Contactless bank cards

Peter Tomlinson pwt at
Mon Nov 15 18:38:54 GMT 2010

David Walters wrote:
> On Mon, Nov 15, 2010 at 5:06 PM, Marcus Williamson
> <marcus at> wrote:
>> On Mon, 15 Nov 2010 16:35:02 +0000, you wrote:
>>> The banks aren't going to give up on this. Barclays has just sent one to my son, after he lost his old, contactful one. He didn't ask for a contactless one, naturally.
>> What's the technology behind it? A type of RFID?
> Yes.
>> If so, what's to stop someone
>> reading the card without your son knowing and/or making small transactions without
>> his knowledge?
> Not much although the risk is partly mitigated by requiring a PIN
> every few transactions and capping individual transactions at £15. I
> assume stolen or cloned credit cards are mostly used to withdraw cash
> or buy high value items that can be sold on which in theory you can't
> do with the data from the contactless bit.
These dual interface bank cards use a single microprocessor chip, 
similar to the chips used in contact-only bank cards, but enhanced by 
having both contact and contactless interface. The contactless interface 
complies with ISO/IEC 14443, which is the same RF standard used by 
Oyster and by the UK national spec bus concessionary travel cards - but 
importantly the bank cards use a secure microprocessor, and most of the 
bus passes use the Mifare Classic memory chips (but newly issued bus 
passes and Oyster cards use the next generation Mifare DESFire).

Can you carry out bank card contactless transactions by stealth, without 
the card holder knowing and without having an EMV terminal? I don't know 
- but certainly you can power up the card and talk to it. Time for the 
Cambridge crew to join this thread...


More information about the ukcrypto mailing list