Monday, 9 August 2010

CBA PayPass - my email to the bank

Dear {redacted},


In response to your email, you are correct that I am not happy with the response provided as it did not in any way address any of the concerns I raised on the phone with you and your colleague.

I'll state again, this time in writing, what the concerns are.

I am concerned about PayPass from a personal safety perspective. I'm concerned that you as a bank have created a personal security issue for me that I cannot remove or reduce. You did this without my permission and you provide no way for me as a consumer to opt-out, decrease my exposure or remove any such concerns.

You have advised me that PayPass allows for individual transactions of up to $100 per transaction. In addition, you advised me there is no limit on the number of transactions allowed. This means that in effect I am carrying in my wallet the total credit limit of my card in cash. This means that anyone observing that I have a PayPass card has the ability to gain access to those funds without my authorisation or participation.

The unlimited access to funds that the PayPass system represents provides ample incentive for the criminal element to become interested.

My concern is not the funds which you keep telling me are protected; my concern is my personal safety if force was used to obtain my card without my permission. If I need to spell it out, a thief could sit in a coffee shop and observe that I have a PayPass card. They can follow me out the door and take my wallet from me and have unlimited access to my funds. Common sense continues to prevent me from carrying large amounts of cash and I'm not prepared to start now.

In addition, the access need not even be forceful or physical as outlined above. Since PayPass uses RFID technology, access could be achieved using wireless access and a few dollars of equipment. 30 minutes on the Internet gave me several research papers and suggestions on how this might be achieved, and examples were available showing access to such cards. I have found several scenarios which allow unfettered access to my card. With no limits on the card, there is ample incentive to develop solutions to circumvent any security measures. Just because Mastercard says that it cannot be hacked doesn't make it so.

I've been in the IT industry for too long to believe that security through obscurity is sufficient and I expect better from my bank.

In addition to the above, I also asked you what the impact would be of disabling the RFID chip in my card by inserting my card into a microwave or using a power drill.

I look forward to your response.

Kind regards,
Onno Benschop

Friday, 6 August 2010

CBA PayPass - the response

Dear Mr Benschop,

Thank you for your call to this office on 30 July 2010. In regards to the issues you have raised regarding the PayPass function on your credit card, I have requested a review from the product area and they have provided a response as follows:

PayPass functionality is included with all CBA-issued MasterCard credit and debit cards, and cannot be turned off. However, if a customer would not like to use the technology, they can continue to sign/enter a PIN through the terminal, and can simply avoid tapping against PayPass readers.

PayPass is an extremely secure payment method, and is not more vulnerable to fraud than any other form of payment (such as signing for transactions).

Mr Benschop, I understand that you have already been provided with this response and that you will not be happy with this decision.

If you wish to discuss this matter further, please contact me.


Commonwealth Bank
Customer Experience Consultant

Rapid Resolution Team

CBA Group Customer Relations
Group Sales & Service Support Team
Level 19, 150 George Street
Parramatta NSW 2150
P: 1800 805 605
F: 1800 028 542