Geekzone: technology news, blogs, forums
228 posts

Master Geek


  #641536 15-Jun-2012 17:55

A second-factor auth via PIN would be slightly more comforting (along with SMS/TXT notification for every transaction), but I still have some trouble understanding why an uncontrolled radio broadcast that could be picked up via some pretty easy-to-acquire hardware with little to no vetting is more secure than a system I have better control over (never mind the massive privacy issues being completely ignored).

* http://www.nfc.cc/2012/04/02/android-app-reads-paypass-and-paywave-creditcards/
* http://www.shmoocon.org/2012/videos/CreditCardFraud.m4v (Paget @ Shmoocon 2012)

Admittedly we shouldn't believe everything we read online, but I do not see why I should be forced to adopt something that I do not need or have any intention to use.
I am not alone in these concerns, so either there is an issue with user-education/adoption, or there are still technical/security issues that have not been adequately resolved.

Saying the merchant/bank will simply absorb the risk is unacceptable, when not being exposed to begin with is a better solution.




FLOSS'er


29124 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  #641564 15-Jun-2012 18:53

freakalad:
Saying the merchant/bank will simply absorb the risk is unacceptable, when not being exposed to begin with is a better solution.


Except the basis of every bank is risk management. Every single task is about evaluating risk.

I would suggest you really read up about the changes being made as EMV and NFC are rolled out in the US. I'd pick after this you'll probably want to avoid going anywhere near a credit card.


 
 
 
 


1245 posts

Uber Geek


  #641953 16-Jun-2012 21:44

Curious, with all these scary posts about the horrible things that could happen when an NFC card is stolen: has anyone actually been a direct victim of pay pass / pay wave?

The last reported incident was skimming EFTPOS cards by Canadians rather than exploiting NFC technology.

gzt

11545 posts

Uber Geek

Lifetime subscriber

  #641961 16-Jun-2012 22:14

No. But banks do not publicize fraud. Successful fraud even less so.




Signature goes here.

29124 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  #642005 17-Jun-2012 09:26

The introduction of chip and PIN in Australia along with NFC has seen credit card fraud levels drop substantially. Banks don't publicise fraud levels because they're a risk based % at the end of the day, but it's safe to say the new technology is resulting in downwards movement, not upwards.

Those who keep saying NFC is risky need to remember as I keep pointing out that in the US you have never needed a pin or signature for low value credit card purchases, so the move to NFC changes nothing.

1923 posts

Uber Geek


  #642020 17-Jun-2012 10:30

freakalad: A second-factor auth via PIN would be slightly more comforting (along with SMS/TXT notification for every transaction), but I still have some trouble understanding why an uncontrolled radio broadcast that could be picked up via some pretty easy-to-acquire hardware with little to no vetting is more secure than a system I have better control over (never mind the massive privacy issues being completely ignored).

* http://www.nfc.cc/2012/04/02/android-app-reads-paypass-and-paywave-creditcards/
* http://www.shmoocon.org/2012/videos/CreditCardFraud.m4v (Paget @ Shmoocon 2012)

Admittedly we shouldn't believe everything we read online, but I do not see why I should be forced to adopt something that I do not need or have any intention to use.
I am not alone in these concerns, so either there is an issue with user-education/adoption, or there are still technical/security issues that have not been adequately resolved.

Saying the merchant/bank will simply absorb the risk is unacceptable, when not being exposed to begin with is a better solution.

This sounds like the same concerns folk first had when credit cards were introduced...
Why do I want one? Someone could steal it and copy my signature.

You signed up for a Credit/debit card under the bank's T's & C's... and guessing you didn't have an issue with that.
NFC is simply the next iteration of making it easier for you to cycle your money thru transaction systems. As folk have said, the risk lies with the banks (it's their system). The responsibility lies with you, same way you're currently responsible for your credit/debit cards.

228 posts

Master Geek


  #642039 17-Jun-2012 11:25

not quite the same - with both magstripe+sign & chip+PIN, you have to give explicit auth, and is a token control on the holder's part. if the merchant or bank do not have their act together in validating that auth, then the onus falls on them, since I've done what I reasonably could on my end.

on RFID it's nowhere the same thing - even if the card does not leave my wallet, pocket or bag, the data (i.e. the important, juicy bits) still leak outside of my control, and there is no additional auth validation involved.

saying that this is the same data that's used for online purchases is one of the weakest cop-outs I've heard - if they can completely eliminate online fraud & the black-market in carding has been decimated, *then* that argument might have merit.

if the system as it is has merit, then I should be able to print that data (maybe in QR-code format) on a t-shirt & walk around with that - at least that way I might have a better idea who's picking up the data by virtue of a camera pointing at me.




