23 October 2012

Is NAB Visa pay wave secure?

| xcskier
Join the conversation
20

Last week, my NAB visa debit and credit cards were stolen. The thief used the debit card at Woolies in Dickson using the pay wave facility and then proceeded to Hungry Jacks for a nice meal afterwards.

I’ve never used the pay wave facility on the cards, but I have now learned the hard way how easy it is for a thief to quickly drawn down your funds. My particular thief used the paywave facility 4 times, with 2 transactions close to the NAB paywave limit of $100 each, within one hour. According to NAB, even though there is a per pay wave transaction limit of $100, a person can use the facility up to their total daily withdrawal limit (in my case $1000).

When I asked NAB if I could opt out of pay wave they said it was now a standard feature of the cards they issue. I’m not sure if the other banks offer this facility, but I don’t like it. It might be convenient and fast, but the lack of security is troubling.

Has anyone else had a similar experience ?

Join the conversation

20
All Comments
  • All Comments
  • Website Comments
LatestOldest

davo101 said :

JC said :

Yes paywave allows people to make unauthorised transactions, however if your card is stolen then Visa will pick up the tab for any unauthorised transactions so YOU are protected.

From the NAB terms and conditions:

15.2 Your liability
You remain liable for any cash advance or purchase made by any other person before you notify NAB of the loss or theft up to a maximum of:
(a) in relation to all the uses of the card through an extra facility – the amount determined under
the terms and conditions for the extra facility (if any);

(b) in relation to all other uses of the card– a total amount of $150.

They are NABs standard conditions. Pay wave is slightly different in that Visa offers the guarantee so you should read their terms and conditions. In fact that is the major difference. Oh you will also find the low value transactions that don’t need a pin or signature are also part of pay wave and the MasterCard equivalent.

davo101 said :

c_c™ said :

For over a year now, many retailers including Woolies and Maccas have allowed swiped/chip cards to process transactions below a certain amount without a pin or signature. At Woolies, it was below $75.

Do you know if this is the same thing as the easy payment service? It seems to have only a $35 limit. I did laugh at the security provided:

Visa small ticket transactions are for low value purchases of $35 or less, which makes them an
unattractive target for fraud.

Seems to be, $35 is lower than I recall.

Then again Woolies did claim to disable certain functions on it’s card terminals, even put signs up saying so, but as anyone who continued to use those functions found, they hadn’t really.

arescarti42 said :

Don’t most credit cards not require a pin for purchases under a certain amount irrespective of whether you swipe/insert/paypass it? If security is your concern then I suspect bank card/eftpos card with a pin might just be your best bet.

That’s true. It seems to be around $30-75 depending on the store/partnerships with visa.

I reckon others are right that the risk is ATM skimming. A low value bank account with only a few hundred, and the rest in another bank account that only allows transfers between linked accounts is your best bet.

c_c™ said :

For over a year now, many retailers including Woolies and Maccas have allowed swiped/chip cards to process transactions below a certain amount without a pin or signature. At Woolies, it was below $75.

Do you know if this is the same thing as the easy payment service? It seems to have only a $35 limit. I did laugh at the security provided:

Visa small ticket transactions are for low value purchases of $35 or less, which makes them an
unattractive target for fraud.

JC said :

Yes paywave allows people to make unauthorised transactions, however if your card is stolen then Visa will pick up the tab for any unauthorised transactions so YOU are protected.

From the NAB terms and conditions:

15.2 Your liability
You remain liable for any cash advance or purchase made by any other person before you notify NAB of the loss or theft up to a maximum of:
(a) in relation to all the uses of the card through an extra facility – the amount determined under
the terms and conditions for the extra facility (if any);

(b) in relation to all other uses of the card– a total amount of $150.

Yes paywave allows people to make unauthrosied transactions, however if your card is stolen then Visa will pick up the tab for any unathorised transactions so YOU are protected.

So in ways it is better than having cash stolen because no will will cover the cash but Visa will cover transactions on a stolen card.

So really a good convienant product with enough safeguards to protect your money.

Deref said :

I got severely finger-wagged here when I suggested the same thing a couple of months back. I was reminded in no uncertain terms how the banks would never do anything that might risk the security of our private information or our money. I was grateful to be corrected. Stop being the ungrateful panic merchant that I was – embrace the technology and remember that they have nothing but our best interests at heart.

Oh shut up – you don’t know what you’re talking about! 🙂

How does the pay wave facility differ to the previous method of securing a credit card with a signature? It doesn’t, as long as you have the card, you can use it as the signature is surprise surprise on the back of the card. Pay wave on credit cards is just as secure as using a card with a swipe and signature. If someone has your card that doesn’t have a pay wave on it, they’ll have access to your signature and can swipe away.

A small metal shield around your card wont stop someone from stealing the information on your card, but thankfully in Australia it is mandated that the data is encrypted and it actually is. With a powerful enough radio you will get the data back from the card. But there is no point in doing this as its cheaper, easier and you get more cards by skimming them at the point of sale or in an ATM.

JonahBologna is on the right track, but there are no losses from fraud from the bank. They make money from consumer fraud, not only do the banks get the money back from the point of sale, they charge the merchant for the investigation and money recovery. Its brilliant.

The bank bears the risk with the paywave payments, therefore as long as you go through the correct process to report the cards stolen, you shouldn’t have a problem.

I got severely finger-wagged here when I suggested the same thing a couple of months back. I was reminded in no uncertain terms how the banks would never do anything that might risk the security of our private information or our money. I was grateful to be corrected. Stop being the ungrateful panic merchant that I was – embrace the technology and remember that they have nothing but our best interests at heart.

