Does this PayWave disabling method work for NZ cards?

Please note this sub-forum does not provide professional finance advice. You should seek advice from a licensed financial advisor.

To post in this sub-forum you must have made 100 posts or have Trust status or have completed our ID Verification.

If investing please consider our affiliate link for new accounts: Sharesies.

Forums › Finance and wealth management › Does this PayWave disabling method work for NZ cards?

1 | 2

chiefie

I iz your trusted friend
5877 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#828700 31-May-2013 11:31

Be aware, the cards provided by the banks are the banks' properties... Do pay attention and read the Terms and Conditions.

Internet is my backyard...

«Geekzone blog: Tech 'n Chips Takeaway» «Personal blog: And then...»

Please read the Geekzone's FUG

MurrayM

2456 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#828701 31-May-2013 11:35

Does anyone else dislike that ad on TV? It makes everyone look like a robot, very de-humanising!

trevor

15 posts

Geek

#828781 31-May-2013 12:38

I'm concerned about neither. The bank's got my back.

Ever had a fraudulent transactions? They may have your back but it's a real pain in the arse.

My company AMEX got cloned whilst on a business trip and I had all sorts of low value transactions on it (I did not know AMEX also does one factor authentication with a swipe). Fortunately as it's my company AMEX I had kept all the receipts so I could claim my expenses, otherwise I would have had little proof that the three to four low value transactions per day (mainly Starbucks and other eating places) were not mine.

You have to prove you did not make the transaction, otherwise I could go on a business trip and just get all low value transactions voided.

They will not accept that I never drink Starbuck's crap coffee :-(

ajobbins

5052 posts

Uber Geek

Trusted

#828784 31-May-2013 12:49

trevor:

Ever had a fraudulent transactions? They may have your back but it's a real pain in the arse.

Yep, I've had two cards compromised in the last 5 or 6 years. In both cases they were not the result of an intercept, but simply a guess at the card number/expiry.

The luhn algorithm can be used to very easily generate a list of valid credit card numbers. Especially with well known and published card bin ranges available online.

If somewhere doesn't require a CVV, they then have about a 1/36 chance of getting your expiry right (based on a typical card life of 3 years). 1/36 is pretty damn good odds!

Basically the only way for my CVV to be compromised is by someone actually reading it off the card. It can't be skimmed or electronically read from the card. Therefore, retailers requiring CVV basically solves both the guessing of card numbers and the card cloning issue.

So, again. Really not worried. Cards get compromised, and its much more likely to be a guess at your card number than a physical compromise.

Twitter: ajobbins

Arnifix

6 posts

Wannabe Geek

#828929 31-May-2013 18:20

Ok, there are a number of things that never seem to get mentioned in these threads, so lets clear up some facts. This information comes from my time as a fraud analyst at a NZ bank, a position I vacated only recently, so this info is as up to date as any you will get.

The idea that you can use NFC to just skim a card and then make transactions is crap.

1: All big NZ banks have fraud detection systems in place. These systems work well.

2: Skimming via NFC will grab a copy of the current data on the card. To the best of my knowledge all newly issued NFC-enabled cards in NZ support DDA (dynamic data authentication) which means that each time the card is used, the data updates. So the data that is skimmed is good for precisely one $80 transaction. The return on investment simply doesn't make it worthwhile to conduct fraud in this fashion.

3: Whilst it is frequently reported that you can skim data via NFC and use it to make purchases online, this will not be possible once the card scheme mandates requiring CVV authentication on all card-not-present transactions take affect. If I remember correctly, this is sometime next year. The reason being, the CVV that is skimmed via NFC is not (or at least should not) be the same as the one on the back of the card.

4: The banks wear liability for fraudulently conducted transactions (per terms and conditions and scheme rules) made via NFC. It is not difficult to make a fraud report, and I would be surprised if you were to receive a run-around regarding transactions. In the vast majority of circumstances, you would not be required to provide “proof” that you didn’t make the transactions.

Some general thoughts on card fraud.

Approx. 80+% of fraud attempted on cards is card-not-present fraud. Fraud resulting from the theft of cards is tiny, generally something like 7% of all attempted fraud. Counterfeit fraud is at similar levels.

