Contactless bank cards
igb at batten.eu.org
Wed Nov 17 08:54:08 GMT 2010
> Oh, well in small retailers my observation, and also as I understand
> it, reality, is that the merchant terminal is usually not connected to
> the till and you can put any number of transactions through without
> the till knowing anything about it.
But the purported fraud runs round in circles. We start off with, so far as I can say, an attack where the active party rings up a transaction to credit card but takes cash from the customer. They pocket the cash and then balance the books by making a fraudulent charge on someone's contactless card. I, and others, think this won't work for more than a few hours because the till will be short of cash. That the credit card terminal isn't linked to the till, as is indeed the case in small shops, makes the fraud harder, not easier: someone would have to ring credit transactions to balance the cash being stolen and, rather than being able to do so by hitting one button on the till, they'd have to use the unlinked machine. Keying the transaction. Without being spotted.
Moreover, the whole point about contactless cards is that they are faster. I've used Suica (== Oyster) in Tokyo to pay for food and drink: every shop that does small transactions and is close to a station (i.e., every shop) has them linked to their tills. If they weren't linked to the till, so you have to trigger a separate transaction by keying the details into a separate machine, the advantage of contactless evaporates. If someone's going to have to key details, then slotting the card into the machine is the least of anyone's problems. So I suspect that contactless cards will only operate in thin transaction machines (those hooked to a till, with no means to initiate a transaction other than from the till) rather than as standalone devices.