FLOSS'er


 
 
 
 


29124 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  #642041 17-Jun-2012 11:31

I suggest you cancel your credit cards.

You want a complete redesign of the entire system to move from a risk based one to a fully secure system that completely eliminates fraud. This isn't ever going to happen. At the same time you may as well get rid of cash because it can easily be stolen.



228 posts

Master Geek


  #642323 18-Jun-2012 07:49

I don't have a credit card, but a debit card (oddly enough I can get a special-order CC without RFID; probably old stock), to limit risk.
I only have as much money in my wallet & the account linked to the card as I'm willing to lose at any given time - a mitigation factor I've introduced myself & something I can have control over.

This is not just a whinge about getting things my way, but a need to limit my risk & exposure, and not having to take on more than is absolutely necessary. A few $$$ I'm willing to part with - but not the data.

Being told that "it's all OK because we say it's so" is no good.




FLOSS'er


23462 posts

Uber Geek

Trusted
Subscriber

  #642393 18-Jun-2012 10:24

If you want to limit your exposure then lose the debit card and get a credit card where you only have a max of $50 exposure and that is never enforced anyway.

Debit cards are the worst idea ever, you lose the interest free period, shoulder the risk with your own money and the merchants are still paying the same fees.




Richard rich.ms

228 posts

Master Geek


  #642401 18-Jun-2012 10:36

good idea, thanks.




FLOSS'er


29124 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  #642420 18-Jun-2012 11:04

freakalad: I don't have a credit card, but a debit card (oddly enough I can get a special-order CC without RFID; probably old stock), to limit risk.
I only have as much money in my wallet & the account linked to the card as I'm willing to lose at any given time - a mitigation factor I've introduced myself & something I can have control over.

This is not just a whinge about getting things my way, but a need to limit my risk & exposure, and not having to take on more than is absolutely necessary. A few $$$ I'm willing to part with - but not the data.

Being told that "it's all OK because we say it's so" is no good.


Debit cards are bad, very bad. For somebody who's so paranoid getting rid of this would be the first thing I'd do!

The biggest issue is that if you have any fraud you're going to have the money taken from your account and then the bank will have to put it back, whereas with a credit card you've never actually paid for the fraudulent charges. You also can't use them at many hotels and rental car companies, and if you can it's your money being held for the pre auth rather than simply a hold put on the credit card itself.

At the end of the day, providing you're not breaking your bank terms and conditions your money is safe, but there are some major downsides to debit cards.

228 posts

Master Geek


  #644597 22-Jun-2012 10:35

I can appreciate that there are a number of shortcomings & vulnerabilities in all these systems, but what I want is to address & get a modicum of control over this one issue/"feature" - RFID.

Maybe I'm paranoid... maybe not:
* http://www.scmagazine.com.au/News/305881,android-app-steals-contactless-credit-card-data.aspx
* https://github.com/thomasskora/android-nfc-paycardreader




FLOSS'er


23462 posts

Uber Geek

Trusted
Subscriber

  #644645 22-Jun-2012 11:41

If you have taken all steps to protect it then you are not liable.

Why try to fix a problem that is not yours? The problem goes back to the merchants that accept the fraudulent cards, and to banks that allow withdrawals using the fake cards. Not you. Not your problem to fix.




Richard rich.ms

29124 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  #644660 22-Jun-2012 12:06

freakalad: I can appreciate that there are a number of shortcomings & vulnerabilities in all these systems, but what I want is to address & get a modicum of control over this one issue/"feature" - RFID.

Maybe I'm paranoid... maybe not:
* http://www.scmagazine.com.au/News/305881,android-app-steals-contactless-credit-card-data.aspx
* https://github.com/thomasskora/android-nfc-paycardreader


I have far greater concerns from a risk perspective that my credit card number, name and expiry date is printed on the front of my card. This can be viewed by staff at every store I visit that doesn't have a pinpad allowing self swiping/inserting of my card and requires me to hand them my card.

You're pointing out a very low risk compromise that realistically can't be done without physical access to the card. Despite people making all sorts of claims about capturing RFID data at a distance the reality is this doesn't work very well at all.

I'm pointing out a very valid risk that is incurred every time I use my card. What do you perceive as the greatest risk?

