Monday, 9 August 2010

CBA PayPass - my email to the bank

Dear {redacted},


In response to your email, you are correct that I am not happy with the response provided as it did not in any way address any of the concerns I raised on the phone with you and your colleague.

I'll state again, this time in writing, what the concerns are.

I am concerned about PayPass from a personal safety perspective. I'm concerned that you as a bank have created a personal security issue for me that I cannot remove or reduce. You did this without my permission and you provide no way for me as a consumer to opt-out, decrease my exposure or remove any such concerns.

You have advised me that PayPass allows for individual transactions of up to $100 per transaction. In addition you advised me, there is no limit on the number of transactions allowed. This means that in effect I am carrying in my wallet the total credit limit of my card in cash. This means that anyone observing that I have a PayPass card has the ability to gain access to those funds without my authorisation or participation.

The unlimited access to funds that the PayPass system represents provides ample incentive for the criminal element to become interested.

My concern is not the funds which you keep telling me are protected; my concern is my personal safety if force was used to obtain my card without my permission. If I need to spell it out, a thief could sit in a coffee shop and observe that I have a PayPass card. They can follow me out the door and take my wallet from me and have unlimited access to my funds. Common sense continues to prevent me from carrying large amounts of cash and I'm not prepared to start now.

In addition, the access need not even be forceful or physical as outlined above. Since PayPass uses RFID technology, access could be achieved using wireless access and a few dollars of equipment. 30 minutes on the Internet gave me several research papers and suggestions on how this might be achieved, and examples were available showing access to such cards. I have found several scenarios which allow unfettered access to my card. With no limits on the card, there is ample incentive to develop solutions to circumvent any security measures. Just because Mastercard says that it cannot be hacked doesn't make it so.

I've been in the IT industry for too long to believe that security through obscurity is sufficient and I expect better from my bank.

In addition to the above, I also asked you what the impact would be of disabling the RFID chip in my card by inserting my card into a microwave or using a power drill on it.

I look forward to your response.

Kind regards,
Onno Benschop
