Free $80 - come and get ur moneyz!!

Posted: 20-Sep-2011 13:11

Recently I received a letter from ASB Bank about a replacement credit card with an embedded chip.

"Great" I thought. I'd been wondering when they would come out, as chip cards are supposed to be more secure.

Part of the letter explained about a new contactless payment system incorporated as part of the cards called PayPlus. This is MasterCard's implementation of Near Field Communication based payments (see http://en.wikipedia.org/wiki/MasterCard#PayPass ). The Visa equivalent I understand is called PayWave.

The letter explained that for transactions of less than $80 no pin was required.  Now of course you do have to find a retailer that would support this, but I would assume these would start appearing, and the concept is similar to my Snapper card I use occasionally for the bus.

But the idea of no pin, no signature linked to my credit card had me a bit worried. 

Snapper is effectively a cash replacement - and in some ways it is more secure than your wallet (where your cash normally resides)*. Because of this, the balance kept on my Snapper card is akin to what I'd hold in my wallet, not much more than $20.

But the idea of up to $80 payments possible off a household credit card gave me shivers down my spine.  How many people do not check their statements?  Or if they do, only when it's sent to you?  Ok sure, the card has to be out of your possession, and generally you'd cancel the card as soon as you realise it's gone, but it still left me feeling uneasy.  With a regular credit card loss, apart from McDonalds**, there was a modicum of security, someone would have to forge your signature (probably fairly easy to do) or gain access to your pin.

But the thought of someone just having to tap the stolen, or misplaced card on a terminal to have access to your funds seemed to be a lowering of security.  I like to think of this contactless technology as a cash replacement...and therefore the value of cash transactions - generally fairly low....not being linked to an account with enough money to cover the household spending for a month.

I saw another user ask @ASBBank on twitter if the limit could be (I assumed) lowered...this was something I'd been thinking of, and I asked if it could be disabled entirely, the answer was no to both questions.

I'm all for new features, and quite like the idea of contactless payments, don't get me wrong.  But I don't particularly want it attached to a credit card that I've purposely never put on the internet, because it's used for the household, and so its limit is appropriate for household spending.  I have another card with a $500 limit that I use for internet based transactions.  A separate, opt-in, card would have been, in my opinion, the preferable way of implementing this.

BTW this probably isn't so much a dig at ASB Bank, and I think this would be part of their membership to the card schemes, and I'd imagine all the NZ banks would be doing similar.  And all have the same sort of implementation.



* if you lose your snapper and it's registered, it can be stopped and/or refunded.  If you lose your wallet, you've probably lost your money.

** McDonalds (and maybe others) has allowed no pin or signature on transactions valuing less than $15. Correction, apparently it's $35 - which I think is worse.







Comment by pebbles, on 20-Sep-2011 13:59

Just a wee correction - it's actually $35 for McDonalds


Author's note by davidcole, on 20-Sep-2011 14:01

That's a lot of big macs.....  Seems a bit excessive.


Comment by sorin, on 20-Sep-2011 15:08

David,

According to ASB's T&C, any fraudulent payment made *without* a PIN should be refunded to you if someone steals your card.

However, you are liable for any payment made with PIN or cash withdrawal at ATM.


Cheers.


Author's note by davidcole, on 20-Sep-2011 15:15

@sorin - Yes, similar to fraudulent transaction made on your credit card transactions.  And ASB is pretty good at sorting this out, I've had it happen to me.  I guess the point is, why have we allowed things to get, in my mind, backwards, to the point where this condition is needed.

I'd rather not take the risk, and have the feature disabled....but apparently I can't (maybe when I receive the card there will be more information on this).


Comment by graemeh, on 20-Sep-2011 15:19

@David, you're not taking the risk, the ASB or more likely the merchant is.

They are taking this risk because it allows them to process customers more quickly and the cost saving in doing this outweighs the potential loss from fraud.


Comment by adam, on 20-Sep-2011 15:57

I got a new ASB Debit Paywave card yesterday. Came with some info on the paywave system, but not more than is on their website.

Visa (and I must assume Mastercard) have insurance on transactions not made by you, entitling you to a full refund (unlimited time for credit card, only 30 days for visa debit). This is effectively your security. Admittedly, it too worries me that it requires no pin or signature, but we must rely on technology, as well as ASB and Visa (or mastercard) to monitor and make sure transactions are all made by us.

Working in a retail shop, I think 'tap and go' technology is great. Makes over-the-counter transactions faster, and the customer doesn't even have to let go of the card itself.

We will have to wait to see how often fraudulent transactions occur with these systems when they are more readily available. 

I guess it all eventually comes down to trust. Do you trust ASB and Mastercard?


Author's note by davidcole, on 20-Sep-2011 20:04

Trust the card schemes? Uh no, having worked on PCI DSS projects for the past 18 months they're hard work.

But I digress....I think I even have a new blog topic for tomorrow...


Comment by muppet, on 20-Sep-2011 20:04

It's fairly easy to disable these cards.  You just have to drill a small hole (or holes) through the right bit, usually the antenna.

Here's a snapper card for comparison.  You can see there where you'd drill through.

Probably not the solution you're hoping for, but a solution that works.

