208 posts

Master Geek


  Reply # 641536 15-Jun-2012 17:55

A second-factor auth via PIN would be slightly more comforting (along with SMS/TXT notification for every transaction), but I still have some trouble understanding why an uncontrolled radio broadcast that could be picked up via some pretty easy-to-acquire hardware with little to no vetting is more secure than a system I have better control over (never mind the massive privacy issues being completely ignored).

* http://www.nfc.cc/2012/04/02/android-app-reads-paypass-and-paywave-creditcards/
* http://www.shmoocon.org/2012/videos/CreditCardFraud.m4v (Paget @ Shmoocon 2012)

Admittedly we shouldn't believe everything we read online, but I do not see why I should be forced to adopt something that I do not need or have any intention to use.
I am not alone in these concerns, so either there is an issue with user-education/adoption, or there are still technical/security issues that have not been adequately resolved.

Saying the merchant/bank will simply absorb the risk is unacceptable, when not being exposed to begin with is a better solution.




FLOSS'er

19761 posts

Uber Geek
+1 received by user: 1512

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 641564 15-Jun-2012 18:53

freakalad:
Saying the merchant/bank will simply absorb the risk is unacceptable, when not being exposed to begin with is a better solution.


Except the basis of every bank is risk management. Every single task is about evaluating risk.

I would suggest you really read up about the changes being made as EMV and NFC are rolled out in the US. I'd pick after this you'll probably want to avoid going anywhere near a credit card.


838 posts

Ultimate Geek
+1 received by user: 36


  Reply # 641953 16-Jun-2012 21:44

Curious with all these scary posts about the horrible things that could happen when an NFC card is stolen, has anyone actually been a direct victim of pay pass / pay wave?

The last reported incident was skimming EFTPOS cards by Canadians rather than exploiting NFC technology.

gzt

4596 posts

Uber Geek
+1 received by user: 244

Subscriber

  Reply # 641961 16-Jun-2012 22:14

No. But banks do not publicize fraud. Successful fraud even less so.




Energy saving and monitoring devices available in NZ: www.energymonitor.org.nz

19761 posts

Uber Geek
+1 received by user: 1512

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 642005 17-Jun-2012 09:26

The introduction of chip and PIN in Australia along with NFC has seen credit card fraud levels drop substantially. Banks don't publicise fraud levels because they're a risk based % at the end of the day, but it's safe to say the new technology is resulting in downwards movement, not upwards.

Those who keep saying NFC is risky need to remember as I keep pointing out that in the US you have never needed a pin or signature for low value credit card purchases, so the move to NFC changes nothing.

1770 posts

Uber Geek
+1 received by user: 68


  Reply # 642020 17-Jun-2012 10:30

freakalad: A second-factor auth via PIN would be slightly more comforting (along with SMS/TXT notification for every transaction), but I still have some trouble understanding why an uncontrolled radio broadcast that could be picked up via some pretty easy-to-acquire hardware with little to no vetting is more secure than a system I have better control over (never mind the massive privacy issues being completely ignored).

* http://www.nfc.cc/2012/04/02/android-app-reads-paypass-and-paywave-creditcards/
* http://www.shmoocon.org/2012/videos/CreditCardFraud.m4v (Paget @ Shmoocon 2012)

Admittedly we shouldn't believe everything we read online, but I do not see why I should be forced to adopt something that I do not need or have any intention to use.
I am not alone in these concerns, so either there is an issue with user-education/adoption, or there are still technical/security issues that have not been adequately resolved.

Saying the merchant/bank will simply absorb the risk is unacceptable, when not being exposed to begin with is a better solution.

This sounds like the same concerns folk first had when credit cards were introduced...
Why do I want one? Someone could steal it and copy my signature.

You signed up for a Credit/debit card under the bank's T's & C's... and guessing you didn't have an issue with that.
NFC is simply the next iteration of making it easier for you to cycle your money thru transaction systems. As folk have said, the risk lies with the banks (it's their system). The responsibility lies with you, same way you're currently responsible for your credit/debit cards.

208 posts

Master Geek


  Reply # 642039 17-Jun-2012 11:25

not quite the same - with both magstripe+sign & chip+PIN, you have to give explicit auth, and is a token control on the holder's part. if the merchant or bank do not have their act together in validating that auth, then the onus falls on them, since I've done what I reasonably could on my end.

on RFID it's nowhere the same thing - even if the card does not leave my wallet, pocket or bag, the data (i.e. the important, juicy bits) still leak outside of my control, and there is no additional auth validation involved.

saying that this is the same data that's used for online purchases is one of the weakest cop-outs I've heard - if they can completely eliminate online fraud & the black-market in carding has been decimated, *then* that argument might have merit.

if the system as it is has merit, then I should be able to print that data (maybe in QR-code format) on a t-shirt & walk around with that - at least that way I might have a better idea who's picking up the data by virtue of a camera pointing at me.




