24 March 2012

No-signature credit cards

| Deref
Join the conversation
42

Paying for petrol this morning, I stuck my card in the reader and entered my PIN – “incorrect PIN” came the message, so I tried again and, again, got the same message.

“Just tap it, buddy” said the attendant (risking a stern finger-wagging for the use of that appalling American appellation). Mistaking my chagrin at his “buddy” for confusion, he took my card, tapped it on the top of the reader, and the transaction was confirmed.

I know about these “tap to pay” cards and, understanding what an incredible security risk they are, refused to have one. But obviously my ordinary card already has the embedded proximity chip. So here was a clear indication that I might be using a dodgy card, but neither the attendant nor the machine gave a flying feck.

Who thought <i>that</i> was a good idea? Can I disable this idiocy or am I stuck with it?

Join the conversation

42
All Comments
  • All Comments
  • Website Comments
LatestOldest

Yawn, cut up the card and line up to see a bank teller for cash if you can be bothered keeping track of where your card is at all times.

My card only permits under $35 transactions to go through. To be honest I am really not bothered about someone stealing my card and going nuts with $35 transactions, good luck to them my card is nearly maxed out anyway (on a very low limit).

I’m more concerned by the local school bus running me over in the morning.

c_c said :

I don’t agree with the people who fear this technology, but in fairness I will say the banks a bit behind the times too.

I don’t exactly ‘fear’ the technology. I do however understand the risks and abuses that have been going on with the rfid chips within the credit cards. There’s already been cases of people skimming by way of RFID readers. Sure, you get the money back eventually but the hassle of having to wait to get it back along with all the hoops you have to jump.

Banks aren’t loveable entities who take your word for it that you just had your money stolen by an electronic pick pocket. They do take the “Sure buddy, sure you didn’t spend it…” attitude. Worst case scenario is accounts being locked and having little to no access to your own money while an investigation is done, that’s what people fear the most.

But yes, it seems they’ve rushed out the ‘convenience’ of this tech in credit cards without really putting in security features that balance out the ease of it.

You’ve all shamed me. I now see the error of my ways. How could I ever have doubted the Good and Benevolent banking industry? I now understand that they hold all of my best interests uppermost in their hearts and that everything they do has the sole purpose of making my life easier, more rewarding, safer and more secure. Thank you.

And thanks, too, for teaching me that replacing Australian slang with American slang is a wonderful thing that can only break down the barriers of identity that separate us from our Great and Powerful Friends.

I’m much obligated to y’all. And now I’m gonna mosey on down t’ the drug store to get me a soda pop and some candy. So long, podners.

Erg0 said :

quewastaken said :

Apparently you can wrap your card in tinfoil and it will prevent somebody walking past and skimming information. Don’t know how valid that is though.

Same applies to your brain, I hear.

Stops unscrupulous Reiki practitioners syphoning off your energy for use on horses too.

I don’t agree with the people who fear this technology, but in fairness I will say the banks a bit behind the times too.

Most of them still use older style 128bit encryption over the 256bit many commerce sites use. In fact the weakest link in financial security according to surveys isn’t the user, but wherever their details are handled, including banks, hospitals and educational institutions. Government agencies too are terrible with it. Some of the biggest breaches of security has been people getting into, or people accidentally leaking millions of records from government or bank systems.

I would also say though that the card system isn’t secured to it’s full potential. What about photos on bank/credit cards with holograms? What about finger print authentication? This isn’t way out technology anymore, my access ID has a photo and RFID. Public service has used photo+RFID cards for a decade or more.

Don’t you hate it when the service station employee knows something that you obviously don’t

quewastaken said :

Apparently you can wrap your card in tinfoil and it will prevent somebody walking past and skimming information. Don’t know how valid that is though.

Same applies to your brain, I hear.

