Contactless bank cards
Peter Tomlinson
pwt at iosis.co.uk
Mon Nov 15 18:38:54 GMT 2010
David Walters wrote:
> On Mon, Nov 15, 2010 at 5:06 PM, Marcus Williamson
> <marcus at connectotel.com> wrote:
>
>> On Mon, 15 Nov 2010 16:35:02 +0000, you wrote:
>>
>>> The banks aren't going to give up on this. Barclays has just sent one to my son, after he lost his old, contactful one. He didn't ask for a contactless one, naturally.
>>>
>> What's the technology behind it? A type of RFID?
>>
>
> Yes.
>
>> If so, what's to stop someone
>> reading the card without your son knowing and/or making small transactions without
>> his knowledge?
>>
> Not much although the risk is partly mitigated by requiring a PIN
> every few transactions and capping individual transactions at £15. I
> assume stolen or cloned credit cards are mostly used to withdraw cash
> or buy high value items that can be sold on which in theory you can't
> do with the data from the contactless bit.
These dual interface bank cards use a single microprocessor chip,
similar to the chips used in contact-only bank cards, but enhanced by
having both contact and contactless interface. The contactless interface
complies with ISO/IEC 14443, which is the same RF standard used by
Oyster and by the UK national spec bus concessionary travel cards - but
importantly the bank cards use a secure microprocessor, and most of the
bus passes use the Mifare Classic memory chips (but newly issued bus
passes and Oyster cards use the next generation Mifare DESFire).
Can you carry out bank card contactless transactions by stealth, without
the card holder knowing and without having an EMV terminal? I don't know
- but certainly you can power up the card and talk to it. Time for the
Cambridge crew to join this thread...
Peter
More information about the ukcrypto
mailing list