Geekzone: technology news, blogs, forums
194 posts

Master Geek


  Reply # 641536 15-Jun-2012 17:55

A second-factor auth via PIN would be slightly more comforting (along with SMS/TXT notification for every transaction), but I still have some trouble understanding why an uncontrolled radio broadcast that could be picked up via some pretty easy-to-acquire hardware with little to no vetting is more secure than a system I have better control over (never mind the massive privacy issues being completely ignored).

* http://www.nfc.cc/2012/04/02/android-app-reads-paypass-and-paywave-creditcards/
* http://www.shmoocon.org/2012/videos/CreditCardFraud.m4v (Paget @ Shmoocon 2012)

Admittedly we shouldn't believe everything we read online, but I do not see why I should be forced to adopt something that I do not need or have any intention to use.
I am not alone in these concerns, so either there is an issue with user-education/adoption, or there are still technical/security issues that have not been adequately resolved.

Saying the merchant/bank will simply absorb the risk is unacceptable, when not being exposed to begin with is a better solution.

18571 posts

Uber Geek
+1 received by user: 736

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 641564 15-Jun-2012 18:53

freakalad:
Saying the merchant/bank will simply absorb the risk is unacceptable, when not being exposed to begin with is a better solution.


Except the basis of every bank is risk management. Every single task is about evaluating risk.

I would suggest you really read up about the changes being made as EMV and NFC are rolled out in the US. I'd pick after this you'll probably want to avoid going anywhere near a credit card.


757 posts

Ultimate Geek
+1 received by user: 17


  Reply # 641953 16-Jun-2012 21:44

Curious with all these scary posts about the horrible things that could happen when an NFC card is stolen, has anyone actually been a direct victim of pay pass / pay wave?

The last reported incident was skimming EFTPOS cards by Canadians rather than exploiting NFC technology.

gzt

3767 posts

Uber Geek
+1 received by user: 109

Subscriber

  Reply # 641961 16-Jun-2012 22:14

No. But banks do not publicize fraud. Successful fraud even less so.




Energy saving and monitoring devices available in NZ: www.energymonitor.org.nz

18571 posts

Uber Geek
+1 received by user: 736

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 642005 17-Jun-2012 09:26

The introduction of chip and PIN in Australia along with NFC has seen credit card fraud levels drop substantially. Banks don't publicise fraud levels because they're a risk based % at the end of the day, but it's safe to say the new technology is resulting in downwards movement, not upwards.

Those who keep saying NFC is risky need to remember as I keep pointing out that in the US you have never needed a pin or signature for low value credit card purchases, so the move to NFC changes nothing.

1649 posts

Uber Geek
+1 received by user: 32


  Reply # 642020 17-Jun-2012 10:30

freakalad: A second-factor auth via PIN would be slightly more comforting (along with SMS/TXT notification for every transaction), but I still have some trouble understanding why an uncontrolled radio broadcast that could be picked up via some pretty easy-to-acquire hardware with little to no vetting is more secure than a system I have better control over (never mind the massive privacy issues being completely ignored).

* http://www.nfc.cc/2012/04/02/android-app-reads-paypass-and-paywave-creditcards/
* http://www.shmoocon.org/2012/videos/CreditCardFraud.m4v (Paget @ Shmoocon 2012)

Admittedly we shouldn't believe everything we read online, but I do not see why I should be forced to adopt something that I do not need or have any intention to use.
I am not alone in these concerns, so either there is an issue with user-education/adoption, or there are still technical/security issues that have not been adequately resolved.

Saying the merchant/bank will simply absorb the risk is unacceptable, when not being exposed to begin with is a better solution.

This sounds like the same concerns folk first had when credit cards were introduced...
Why do I want one? Someone could steal it and copy my signature.

You signed up for a Credit/debit card under the bank's T's & C's... and guessing you didn't have an issue with that.
NFC is simply the next iteration of making it easier for you to cycle your money thru transaction systems. As folk have said, the risk lies with the banks (it's their system). The responsibility lies with you, same way you're currently responsible for your credit/debit cards.

194 posts

Master Geek


  Reply # 642039 17-Jun-2012 11:25

not quite the same - with both magstripe+sign & chip+PIN, you have to give explicit auth, and is a token control on the holder's part. if the merchant or bank do not have their act together in validating that auth, then the onus falls on them, since I've done what I reasonably could on my end.

on RFID it's nowhere the same thing - even if the card does not leave my wallet, pocket or bag, the data (i.e. the important, juicy bits) still leak outside of my control, and there is no additional auth validation involved.

saying that this is the same data that's used for online purchases is one of the weakest cop-outs I've heard - if they can completely eliminate online fraud & the black-market in carding has been decimated, *then* that argument might have merit.

if the system as it is has merit, then I should be able to print that data (maybe in QR-code format) on a t-shirt & walk around with that - at least that way I might have a better idea who's picking up the data by virtue of a camera pointing at me.