I have a smartphone and online banking. The account my visa debit card is linked to (the only bankcard I have) never has more than about $20 in it. I’ve got a few bank accounts with the same bank, and my paycheck goes into one that can only be accessed by phone/internet banking. If I ever need to pay for something I just spend 30 seconds moving the money over before I get to a checkout/atm/eftpos machine. If someone ever does get a hold of my card or walks past with a scanner and gets my card info, they might be able to buy themselves some maccas before their spending spree ends.

I personally think it’s one of the worst ideas I’ve come across, but I have learnt to embrace my inner sloth and now use it regularly wherever it’s available.

Apparently you can wrap your card in tinfoil and it will prevent somebody walking past and skimming information. Don’t know how valid that is though.

Woody Mann-Caruso7:49 pm 25 Mar 12

How is “iron-clad” an americanism?

Was clicking the link too hard for you, buddy? Or do you just think you know more than the chums at the OED, pal?

Note. When the question of protecting ships of war, etc., by iron or steel armour first aroused general attention (c1859), various terms were used to describe ships so protected […] iron-clad, occasionally used in England before, appears to have come into common use at first in the United States, during the Civil War, and established itself as the preferred term c1862–3, its adaptability as a substantive facilitating its general adoption. But its official use in England dates from c1866.

3. fig. (chiefly U.S.) Of an extremely strict or rigorous character; so framed as to be incapable of being evaded, as a regulation, agreement, etc.

ironclad oath: an oath characterized by the severity of its requirements and penalties; esp. applied to the rigorous oath required by the United States Government from certain official and other persons after the civil war of 1861–5. ( Cent. Dict.)

Suck it, cobber!

If you contact your card issuer you will find that the $30 transactions are only to the value of $100 per day – After this amount you need to either sign or put in your pin!

Sandman said :

I’m with the OP on this. I got a nasty shock the first time i put my eftpos card in a machine and it just approved it. I didn’t ask my bank for a Debit Mastercard either. I found it in a pile of mail that I had put down while walking through the garage and then rediscovered over 9 months later.

All cards now stay at home and I carry cash. Wouldn’t take long to empty my bank account with $30 transactions if I lost my card, and don’t the banks only cover the fraud occurring AFTER you’ve reported it stolen or lost?

Yes. I imagine that carrying around cash is far more secure than carrying around a card.

Woody Mann-Caruso said :

/lols at the berk* who thinks ‘buddy’ is an Americanism while using American English like ‘iron-clad’

*English enough for you, ‘mate’?

How is “iron-clad” an americanism?

As I understand it, the ironclad came out of the naval technology arms race between France and Britain, with the French building the first cuirassé in 1858, the British following up with one of their own in 1860.

I’m sure the Yanks try to take the credit for the technology, just as they have tried to do with the telephone, computer, flight, and all sorts of other technologies where they have a spurious revisionist history naming themselves as “first”.

dpm said :

I say we all go back to the convenience of cheque books, or as the Americans say, check books! They’re awesome!! Hahahaha!

What’s a cheque book?

I say we all go back to the convenience of cheque books, or as the Americans say, check books! They’re awesome!! Hahahaha!

I am assuming that you would be offered the same protection as for “normal” credit card transactions? I had someone pay over $1200 for various online car ads with my debit card details once. I had no problem at all getting that money back. I only noticed after it had been happening for a month, so only canceled my credit card then.

It didn’t put me off paying stuff over the phone with my card. There is obviously a significant risk, but I know the banks are willing to cover any losses, so I think it is a risk worth taking.

poetix said :

rosscoact said :

Get rid of your cards, get a passbook, make friends with your local tellers, only carry cash, don’t buy anything online, simple really

Encourage your local mugger.

too true, but I thought the OP was scared of new school muggers so old school would be ok.

Hey I know, give up your job, grow veggies and barter everything. Who ever heard of a mugger robbing you of a zucchini?

Op was embarrased because he needed assistance in using his credit card. Was overly offended at being called buddy by a petrol attendant. Decided to post a topic on the riot-act regarding modern technology & credit card security.

