Home
JAQForum Ver 24.01
Log In or Join  
Active Topics
Local Time 01:43 26 Nov 2024 Privacy Policy
Jump to

Notice. New forum software under development. It's going to miss a few functions and look a bit ugly for a while, but I'm working on it full time now as the old forum was too unstable. Couple days, all good. If you notice any issues, please contact me.

Forum Index : Other Stuff : "Tap and Go" EFTPOS and VISA cards...

     Page 1 of 2    
Author Message
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9306
Posted: 02:27pm 02 Feb 2013
Copy link to clipboard 
Print this post

NZ has introduced new "Tap and Go" payment methods for processing EFTPOS and CC transactions. You no longer need to swipe the card or enter a PIN.

I think this is limited to less then $100, so you can't use this for large expensive items, only cheap things, but to me - where is the security in this idea?

http://eftpos.co.nz/contactless-payments

It would seem to me, that if someone steals your card(or many people's cards), they can then use them all over the place, as there is no PIN to enter, so as long as the card is valid, and there are funds in the account, it works.

Seems dangerous to me. While stolen cards could only be used for low value purchases, if the theif uses the card in ten different shops, or any shop they can use the card in at all, they could rip you off for thousands of bucks in very little time.

Does anyone know about this technology and how can you possibly have any security on a Tap and Go type card?Edited by Grogster 2013-02-04
Smoke makes things work. When the smoke gets out, it stops!
 
grub
Senior Member

Joined: 27/11/2007
Location: Australia
Posts: 169
Posted: 10:23am 03 Feb 2013
Copy link to clipboard 
Print this post

I have been reading about this kind of card on news forums and the thieves don't even have to steal your card. They set up the "shop" side of things via a computer program in a laptop and walk the streets and shops where these types of cards are likely to be found and then, when they get close enough, hit you with a "bill" and take the money. There are now special wallets that stop the signals when the card, or a phone, is in it thus stopping unwanted "transactions". There are even "how to" manuals on methods to kill the rfid chip so that it will never work again.
Cavet Emptor (buyer beware)
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9306
Posted: 01:15pm 03 Feb 2013
Copy link to clipboard 
Print this post

So, you are confirming then, that there is absolutely no security on these cards?

If that really is the case, then they are extremely DANGEROUS to own - I sure won't be getting one or recommending anyone I know have or use one.

EDIT: You know what they really need to develop? Finger or thumb print ID for payment transactions. Finger-print recognition already exists for high security installations, and the technology must be getting cheaper by now, so this would be the way to do it, as everyone's print is unique, and also, it would allow them to build up a database of any crims who try to rip people off.Edited by Grogster 2013-02-04
Smoke makes things work. When the smoke gets out, it stops!
 
Downwind

Guru

Joined: 09/09/2009
Location: Australia
Posts: 2333
Posted: 02:34pm 03 Feb 2013
Copy link to clipboard 
Print this post

Perhaps, that might start thieft of thumbs then, and a little hard to get sent a replacement if you loose one.

What ever happened to that method of yesteryear called CASH?

All that any credit card do is allows you to be tracked like a dog, with what you buy, where and when you buy it, your average location, etc.
Sometimes it just works
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9306
Posted: 02:37pm 03 Feb 2013
Copy link to clipboard 
Print this post

...and make lots of money for the banks through interest on the CC.
Smoke makes things work. When the smoke gets out, it stops!
 
MOBI
Guru

Joined: 02/12/2012
Location: Australia
Posts: 819
Posted: 02:53pm 03 Feb 2013
Copy link to clipboard 
Print this post

  grogster said  Finger or thumb print ID for payment transactions


As an extra on the finger print sevurity, it should be up to the card holder to pick which finger/thumb they use. That way there is a degree of randomness to the print particularly if it was a finger not normally used in daily "handling of things) life.
David M.
 
yahoo2

Guru

Joined: 05/04/2011
Location: Australia
Posts: 1166
Posted: 04:23pm 03 Feb 2013
Copy link to clipboard 
Print this post

I was very surprised when I used a credit card in a parking automated pay machine and it didn't need a PIN, after doing a bit of investigating it have found that retailers can opt in for a thing called "swipe and Go". Apparently they can choose to waive the requirement for a PIN on purchases up to $35 on a regular credit or debit card.

I understand it was originally used in highway toll booths but is now very widespread.

I use thumbprint scanners a bit, they are only as secure as you make them. If you wind the settings up to the max, it can take multiple tries to get recognized, and that pisses people off, if you leave them low there is a fair chance of a false positive.

As for forensic matching Hmmmm a good tool under the right conditions, but by no means foolproof.
  wikipedia said   In 1995, the Collaborative Testing Service (CTS) administered a proficiency test that, for the first time, was "designed, assembled, and reviewed" by the International Association for Identification (IAI).The results were disappointing. Four suspect cards with prints of all ten fingers were provided together with seven latents. Of 156 people taking the test, only 68 (44%) correctly classified all seven latents. Overall, the tests contained a total of 48 incorrect identifications


I'm confused, no wait... maybe I'm not...
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9306
Posted: 05:19pm 03 Feb 2013
Copy link to clipboard 
Print this post

Looks like I might have been on the wrong track with the finger/thumb-print ID then...
Smoke makes things work. When the smoke gets out, it stops!
 
sPuDd

Senior Member

Joined: 10/07/2007
Location: Australia
Posts: 251
Posted: 01:41am 04 Feb 2013
Copy link to clipboard 
Print this post





Problem solved.

