Contactless bank cards
Peter Mitchell
otcbn at callnetuk.com
Tue Nov 16 10:28:56 GMT 2010
Roland Perry wrote on 16-11-10 09:28:
> In article <4CE24388.9060803 at callnetuk.com>, Peter Mitchell
> <otcbn at callnetuk.com> writes
>
>>> Any attack which relies on a
>>> corrupt merchant actually processing the transactions leaves that
>>> point of connection, so unless the skimmers content themselves with a
>>> handful of transactions (which, at £10 each, seems a rather small
>>> crime)
>>
>> Not to my son, who is paid minimum wage.
>
> It's small to the criminal, not the victim.
If the criminal is a shop assistant on minimum wage, then five fake transactions a day can double his income.
>>> And as the fraud requires
>>> the active connivance of the merchant, it's going to be hard for them
>>> to get out of criminal liability.
>>
>> It needn't be the actual merchant doing it. It could be a dishonest
>> till operator.
>
> It's not clear to me how a merchant or till operator can "execute an
> unauthorised transaction". Won't the terminal simply refuse to process,
> if it's one of those random transactions where the punter needs a PIN?
Yes, but only in that special case. All other transactions will go through automatically.
If the terminal refuses to process it without a PIN, the shop assistant simply cancels the transaction. No-one ever knows. I suppose the system could be set up to ring alarm bells whenever this happens, but will it be?
> And I'm unsure whether it's technically possible to "skim" a paywave
> card and use that information to create a clone that can be used to buy
> things.
I wasn't thinking of skimming and cloning but of remotely reading genuine cards in people's pockets or handbags.
>> You pocket cash out of the till, and make up the shortfall with phoney
>> card transactions. All the merchant knows is that he has sold 1000
>> doughnuts today and taken a total of £3,500 in cash and bank debits;
>> he can't check how each doughnut was paid for.
>
> His EPOS system should tell him that.
How?
>>>> In fact, thinking about it, I predict the next step: banks will
>>>> soon stop listing card transactions under £10 in value on the bank
>>>> statement. Rather like phone companies don't itemise cheap calls.
>>> Phone companies do itemise cheap calls.
>>
>> Mine (BT) doesn't list calls under 40p.
>
> Maybe you need a different sort of bill
It doesn't matter what I personally need - I was simply pointing out that Ian's statement was incorrect.
--
Pete Mitchell
More information about the ukcrypto mailing list