Contactless bank cards
fjmd1a at gmail.com
Tue Nov 16 10:37:26 GMT 2010
On 16 November 2010 10:28, Peter Mitchell <otcbn at callnetuk.com> wrote:
> Suppose you, as pet shop assistant, on one particular day sell £200 worth of
> rabbit food, of which £150 was paid for in cash and £50 by card. In your
> pocket you have some stolen debit cards along with their PINs. So you steal
> £50 cash from the till and make the total takings back up to £200 by putting
> through £50 worth of debit card transactions. You are £50 richer, the card
> owners are collectively £50 poorer. The shop owner never knows, his EPOS
> only shows him that he has received a total of £200 in various forms. If he
> does a stock check he will find that £200 worth of rabbit food has
> disappeared from his shelves, just as it should have done.
I (as a lawyer) have been involved in cases of "double keying" where
the assistant makes unauthorised cashback payments which they pocket -
the customer being poorer and the retailer being unaware unless and
until customers complain (after the fact it can be difficult to trace
the assistant(s) involved).
> The same fraud can be done even more easily with contactless cards where the
> PIN is not needed. It can't be detected by an EPOS unless every item is
> barcoded and scanned as it is sold, which in many retail outlets does not
> and cannot happen. Even if it does the shop assistant can sometimes work
> round it.
Actually my first worry on seeing these things advertised was
something entirely legal. Along the lines of an unobtrusive sign
saying "entrance fee £5" or something like that. Auto charge people as
they walk in (does contactless have that range? Or will it?) and then
have plausible deniability for a criminal charge. Obviously some
customers will complain and have a reasonable argument for restitution
of the sum taken, but who cares.
More complex and similar scams involving relatively obscure surcharges
and so on can also be carried out.