Tim


Comment by sbiddle, on 20-Sep-2011 20:52

Australia is around 3 years ahead of NZ in terms of a NFC rollout - somewhere along the lines of 6 million Paypass Mastercards are now in use in Australia, and over 50000 retailers have NFC terminals.

After having a discussion with somebody involved with this recently they have said there has been absolutely no noticeable difference in the levels of credit card fraud as a result of the change, factoring in that NFC card use has had exponential growth since the mass rollout of cards in 2009.


Comment by Kyanar, on 21-Sep-2011 09:21

@muppet

It's not just the RFID enabled cards that can do it though. Your old magstripe debit/credit card is also able to process the transaction without a PIN or signature as well. I had this happen to me at a KFC one time, and I raised hell with the staff. Funny, it no longer seems to happen there.

@graemeh

Unfortunately if you're using a debit card, the merchant may be taking a risk but so are you. With a credit card, disputed transactions mean the bank is out the disputed amount until the investigation's over. With a debit card, you are instead out that amount while the investigation proceeds because the funding source is your primary checking account, not some imaginary number in ASB/Westpac/Visa's systems.


Comment by graemeh, on 21-Sep-2011 10:29

@Kyanar

I totally agree, if it's a debit card it's your problem because you lose the use of the money.

The original post was about a credit card.

Just use Muppet's suggestion and break the aerial.


Comment by CruciasNZ, on 21-Sep-2011 11:22

Get yourself a loaded card then and leave your main card at home safe.

http://www.loadedcard.co.nz/

It's prepaid Visa but it's accepted by all e-retailers that accept normal Visa. Great for spend control too. Not a perfect solution, but still.


Comment by Bung, on 22-Sep-2011 12:23

"* if you lose your snapper and it's registered, it can be stopped and/or refunded. "

It takes time to stop the Snapper and you only get refunded what the finder or thief hasn't managed to spend. If you've only got a few dollars on your card it might be worth waiting to see if the current user adds money before stopping it.


Comment by ASBBank, on 22-Sep-2011 16:56

Hi David, thanks for your blog about contactless cards and highlighting some of the issues that have come to mind. Rest assured that if your card is lost or stolen it is treated in exactly the same way as all ASB credit cards - cardholders are covered for unauthorised transactions.

If you would like a card without the contactless technology,  you can opt for a Visa Classic card.

We've also added more FAQs to our ASB website about contactless cards to explain how they work https://www.asb.co.nz/story23906.aspx

Simone McCallum
ASB Bank


Comment by ASBBank, on 22-Sep-2011 20:13

Hi David, it is not only the card number that is required to authenticate a contactless transaction - a dynamic CVV number is also required (and changes for each transaction). ASB also has extensive tools in place to monitor and control fraud that occurs on credit cards and mitigates the risk of fraud occurring on credit cards.

We are very pleased with the speed that contactless transactions are being processed but we are always looking to ensure that the transaction speed increases for a typical dip transaction. Offline PIN is certainly one of the things we are looking at.
Options like biometrics may also be considered in the future, once they become more cost efficient. 

Thanks for all your feedback on contactless cards, it is great to hear your thoughts on this.


Simone McCallum


Author's note by davidcole, on 22-Sep-2011 20:45

Thanks Simone

The explanations are very helpful.  I don't mean to be directly digging at ASB as I imagine that the directive would have come from the card schemes.  But you are my bank, so I'm glad that a conversation was able to be started.

So the dynamic CCV is used so that skimmed signals off the cards cannot be used to place a repeat transaction?

Thanks for the explanation.

David


Comment by ASBBank, on 22-Sep-2011 22:56

Yes, exactly right - a transaction submitted using skimmed credentials would be invalid due to the dynamic CVV.

Thanks again for all the feedback - we welcome the opportunity to engage in dialogue with our community whether on Twitter, Facebook or here! 

Simone McCallum
ASB Bank


Comment by oxnsox, on 23-Sep-2011 09:52

Most of this is really about a 'mindshift' in how we view the way e-transactions work. And reading past the initial offering and seeing the whole thing in context, which means including the security measures.

When I lived overseas a few years back it was accepted practice there to give utility companies and landlords access to your bank account, simply by passing over the account number. (No autopayment authorisations and paperwork).  That was hard for a Kiwi to accept, but when we understood that we could stop and reverse any payments, without question, with a simple phone call, we got our heads around it.


Author's note by davidcole, on 23-Sep-2011 10:05

@oxnsox I agree on the mindshift bit.  But what I brought up in a subsequent post: http://www.geekzone.co.nz/davidcole/7805 was that a system is being implemented (and is already implemented when you look at how existing credit cards can and are used) that requires the use of fraud protection and insurance.

It would be nice if the systems could be implemented so that we (as customers) don't have to pay for this type of protection.


Comment by Cliff, on 25-Sep-2011 20:37

So what if my son sneaks my card from my wallet, heads off to Maccas and shouts for his mates - and then puts the card back in the wallet? Who is responsible; me? M/card? the bank, the retailer?

It is an example of a huge double standard. When I first encountered this, I cancelled the card transaction and paid in cash. However, the retailer wanted my PIN and signature before the transaction went through. In other words, THEY wanted THEIR security, but were not concerned about mine. I suspect I'm being shafted, but I can't prove it!