18571 posts

Uber Geek
+1 received by user: 736

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 642041 17-Jun-2012 11:31

I suggest you cancel your credit cards.

You want a complete redesign of the entire system to move from a risk based one to a fully secure system that completely eliminates fraud. This isn't ever going to happen. At the same time you may as well get rid of cash because it can easily be stolen.



194 posts

Master Geek


  Reply # 642323 18-Jun-2012 07:49

I don't have a credit card, but a debit card (oddly enough I can get a special-order CC without RFID; probably old stock), to limit risk.
I only have as much money in my wallet & the account linked to the card as I'm willing to lose at any given time - a mitigation factor I've introduced myself & something I can have control over.

This is not just a whinge about getting things my way, but a need to limit my risk & exposure, and not having to take on more than is absolutely necessary. A few $$$ I'm willing to part with - but not the data.

Being told that "it's all OK because we say it's so" is no good.

10170 posts

Uber Geek
+1 received by user: 271

Trusted
Subscriber

  Reply # 642393 18-Jun-2012 10:24

If you want to limit your exposure then lose the debit card and get a credit card where you only have a max of $50 exposure and that is never enforced anyway.

debit cards are the worst idea ever, you lose the interest free period, shoulder the risk with your own money and the merchants are still paying the same fees.




Richard rich.ms

194 posts

Master Geek


  Reply # 642401 18-Jun-2012 10:36

good idea, thanks.

18571 posts

Uber Geek
+1 received by user: 736

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 642420 18-Jun-2012 11:04

freakalad: I don't have a credit card, but a debit card (oddly enough I can get a special-order CC without RFID; probably old stock), to limit risk.
I only have as much money in my wallet & the account linked to the card as I'm willing to lose at any given time - a mitigation factor I've introduced myself & something I can have control over.

This is not just a whinge about getting things my way, but a need to limit my risk & exposure, and not having to take on more than is absolutely necessary. A few $$$ I'm willing to part with - but not the data.

Being told that "it's all OK because we say it's so" is no good.


Debit cards are bad, very bad. For somebody who's so paranoid getting rid of this would be the first thing I'd do! :)

The biggest issue is that if you have any fraud you're going to have the money taken from your account and then the bank will have to put it back, whereas with a credit card you've never actually paid for the fraudulent charges. You also can't use them at many hotels and rental car companies, and if you can it's your money being held for the pre auth rather than simply a hold put on the credit card itself.

At the end of the day providing you're not breaking your bank terms and conditions your money is safe, but there are some major downsides to debit cards.

194 posts

Master Geek


  Reply # 644597 22-Jun-2012 10:35

I can appreciate that there are a number of shortcomings & vulnerabilities in all these systems, but what I want is to address & get a modicum of control over this one issue/"feature" - RFID.

Maybe I'm paranoid... maybe not:
* http://www.scmagazine.com.au/News/305881,android-app-steals-contactless-credit-card-data.aspx
* https://github.com/thomasskora/android-nfc-paycardreader

10170 posts

Uber Geek
+1 received by user: 271

Trusted
Subscriber

  Reply # 644645 22-Jun-2012 11:41

If you have taken all steps to protect it then you are not liable.

Why try to fix a problem that is not yours? The problem goes back to the merchants that accept the fraudulent cards, and to banks that allow withdrawals using the fake cards. Not you. Not your problem to fix.




Richard rich.ms

18571 posts

Uber Geek
+1 received by user: 736

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 644660 22-Jun-2012 12:06

freakalad: I can appreciate that there are a number of shortcomings & vulnerabilities in all these systems, but what I want is to address & get a modicum of control over this one issue/"feature" - RFID.

Maybe I'm paranoid... maybe not:
* http://www.scmagazine.com.au/News/305881,android-app-steals-contactless-credit-card-data.aspx
* https://github.com/thomasskora/android-nfc-paycardreader


I have far greater concerns from a risk perspective that my credit card number, name and expiry date are printed on the front of my card. This can be viewed by staff at every store I visit that doesn't have a pinpad allowing self swiping/inserting of my card and requires me to hand them my card.

You're pointing out a very low risk compromise that realistically can't be done without physical access to the card. Despite people making all sorts of claims about capturing RFID data at a distance the reality is this doesn't work very well at all.

I'm pointing out a very valid risk that is incurred every time I use my card. What do you perceive as the greatest risk?

