Contactless bank cards

Peter Mitchell otcbn at
Tue Nov 16 10:28:02 GMT 2010

David Walters wrote on 16-11-10 09:08:
> On Tue, Nov 16, 2010 at 8:40 AM, Peter Mitchell <otcbn at> wrote:
>>> And as the fraud requires
>>> the active connivance of the merchant, it's going to be hard for them
>>> to get out of criminal liability.
>> It needn't be the actual merchant doing it. It could be a dishonest till
>> operator. You pocket cash out of the till, and make up the shortfall with
>> phoney card transactions. All the merchant knows is that he has sold 1000
>> doughnuts today and taken a total of £3,500 in cash and bank debits; he
>> can't check how each doughnut was paid for.
> Many years ago I had a Saturday job in a fairly old-fashioned pet shop
> (lots of loose pet food sold by the lb in paper bags) and even then
> the boss knew how much cash he had taken and how much had been on
> credit cards. 

You've missed the point. Of course he knew that, but it doesn't help him spot that something is wrong. 

I will try to explain the fraud again, which is (or used to be) common in retailing.

Suppose you, as pet shop assistant, on one particular day sell £200 worth of rabbit food, of which £150 was paid for in cash and £50 by card. In your pocket you have some stolen debit cards along with their PINs. So you steal £50 cash from the till and make the total takings back up to £200 by putting through £50 worth of debit card transactions. You are £50 richer, the card owners are collectively £50 poorer. The shop owner never knows; his EPOS only shows him that he has received a total of £200 in various forms. If he does a stock check he will find that £200 worth of rabbit food has disappeared from his shelves, just as it should have done.

The same fraud can be done even more easily with contactless cards where the PIN is not needed. It can't be detected by an EPOS unless every item is barcoded and scanned as it is sold, which in many retail outlets does not and cannot happen. Even if it does, the shop assistant can sometimes work round it.

> Although he didn't know how many bags of rabbit food he
> had sold.
>>> They don't necessarily
>>> itemise free/bundled calls, although most will on request.
>> Doing it only on request [on bank statements] is probably enough for many
>> such frauds to succeed for a long time, since most people won't request it.
> I don't think any of the card companies are doing that though? I still
> get fully itemised statements.

No. I was speculating on what they may choose to do in future.

Pete Mitchell
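
An added example, not part of the original post: the £200 day described above, with constructed figures, showing that a totals-only check balances while a check against per-sale tender records exposes both the cash shortfall and the card transactions with no sale behind them. It assumes the till records each sale together with the tender actually offered; all names and amounts are constructed.

```python
from collections import Counter

# Constructed sample data, amounts in pence, following the £200 pet-shop day.
# Each sale as rung up at the till, with the tender the customer offered.
SALES = [
    {"id": 1, "amount": 6000, "tender": "cash"},
    {"id": 2, "amount": 5000, "tender": "cash"},
    {"id": 3, "amount": 4000, "tender": "cash"},
    {"id": 4, "amount": 3000, "tender": "card"},
    {"id": 5, "amount": 2000, "tender": "card"},
]
# What is physically present at close of day.
CASH_COUNTED = 10000                      # £150 taken in cash, £50 removed
CARD_SETTLED = [3000, 2000, 2500, 2500]   # last two have no sale behind them


def totals_reconcile(sales, cash_counted, card_settled):
    """Totals-only view: do takings in all forms equal the goods sold?"""
    return sum(s["amount"] for s in sales) == cash_counted + sum(card_settled)


def per_sale_reconcile(sales, cash_counted, card_settled):
    """Per-sale view: compare each tender with what the recorded sales imply."""
    expected_cash = sum(s["amount"] for s in sales if s["tender"] == "cash")
    expected_cards = Counter(s["amount"] for s in sales if s["tender"] == "card")
    # Card terminal transactions left over once every card sale is matched.
    unmatched = Counter(card_settled) - expected_cards
    return {
        "cash_shortfall": expected_cash - cash_counted,
        "unmatched_card_txns": sorted(unmatched.elements()),
    }


if __name__ == "__main__":
    print("totals balance:", totals_reconcile(SALES, CASH_COUNTED, CARD_SETTLED))
    print("per-sale check:", per_sale_reconcile(SALES, CASH_COUNTED, CARD_SETTLED))
```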
