The system is encrypted, the bank says it cannot be hacked, and my funds are protected against unauthorised use if I abide by their terms and conditions.
So what's the big deal, why not chill out and deal with it - or even change banking institution?
First of all, this idea is broken. It's broken on more levels than I can count. I've only been highlighting some of the issues.
Here are some scenarios to consider:
Scenario 1:
What if someone hits me over the back of the head to get my card, because it's as good as cash? Does the bank protect against that?
Suggestions have been made that thieves aren't interested in $100. My experience of theft - as in being a victim of theft - tells me that any amount of free cash is desirable.
Scenario 2:
What if someone manages to make a clone of my card? The bank can claim that any purchase made with that cloned card was in fact made with my card, and thus I'm liable for a purchase made on that cloned card - I have no recourse because according to the bank, I made the purchase with my card. Since I still have my card, I cannot claim it was stolen.
The bank claims that cloning isn't possible, but I've been in the IT industry too long to rely on such an assumption. There is a good financial incentive to clone a card. Since this system uses RFID, a wireless technology, people can access my card just by being in range with a strong enough antenna.
This means that my card can be cloned without my knowledge or participation.
Scenario 3:
If this technology takes off, then the number of transactions on a credit card statement will increase significantly. Typically this means that fewer people are likely to sit down and check every single transaction on their statement, making it easier for fraudulent transactions to slip through.
Scenario 4:
To deal with the increased volume of transactions, the bank could create "smarter" software to detect fraudulent transactions.
This means that you might have other side effect issues like getting on a plane in the morning and trying to pay for a taxi at your destination in a different country.
The bank might decide that you have never been to Nepal and that this transaction is fraudulent. With real-time banking making inroads, this makes it likely that the transaction will be caught in real-time, making it impossible for you to pay for your completely valid taxi-ride from the airport to base-camp.
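Scenarios 3 and 4 above, together with the "$100 per tap, no limit on the number of taps" point made in the earlier posts, can be made concrete. The following is an added example written for this page, not code from the original post, the bank or MasterCard. It runs a constructed stream of tap transactions from a stolen card through a small model of issuer-side checks, then applies a simplified "never seen this country before" fraud rule of the kind Scenario 4 describes. The per-tap limit is the $100 from the post; the rolling 24-hour contactless cap is a hypothetical control that the post says the bank does not offer; the amounts, merchants, dates and the country-novelty rule are constructed assumptions, not the bank's actual fraud logic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# From the post: $100 per contactless transaction, no limit on the number of taps.
# Money is kept in integer cents to avoid floating-point drift.
PER_TAP_LIMIT_CENTS = 100_00


@dataclass(frozen=True)
class Tap:
    when: datetime
    amount_cents: int
    country: str
    merchant: str


def process_taps(taps, available_credit_cents, per_tap_limit=PER_TAP_LIMIT_CENTS,
                 rolling_cap_cents=None, window=timedelta(hours=24)):
    """Issuer-side checks applied tap by tap, in time order.

    rolling_cap_cents is a HYPOTHETICAL cumulative cap on contactless spend per
    rolling window; the post says the bank offers no such limit, so None models
    the situation the post describes. Returns (decisions, approved_total_cents).
    """
    approved = []   # (when, amount) of approved taps, consulted by the rolling cap
    decisions = []
    balance = available_credit_cents
    for t in sorted(taps, key=lambda tap: tap.when):
        if t.amount_cents > per_tap_limit:
            decisions.append((t.merchant, "declined: above per-tap limit, PIN required"))
            continue
        if t.amount_cents > balance:
            decisions.append((t.merchant, "declined: insufficient credit"))
            continue
        if rolling_cap_cents is not None:
            recent = sum(a for w, a in approved if t.when - w < window)
            if recent + t.amount_cents > rolling_cap_cents:
                decisions.append((t.merchant, "declined: contactless rolling cap reached"))
                continue
        approved.append((t.when, t.amount_cents))
        balance -= t.amount_cents
        decisions.append((t.merchant, "approved"))
    return decisions, sum(a for _, a in approved)


def country_novelty_flag(history, tap):
    """Scenario 4 style rule (simplified assumption): flag a tap made in a
    country the card has never been used in. Legitimate travel trips it too."""
    return tap.country not in {h.country for h in history}


def stolen_wallet_stream(start, n_taps=15, amount_cents=99_00):
    """Constructed sample: a thief taps a stolen card every few minutes,
    keeping every tap just under the $100 per-tap limit."""
    return [Tap(start + timedelta(minutes=4 * i), amount_cents, "AU", f"shop-{i}")
            for i in range(n_taps)]


def run_demo():
    start = datetime(2010, 7, 30, 10, 0)
    taps = stolen_wallet_stream(start)
    credit = 1200_00

    # No cumulative cap (the post's situation): the loss is bounded only by the credit limit.
    _, lost_no_cap = process_taps(taps, credit)                      # 118800 cents
    # Hypothetical $300 rolling cap: the loss is bounded however many taps are tried.
    decisions_cap, lost_with_cap = process_taps(taps, credit, rolling_cap_cents=300_00)  # 29700

    # Scenario 4: a month of use only in Australia, then a genuine taxi tap in Nepal.
    history = [Tap(start - timedelta(days=d), 25_00, "AU", "cafe") for d in range(1, 30)]
    nepal_taxi = Tap(start + timedelta(days=2), 30_00, "NP", "airport-taxi")
    home_coffee = Tap(start + timedelta(days=1), 4_50, "AU", "cafe")

    return {
        "lost_no_cap_cents": lost_no_cap,
        "lost_with_cap_cents": lost_with_cap,
        "approved_with_cap": sum(1 for _, d in decisions_cap if d == "approved"),
        "nepal_taxi_flagged": country_novelty_flag(history, nepal_taxi),   # the false positive
        "home_coffee_flagged": country_novelty_flag(history, home_coffee),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With no cumulative cap, twelve $99 taps drain a $1,200 balance before the thirteenth is declined for insufficient credit; with the hypothetical $300 rolling cap only three are approved. The novelty rule flags the Nepal taxi and passes the home-country coffee, which is exactly the trade-off Scenario 4 describes: the rule that catches the stolen-card burst also blocks a valid transaction made the morning after a flight.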
Thursday, 14 October 2010
PayPass - not so new kid on the block
It seems that the Commonwealth Bank has been playing with PayPass since 2006. I don't recall ever seeing any information about it, and only in the last couple of months have I seen TV advertising and seen readers sprouting like mushrooms in my neighbourhood.
There are others who have been raising concerns since 2009. Note that the statement on that page about Mythbusters has been retracted by Adam Savage.
There is also a ZDNet Patch Monday podcast (from 4'56" until 14'33") that discusses PayPass and PayWave (the Visa version of the MasterCard PayPass). They state $35 as the limit, which appears to be incorrect; I've been told $100. The podcast discusses some of my concerns - those to do with authentication and hack-ability. It also raises concerns about customer risk assessment, legal issues related to Card (Not) Present transactions, etc.
The podcast also goes on to discuss issues related to checking your statement, which contactless payments will make harder, since you're unlikely to get a receipt and the number of transactions per statement will increase markedly, making it even harder to spot an unsolicited transaction.
Tuesday, 28 September 2010
CBA PayPas - the second response
Dear Mr Benschop,
I have again referred this matter to our Credit Card Product Team, the response is as follows:
Thank you for outlining your further concerns about the security of contactless payments, such as MasterCard PayPass. PayPass is a feature enjoyed by the majority of our customers due to the payment flexibility and convenience it provides. PayPass has been designed to be as secure as other payment methods, such as magnetic stripe transactions. You will continue to be protected from liability on unauthorised transactions as long as you continue to adhere to the Conditions of Use.
We do not recommend any attempt at manipulation of your card plastic.
Regards
Commonwealth Bank
{redacted}
Customer Experience Consultant
Rapid Resolution Team
CBA Group Customer Relations
Group Sales & Service Support Team
Level 19, 150 George Street
Parramatta NSW 2150
P: 1800 805 605
F: 1800 028 542
Monday, 9 August 2010
CBA PayPas - my email to the bank
Dear {redacted},
{redacted}
In response to your email, you are correct that I am not happy with the response provided as it did not in any way address any of the concerns I raised on the phone with you and your colleague.
I'll state again, this time in writing, what the concerns are.
I am concerned about PayPass from a personal safety perspective. I'm concerned that you as a bank have created a personal security issue for me that I cannot remove or reduce. You did this without my permission and you provide no way for me as a consumer to opt-out, decrease my exposure or remove any such concerns.
You have advised me that PayPass allows for individual transactions of up to $100 per transaction. In addition you advised me, there is no limit on the number of transactions allowed. This means that in effect I am carrying in my wallet the total credit limit of my card in cash. This means that anyone observing that I have a PayPass card has the ability to gain access to those funds without my authorisation or participation.
The unlimited access to funds that the PayPass system represents provides ample incentive for the criminal element to become interested.
My concern is not the funds which you keep telling me are protected; my concern is my personal safety if force was used to obtain my card without my permission. If I need to spell it out, a thief could sit in a coffee shop and observe that I have a PayPass card. They can follow me out the door and take my wallet from me and have unlimited access to my funds. Common sense continues to prevent me from carrying large amounts of cash and I'm not prepared to start now.
In addition, the access need not even be forceful or physical as outlined above. Since PayPass uses RFID technology, access could be achieved using wireless access and a few dollars of equipment. 30 minutes on the Internet gave me several research papers and suggestions on how this might be achieved and examples were available showing access to such cards. I have found several scenarios which allow unfettered access to my card. With no limits on the card, there is ample incentive to develop solutions to circumvent any security measures. Just because Mastercard says that it cannot be hacked, doesn't make it so.
I've been in the IT industry for too long to believe that security through obscurity is sufficient and I expect better from my bank.
In addition to the above, I also asked you what the impact would be of disabling the RFID chip in my card, by inserting my card into a microwave or power drill.
I look forward to your response.
Kind regards,
Onno Benschop
{redacted}
Friday, 6 August 2010
CBA PayPas - the response
Dear Mr Benschop
Thank you for your call, which came to this office on 30 July 2010. In regards to the issues you have raised regarding the PayPass function on your credit card, I have requested review from the product area and they have provided a response as follows:
PayPass functionality is included with all CBA issued MasterCard credit and debit cards, and cannot be turned off. However if a customer would not like to use the technology, they can continue to sign/enter a PIN through the terminal, and can simply avoid tapping against PayPass readers.
PayPass is an extremely secure payment method, and is not more vulnerable to fraud than any other form of payment (such as signing for transactions).
Mr Benschop, I understand that you have already been provided with this response and that you will not be happy with this decision.
If you wish to discuss this matter further please contact me.
Regards
Commonwealth Bank
{redacted}
Customer Experience Consultant
Rapid Resolution Team
CBA Group Customer Relations
Group Sales & Service Support Team
Level 19, 150 George Street
Parramatta NSW 2150
P: 1800 805 605
F: 1800 028 542
Friday, 30 July 2010
CBA PayPas
Today I found out that the Commonwealth Bank has a new "feature" called PayPass or Tap 'n Go. I'd recently seen it advertised on TV and wondered what the implementation was like.
The idea behind this technology is that you can make a transaction without needing to sign or enter your PIN when making a purchase. You just wave your card in front of a reader and the transaction is complete. There is no physical contact between your card and the reader - in fact you don't even need to take your card out of your wallet.
I learnt the following:
- The transaction limit is $100 per transaction.
- There is no limit to the number of transactions.
- You cannot set a limit.
- You cannot opt-out.
I asked the bank why I was unable to limit my exposure to this "feature" since I was concerned about my personal security as well as issues relating to RFID. The bank's response was: "You don't need to take your card with you, you can just leave it at home."
I asked to escalate the call and ended up speaking with a team leader in the Rapid Resolution Team who after some discussion began to understand my concerns and they created a case for me.
I've been promised a response in writing.