Gold looking lines between holes are the RFID coils. Hold the card
up to a bright light if you don't have a transperent edge. Mark it
and drill through the wires. They pick up power & comms in the RFID
field, just works as a normal card without it.

You can blow holes in anything except the magnesium swipe and the
smart chip.


sPuDd..


It should work ...in theory
 
Tinker

Guru

Joined: 07/11/2007
Location: Australia
Posts: 1904
Posted: 04:02am 04 Feb 2013
Copy link to clipboard 
Print this post

Interesting...
I was under the impression these cards (and I have one too) are passive devices, IOW, they do not constantly "send" out a signal that could be picked up from the street.

Think about it, transmitting a signal over distances requires power and for that there needs to be a battery in the card. Yes, there possibly exist tin small batteries these days but I doubt they will hold charge for the 4+ years until the card expires. Anybody spotted any charging terminals on the card?

So, what I think is they work similarly as the anti theft labels on expensive items but have a far more sophisticated data exchange.
There is a 'field' around the tap & go box that interrogates the normally passive antenna loop in the card. A small charge is generated that powers up the on card chip to transmit its data and do the 'banking'.
Once away from the very limited 'field around the reader box the card becomes numb and passive again. I doubt it works further than, say, 0.5m from the box.

The train passes on our Perth train use intelligent cards, just tapping the wallet (with card inside) on the reader books the fare and also lets you know how much money is left on it.

For security reasons its wise to handle the card as one would handle cash. Except, if somebody nicks your cash there is buckleys chance to get it back unless one records all the serial numbers and the thief is caught.

With a nicked card, yes, the thief could make several purchases below $100 but you would have a good chance to get your money back, especially if you can show that you always keep the dockets for legit purchases and can prove to the bank you did not buy those things. Also, remember that you are most likely on CCTV camera and recorded as you use your card - as would be the thief.

They keep a good record of your electronic shopping and were on the ball in my case when somebody overseas made purchases on my card that was way out of normal. As I was on holiday on a yacht at that time they stopped the card until I contacted them after they left a phone message. I got the money refunded about 6 weeks later.

Anyway, you could do what I do, have a card with a rather low limit for such shopping, also good for e-bay etc. I think the lowest limit is $500.


Klaus
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9306
Posted: 11:27am 04 Feb 2013
Copy link to clipboard 
Print this post

  Tinker said   Interesting...
I was under the impression these cards (and I have one too) are passive devices, IOW, they do not constantly "send" out a signal that could be picked up from the street.


They don't.

  Tinker said  Think about it, transmitting a signal over distances requires power and for that there needs to be a battery in the card. Yes, there possibly exist tin small batteries these days but I doubt they will hold charge for the 4+ years until the card expires. Anybody spotted any charging terminals on the card?


They don't have charge terminals, as they don't have any internal battery.

  Tinker said  So, what I think is they work similarly as the anti theft labels on expensive items but have a far more sophisticated data exchange.
There is a 'field' around the tap & go box that interrogates the normally passive antenna loop in the card. A small charge is generated that powers up the on card chip to transmit its data and do the 'banking'.
Once away from the very limited 'field around the reader box the card becomes numb and passive again. I doubt it works further than, say, 0.5m from the box.


Absolutely correct.
That is precisely how they work - magnetic induction to induce a flea-power voltage in the pickup coils in the card, which supply power to the PIC embedded in the card.

You are 100% correct on how they work.

  Tinker said  For security reasons its wise to handle the card as one would handle cash. Except, if somebody nicks your cash there is buckleys chance to get it back unless one records all the serial numbers and the thief is caught.


Yes, good point.
People SHOULD treat a CC or EFTPOS card like cash - but they don't!

  Tinker said  With a nicked card, yes, the thief could make several purchases below $100 but you would have a good chance to get your money back, especially if you can show that you always keep the dockets for legit purchases and can prove to the bank you did not buy those things. Also, remember that you are most likely on CCTV camera and recorded as you use your card - as would be the thief.


Good point...
Edited by Grogster 2013-02-05
Smoke makes things work. When the smoke gets out, it stops!
 
Georgen
Guru

Joined: 13/09/2011
Location: Australia
Posts: 462
Posted: 02:22pm 05 Feb 2013
Copy link to clipboard 
Print this post

If it works up to 0.5m then thief doesn't have to even brush against us if is in posession of 'wave card' reader.

Looks to me that some kind of metal shield might be good for extra security.
Might start with thick al-foil.

Would it work and be enough to protect 'wave card' owner?
George
 
Dogalot
Newbie

Joined: 26/03/2013
Location: United States
Posts: 2
Posted: 09:11am 27 Mar 2013
Copy link to clipboard 
Print this post

Hey there...

