Tap ‘n’ Go

Contactless bank cards are on their way.

The disappearance of cash came a step closer this week with the launch of bank cards that allow shoppers to pay for items worth less than £10 without having to use a PIN or signature.

The new contactless technology, backed by Visa and MasterCard, is designed to replace the need for loose change and speed electronic payments. You will not even receive a receipt, unless you ask for one.

It sounds great. However… There’s always a however, isn’t there? In this case, the however centres around the technology being used: RFID.

Contactless payment cards use short-range radio to exchange payment information with terminals at till points and do not need to be inserted or swiped.

Ah, yes, the little spy that follows you around the London Underground system. Of course, banking is different to the Oyster system; whereas you should be able to travel anonymously and Oyster creates an accessible record of your journeys, we tend to want to keep records of our financial transactions. My worry here is that RFID is relatively simply exploited. I don’t doubt that the banks will assure us in soothing words that this just couldn’t happen to their system, just like it couldn’t happen to Chip ‘n’ PIN. There is no such thing as an entirely secure system and the banks appear to be embracing one of the least secure.

How safe is it? The £10 transaction limit is the first and most obvious safeguard. The second is a limit on the number of consecutive contactless transactions that cardholders can make before having to key in a PIN. The limit will vary between individual banks, but Apacs says that it will be capped at a “handful” of transactions.

Okay, so if a “handful” is five, then that’s fifty quid the hapless client has lost. I don’t know about you, but I don’t consider losing fifty quid trivial.

The company has tested PayPass on key fobs, mobile phones and even wristwatches, which can be tapped or waved in front of a till-point reader in the same way as a card. For the moment, at least in the UK, it will be restricted to debit and credit cards.

Here we go… let’s take something that is really, really insecure and put it in something “cool” like a mobile phone – that will never be nicked, will it? Yes, sticking to credit and debit cards is, perhaps, the sensible thing to do.

Robert Kenly, of Money-supermarket.com, the comparison website, believes that some people will be wary of a payment card that does not require any proof of identity, but that many others will be won over by the convenience.

The convenience may be tempting – indeed, I recall a decade or so ago being interested in the outcomes of the Mondex experiment in Swindon. The proof of identity nonsense is not what worries me, nor am I afraid to embrace technology, far from it. I am concerned about embracing this technology. It seems the banks have swallowed the same propaganda that government swallowed when it decided to put these things into passports, thereby weakening the security of a perfectly secure document.

He says: “There will be a number of checks in place and so long as cardholders remember to report lost cards immediately, they will always have any losses refunded.”

And how much wriggle room will the banks be leaving themselves, I wonder?

For some people it will perhaps seem too risky but, as with anything new, once people have tried it they may find that they actually like it.

I’ll pass on this one, I think. I can still get cash out for small purchases and use my debit card as I do now for some of them. Indeed, I nipped into Boots recently and topped up on anti-histamines for less than a tenner on my current debit card. It is a Chip ‘n’ PIN unfortunately, so not as secure as I’d like, but nothing like as insecure as an RFID chip.

—————————————————————————-

Update: There’s an interesting piece on Spychips about this. The US Senate Banking Committee expresses concern about this technology:

A member of the Senate Banking Committee denounced RFID “no-swipe” credit cards at a press conference Sunday. Senator Charles Schumer (D-NY) said contracts for the cards should have warning boxes disclosing “the known weaknesses of the technology.” He cautioned cardholders about their vulnerability to identity thieves, commenting you “may as well put your credit card information on a big sign on your back.”

“No-swipe” or “contactless” credit cards contain RFID microchips that communicate account information silently and invisibly by radio waves. These microchips have earned the nickname “spychips” because the information they contain can be read without an individual’s knowledge or consent.

Well, quite. Now take a look at the date on that press release: December last year.

3 Comments

  1. Your bit here about RFID is invaluable. Must admit I was worried when you wrote “sounds great” but knowing you, the scorpion’s tail followed and it was a good sting.

    Since the surprising post by Gavin Ayling on the RIP Act which is quite frankly amazing in its “unknownedness” in the larger sphere, you’ve been the main source on these things.

    Unfortunately, I’m having a little trouble with the arithmetic sum in your verification but I’ll knit the brows and give it a go.

  2. Actually, the convenience would be right up my street. I rarely have much cash on me, so a card for small amounts does sound like a great idea. I had hoped the Mondex experiment would have paid off. That relied on being loaded with cash, so no access to the bank account; it was the equivalent of an electronic wallet, so rather more secure than the new plans.

    The other thought that goes through my mind is that retailers are loath to accept cards for small purchases because the charges wipe out their profit.