FLOSS'er

19761 posts

Uber Geek
+1 received by user: 1512

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 642041 17-Jun-2012 11:31

I suggest you cancel your credit cards.

You want a complete redesign of the entire system to move from a risk based one to a fully secure system that completely eliminates fraud. This isn't ever going to happen. At the same time you may as well get rid of cash because it can easily be stolen.



208 posts

Master Geek


  Reply # 642323 18-Jun-2012 07:49

I don't have a credit card, but a debit card (oddly enough I can get a special-order CC without RFID; probably old stock), to limit risk.
I only have as much money in my wallet & the account linked to the card as I'm willing to lose at any given time - a mitigation factor I've introduced myself & something I can have control over.

This is not just a whinge about getting things my way, but a need to limit my risk & exposure, and not having to take on more than is absolutely necessary. A few $$$ I'm willing to part with - but not the data.

Being told that "it's all OK because we say it's so" is no good.




FLOSS'er

11113 posts

Uber Geek
+1 received by user: 543

Trusted
Subscriber

  Reply # 642393 18-Jun-2012 10:24

If you want to limit your exposure then lose the debit card and get a credit card where you only have a max of $50 exposure and that is never enforced anyway.

debit cards are the worst idea ever, you lose the interest free period, shoulder the risk with your own money and the merchants are still paying the same fees.




Richard rich.ms

208 posts

Master Geek


  Reply # 642401 18-Jun-2012 10:36

good idea, thanks.




FLOSS'er

19761 posts

Uber Geek
+1 received by user: 1512

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 642420 18-Jun-2012 11:04

freakalad: I don't have a credit card, but a debit card (oddly enough I can get a special-order CC without RFID; probably old stock), to limit risk.
I only have as much money in my wallet & the account linked to the card as I'm willing to lose at any given time - a mitigation factor I've introduced myself & something I can have control over.

This is not just a whinge about getting things my way, but a need to limit my risk & exposure, and not having to take on more than is absolutely necessary. A few $$$ I'm willing to part with - but not the data.

Being told that "it's all OK because we say it's so" is no good.


Debit cards are bad, very bad. For somebody who's so paranoid getting rid of this would be the first thing I'd do! :)

The biggest issue is that if you have any fraud you're going to have the money taken from your account and then the bank will have to put it back, whereas with a credit card you've never actually paid for the fraudulent charges. You also can't use them at many hotels and rental car companies, and if you can it's your money being held for the pre auth rather than simply a hold put on the credit card itself.

At the end of the day providing you're not breaking your bank terms and conditions your money is safe, but there are some major downsides to debit cards.

208 posts

Master Geek


  Reply # 644597 22-Jun-2012 10:35

I can appreciate that there are a number of shortcomings & vulnerabilities in all these systems, but what I want is to address & get a modicum of control over this one issue/"feature" - RFID.

Maybe I'm paranoid... maybe not:
* http://www.scmagazine.com.au/News/305881,android-app-steals-contactless-credit-card-data.aspx
* https://github.com/thomasskora/android-nfc-paycardreader




FLOSS'er

11113 posts

Uber Geek
+1 received by user: 543

Trusted
Subscriber

  Reply # 644645 22-Jun-2012 11:41

If you have taken all steps to protect it then you are not liable.

Why try to fix a problem that is not yours? The problem goes back to the merchants that accept the fraudulent cards, and to banks that allow withdrawals using the fake cards. Not you. Not your problem to fix.




Richard rich.ms

19761 posts

Uber Geek
+1 received by user: 1512

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 644660 22-Jun-2012 12:06

freakalad: I can appreciate that there are a number of shortcomings & vulnerabilities in all these systems, but what I want is to address & get a modicum of control over this one issue/"feature" - RFID.

Maybe I'm paranoid... maybe not:
* http://www.scmagazine.com.au/News/305881,android-app-steals-contactless-credit-card-data.aspx
* https://github.com/thomasskora/android-nfc-paycardreader


I have far greater concerns from a risk perspective that my credit card number, name and expiry date is printed on the front of my card. This can be viewed by staff at every store I visit that doesn't have a pinpad allowing self swiping/inserting of my card and requires me to hand them my card.

You're pointing out a very low risk compromise that realistically can't be done without physical access to the card. Despite people making all sorts of claims about capturing RFID data at a distance the reality is this doesn't work very well at all.

I'm pointing out a very valid risk that is incurred every time I use my card. What do you perceive as the greatest risk?

