transactions.
Now - blow me - I've just received a replacement Capital One card with the same "feature". It was issued, even though the old one hadn't expired, on the pretext of guarding against some unspecified security risk, claiming that my card details "may" have fallen into the wrong hands. I suspect that this is simply an excuse to enable them to roll out the new type of card, since I can still use the old card until I validate the new one.
What are the current thoughts on this technology? Is it as risky as was first thought, or were the fears over-hyped? Do any of you have any experience - good or bad - of this feature?
Reply to
Roger Mills
You shouldn't wave them, and the publicity for them tries to make that clear (you also shouldn't wave Oyster, which uses the same physical layer technology, but most people think you have to!). The reader will get a much more stable signal if the card is not moving about.
The PIN will be requested every few transactions.
The range for a proper reader is only about an inch.
They can basically get the information printed on the front of the card, but not the CVV.
At least, as tested with Oyster, kitchen style aluminium foil is quite sufficient. Lead is lower conductivity, so probably worse.
If you had been watching the adverts, you would have seen patches for mobile phones being promoted as well. Also a lot of smart phones can communicate with the terminals, although, as they are active, they are only responsive when the user wants them to be. On the other hand, it means they contain the technology needed to read the basic information from the passive cards.
Reply to
David Woolley

What do the T&C say about unintended transactions? Will they automatically refund the rogue payment or do they wash their hands of it unless you can prove it wasn't genuine?
Adrian
Reply to
anonymous
The card companies are not interested in customer security. I once had a credit card with my photo and signature embedded in the middle layers of the card so they couldn't be changed. Abbey National when they "inherited" the card claimed that their replacement was more secure - the classic card where you write your signature with a ball point pen.
Reply to
Alan
The leaflet announcing contactless payments says "Contactless payments use the same safe technology as chip and pin, and if your card is used without your knowledge, you're covered with the same fraud protection".
From the T&Cs, it appears that, for 'normal' transactions, your liability for misuse of lost or stolen cards is £50 until you report it lost - and then they cancel it so further transactions are not possible. *However*, it's much easier for a villain to carry out fraudulent contactless transactions, since they don't (usually) need a PIN. Also, it's not clear what happens in the case of an accidental transaction - where the card in your pocket gets too close to a reader without your knowledge.
Anyone know of a no monthly fee CC with a decent level of cashback, which doesn't have any of this 'contactless' nonsense? [Interest rate doesn't matter - I always pay it off in full each month].
Reply to
Roger Mills

That sort of fraud by the trader isn't considered the main risk. The trader has to have entered the amount into the till and set it into a ready-to-complete state, and the card needs to be less than about an inch above the terminal, and generally above and parallel to it, before a transaction could proceed.
The main risk is that you can do the equivalent of photographing the front of the card even when the card is in a pocket or wallet. The actual fraudulent transaction is likely to occur abroad, somewhere where chip and pin is not implemented.
You can use higher powers to read the card, so can do it at a greater distance, although I imagine most such fraud would be done with equipment designed for PoS use and therefore with very limited range.
Reply to
David Woolley
Do you think that there's any significant risk in owning such a card - or am I being unnecessarily paranoid? I can't see myself actually wanting to *use* this technology - I just see it as an unwanted (and maybe risky) feature of my card.
Reply to
Roger Mills
Correct. C&P hasn't really helped security and VbV/3D Secure is pretty much useless IMHO.
I've had several credit cards where they refused to disable ATM operations on the card.
I would probably refuse a card like the OP's.
Reply to
Mark
I have a result, of sorts. The story so far . . .
1. I emailed CapitalOne telling them that I didn't want their 'contactless' card, and didn't believe their bogus security-related reason for issuing it, believing instead that they were doing it for purely commercial reasons [1]
2. They replied, saying that all their cards were now contactless, and apologising for any inconvenience this may cause. They made no mention of the 'security' issue.
3. I emailed them again, telling them that I intended to destroy the new card and continue using my old card until it expired - giving me time to make other arrangements. I asked them to make their management aware of my disgust at the dishonest way in which they are rolling out these contactless cards.
4. One of their managers phoned me to try to convince me that contactless cards are safe. She failed! When I questioned the bogus security reasons given for issuing new cards, she put me through to the security department.
5. The security bloke continued to peddle the "current card at risk" story, but couldn't explain why - if they believed my card details had been compromised - they hadn't blocked the card and asked me to verify or refute some 'suspicious' transactions, like they had done on previous occasions. Now the interesting bit . . .
6. He swore blind that the new cards which I had received were NOT contactless, but were 'regular' cards, which they had issued because of the security problem. I asked him how I could check. He said that contactless cards would carry a logo like a loudspeaker. There was nothing visible on my new card *until* I peeled off the label showing how to activate the card, when - as expected - there was the logo, hidden under the label. He was a bit non-plussed by this(!) and didn't want to believe me. I offered to photograph it and email it to him! He eventually believed me and then undertook to issue me with another new card - this time definitely a 'regular' one, without any contactless capability. Remember, they had previously said that they couldn't do this!
I am awaiting the arrival of my new 'regular' card, and will report back.
In my view, CapitalOne have lost all credibility as a result of this episode - if they ever had any, that is!
Reply to
Roger Mills
