
Android application reads credit card data over NFC (The H)

Posted Jun 23, 2012 10:54 UTC (Sat) by tialaramex (subscriber, #21167)
In reply to: Android application reads credit card data over NFC (The H) by rich0
Parent article: Android application reads credit card data over NFC (The H)

The contactless systems are designed for low-value transactions.

The rationale is that these aren't a major target for fraud.

Previous experience says that there will be some serious holes resulting from bad assumptions in the banks, card companies, payment providers and consumer businesses. The main thing I'd worry about would be whether any of those holes impact the consumer, next after that whether they affect the retailer, and I have no interest at all in whether the banks, card companies or payment providers take a hit.

Examples of things the system is supposed to do, and how they'll probably go wrong:

1. These aren't normal credit cards. Data from a touch transaction shouldn't be valid for larger transactions, and the card company should reject larger transactions.

1a. But it probably won't. Sooner or later a bank is going to tell a customer that their $15 limit touch token bought $15000 of diamond jewellery in a country they've never visited.

1b. Lots of small transactions add up. Somebody's off-line transaction system or broken fraud pattern spotting will allow criminals to put thousands of dollars onto someone's card by keeping each purchase under $5.

2. Some fraction of transactions are supposed to be checked. This should make small-scale fraud too risky because you'll be caught after a relatively small number of attempts.

2a. But retailers are notoriously non-compliant on such checks. Given the choice between "possibly inconvenience a real customer" and "lose millions of dollars to fraud" apparently the second choice is always preferred.

2b. Small-scale fraud often involves insiders anyway. The same low-paid shop workers who agree to turn a blind eye to the use of a card in the name of "Mrs Jia Wong" used without a PIN by a 17-year-old white guy with no ID to buy $500 of brand-name spirits can be "persuaded" not to perform the manual check when the proximity card reader requests it.

3. Local laws should protect consumers so that the banks have to eat the cost of their own mistakes.

3a. But repeated practical experience shows that judges and juries believe whatever they're told by the man in a smart suit from the bank, even when outsider engineers can see that it's completely bogus. So there's a good chance the bank can legally pin someone else's fraud on you by insisting that its systems work even if you have proof they don't. Increased scepticism towards the banks by the general public might help here, but don't count on it.
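An issuer-side authorization check for points 1, 1a and 1b above, as an added illustration that is not part of the comment or of any real payment network: an authorization carrying contactless (touch) data is declined outright when it exceeds the touch limit, and the small ones that remain are accumulated per card over a rolling window so that a run of sub-$5 purchases is routed to review rather than silently approved. The limit, window and aggregate values are constructed assumptions, and amounts are in integer cents to avoid float drift.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed policy values for the illustration; a real issuer sets its own.
CONTACTLESS_LIMIT_CENTS = 1500        # the "$15 limit touch token" in the comment
WINDOW_SECONDS = 24 * 3600            # rolling window over which small purchases add up
AGGREGATE_LIMIT_CENTS = 10000         # cap on total contactless spend inside the window
MAX_CONTACTLESS_PER_WINDOW = 20       # cap on number of contactless purchases in the window


@dataclass
class Tx:
    card: str            # card identifier (constructed, e.g. "card-A")
    amount_cents: int
    ts: int              # epoch seconds
    contactless: bool    # True if the data came from a touch/NFC read


class IssuerAuthorizer:
    """Keeps, per card, the recent contactless authorizations it approved."""

    def __init__(self):
        self._recent = defaultdict(deque)   # card -> deque of (ts, amount_cents)

    def authorize(self, tx: Tx) -> str:
        # Point 1 / 1a: touch data must never authorize more than the touch limit.
        if tx.contactless and tx.amount_cents > CONTACTLESS_LIMIT_CENTS:
            return "DECLINE: contactless amount exceeds touch limit"
        if not tx.contactless:
            return "APPROVE"              # chip-and-PIN path is out of scope here

        # Point 1b: small purchases add up, so check count and total in the window.
        q = self._recent[tx.card]
        while q and tx.ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()                   # drop entries that have aged out
        total = sum(amount for _, amount in q) + tx.amount_cents
        if len(q) + 1 > MAX_CONTACTLESS_PER_WINDOW or total > AGGREGATE_LIMIT_CENTS:
            return "REVIEW: contactless velocity or aggregate exceeded"

        q.append((tx.ts, tx.amount_cents))
        return "APPROVE"
```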



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds