Contactless bank cards

[Roland Perry]

In article <4CE24388.9060803 at callnetuk.com>, Peter Mitchell 
<otcbn at callnetuk.com> writes

>>Any attack which relies on a
>> corrupt merchant actually processing the transactions leaves that
>> point of connection, so unless the skimmers content themselves with a
>> handful of transactions (which, at £10 each, seems a rather small
>> crime)
>
>Not to my son, who is paid minimum wage.

It's small to the criminal, not the victim. (I assume you don't mean 
that your son would be happy to defraud people £10 at a time!)

>> And as the fraud requires
>> the active connivance of the merchant, it's going to be hard for them
>> to get out of criminal liability.
>
>It needn't be the actual merchant doing it. It could be a dishonest 
>till operator.

It's not clear to me how a merchant or till operator can "execute an 
unauthorised transaction". Won't the terminal simply refuse to process, 
if it's one of those random transactions where the punter needs a PIN?

And I'm unsure whether it's technically possible to "skim" a paywave 
card and use that information to create a clone that can be used to buy 
things.

>You pocket cash out of the till, and make up the shortfall with phoney 
>card transactions. All the merchant knows is that he has sold 1000 
>doughnuts today and taken a total of £3,500 in cash and bank debits; he 
>can't check how each doughnut was paid for.

His EPOS system should tell him that.

>>> In fact, thinking about it, I predict the next step: banks will
>>> soon stop listing card transactions under £10 in value on the bank
>>> statement. Rather like phone companies don't itemise cheap calls.
>>  Phone companies do itemise cheap calls.
>
>Mine (BT) doesn't list calls under 40p.

Maybe you need a different sort of bill - my BT bill starts at 0p (for 
some geographic calls) then 12p (for some short 0845 calls <ouch>) and 
so on, upwards.
-- 
Roland Perry