Monday, May 20, 2013

"Swipeless" credit cards getting charged even if you don't "swipe" them

"Swipeless" credit cards use a technology called Near Field Communication (NFC): a short-range radio link, a close cousin of the RFID tags in passports and shipping labels rather than WiFi.  Just hold your card near the reader and the charge gets made.  "Near the reader" is supposed to mean "within a couple of inches".  Note that the card itself has no button, switch or PIN step: the reader's field powers it, and whenever the card is in that field it answers.

Well, it looks like the working range can be longer than advertised, at least at some tills:
High-street socks'n'frocks chain Marks and Spencer is accused of quietly taking money from shoppers' contactless bank cards at the tills.

The accusations come from Radio 4's Money Box listeners, who called in to report that M&S had billed cards in purses and handbags over the air, unbeknownst to customers who had intended to pay for stuff another way.

It seems the money was unexpectedly taken from bank cards that can do pay-by-wave with compatible tills using Near Field Communications (NFC). One simply has to wave the card near the machine - within a few centimetres - for the transaction to take place over the air by radio wave.

But customers complained this was happening over a much greater distance with the tills that M&S recently installed in its UK stores.
Marks & Spencer, to their credit, have not just reimbursed customers who complained but have actively dug through their database to identify double charges that hadn't been reported, and reimbursed those too.  So well done, M&S.
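The kind of search M&S would have had to run is worth sketching, because it is the same detection problem any retailer with contactless tills faces.  The example below is added here and is not M&S's code or data; the till log, the till names and the card tokens are constructed for illustration, and the 120-second matching window is an assumption.  It flags a contactless charge that sits next to another payment at the same till, for the same amount, made with a different card or with cash, which is exactly the pattern a card-in-the-handbag read produces.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    till: str
    ts: datetime
    amount: Decimal
    tender: str      # "contactless", "chip_and_pin" or "cash"
    card_ref: str    # masked card token; empty string for cash


# Constructed sample till log for illustration only; not real M&S data.
SAMPLE_LOG = [
    # Shopper pays 14.50 by chip-and-PIN on card B, but card A in the handbag
    # was charged contactlessly 38 seconds earlier at the same till.
    Txn("T001", "till-07", datetime(2013, 5, 10, 12, 0, 3), Decimal("14.50"), "contactless", "card-A"),
    Txn("T002", "till-07", datetime(2013, 5, 10, 12, 0, 41), Decimal("14.50"), "chip_and_pin", "card-B"),
    # Shopper pays 6.20 in cash; card C in a purse was charged over the air.
    Txn("T003", "till-07", datetime(2013, 5, 10, 12, 5, 10), Decimal("6.20"), "cash", ""),
    Txn("T004", "till-07", datetime(2013, 5, 10, 12, 5, 12), Decimal("6.20"), "contactless", "card-C"),
    # Two unrelated shoppers buying the same item nine minutes apart: not a match.
    Txn("T005", "till-03", datetime(2013, 5, 10, 12, 10, 0), Decimal("3.99"), "contactless", "card-D"),
    Txn("T006", "till-03", datetime(2013, 5, 10, 12, 19, 0), Decimal("3.99"), "cash", ""),
    # An ordinary, intended contactless payment with nothing else nearby.
    Txn("T007", "till-03", datetime(2013, 5, 10, 12, 30, 0), Decimal("22.00"), "contactless", "card-E"),
]


def find_double_charges(log, window=timedelta(seconds=120)):
    """Pair each contactless charge with another transaction at the same till,
    for the same amount, within `window`, paid with a different card or cash.
    Each transaction is used in at most one pair.  Returns a list of
    (contactless_txn, intended_txn) tuples, earliest first."""
    by_till = {}
    for t in sorted(log, key=lambda t: t.ts):
        by_till.setdefault(t.till, []).append(t)

    matches = []
    for txns in by_till.values():
        claimed = set()
        for c in txns:
            if c.tender != "contactless" or c.txn_id in claimed:
                continue
            for o in txns:
                if o.txn_id == c.txn_id or o.txn_id in claimed:
                    continue
                if o.card_ref and o.card_ref == c.card_ref:
                    continue  # same card twice is a duplicate, not a bag read
                if o.amount != c.amount or abs(o.ts - c.ts) > window:
                    continue
                matches.append((c, o))
                claimed.update((c.txn_id, o.txn_id))
                break
    return sorted(matches, key=lambda pair: pair[0].ts)


def refunds_owed(matches):
    """Total to refund per contactless card token, from the matched pairs."""
    owed = {}
    for c, _ in matches:
        owed[c.card_ref] = owed.get(c.card_ref, Decimal("0")) + c.amount
    return owed


if __name__ == "__main__":
    pairs = find_double_charges(SAMPLE_LOG)
    for c, o in pairs:
        print(f"{c.txn_id} ({c.card_ref}, {c.amount}) looks like a bag read next to {o.txn_id} ({o.tender})")
    print("refunds owed:", refunds_owed(pairs))
```

On the sample log this pairs T001 with T002 and T004 with T003, and leaves T005/T006 alone because nine minutes is outside the window.  Real till data would also want a check that the contactless card was not the one presented for the intended payment (two taps of one card is a duplicate, a different bug), and a window tuned to how long a customer actually stands at the till.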

But this whole situation gives me the willies.  Click through for the rest of El Reg's article, which is important stuff if you have one of these Satan's Spawn.

4 comments:

Rev. Paul said...

RFID wallets. That's all I'm saying.

B said...

This could easily be fixed. Simple engineering. A single membrane key to enable the NFC circuitry. If you aren't pressing the key, then nothing happens.

Easy Peasy. And simple and cheap.

Rick C said...

I have an NFC-capable phone, a recent-model Galaxy S. Right there in the top-level settings is an on/off switch for NFC, and it defaults to Off. Wanna make sure[1] this can't happen? Leave it disabled unless you want to use it, just like with Bluetooth.

[1] barring some kind of hacking, although that would probably require managing to stealthily root the phone.

Jake (formerly Riposte3) said...

Like Rick, I have an NFC-capable phone (Galaxy Nexus). I actually do use the NFC with Google Wallet to make payments, but I've also taken some basic precautions:

1) The NFC is only active when the screen is on and unlocked (this is built in).

2) I have a pattern lock set on the phone (which you should do anyway).

3) Google Wallet requires a PIN to access the account.

4) The check card linked to my Google account has Visa's "fraud detection". This has saved me from fraudulent charges once before, and from an erroneous charge another time.

5) The checking account linked to that card is my "exposed" account. Even if everything above fails, my bill money is separate and secure, and I have enough emergency money set aside that I can get by until my bank can make things right.

I consider this to be more secure than an actual credit card. Even if someone physically has my phone, they have to get through two separate passcodes before they can steal my money, and they have to do that before I can get to a computer and nuke it remotely. OTOH, if someone has my credit card, they have my money.

But I would never, ever have an "always on" NFC card like that (or would have a shielded wallet if I didn't have any choice), and what happened in this story is almost exactly why.