Contactless bank cards
igb at batten.eu.org
Tue Nov 16 07:31:36 GMT 2010
> The cardholder is unlikely to notice the rogue transaction on his bank statement; it is linked to a retail outlet he really has visited, so if he does notice it he probably reckons he really did do it and has since forgotten it. Especially since there will soon be hundreds of such transactions on his statement every month.
I'm not sure any of that's entirely right. Firstly, as I think Ross pointed out, the step change in the arms race with fraudsters was when they realised that by not putting the card through their own machine, rather just taking the details, they removed the point of correlation between multiple victims. Any attack which relies on a corrupt merchant actually processing the transactions leaves that point of connection, so unless the skimmers content themselves with a handful of transactions (which, at £10 each, seems a rather small crime) it will only take two or three people to notice out of hundreds for the merchant to be caught. And as the fraud requires the active connivance of the merchant, it's going to be hard for them to get out of criminal liability.
> In fact, thinking about it, I predict the next step: banks will soon stop listing card transactions under £10 in value on the bank statement. Rather like phone companies don't itemise cheap calls.
Phone companies do itemise cheap calls. They don't necessarily itemise free/bundled calls, although most will on request.
More information about the ukcrypto