As JB said, you don’t really get a choice. Anyway, it has to be close to the reading device, and it can only be used with certain businesses (which seem to all have security cameras). With a maximum limit, the risk is low enough that the credit card companies aren’t too worried.

Clown Killer9:17 pm 24 Mar 12

I think you’ll find that the T&C for the card offer quite reasonable protections if the card is stolen – as long as you report it promptly. Naturally carrying hem with you is the best way to know where they are.

The bank also tracks those transactions and knows your spending patterns. If you have an established history of useing your card every day to buy lunch at a deli in town and on Friday to pay for a couple of rounds of drinks in a bar in Ainslie and suddenly you’re buying a case of Woodstock cans in Charnwood they’re going to know that’s not a regular transaction …

rosscoact said :

Get rid of your cards, get a passbook, make friends with your local tellers, only carry cash, don’t buy anything online, simple really

Encourage your local mugger.

Woody Mann-Caruso6:54 pm 24 Mar 12

/lols at the berk* who thinks ‘buddy’ is an Americanism while using American English like ‘iron-clad’

*English enough for you, ‘mate’?

Get rid of your cards, get a passbook, make friends with your local tellers, only carry cash, don’t buy anything online, simple really

ScienceRules said :

We also have indoor plumbing and clean water now, Deref. What an amazing new world, eh?

So, Mr Fancy Pants I-have-indoor-plumbing-and-clean-water-in-my-house…

ScienceRules said :

But seriously, why do you imagine that this is a security risk?

Why do you consider it’s not?

With a signature, it’s the vendor’s responsibility to check. If they don’t, your credit card provider will re-credit you with the money and, I assume, debit the vendor. PINs are much less secure. If someone takes money from your account using your PIN, you leave yourself open to accusations of losing or sharing your PIN – it happens all the time. With contactless transactions there’s no verification process whatsoever. If I steal your card I can make as many transactions as I like (under $100?) until you find out and cancel the card. Will your provider refund you? I don’t know. Good luck.

I don’t care how people want to do business – that’s entirely their…business. If you want to use contactless technology, go right ahead – enjoy it along with your fancy-schmancy indoor plumbing and fresh water. I have enough (professional) background in IT security to understand the risks and to distrust it. If you don’t have a background in IT security there are plenty of articles describing the problems available for Googling.

I’ll check with my bank and see if I can get an iron-clad guarantee from them that any charges I challenge will be automatically reimbursed, no questions asked. If I get that, I’m happy to use it. Otherwise they can stick it up their indoor plumbing.

And don’t call me “buddy”, mate.

Sandman said :

All cards now stay at home and I carry cash.

Cash that you store under the mattress?

Trevar is on the money. If you read the work of the learned Bill Bryson, you might also be interested to find that in many cases the ‘American’ version of a word is in fact an olde English word. Not surprising when you think about how conservative our American cousins are. In any case, the price you pay for the ubiquity of English as a world language is that you cannot put the language in amber the way it was when you went to school and Mrs Hypen-whatsis looked down upon particular usages as somehow common if they were of American origin.
In other words, get over it buddy!

The bigger issue here is the attendant calling you “buddy”. I hope you beat him to within an inch of his life.

Were you really that upset that he called you buddy?

I’m with the OP on this. I got a nasty shock the first time i put my eftpos card in a machine and it just approved it. I didn’t ask my bank for a Debit Mastercard either. I found it in a pile of mail that I had put down while walking through the garage and then rediscovered over 9 months later.

All cards now stay at home and I carry cash. Wouldn’t take long to empty my bank account with $30 transactions if I lost my card, and don’t the banks only cover the fraud occurring AFTER you’ve reported it stolen or lost?

Firstly, what security risk? Obviously been reading to many of the click-bait articles out there predicting a doomsday of credit card fraud.

Secondly, the same tap to pay functionality is now available in a sense even if you don’t have a RFID enabled card. Woolworths, Maccas and so on are all now authorisation traditionally swipe/inset transactions without a pin or signature if they’re below a certain amount.