You should know where your card is at all times. If you don’t, cancel or suspend the card ASAP.
Any fraudulent transactions should be covered by the bank if you follow correct process.

Paywave is safer than cash or cheque.

Paywave is not the only way to use a credit card without a pin or signature.
For over a year now, many retailers including Woolies and Maccas have allowed swiped/chip cards to process transactions below a certain amount without a pin or signature. At Woolies, it was below $75.

Phenomenally insecure. Someone could literally be stealing your credit card details whilst you’re standing next to them in line. I personally don’t care because my bank foots the bill so long as I’ve taken reasonable care not to divulge information, and I love the convenience.

Henry82 said :

dominic_mhd said :

If you want to disable the chip I believe a hammer in the right spot will work.

‘If i try and swipe my card that has the chip. The pad always tells me to use the chip and enter the card

In my experience, if the card reader returns an error, It’ll prompt you to swipe it with the magnetic stripe. So you could smash the chip, but it’d be inconvenient.

Don’t most credit cards not require a pin for purchases under a certain amount irrespective of whether you swipe/insert/paypass it? If security is your concern then I suspect bank card/eftpos card with a pin might just be your best bet.

I too dislike the idea of transactions under $100 being easily done simply by using PayWave ( I am with NAB as well).
Unfortunately, no bank will issue any Visa|Mastercard debit/credit cards without RFID chip.The least they can do is allow for their customers to be able to set their own limit, before entering PIN is required (say $30-40).

xcskier, I hope that they catch the asshole who stole your cards.They should have CCTV footage.

dominic_mhd said :

If you want to disable the chip I believe a hammer in the right spot will work.

‘If i try and swipe my card that has the chip. The pad always tells me to use the chip and enter the card

JonahBologna said :

Credit cards have RFID (Radio Frequency Identification) chips implanted in them. These chips are completely INSECURE. People should only be able to read them within 30cm, but with a non-standard reader (higher voltage and better antenna) they can be read across the street. The Mythbusters wanted to show people how insecure they are but were shut down by the credit card companies:
http://www.engadget.com/2008/09/02/mythbusters-rfid-hacking-episode-canned-by-credit-card-company-l

RFID chips are becoming incredibly cheap and found in a lot of places:
MyWay cards (basically the same technology as credit cards)
Passports (only contains a unique code, no plain text identifiers or information)
consumer products (for inventory and tracking)
pets (same technology can be used to identify lost dogs)

The credit card companies have done the sums and they realise that making it incredibly easy to pay with the card (instead of cash) is more profitable than any losses from fraud. I don’t like having the liability, but the choice was made for me.

You can disable the RFID chip on your credit card. There is no consensus, but it seems like a hammer is the best way (but you need to know where in the card it is). Try an internet search for “disable credit card RFID”.

Thanks for that – I might look into it.

You’ll find most banks either offer PayWave (Visa) or PayPass (MasterCard)

http://www.commbank.com.au/personal/credit-cards/making-payments/paypass/
http://www.anz.com/contactless/
http://info.westpac.com.au/contactless/
http://ingdirect.com.au/everyday/Contactless.htm
http://www.mebank.com.au/personal/transaction_accounts/paypass.html

List goes on…

Will the NAB reinburse your stolen funds?

I don’t have a problem with it. I love it. Quick and easy.

The stolen transactions are subject to dispute proceedings. NAB told me I must wait several weeks for a refund and that I have to pay interest on the transactions in the meantime.

JonahBologna11:54 am 23 Oct 12

Credit cards have RFID (Radio Frequency Identification) chips implanted in them. These chips are completely INSECURE. People should only be able to read them within 30cm, but with a non-standard reader (higher voltage and better antenna) they can be read across the street. The Mythbusters wanted to show people how insecure they are but were shut down by the credit card companies:
http://www.engadget.com/2008/09/02/mythbusters-rfid-hacking-episode-canned-by-credit-card-company-l

RFID chips are becoming incredibly cheap and found in a lot of places:
MyWay cards (basically the same technology as credit cards)
Passports (only contains a unique code, no plain text identifiers or information)
consumer products (for inventory and tracking)
pets (same technology can be used to identify lost dogs)

The credit card companies have done the sums and they realise that making it incredibly easy to pay with the card (instead of cash) is more profitable than any losses from fraud. I don’t like having the liability, but the choice was made for me.

You can disable the RFID chip on your credit card. There is no consensus, but it seems like a hammer is the best way (but you need to know where in the card it is). Try an internet search for “disable credit card RFID”.

I think the banks consider the convenience of spending worth the risk of a stolen card, you should be able to retrieve your money easily from them. They have insurance to be able to wear a certain amount of losses.

If you want to disable the chip I believe a hammer in the right spot will work.

I love how the NAB issues their Visa Paywave cards then says, “to protect yourself from unauthorised transactions, press CR when making a payment.”

Paywave cards are not secure from an information security perspective. They are less safe than cash, since when your card gets stolen the thief has access to all your money, not just the cash you happened to have in your wallet at the time.

FWIW you can protect your Paywave card from snooping with a metal gift card tin like Bunnings used to use for their gift cards.

Daily Digest

Want the best Canberra news delivered daily? Every day we package the most popular Riotact stories and send them straight to your inbox. Sign-up now for trusted local news that will never be behind a paywall.

By submitting your email address you are agreeing to Region Group's terms and conditions and privacy policy.