Thursday 14 October 2010

PayPass - what's the problem?

The system is encrypted, the bank says it cannot be hacked and my funds are protected against unauthorised use if I abide by their terms and conditions.

So what's the big deal, why not chill out and deal with it - or even change banking institution?

First of all, this idea is broken. It's broken on more levels than I can count. I've only been highlighting some of the issues.

Here are some scenarios to consider:

Scenario 1:
What if someone hits me over the back of the head to get my card because it's as good as cash? Does the bank protect against that?

Suggestions have been made that thieves aren't interested in $100. My experience of theft - as in being a victim of theft - tells me that any amount of free cash is desirable.


Scenario 2:
What if someone manages to make a clone of my card? The bank can claim that any purchase made with that cloned card is in fact my card, and thus I'm liable for a purchase made on that cloned card - I have no recourse because according to the bank, I made the purchase with my card. Since I still have my card, I cannot claim it was stolen.

The bank claims that cloning isn't possible, but I've been in the IT industry too long to rely on such an assumption. There is a good financial incentive to clone a card. Since this system uses RFID, a wireless technology, people can access my card just by being in range with a strong enough antenna.

This means that my card can be cloned without my knowledge or participation.


Scenario 3:
If this technology takes off, then the number of transactions on a credit card statement will increase significantly. Typically this means that fewer people are likely to sit down and check every single transaction on their statement, making it easier for fraudulent transactions to slip through.


Scenario 4:
To deal with the increased volume of transactions, the bank could create "smarter" software to detect fraudulent transactions.

This means that you might have other side-effect issues, like getting on a plane in the morning and trying to pay for a taxi at your destination in a different country.

The bank might decide that you have never been to Nepal and that this transaction is fraudulent. With real-time banking making inroads, this makes it likely that the transaction will be caught in real time, making it impossible for you to pay for your completely valid taxi ride from the airport to base camp.
