Tap and pay cards?

Discussion in 'Technical Corner' started by Matthew, Jul 10, 2019.

  1. Matthew

    Matthew Touchdown! Greaser!

    Joined:
    Apr 18, 2005
    Messages:
    15,493
    Location:
    kojc, kixd, k34
    Display Name:

    Display name:
    Matthew
    Our bank is sending replacement debit cards that have 3 payment options now: the old mag strip swipe and PIN method, the chip and PIN, and now they have the NFC tap and pay method.

    I just got it yesterday, how does tap-and-pay work from a security aspect? It doesn’t seem to require a PIN, so what prevents a lost or stolen card from being used?

    I haven’t checked with my bank yet to see what sort of protection they have, like max transaction limits or other.
     
  2. Matthew

    I was able to get hold of my bank: There is no PIN required, you just wave it at an enabled register and go.

    "What prevents someone from picking up the card if I drop it and then buying stuff?"
    "Nothing. You have 60 days to report fraudulent charges, just like what would happen if someone ran it through as a credit card that doesn't require a PIN."

    OK, so I have that going for me.
     
  3. asicer

    asicer En-Route

    Joined:
    Jan 1, 2015
    Messages:
    4,246
    Display Name:

    Display name:
    asicer
    Since your card is able to draw power from the payment terminal via the RF signal, I'm pretty sure it isn't replaying the same number over and over again like a magnetic stripe would. So in that sense, it is more secure than a traditional card. I would estimate that it is approximately as secure as the chip that all cards are required to have nowadays.
     
  4. Matthew

    I guess my scenario would be: Use the card, drop it while putting it back in my wallet and not notice. Guy in line behind me sees that, picks it up, and then uses it to pay for his purchase with the tap and go function: no PIN required, and payment goes through. It's a debit card so funds are immediately withdrawn from my account, then he goes on a spending spree until our checking account is drained. Sure, we can deal with the fraud protection and get our money back, but once a debit charge goes through the funds are gone for that amount of time.

    The bank says a lost debit card can always be run as credit with no PIN necessary, so there is no difference. But are debit card charges, when run as credit, also immediately withdrawn? Maybe they are and I never really paid attention to that because I don't use it that way. If that's the case, then there isn't much difference in security between running a lost card as credit or doing the tap and pay trick.
     
  5. wayne

    wayne Cleared for Takeoff

    Joined:
    Mar 10, 2007
    Messages:
    1,269
    Location:
    Atlanta, GA
    Display Name:

    Display name:
    wayne
    That is why I don't like debit cards. I refused the debit/ATM card from the bank and got an ATM only card. Now they only do debit/ATM. :(
     
    skier and Matthew like this.
  6. Matthew

    Yeah, I might have to start keeping the debit card at home. They advertise how convenient it is to use, but it bypasses the middleman and gives direct access to the account.
     
  7. Ryan Klems

    Ryan Klems Pre-takeoff checklist

    Joined:
    May 21, 2018
    Messages:
    100
    Location:
    Tucson, AZ
    Display Name:

    Display name:
    Rowat
    I'm not a fan of using debit cards either, I keep my debit card locked up and never use it. On the rare occasion I need to get cash out, Chase now supports contactless methods, so I do have my debit card in my Apple Pay wallet for that occasion (or I go in to the branch and get cash).
     
  8. wayne

    Fortunately my debit/ATM card doesn't do tap yet. The PIN is required. I'm not sure what to do if they put the NFC/tap on it. :confused:
     
  9. asicer

    Is it also the case that no PIN is necessary when inserting the card into a chip reader? How about swiping the magnetic stripe?
     
  10. Matthew

    When you run it as debit it needs a PIN whether you use the mag strip or the chip.
     
  11. RJM62

    RJM62 Touchdown! Greaser!

    Joined:
    Jun 15, 2007
    Messages:
    12,715
    Location:
    Catskill Mountains, New York
    Display Name:

    Display name:
    Geek On The Hill
    Jesse would be the real expert on this topic, but my hunch is that it's exactly as secure as a chip card; which in the case of a lost or stolen card would mean not at all as long as no PIN is required.

    I am not a fan of PIN-less transactions of any kind. My ex brother-in-law once charged an entire trip from Syracuse to South Carolina to a credit card of mine that he lifted from my desk drawer. Requiring a PIN would have prevented that. I've also had numerous fraudulent charges on various credit cards that were compromised because of vendor or POS hacks. I got reimbursed every time, but mandatory PINs would have prevented the fraud from ever happening even if the miscreants had the card numbers.

    More recently, I dropped my Speedway MasterCard (great rewards, but don't finance anything on it) in the parking lot of the Sparrow Fart Speedway station. Fortunately, another customer was honest enough to bring it inside and give it to the cashier.

    What we have in the United States is fraud reimbursement. When my card numbers were stolen in the various hacks and breaches I've been caught up in, it never cost me a penny in the end. But I'd still rather have fraud prevention in the form of at least the option to require a PIN for any card, credit or debit.

    I find it hard to believe that the cost of implementing mandatory PINs (or at least the consumer option to disable PIN-less transactions) wouldn't pay for itself in the form of reduced fraud reimbursement payouts. I'd think the banking industry would embrace that with open arms. Again, I suspect Jesse would be the one who knows why this isn't the case.

    Rich
     
    TCABM likes this.
  12. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser! PoA Supporter

    Joined:
    Feb 23, 2005
    Messages:
    16,992
    Location:
    west Texas
    Display Name:

    Display name:
    Dave Taylor
    Meaning you and I pay for every theft/scam/fraudulent transaction even if it is caused by consumer carelessness.
     
    1RTK1, RJM62 and Cap'n Jack like this.
  13. Heftiger

    Heftiger Pre-takeoff checklist

    Joined:
    Nov 13, 2013
    Messages:
    282
    Display Name:

    Display name:
    Heftiger
    There was some backlash when the chip and pin legislation first started. Retailers complained that the transaction time length would increase and would cause them to lose business. They pressured enough to change the legislation to not include pin. Stupid idea IMO. Chip and pin would be way better.
     
    RJM62 likes this.
  14. EppyGA

    EppyGA Touchdown! Greaser!

    Joined:
    Jan 6, 2009
    Messages:
    10,585
    Location:
    Hoschton, GA
    Display Name:

    Display name:
    Let's Fly
    Had a CC compromised a couple of weeks ago. It is a card only used at two hosting companies and occasionally at Amazon. Someone bought gas in Philly with the number, not entirely sure how you do that without a physical card. I've contacted both hosting companies and got a "it would never happen with us, yada yada" from one company and crickets from the other company. Both have offices in the NE.
     
  15. gkainz

    gkainz Final Approach

    Joined:
    Feb 23, 2005
    Messages:
    7,917
    Location:
    Arvada, CO
    Display Name:

    Display name:
    Greg Kainz
    I had a card compromised a month or 2 ago and all the fraudulent charges were gas stations. Agreed - how do they do that without a card? Maybe print their own mag stripe with my numbers on a dummy card?
     
  16. Skip Miller

    Skip Miller Final Approach

    Joined:
    Feb 22, 2005
    Messages:
    5,003
    Location:
    New York City
    Display Name:

    Display name:
    Skip Miller
    I had my Visa compromised two weeks ago. The next day the Visa fraud department called about $12,000 worth of fraudulent charges. The big ticket item seems to have been a $4,000 big screen TV purchased in London, England. The charge is still listed as 'in review' but I expect it to be removed shortly...
     
  17. Ghery

    Ghery Final Approach

    Joined:
    Feb 25, 2005
    Messages:
    9,766
    Location:
    Olympia, Washington
    Display Name:

    Display name:
    Ghery Pettit
    We've had cards "compromised" according to the BoA (or potentially compromised) and they quickly send out a replacement. The only times I had fraudulent charges were a few years ago when my wife left her wallet in the unlocked car and someone helped themselves to it, 24 years ago when someone ran up some fraudulent charges on an Amex card that had never left my wallet (still don't know how they got the number, and getting Amex to reverse the charges was like pulling teeth, never having an Amex card in my name again) and 40 years ago when a chain of gas stations in California sent a card in my name to an address where we no longer lived and the new occupants used the card (briefly).

    That said, the only things I use my ATM card for are purchases at Safeway and getting cash from an ATM (in the US or overseas). Credit card for everything else (if I'm not paying cash). Very few problems over the years, but a little paranoia can be a healthy thing.
     
  18. flyingron

    flyingron Touchdown! Greaser!

    Joined:
    Jul 31, 2007
    Messages:
    17,050
    Location:
    Catawba, NC
    Display Name:

    Display name:
    FlyingRon
    Most contact cards (chip) don't require a PIN in the US either so there's not a whole lot of difference in the contact vs. contactless transaction. I've only got one contactless card in my wallet. I've had several of my other cards compromised. One I suspect got skimmed at an urban-area gas pump. The others were compromised in ways unrelated to the physical card itself.

    Of course, there's a niche industry selling RF proof wallets to the gullible. I always like the fact they show the chip contacts as the sign of a vulnerable card (I pointed out to a friend that those contacts are NOT the RF part, the only way you can tell if you have an NFC card is if they printed the little wave logo on it).
     
  19. Shawn

    Shawn En-Route

    Joined:
    May 6, 2013
    Messages:
    3,654
    Location:
    Santa Cruz, CA
    Display Name:

    Display name:
    Shawn
    I never use debit card for any purchases for one simple reason: A charge is direct access to YOUR money in your account and immediately removed. If there is fraud you have to fight to get your money back. With a Credit Card, you are paying with the bank's money...and if there is fraud, they freeze your payment on that charge while they investigate the fraud...you are never out a dime.

    Always play with the House's money!

    I don't even really carry my Debit card for cash withdrawals since Wells Fargo has a one-time ATM access code you can enter off their App to access all your accounts.

    The NFC tap is no different from the chip or swipe. If the merchant does not check ID...does not matter how the reader receives the info.

    Now there is a whole industry of RFID blocker wallets because someone brushing up against you with a scanner and reading your cards is actually a thing.
     
    Last edited: Jul 12, 2019
  20. Shawn

    It is super easy to skim info from the stripe with a micro reader and reprint that onto another card. You can buy the stuff off Amazon, it is not proprietary technology. That is why cards are going to the chip and NFC.
     
  21. Matthew

    My wallet has one of those RFID shields. I don't know if it does any good or not, but I do know that it will always trigger a metal detector.
     
  22. Shawn

    It is kinda like what are the odds that you get pick pocketed...but as the RFID/NFC technology becomes more prevalent, the technology already exists to pickpocket you simply by getting close enough without having to reach in to your physical pocket anymore.
     
  23. asicer

    I'm pretty sure that NFC cards are not replaying the same sequence each time. Or are they?

    If it's a 2-way handshake or even a rolling code, how would the scanner be of use?
     
  24. JGoodish

    JGoodish Cleared for Takeoff

    Joined:
    Jun 10, 2006
    Messages:
    1,332
    Display Name:

    Display name:
    JGoodish
    There is no doubt that chip + PIN is more secure than chip or contactless alone, but chip or contactless is far more secure than the traditional magnetic stripe cards. The chip cards will provide protection in the event of a theft of account data on the merchant side, but of course not against theft of the card.

    I have one contactless-enabled card in my wallet, but it doesn’t always seem to work as contactless on terminals enabled for it. When it does work, it usually has to be held in physical contact with the terminal. It’s usually just faster to insert the chip.

    I have been using Apple Pay more frequently where accepted, and it works much better with contactless terminals and is always secured with a PIN (passcode).
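
    The replay question asked earlier in the thread and the point above about merchant-side data theft versus card theft, as an added example that is not part of any poster's message: a simplified model of a per-transaction cryptogram built from a card secret, a terminal-chosen number and a card-side counter. HMAC-SHA256, the field sizes, the sample key and the names `Card`, `Issuer` and `demo` are assumptions for illustration; real EMV cards use their own key derivation and MAC algorithms.

```python
import hashlib
import hmac
from dataclasses import dataclass

def _mac(key: bytes, amount_cents: int, nonce: bytes, atc: int) -> bytes:
    # HMAC-SHA256 stands in for the card's real cryptogram algorithm (assumption).
    msg = amount_cents.to_bytes(6, "big") + nonce + atc.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

@dataclass
class Card:
    key: bytes      # secret shared with the issuer; never sent over the air
    atc: int = 0    # transaction counter, incremented on every tap

    def tap(self, amount_cents: int, nonce: bytes):
        self.atc += 1
        return self.atc, _mac(self.key, amount_cents, nonce, self.atc)

@dataclass
class Issuer:
    key: bytes
    last_atc: int = 0

    def authorize(self, amount_cents: int, nonce: bytes, atc: int, cryptogram: bytes) -> str:
        expected = _mac(self.key, amount_cents, nonce, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        if atc <= self.last_atc:
            return "declined: counter already used"
        self.last_atc = atc
        return "approved"

def demo() -> dict:
    key = bytes(range(16))                      # constructed sample key
    card, issuer = Card(key), Issuer(key)
    n1, n2 = bytes.fromhex("a1b2c3d4"), bytes.fromhex("0badf00d")  # constructed terminal numbers
    results = {}
    atc, cg = card.tap(1250, n1)                # genuine tap
    results["genuine"] = issuer.authorize(1250, n1, atc, cg)
    # Captured message resent unchanged: the counter value is already spent.
    results["replay_same"] = issuer.authorize(1250, n1, atc, cg)
    # Captured cryptogram presented where the terminal chose a different number.
    results["replay_new_nonce"] = issuer.authorize(1250, n2, atc, cg)
    # Physical card in someone else's hand: nothing in this flow asks for a PIN.
    atc2, cg2 = card.tap(4000, n2)
    results["found_card"] = issuer.authorize(4000, n2, atc2, cg2)
    return results

if __name__ == "__main__":
    print(demo())
```

    Captured data fails on replay, but the physical card itself keeps producing valid cryptograms, which is why a no-PIN lost card remains usable until it is reported.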
     
  25. flyingron

    Yep, the fraudulent RFID wallet commercial shows a fake device showing your "personal information" lifted from the card. There actually is some of that on the mag stripe (pretty much the same stuff that's printed on the card itself plus a few more bits). But the chip is pretty secure. The easier way to compromise that is to tap into the reader's communications line going to the POS unit or the card processor.
     
  26. asicer

    Well either a leading multinational cyber security firm is issuing fake news or an infomercial is issuing fake news...

    https://usa.kaspersky.com/blog/contactless-payments-security/5705/

    Screenshot_2019-07-12-14-34-31-410.jpeg