A few days ago the NO2ID forum was warned of the problems inherent in touch-and-pay technology (the same as used in the Oyster card):
They are now working with major bank card issuers like Barclaycard and Royal Bank of Scotland to trial credit and debit card functions within contactless RFID-chip cards, such as the TfL Oyster card scheme. This scheme will see contactless Oyster transport cards combined with payment card functions, so that consumers can use them for small-value purchases in places like newsagents, coffee shops etc. RBS is already trialling a scheme for its UK workers whereby they use contactless RFID cards for small payments at the RBS HQ.
Barely had the correspondent’s keyboard cooled down when Aunty carried the same story:
UK consumers will soon be able to settle bills of less than £10 with a touch of their credit and debit cards.
The system, which is being led by Visa and Mastercard, will be running from September, said payment group Apacs.
Instead of swiping their cards and entering a security code, or signing a receipt, users will only have to hold them against a special secure reader.
Being something of a geek and always prepared to consider anything that would make my life easier, I should in theory be welcoming something that will make carrying cash a thing of the past – I hate cash, I’ve either not got enough or my pockets are jangling with the stuff.
But… But… This is Oyster we are talking about:
Critics have questioned whether the system will be secure enough and warned it may lead to a rise in card fraud.
So far as I am aware, no one has bothered to clone an Oyster card. Who would want to, anyway? As an aside, there are civil liberties objections to Oyster, but they’re not something I’ve concerned myself with too much as it is possible to buy the cards anonymously, so journeys logged on the system could have been anyone’s.
Cloning someone’s credit card offers richer pickings than an illicit Oyster card, unless our crim wants to spend all day traversing the Bakerloo line… Well, it takes all sorts, I guess. Given that RFID technology has been comprehensively breached, I’m mildly surprised at APACS continuing to trumpet it:
The system is extremely easy to use; all a customer needs to do is hold their card up to the contactless card reader. Although making a contactless payment does not routinely require a PIN to be entered, the chip on your card will track activity and as a security feature will request a PIN from time to time. Each time a PIN is used it re-affirms that the cardholder is in possession of their card.
The cynic might add that it will also be extremely easy to clone… Although not a perfect system (despite the banks telling us otherwise), CHIP and PIN does at least offer some form of verification for each transaction; this one doesn’t. It’s almost as if the card has “steal me” written on it. It strikes me that the banks are in such a rush to make a profit from small transactions that they are willing to use discredited technology to do so rather than take their time and come up with something that benefits their customers and is reasonably robust in the process.
Or is that too much to ask?
Proper digital cash, which this isn’t, is possible. But it’s very hard to do, which is why they aren’t doing it. Maybe the security will be half decent, since if it is to be used like a credit card the banks will have to be the ones picking up the tab for fraud. But still I wouldn’t want one without a shielded wallet.
Personally I like cash, it makes it easy to budget with. I take out a certain amount and as it goes down I can see it going down and so how much I have left.
About ten years ago, they trialled the Mondex card in Swindon. It didn’t catch on, so died a death. That proposal at least required cards to be charged up with cash. Something along these lines would be preferable as, like a wallet containing cash, losses are limited to what is on the card. Linking it to credit and debit cards gives any thief carte blanche until the theft is reported.
I’ll not be taking this one up.