![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
lostcarparkVisa have announced a new contactless payment system called payWave (I bet whoever though of the lower case 'P' thinks they're really trendy). The basic idea is that rather than having to go to all the trouble of swiping your card, or inserting into a reader, you can just hold it in close proximity to the reading device. This is to make paying for things easier and quicker, and one of the features I note is "No signature [and presumably no PIN] is required for most purchases under $25".
Now, while that should make payments easier and quicker, I can't help wondering will it also make getting ripped off easier and quicker? You bump into someone in the street, and suddenly fund your card has been charged $25 - or worse, someone has managed to clone your card and make hundreds of small payments against it.
Another possible exploits I can think of is leaving portable readers hidden in places where unwitting suspects are likely have their wallets in close proximity - wedged in the seat lining of a pub is one possibility. It would then collect card details of anyone who came close enough and either transmit them or store them for later collection. If they could be made small and cheap enough, criminals could distribute thousands of them at almost no risk to themselves.
Of course, Visa assure us the technology is secure, presumably with multiple layers of encryption, but how many security technologies based on encryption have been compromised in the past? Pretty much every one of them. Once they send readers out to retail outlets, you can be pretty sure some will "disappear", and it won't be long before the criminals know exactly how it works. And while it often takes far too much computing power to be practical to try breaking the encryption when these technologies first appear, in a few years advances in computing are likely to render this practical before too long - just look at the "unbreakable" 128-bit encryption in widespread use on secure websites.
Visa also assure us that we will not be charged for fraudulent transactions, but one of the aims of the card is to get us using it for smaller payments. Will you remember every individual corner store transaction? More importantly, will you notice if your small transactions increase by 10%? Someone could keep a stack of cloned cards going for quite some time by rotating them and only charging small amounts to each one. A lot of people will check their major payments, but will skip past a lot of the smaller ones if they "look okay".
It's also worth noting that with chip-and-PIN, they have been trying to move the onus on proving a transaction is fraudulent back to the cardholder. If someone gets hold of your PIN it must be your fault. I haven't heard any stories of the keypads used to enter PINs being compromised yet, but I'm sure it's only a matter of time.
Usually I'm all for new technologies, but in this case I think the Luddites might be on to something.
Now, while that should make payments easier and quicker, I can't help wondering will it also make getting ripped off easier and quicker? You bump into someone in the street, and suddenly fund your card has been charged $25 - or worse, someone has managed to clone your card and make hundreds of small payments against it.
Another possible exploits I can think of is leaving portable readers hidden in places where unwitting suspects are likely have their wallets in close proximity - wedged in the seat lining of a pub is one possibility. It would then collect card details of anyone who came close enough and either transmit them or store them for later collection. If they could be made small and cheap enough, criminals could distribute thousands of them at almost no risk to themselves.
Of course, Visa assure us the technology is secure, presumably with multiple layers of encryption, but how many security technologies based on encryption have been compromised in the past? Pretty much every one of them. Once they send readers out to retail outlets, you can be pretty sure some will "disappear", and it won't be long before the criminals know exactly how it works. And while it often takes far too much computing power to be practical to try breaking the encryption when these technologies first appear, in a few years advances in computing are likely to render this practical before too long - just look at the "unbreakable" 128-bit encryption in widespread use on secure websites.
Visa also assure us that we will not be charged for fraudulent transactions, but one of the aims of the card is to get us using it for smaller payments. Will you remember every individual corner store transaction? More importantly, will you notice if your small transactions increase by 10%? Someone could keep a stack of cloned cards going for quite some time by rotating them and only charging small amounts to each one. A lot of people will check their major payments, but will skip past a lot of the smaller ones if they "look okay".
It's also worth noting that with chip-and-PIN, they have been trying to move the onus on proving a transaction is fraudulent back to the cardholder. If someone gets hold of your PIN it must be your fault. I haven't heard any stories of the keypads used to enter PINs being compromised yet, but I'm sure it's only a matter of time.
Usually I'm all for new technologies, but in this case I think the Luddites might be on to something.
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2007-04-28 01:06 pm (UTC)Your not a luddite if you don't want new tach for the sake of new tech!
no subject
Date: 2007-04-28 03:13 pm (UTC)no subject
Date: 2007-04-28 03:35 pm (UTC)Perhaps with piling the merchandise by the register, so they're forced to file it back on the shelves, thinking in the meantime of the missed purchase.
Crazy(and agreeing with you - and I'm not really a Luddite, either - deeply lazy about new tech, but I adopt what works for me)Soph
no subject
Date: 2007-04-28 09:38 pm (UTC)Or will it be like Revelation where we won't be able to make purchases unless we have the devil's mark on our forehead or our right hand?
no subject
Date: 2007-04-29 03:40 pm (UTC)Crazy(Sweet dreams to you, now!)Soph
no subject
Date: 2007-05-02 02:39 pm (UTC)Why not charge low priced items to your card? Is it speedy and convenient with a wave or tap so it gets you out of the store faster and you probably earn rewards like points or miles or cash back—especially if you use it at merchant that give you extra rewards. Clearly you have to be disciplined in your record keeping.
Chip and PIN is really only applicable to Europe. And yes the onus comes back to the cardholder in those transactions as how many people other than you know your PIN.
Visa is very late to this game. MasterCard has branded their contactless payment product as PayPass for years and it has a high rate of adoption by merchants. MasterCard is even in trial with putting PayPass in mobile phones—Visa can’t say that on a widespread basis.
It is all about branding in this business and Visa branded their product too late and MasterCard already has their contactless market share cut out and it is growing.
I will say my mobile phone with MasterCard PayPass is great --- I love all the shocked cashier looks I get at check-out. You have to be a really good Citibank MasterCard customer to get one of these.