• after hacking contactless cards for bus trips, next for shopping

    Sometimes you can't believe your eyes when you read things. It happens over and over again. First they launch something, and only later do they discover the problems (or just neglect them) and then try to solve them.

    Using contactless cards for shopping is on the table with the four biggest banks in Belgium, Visa and Mastercard. I am sure there will be very expensive engineers and consultants producing huge, expensive reports saying that there is no problem and that nobody should believe all these rumours and articles about the lack of security of these cards. Just sensationalism. These things will be fixed, or are already fixed.

    I think that if they want to study the question really thoroughly, they should put together a "No" team that would give all the arguments and proof for why they shouldn't do it and contradict all the propaganda they receive from the vendors and associated research institutes. Hackers are in fact a reality check. When you see what happened with the contactless pay card in Holland, London and the US, you can imagine that wireless shoplifting will become a very interesting sport, especially in rough economic times.

    You don't have to be a professor to know that a contactless pay card or credit card is just stupid, because you take away one level of identification and authorisation that is essential: the PIN code. Even if the PIN code has some disadvantages and isn't perfect, taking it away creates a lot more problems. For starters, how are you going to prove that the card was used by the holder when he says that he lost the card? Now you have limited protection through the PIN code. When it is contactless there is NONE. So the banks will say that they will bear the costs of theft themselves. That is not so: the additional costs of theft, because a fundamental level of security has been lifted, will be transferred to ALL the users. We will ALL pay the bill for this disaster in waiting. Secondly, as the cards will be contactless, it will be crucial to block the cards IMMEDIATELY (in minutes, not hours), because every minute will count. For this you will need a bigger call centre with more resources, and you will have to invest more in awareness, response and detection teams. These cards will also naturally become the prime targets of attacks. Imagine that you are a hacker and you have the choice of attacking a contactless card for shopping or a transport card. Which one would you choose?

    And using the cell phone for payments is a joke, because neither the cell phone nor its operators have any security at the moment that is worth mentioning here. Even in Belgium, the procedures to get it blocked are not as easy as for your eID or Visa card.

    So why would they absolutely need to do this? To be fashionable? To process more transactions faster (if their servers can keep up...)? To make it easier for the clients? But that was the discussion with some online Belgian banks last year, until they saw the first real successful attacks against their banks and upgraded security instead of thinking about usability for the clients. Security has some inconvenience, but it has the advantage of adding trust (talking about trust in these times...).

    I wouldn't trust the card because I wouldn't trust the concept behind it, and so I wouldn't use it; and if every card were to become like that, you could stick your cards in your dustbin. And if they really are stupid enough to go ahead for no logical reason at all, they should leave the choice to deactivate it and keep the old PIN code.

    Or they could do even better and replace the PIN code with a fingerprint. It would also cost some money, but it would diminish card fraud in shops worldwide, lower general costs and heighten trust, and they would sell more cards, because instead of having one card per family, each family member would need one.

    We will be coming back to the discussion of these stupid smart card ideas. There are better smart card ideas, but this is surely not one of them.