Tap and pay cards?

Matthew

Our bank is sending replacement debit cards that have 3 payment options now: the old mag strip swipe and PIN method, the chip and PIN, and now they have the NFC tap and pay method.

I just got it yesterday, how does tap-and-pay work from a security aspect? It doesn’t seem to require a PIN, so what prevents a lost or stolen card from being used?

I haven’t checked with my bank yet to see what sort of protection they have, like max transaction limits or other.
 
I was able to get hold of my bank: There is no PIN required, you just wave it at an enabled register and go.

"What prevents someone from picking up the card if I drop it and then buying stuff?"
"Nothing. You have 60 days to report fraudulent charges, just like what would happen if someone ran it through as a credit card that doesn't require a PIN."

OK, so I have that going for me.
 
Since your card is able to draw power from the payment terminal via the RF signal, I'm pretty sure it isn't replaying the same number over and over again like a magnetic stripe would. So in that sense, it is more secure than a traditional card. I would estimate that it is approximately as secure as the chip that all cards are required to have nowadays.
 
Since your card is able to draw power from the payment terminal via the RF signal, I'm pretty sure it isn't replaying the same number over and over again like a magnetic stripe would. So in that sense, it is more secure than a traditional card. I would estimate that it is approximately as secure as the chip that all cards are required to have nowadays.
I guess my scenario would be: Use the card, drop it while putting it back in my wallet and not notice. Guy in line behind me sees that, picks it up, and then uses it to pay for his purchase with the tap and go function: no PIN required, and payment goes through. It's a debit card so funds are immediately withdrawn from my account, then he goes on a spending spree until our checking account is drained. Sure, we can deal with the fraud protection and get our money back, but once a debit charge goes through the funds are gone for that amount of time.

The bank says a lost debit card can always be run as credit with no PIN necessary, so there is no difference. But are debit card charges, when run as credit, also immediately withdrawn? Maybe they are and I never really paid attention to that because I don't use it that way. If that's the case, then there isn't much difference in security between running a lost card as credit or doing the tap and pay trick.
 
That is why I don't like debit cards. I refused the debit/ATM card from the bank and got an ATM only card. Now they only do debit/ATM. :(
 
That is why I don't like debit cards. I refused the debit/ATM card from the bank and got an ATM only card. Now they only do debit/ATM. :(
Yeah, I might have to start keeping the debit card at home. They advertise how convenient it is to use, but it bypasses the middleman and gives direct access to the account.
 
I'm not a fan of using debit cards either, I keep my debit card locked up and never use it. On the rare occasion I need to get cash out, Chase now supports contactless methods, so I do have my debit card in my Apple Pay wallet for that occasion (or I go in to the branch and get cash).
 
Fortunately my debit/ATM card doesn't do tap yet. The PIN is required. I'm not sure what to do if they put the NFC/tap on it. :confused:
 
I guess my scenario would be: Use the card, drop it while putting it back in my wallet and not notice. Guy in line behind me sees that, picks it up, and then uses it to pay for his purchase with the tap and go function: no PIN required, and payment goes through. It's a debit card so funds are immediately withdrawn from my account, then he goes on a spending spree until our checking account is drained. Sure, we can deal with the fraud protection and get our money back, but once a debit charge goes through the funds are gone for that amount of time.

The bank says a lost debit card can always be run as credit with no PIN necessary, so there is no difference. But are debit card charges, when run as credit, also immediately withdrawn? Maybe they are and I never really paid attention to that because I don't use it that way. If that's the case, then there isn't much difference in security between running a lost card as credit or doing the tap and pay trick.
Is that also the case that no PIN is necessary when inserting the card into a chip reader? How about swiping the magnetic stripe?
 
Is that also the case that no PIN is necessary when inserting the card into a chip reader? How about swiping the magnetic stripe?
When you run it as debit it needs a PIN whether you use the mag strip or the chip.
 
Jesse would be the real expert on this topic, but my hunch is that it's exactly as secure as a chip card; which in the case of a lost or stolen card would mean not at all as long as no PIN is required.

I am not a fan of PIN-less transactions of any kind. My ex brother-in-law once charged an entire trip from Syracuse to South Carolina to a credit card of mine that he lifted from my desk drawer. Requiring a PIN would have prevented that. I've also had numerous fraudulent charges on various credit cards that were compromised because of vendor or POS hacks. I got reimbursed every time, but mandatory PINs would have prevented the fraud from ever happening even if the miscreants had the card numbers.

More recently, I dropped my Speedway MasterCard (great rewards, but don't finance anything on it) in the parking lot of the Sparrow Fart Speedway station. Fortunately, another customer was honest enough to bring it inside and give it to the cashier.

What we have in the United States is fraud reimbursement. When my card numbers were stolen in the various hacks and breaches I've been caught up in, it never cost me a penny in the end. But I'd still rather have fraud prevention in the form of at least the option to require a PIN for any card, credit or debit.

I find it hard to believe that the cost of implementing mandatory PINs (or at least the consumer option to disable PIN-less transactions) wouldn't pay for itself in the form of reduced fraud reimbursement payouts. I'd think the banking industry would embrace that with open arms. Again, I suspect Jesse would be the one who knows why this isn't the case.

Rich
 
I find it hard to believe that the cost of implementing mandatory PINs (or at least the consumer option to disable PIN-less transactions) wouldn't pay for itself in the form of reduced fraud reimbursement payouts. I'd think the banking industry would embrace that with open arms. Again, I suspect Jesse would be the one who knows why this isn't the case.

Rich

There was some backlash when the chip and PIN legislation first started. Retailers complained that the transaction time length would increase and would cause them to lose business. They pressured enough to change the legislation to not include PIN. Stupid idea IMO. Chip and PIN would be way better.
 
Had a CC compromised a couple of weeks ago. It is a card only used at two hosting companies and occasionally at Amazon. Someone bought gas in Philly with the number, not entirely sure how you do that without a physical card. I've contacted both hosting companies and got an "it would never happen with us, yada yada" from one company and crickets from the other company. Both have offices in the NE.
 
I had a card compromised a month or 2 ago and all the fraudulent charges were gas stations. Agreed - how do they do that without a card? Maybe print their own mag stripe with my numbers on a dummy card?
 
I had my Visa compromised two weeks ago. The next day the Visa fraud department called about $12,000 worth of fraudulent charges. The big ticket item seems to have been a $4,000 big screen TV purchased in London, England. The charge is still listed as 'in review' but I expect it to be removed shortly...
 
We've had cards "compromised" according to BoA (or potentially compromised) and they quickly send out a replacement. The only times I had fraudulent charges were a few years ago when my wife left her wallet in the unlocked car and someone helped themselves to it, 24 years ago when someone ran up some fraudulent charges on an Amex card that had never left my wallet (still don't know how they got the number, and getting Amex to reverse the charges was like pulling teeth, never having an Amex card in my name again) and 40 years ago when a chain of gas stations in California sent a card in my name to an address where we no longer lived and the new occupants used the card (briefly).

That said, the only things I use my ATM card for are purchases at Safeway and getting cash from an ATM (in the US or overseas). Credit card for everything else (if I'm not paying cash). Very few problems over the years, but a little paranoia can be a healthy thing.
 
Most contact cards (chip) don't require a PIN in the US either so there's not a whole lot of difference in the contact vs. contactless transaction. I've only got one contactless card in my wallet. I've had several of my other cards compromised. One I suspect got skimmed at an urban-area gas pump. The others were compromised in ways unrelated to the physical card itself.

Of course, there's a niche industry selling RF proof wallets to the gullible. I always like the fact they show the chip contacts as the sign of a vulnerable card (I pointed out to a friend that those contacts are NOT the RF part, the only way you can tell if you have an NFC card is if they printed the little wave logo on it).
 
I never use debit card for any purchases for one simple reason: A charge is direct access to YOUR money in your account and immediately removed. If there is fraud you have to fight to get your money back. With a Credit Card, you are paying with the bank's money...and if there is fraud, they freeze your payment on that charge while they investigate the fraud...you are never out a dime.

Always play with the House's money!

I don't even really carry my Debit card for cash withdrawals since Wells Fargo has a one time ATM access code you can enter off their App to access all your accounts.

The NFC tap is no different from the chip or swipe. If the merchant does not check ID...does not matter how the reader receives the info.

Now there is a whole industry of RFID blocker wallets because someone brushing up against you with a scanner and reading your cards is actually a thing.
 
how do they do that without a card? Maybe print their own mag stripe with my numbers on a dummy card?

It is super easy to skim info from the stripe with a micro reader and reprint that onto another card. You can buy the stuff off Amazon, it is not proprietary technology. That is why cards are going to the chip and NFC.
 
Now there is a whole industry of RFID blocker wallets because someone brushing up against you with a scanner and reading your cards is actually a thing.

My wallet has one of those RFID shields. I don't know if it does any good or not, but I do know that it will always trigger a metal detector.
 
My wallet has one of those RFID shields. I don't know if it does any good or not, but I do know that it will always trigger a metal detector.

It is kinda like what are the odds that you get pickpocketed...but as the RFID/NFC technology becomes more prevalent, the technology already exists to pickpocket you simply by getting close enough without having to reach into your physical pocket anymore.
 
Now there is a whole industry of RFID blocker wallets because someone brushing up against you with a scanner and reading your cards is actually a thing.
I'm pretty sure that NFC cards are not replaying the same sequence each time. Or are they?

If it's a 2-way handshake or even a rolling code, how would the scanner be of use?
 
There is no doubt that chip + PIN is more secure than chip or contactless alone, but chip or contactless is far more secure than the traditional magnetic stripe cards. The chip cards will provide protection in the event of a theft of account data on the merchant side, but of course not against theft of the card.

I have one contactless-enabled card in my wallet, but it doesn’t always seem to work as contactless on terminals enabled for it. When it does work, it usually has to be held in physical contact with the terminal. It’s usually just faster to insert the chip.

I have been using Apple Pay more frequently where accepted, and it works much better with contactless terminals and is always secured with a PIN (passcode).
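Added example, not part of the thread or any poster's code: a simplified Python model of the per-transaction cryptogram that chip and contactless cards send, showing why data captured from one tap or stolen from a merchant cannot be reused the way copied magnetic stripe data can. HMAC-SHA256 stands in for the payment networks' own MAC and key derivation, and the class names, message layout and card number are constructed for illustration.

```python
import hashlib
import hmac
import os

def cryptogram(key, atc, nonce, amount):
    # MAC over card counter, terminal nonce and amount (HMAC is a stand-in).
    data = atc.to_bytes(2, "big") + nonce + amount.to_bytes(6, "big")
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class Issuer:
    """Bank side: knows each card's key and the last counter it accepted."""
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, pan):
        self.keys[pan], self.last_atc[pan] = os.urandom(32), 0
        return self.keys[pan]

    def authorize(self, msg):
        pan, atc, nonce, amount, mac = msg
        if pan not in self.keys:
            return "DECLINE: unknown card"
        expected = cryptogram(self.keys[pan], atc, nonce, amount)
        if not hmac.compare_digest(expected, mac):
            return "DECLINE: bad cryptogram"
        if atc <= self.last_atc[pan]:
            return "DECLINE: counter reused"
        self.last_atc[pan] = atc
        return "APPROVE"

class ChipCard:
    """Card side: key never leaves the chip; counter advances on every tap."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def tap(self, nonce, amount):
        self.atc += 1
        mac = cryptogram(self._key, self.atc, nonce, amount)
        return (self.pan, self.atc, nonce, amount, mac)

def demo():
    issuer = Issuer()
    pan = "4000000000000002"  # constructed card number, not a real account
    card = ChipCard(pan, issuer.enroll(pan))
    first = card.tap(os.urandom(4), 1250)            # genuine tap, amount in cents
    p, atc, nonce, _, mac = first
    return [issuer.authorize(first),                  # genuine message
            issuer.authorize(first),                  # identical message replayed
            issuer.authorize((p, atc + 1, nonce, 99900, mac)),  # edited copy
            issuer.authorize(card.tap(os.urandom(4), 300))]     # next real tap
```

The model covers copied data only: whoever physically holds the card still gets valid cryptograms from it, which is the lost-card case the thread starts with.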
 
Yep, the fraudulent RFID wallet commercials show a fake device showing your "personal information" lifted from the card. There actually is some of that on the mag stripe (pretty much the same stuff that's printed on the card itself plus a few more bits). But the chip is pretty secure. The easier way to compromise that is to tap into the reader's communications line going to the POS unit or the card processor.
 