What’s the point? You then have to fanny around taking the card out of the wallet every time you want to use it

As I have 3 rfid cards it’s always best to take it out, still faster and easier than entering a pin and hardly a hassle.
What makes you so sure your phone is safe? Software can always be compromised.

I used a contactless card in a familiar place recently, where it was an almost-daily event. It didn’t work. The young lady behind the till said I needed to use it conventionally, with the pin, as a check that I’m really me. I think I passed. Maybe the system checks at intervals.

What’s the point? You then have to fanny around taking the card out of the wallet every time you want to use it,

I do that now, and only have one contactless card 😳
Never tried it with the card in the wallet.

The photo that’s going round isn’t exactly fake but it isn’t what it claims to be (bloke on the Underground / [insert your local town here]). It’s social media spam based on generating fear. Actually comes from an article about this in Russia, and anyway general conclusion is this is very rare.

http://www.snopes.com/fraud/identity/pickpocket.asp

Makes sense deadkenny. I think we have established you can read and clone the data with a modern smartphone which would be a lot less conspicuous than walking about with a POS terminal.

It’s a two way communication with the chip and only certain information can be transferred. You can generate transactions, but not clone the chip itself. The consumer is not liable for contactless fraud and will get the money back. That’s why banks limit the transactions to limit their liability.

Plus it will force a PIN request with a certain number of transactions, possibly more so in quick succession.

Reading with a smart phone, yes you can get apps to read the public data. That doesn’t give you much. Just identity of the chip and who made it essentially. I’ve messed about doing this while developing some RFID related software and was just curious if it would read my cards. Sure enough it did. Nothing of use though.

Interesting. I’ve not worked on any contactless systems yet so good to get a developer perspective. Smartphones can act as POS terminals can’t they, so presumably they can do the two-way communication with the cards for a challenge/response system?

That does rule out simple cloning though (and milky’s story).

By “the bank reckoned,” do you mean that some random person working at the bank guessed? Even if that scenario is exactly what happened, I’m at a loss as to how the bank could possibly ascertain that beyond speculation.

I would think they would know what kind of transaction was usde to process the charge but I dont know enough about banking to speculate. However to be honest I reckon the 200 odd consecutive charges all variously a few Cents under the maximum contactless payment limit gave it away.

Well deadkenny seems to know his stuff, and I suppose if he is happy that skimming is not a risk then I should be too.

Actually to clarify, it’s more the chips in credit cards don’t expose enough information to clone the card beyond card number and expiry which you could get traditional ways, and a POS device typically will read what it needs with one way communication and a bunch of encryption.

Everything else on the card needs two way to work, and depends on the card chip I believe whether it supports it.

Mobiles with contactless payment I think work two way, although depends again on the phone. Some require the phone to be working, relevant app and some communication back and forth, like Apple’s pay thing. Others can work without the phone being powered up and rely on the NFC chip that’s usually in the battery, which links to some data in a special payment enabled SIM. I believe EE’s payment stuff works this way.

What’s the point? You then have to fanny around taking the card out of the wallet every time you want to use it, in which case you may as well just stick it in the slot

You have to do that anyway don’t you? My credit card, debit card and oyster card are all contactless – if they’re next to each other in a wallet the readers just give an error as they normally pick up multiple signals.

Apart from the lack of a time machine, I’m sure it’s a simple task.

Pah, I was there for the launch of the first time machine in 2053. I cloned in onto my nuclear powered hoverboard in seconds and I’m back here in 2016 to launch a new standard that is going to be big I tell you – can’t say much at the moment, but something to do with b/b sizes 😉

I’m not concerned about skimming with POS terminals, but I am concerned about fraudsters ripping and emulating other people’s cards.

I did some research a few months ago in an attempt to emulate my work card using my phone. I found that was impossible, but stumbled across an app which allowed you to clone cards. You had to use two networked phones to get/send data from the two way system. It would look like you were paying with Apple pay but instead could be using someone’s stored card data. IIRC you could also ‘bridge’ a card between two phones, so have one phone near a victims card, and use the other phone to pay using that card at a POS terminal.

Thankfully banks are good at spotting fraudulent transactions, and the amounts are relatively small.

I’m guessing you’re referring to https://sourceforge.net/projects/nfcproxy/ – which I found when doing a bit of research last night. It appears totally feasible to use two phones as a proxy in the way they’re suggesting, though I’m not sure whether recording and replaying the transactions (which is effectively how they’re storing the card data) is a useful means of theft – anybody who knows more care to comment?