Our local news station did a report on just this subject:

http://www.wthr.com/story/14001597/the-risk-inside-your-cred it-card

I like the last suggestion on how to protect yourself -- cheapest is wrapping the card in aluminum foil...

 
TronicSavyyJohn
Newbie

Joined: 31/03/2012
Location: Australia
Posts: 20
Posted: 08:37pm 27 Mar 2013
Copy link to clipboard 
Print this post

bet me to it, A simple old schoo compass and a few stab marks later. presto! no more NFC.
I read an article also where they have these mobile phone looking NFC readers and swipe and go past you, a teenager in a night club netted over $10k on night.

Not my card
 
Downwind

Guru

Joined: 09/09/2009
Location: Australia
Posts: 2333
Posted: 09:00pm 27 Mar 2013
Copy link to clipboard 
Print this post

  Quote  A simple old schoo compass and a few stab marks later. presto! no more NFC.


From what i understand, 10 seconds in the microwave kills almost all RFID tags.

It was from another news coverage on shoplifting some years back, where the skilled thieves would take a set of say, Nike shoes and visit the kitchen appliance section of the department store, and use a demo microwave for 10 seconds on the shoes, then put them on their feet and walk out through the RFID scanners. Free $200.00 shoes?

If someone has a expired card and willing to give it a microwave test, i would be interested to know what happens.
Most card replacements overlap in expiry date by about a month, so to test the theory of nuking the chip would be interesting.

Pete.
Sometimes it just works
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9306
Posted: 10:31pm 27 Mar 2013
Copy link to clipboard 
Print this post

I really can't understand the logic in this idea.

Quick and easy, yes, but doubly so for those trying to steal your card details or just plain rip you off by charging lots of small amounts to as many cards as they can find in range.

Perhaps this idea should have had a bit more of a rethink before they pushed it out?
Smoke makes things work. When the smoke gets out, it stops!
 
Georgen
Guru

Joined: 13/09/2011
Location: Australia
Posts: 462
Posted: 01:49pm 02 Apr 2013
Copy link to clipboard 
Print this post

  Grogster said  ...
Perhaps this idea should have had a bit more of a rethink before they pushed it out?


I think that there should be left something in a form of password, I know takes longer and is almost as it was before, but doesn't go through reader, so little improvement here.

We would need better cooperation between banks, as money goes somewhere and somebody stands behind every bank account, so not that hard to investigate if there is enough will to catch the offender/s.
George
 
Grogster

Admin Group

Joined: 31/12/2012
Location: New Zealand
Posts: 9306
Posted: 01:56pm 02 Apr 2013
Copy link to clipboard 
Print this post

I know that I won't be using any card like that, and I will disable it with the drill holes through the aerial coils as indicated in an earlier post, if I am ever sent one of these cards.

I currently don't have any such card, but I guess that in time...
Smoke makes things work. When the smoke gets out, it stops!
 
JohnS
Guru

Joined: 18/11/2011
Location: United Kingdom
Posts: 3801
Posted: 09:45pm 28 May 2014
Copy link to clipboard 
Print this post

  Grogster said  
  Tinker said   People SHOULD treat a CC or EFTPOS card like cash - but they don't!


Following on via a thread in the uC forum...

With cash you can limit your max loss by not carrying much cash. With these wretched cards the banks limit your loss to a biggish figure :(

I have N cards (N > 1) so the figure is the total of the cards. I'd never carry so much in cash but have this imposed on me!

JohnEdited by JohnS 2014-05-30
 
MacGyver

Guru

Joined: 12/05/2009
Location: United States
Posts: 1329
Posted: 01:18am 29 May 2014
Copy link to clipboard 
Print this post

Crew

Before leaving California (read that, regaining my sanity) I was told several municipalities had installed roadside "readers" that had the ability to read passing vehicles embedded with RFID chips. A tech buddy of mine, who purchased an FJ Cruiser, told me his new vehicle had no less than 9 of these chips and removing them disabled important stuff like the charging circuit, ignition circuit and transmission.

That being said, the California DMV (Department of Motor Vehicles) began issuing drivers licenses with RFID chips embedded in them as well. They said it was so traffic officers could learn your life history when they pulled you over for a driving violation.

I personally "cooked" my new California Drivers License in the microwave for about 5 seconds twice, so I didn't maybe melt the entire thing; some plastics heat up in a microwave oven just to be on the 'safe' side and sure as I'm a foot tall, I got pulled over for going too slow (wouldn't you know?) and the traffic officer told me my drivers license needed to be replaced, as he could not access my personal information from the card.

So, apparently, the microwave oven trick works. Did I get a new drivers license? Hell no! I took it one step beyond all that; I moved to Texas!


. . . . . Mac
Nothing difficult is ever easy!
Perhaps better stated in the words of Morgan Freeman,
"Where there is no struggle, there is no progress!"
Copeville, Texas
 
     Page 1 of 2    
Print this page
© JAQ Software 2024