Welcome to twenty-first century Australia. Both the word buddy and proximity cards have arrived, albeit very late!

The word ‘buddy’, BTW, is a derivation of the British slang term ‘butty’, which is now as archaic as the word ‘appellation’. It was used until the 19th century in British English to describe a workmate or companion. In American and Australian English, the letter T when found in the middle of a word is usually quite homophonous with the letter D, so ‘buddy’ makes as much sense as an Australianisation of ‘butty’ as it does as an Americanisation of it, but either way, it’s origin is British, not American. I, for one, welcome the use of the word ‘buddy’ in the Australian language.

And at any rate, either paypass or PIN are a heck of a lot safer than a mere signature that no shop attendant was ever trained to assess, and few of them even looked at!

Yes, you can ring the credit card company at any time and ask them to disable the card.

If you have a Mastercard or Visa issued with a chip that was issued during the last 2 or 3 years, chances are pretty good that it is contactless payment enabled. You don’t really get a choice as to whether you get it, although I do know that some institutions are still issuing cards without chips (and as such without contactless payment ability).

ScienceRules said :

But seriously, why do you imagine that this is a security risk?

In addition to others being able to use your card without your signature or pin, devices to read and copy the information stored on your card’s chip are inexpensive, and work over considerable range. There is the potential for anyone standing within a metre or so of you to be wirelessly going through the information stored on the cards in your pocket.

What I don’t really understand is why you’d care if someone else managed to use your card. So long as you abide by their terms and conditions, most banks will bear the losses associated with any fraud committed with your accounts.

PayPass. Can only be used for amounts under $100.

They don’t accidentally put chips in people’s cards. But it can be disabled. Here’s how:

1. Cut your card up in to tiny pieces.
2. Enjoy your level of account security!

I’m not sure if you have ever noticed but the only thing required to use your current card without a pin is a signature that is written right there on the back of the card, and very rarely checked properly, and if your card is old and the signature is rubbed off, they will usually just put through the sale anyway.

As for the chip itself, it’s still easier to skim your card or just steal it than it currently is to perform a complicated attack by relaying your RFID or the like. People are concerned the technology to do that may become commonplace eventually, but right now you’re all ok on that front.

If you are still scared of having a chip in your card, tell your bank, ask if they can supply a non-NFC card, and if they can’t, it might be up to you to change banks.

Your stuck with it, but if it is over a certain amount you still have to put in a PIN, I think my last one was $80 and I had to put a PIN in.

It’s like mobile phones, hybrid cars and reality TV, this s*** will continue, just move with it.

ScienceRules11:58 am 24 Mar 12

We also have indoor plumbing and clean water now, Deref. What an amazing new world, eh?

But seriously, why do you imagine that this is a security risk? With credit cards being used more and more for transactions we used to pass cash around for, this is a welcome convenience. It can only be used on low value transactions and only works if you do actually touch the prox reader so what is your problem?

Devil_n_Disquiz11:51 am 24 Mar 12

I’ll stand corrected but aren’t these paypass cards signature free only up to a certain amount ??

I know its still a hassle but rest easy knowing that if someone does come into possession of your card they won’t be able to walk into a car show room and ‘tap & pay’, then drive out with a brand new *insert car of your choice*

I have a visa one. Seems the limit may be $35 http://www.lcu.com.au/visa-tap-and-go.html

Might be a market for lead lined wallets in the future.

Shinigami_Josh11:49 am 24 Mar 12

its also limited to transactions under $100 (or thereabouts). I also think they have further fraud prevention measures.

it’s the future, you don’t get a say in whether it comes or not.

Daily Digest

Want the best Canberra news delivered daily? Every day we package the most popular Riotact stories and send them straight to your inbox. Sign-up now for trusted local news that will never be behind a paywall.

By submitting your email address you are agreeing to Region Group's terms and conditions and privacy policy.