Contactless bank cards

Peter Mitchell otcbn at
Tue Nov 16 08:40:40 GMT 2010

Ian Batten wrote on 16-11-10 07:31:
>> The cardholder is unlikely to notice the rogue transaction on his
>> bank statement; it is linked to a retail outlet he really has
>> visited, so if he does notice it he probably reckons he really did
>> do it and has since forgotten it. Especially since there will soon
>> be hundreds of such transactions on his statement every month.
> I'm not sure any of that's entirely right.  Firstly, as I think Ross
> pointed out, the step change in the arms race with fraudsters was
> when they realised that by not putting the card through their own
> machine, rather just taking the details, they removed the point of
> correlation between multiple victims.   Any attack which relies on a
> corrupt merchant actually processing the transactions leaves that
> point of connection, so unless the skimmers content themselves with a
> handful of transactions (which, at £10 each, seems a rather small
> crime)

Not to my son, who is paid minimum wage. 

And the skimmers can milk the golden goose by concentrating on easy targets who will never notice the fraud: drunks, students, doddery old ladies who didn't even know their card was contactless. My son didn't notice it was contactless until I pointed it out.

> it will only take two or three people to notice out of
> hundreds for the merchant to be caught.  

For the reasons I stated above I do not believe that many customers will ever notice a rogue transaction a month after the event. And if someone does, how will he prove that he didn't authorise it? The banks, as we know, will deny that there is any possibility that the card is insecure, and will probably accuse the cardholder of fraud if he disagrees. 

Anyway, I don't think it is a good answer to say that the fraud will eventually be detected. By the time it has been detected, thousands of people will have been defrauded. The only customers who get their money back will be the ones who actually noticed phoney transactions; the vast majority will never know.

> And as the fraud requires
> the active connivance of the merchant, it's going to be hard for them
> to get out of criminal liability.

It needn't be the actual merchant doing it. It could be a dishonest till operator. You pocket cash out of the till, and make up the shortfall with phoney card transactions. All the merchant knows is that he has sold 1000 doughnuts today and taken a total of £3,500 in cash and bank debits; he can't check how each doughnut was paid for. 

>> In fact, thinking about it, I predict the next step: banks will
>> soon stop listing card transactions under £10 in value on the bank
>> statement. Rather like phone companies don't itemise cheap calls.
> Phone companies do itemise cheap calls.   

Mine (BT) doesn't list calls under 40p.

> They don't necessarily
> itemise free/bundled calls, although most will on request.

Doing it only on request [on bank statements] is probably enough for many such frauds to succeed for a long time, since most people won't request it. 

Pete Mitchell 
