Contactless bank cards

Peter Mitchell otcbn at callnetuk.com
Tue Nov 16 10:28:56 GMT 2010 

Roland Perry wrote  on 16-11-10 09:28:
> In article <4CE24388.9060803 at callnetuk.com>, Peter Mitchell 
> <otcbn at callnetuk.com> writes
> 
>>> Any attack which relies on a
>>> corrupt merchant actually processing the transactions leaves that
>>> point of connection, so unless the skimmers content themselves with a
>>> handful of transactions (which, at £10 each, seems a rather small
>>> crime)
>>
>> Not to my son, who is paid minimum wage.
> 
> It's small to the criminal, not the victim. 

If the criminal is a shop assistant on minimum wage, then five fake transactions a day can double his income.

>>> And as the fraud requires
>>> the active connivance of the merchant, it's going to be hard for them
>>> to get out of criminal liability.
>>
>> It needn't be the actual merchant doing it. It could be a dishonest 
>> till operator.
> 
> It's not clear to me how a merchant or till operator can "execute an 
> unauthorised transaction". Won't the terminal simply refuse to process, 
> if it's one of those random transactions where the punter needs a PIN?

Yes, but only in that special case. All other transactions will go through automatically. 

If the terminal refuses to process it without a PIN, the shop assistant simply cancels the transaction. No-one ever knows. I suppose the system could be set up to ring alarm bells whenever this happens, but will it be? 


> And I'm unsure whether it's technically possible to "skim" a paywave 
> card and use that information to create a clone that can be used to buy 
> things.

I wasn't thinking of skimming and cloning but of remotely reading genuinecards in people's pockets or handbags. 

>> You pocket cash out of the till, and make up the shortfall with phoney 
>> card transactions. All the merchant knows is that he has sold 1000 
>> doughnuts today and taken a total of £3,500 in cash and bank debits; 
>> he can't check how each doughnut was paid for.
> 
> His EPOS system should tell him that.

How? 


>>>> In fact, thinking about it, I predict the next step: banks will
>>>> soon stop listing card transactions under £10 in value on the bank
>>>> statement. Rather like phone companies don't itemise cheap calls.
>>>  Phone companies do itemise cheap calls.
>>
>> Mine (BT) doesn't list calls under 40p.
> 
> Maybe you need a different sort of bill 

It doesn't matter what I personally need - I was simply pointing out that Ian's statement was incorrect. 

-- 
Pete Mitchell

More information about the ukcrypto mailing list