Royal Dutch Shell Group .com Rotating Header Image

The Guardian: Your Oyster is their world

You can pay for small items such as a coffee or a paper with a new ‘contactless’ card. Just wave it in front of a card reader and you’re done. But, the signal it sends is an invitation to hi-tech pickpockets

Saturday November 17 2007
 
Contactless cards have been heralded as the next big thing in retail and banking

Banks are rushing to roll out so-called “contactless” credit and debit cards which allow people to pay for low-value items such as their morning coffee or copy of the Guardian by simply waving their plastic over a reader at the till.

In London, you can even get a “three-in-one” card that combines a credit card, Oyster card and cashless payment facility.

But fears have been expressed that this new breed of plastic could put holders at risk of a hi-tech form of contactless pickpocketing.

The Halifax this week started to send out the first of its “Visa payWave” cards to thousands of customers across London ahead of a planned UK roll-out next year. They allow holders to make small purchases without keying in a pin number or using cash, by employing similar technology to the Oyster card that millions of London bus and tube travellers use daily.

But in Paris, just two-and-a-quarter hours away by the new fast Eurostar, delegates at Cartes 2007, the world’s biggest trade fair for the plastic card industry, were told that contactless cards could prove an easy target for criminals. You could be using your new card to buy a newspaper, blissfully unaware that its details are being captured, so you can be ripped off. Even worse, you could simply be in the street or queuing up for a coffee and have the card in your bag or pocket – it can still be read by a crook armed with a card reader.

Those attending Cartes 2007 heard of a world where criminals are already planning how to compromise the cards. The result is the same as if they put their hands into the pockets of those carrying them – and the thieves won’t even have to risk physical contact or being caught by CCTV.

Contactless cards are flagged as the next big thing in retail and in banking. They eliminate handling cash – with their risks of shopworker dishonesty – and do away with the need for pin numbers, thereby speeding up queues and making life easier for consumers.

Barclaycard has already brought out its OnePulse which combines a contactless card, usable at some London branches of eateries including Yo! Sushi and Coffee Republic, with an Oyster card and a credit card.

“The spread of contactless technology is undoubtedly a consumer benefit. It’s an ultra-fast, face-to-face payment solution,” says Georges Liberman, who works for Paris-based card technology manufacturer Xiring. “Everyone concerned wants this to spread successfully. But both promoters and users must be aware of weaknesses which can be exploited by criminals.”

Mr Liberman says the beauty of contactless cards is that not only do you not need a signature or pin, you don’t need to insert the card in a slot. “It just has to be held close to the contactless reader. This has an aerial which can pick up card details within a set range because the card emits signals,” he explains.

Machines offered by legitimate card reader makers are limited to a 10cm range – around four inches. “A criminal would have to get very close to you to pick up signals at this range, but it is possible. However, getting signals at a greater range is easy as all you have to do is to increase the radio frequency power of the reader,” he says.

Experiments by scientists at Royal Dutch Shell of Canada (similar technology is used in oil industry applications) found that powerful readers could detect a card at 65cms – more than two feet – while some cards designed with a 2cm read radius could be read from 15cm away. Someone in a busy shopping area armed with a 65cm-range reader hidden in a bag could capture details of thousands of cards an hour – especially on a busy Saturday.

In the US, where a less advanced technology is used, some card holders are now so worried by this that they keep cards in special metal holders. Cards in Europe, technically known as “RFID-enabled,” are always “on”.

Banks stress that even if the cards are read, it is only the contactless payment details that can be captured – information on the built-in credit or debit card cannot be swiped in this way. “There is a £10 limit on contactless card use,” says banking payments body Apacs. “And the technology requires that either by time period, amount of times used, or value of items purchased, holders have to re-enter their pin to verify transactions.” At Halifax, for instance, holders have to re-enter a pin after every £50 spent.

Mr Liberman concedes card data alone is of no help to criminals. “They need a dishonest retailer to process the payments. If credit cards are any guide, the internet will soon be full of sites telling people how to set up as a ‘retailer’ with Visa or Mastercard. You don’t need a shop or any other premises,” he says.

There is a second potential weakness of contactless technology, involving crooked shopkeepers. When customers use the cards, they should see the amount they will be debited on a screen. But dodgy shopkeepers could have under-the-counter machines which read the card details (via a link to the counter-top terminal) and then send the bank a different amount.

A dishonest retailer could add a small amount to all transactions – perhaps just 10p or 20p – adding up to a regular extra income.

Barclaycard and Halifax will send out usage details on monthly statements. But who will remember if they spent £2.50 or £2.70 at a sandwich bar four weeks ago – or bother to complain?

Apacs accepts these risks exist. But it believes fraudsters will not be bothered with collecting lots of small sums when they could garner more from other scams. Halifax says all banks will honour money-back guarantees if cards are compromised by fraudsters.

Xiring’s solution is a plastic cardholder which it hopes to sell for under £10, if it can’t find sponsors or advertisers to subsidise the cost.

“This will prevent skimming by the most powerful illegal card readers and it will show the real amount spent, so defeating dishonest retailers,” Mr Liberman says.

http://www.guardian.co.uk/money/2007/nov/17/moneysupplement.consumeraffairs

This website and sisters royaldutchshellplc.com, shellnazihistory.com, royaldutchshell.website, johndonovan.website, and shellnews.net, are owned by John Donovan. There is also a Wikipedia segment.

Comments are closed.