The idea that removing the requirement for a PIN or signature will increase fraud is only based on a lack of understanding of the reality of the criminal landscape. Simply put, a magstripe transaction without a PIN is less secure than a NFC transaction without a PIN. While a NFC transaction with a PIN would be more secure, the convenience is vastly more worthwhile.

The idea of customers being able to customise this stuff is not reasonable in most situations. It creates an arbitrary level of complication and would delay the authentication of transactions massively. Whilst it might be technically possible, it would be a massive cost for something the vast majority of customers would not use. Honestly, your bank could spend the tens (if not hundreds) of millions to make a system capable of doing this. Wouldn’t it be better to have them actually creating useful products for a significant portion of their customer base?

Ajobbins: I would be exceedingly surprised if your cards were compromised as the result of a brute force (BIN) attack. It is very easy to detect these kinds of attacks and consequently, they are very rare (in over 4 years, I saw one or two and they were abject failures). It is more likely that it was compromised at a merchant that you had use and had subsequently been hacked.

Happy to try and answer any questions people may have.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#829024 31-May-2013 20:32

It's good to see somebody with knowledge bring some common sense to the debate.

All we keep hearing is Kyle Gibson spreading FUD at Kiwicon, and more recently Fair Go about how insecure NFC is.

Having spend the last week in the US you realise how vastly superior our credit card processing systems are.

ajobbins

5052 posts

Uber Geek

Trusted

#829062 31-May-2013 22:14

Arnifix:Ajobbins: I would be exceedingly surprised if your cards were compromised as the result of a brute force (BIN) attack. It is very easy to detect these kinds of attacks and consequently, they are very rare (in over 4 years, I saw one or two and they were abject failures). It is more likely that it was compromised at a merchant that you had use and had subsequently been hacked.

Happy to try and answer any questions people may have.

Just going by what they told me on the phone when it happened. This was NBNZ. In one instance, I got a call from a rep and they said something like "Did you just make a $2000 purchase at a printing company in Istanbul?". Of course, I hadn't, so they said it's likely they had guessed the card details, and it wasn't that uncommon. Cancelled the card and sent me a replacement. I'd never used that card online, but if it was skimmed, it seems odd they tried to use it in Istanbul rather than somewhere closer to here.

I can't remember the details of the second time.

Twitter: ajobbins

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

dacraka

766 posts

Ultimate Geek

ID Verified

Trusted

#829078 31-May-2013 23:02

They didn't need to drill two holes, all they needed to do was break the connection between just one of the many loops of thin wire and it will stop working. E.g. Just one drill would have been way more than enough.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#829104 1-Jun-2013 07:53

trevor:
Up until NFC my credit card has always been two factor authentication, i.e. I need the card and the PIN (or the correct signaure - but who does that anymore?)

With these new system it's gone down to one factor and this is therefore less secure than it use to be.

With the move to EMV (whether this be chip and PIN or NFC) your card is now more secure than it was before.

Your existing plastic card with your name, full card number and CVV code on it can be copied by anybody who sees this - if you hand it over at a café for them to swipe it in their terminal they've got full access to your card details and could make unauthorised purchases using this data. Despite having to enter the PIN or sign your security has been breached.

EMV (meaning chip and PIN and NFC) use DDA (and sometimes CDA and SDA) which effectively creates unique transaction data for each transaction. You can't clone a EMV chip, but even if you read the NFC data (essentially just the layer 2 data from the mag stripe) and clone this to a new card this can only be used for a single transaction, and because the person who captured the data wouldn't necessary have the CVV code they're very limited as to what they could do with it.

I've noticed that many retailers here in the US now have to manually enter the CVV codes into their POS systems to authenticate a credit card transaction. I've noticed things have changed a lot in the past couple of years since I was last here, back then you didn't even need to sign for most low value transactions, you simply swiped the card.

Credit cards are all about risk, and if you fail to understand risk you're going to completely miss the point when it comes to card security. The EMV standard includes multiple methods of cardholder verification, of one or a combination are used depending on the value and risk associated with the transaction or retailer.

Providing you didn't break your card terms and conditions you carry absolutely no risk of having to foot the bill for fraud.

1 | 2