lostcarpark: (Lego Spaceman)
Visa have announced a new contactless payment system called payWave (I bet whoever thought of the lower case 'P' thinks they're really trendy). The basic idea is that rather than having to go to all the trouble of swiping your card, or inserting it into a reader, you can just hold it in close proximity to the reading device. This is to make paying for things easier and quicker, and one of the features I note is "No signature [and presumably no PIN] is required for most purchases under $25".

Now, while that should make payments easier and quicker, I can't help wondering will it also make getting ripped off easier and quicker? You bump into someone in the street, and suddenly find your card has been charged $25 - or worse, someone has managed to clone your card and make hundreds of small payments against it.

Another possible exploit I can think of is leaving portable readers hidden in places where unwitting suspects are likely to have their wallets in close proximity - wedged in the seat lining of a pub is one possibility. It would then collect card details of anyone who came close enough and either transmit them or store them for later collection. If they could be made small and cheap enough, criminals could distribute thousands of them at almost no risk to themselves.

Of course, Visa assure us the technology is secure, presumably with multiple layers of encryption, but how many security technologies based on encryption have been compromised in the past? Pretty much every one of them. Once they send readers out to retail outlets, you can be pretty sure some will "disappear", and it won't be long before the criminals know exactly how it works. And while it often takes far too much computing power to be practical to try breaking the encryption when these technologies first appear, in a few years advances in computing are likely to render this practical before too long - just look at the "unbreakable" 128-bit encryption in widespread use on secure websites.

Visa also assure us that we will not be charged for fraudulent transactions, but one of the aims of the card is to get us using it for smaller payments. Will you remember every individual corner store transaction? More importantly, will you notice if your small transactions increase by 10%? Someone could keep a stack of cloned cards going for quite some time by rotating them and only charging small amounts to each one. A lot of people will check their major payments, but will skip past a lot of the smaller ones if they "look okay".

It's also worth noting that with chip-and-PIN, they have been trying to move the onus on proving a transaction is fraudulent back to the cardholder. If someone gets hold of your PIN it must be your fault. I haven't heard any stories of the keypads used to enter PINs being compromised yet, but I'm sure it's only a matter of time.

Usually I'm all for new technologies, but in this case I think the Luddites might be on to something.
