Forgot your password?
typodupeerror
United Kingdom The Almighty Buck Technology

UK Consumers Reporting Contactless Payment Errors 193

Posted by timothy
from the how-to-buy-a-hundred-subway-rides dept.
leathered writes "The BBC reports that some customers of UK retailer Marks and Spencer have reported that the store's contactless payment terminals have debited their cards despite being in their bags or pockets, sometimes paying twice when they have used another payment method. The cards are supposed to work only when the card comes within 4cm of the terminal. Customers of fast-food chain Pret a Manger have been reporting similar problems, and in both cases cited the customers weren't even aware they had been issued with NFC-enabled cards by their bank."
This discussion has been archived. No new comments can be posted.

UK Consumers Reporting Contactless Payment Errors

Comments Filter:
  • Double payments (Score:5, Insightful)

    by chromas (1085949) on Saturday May 18, 2013 @11:22AM (#43762227)

    sometimes paying twice when they have used another payment method.

    Why is the software even accepting a new payment? Shouldn't the balance already be 0 by then?

    • Re:Double payments (Score:5, Insightful)

      by Skapare (16644) on Saturday May 18, 2013 @11:29AM (#43762273) Homepage

      You mean like that stupidity of charging twice for the same shopping cart serial number when the final button is pressed twice? You get this shit when you let morons design it.

      • by tlhIngan (30335)

        You mean like that stupidity of charging twice for the same shopping cart serial number when the final button is pressed twice? You get this shit when you let morons design it.

        You mean the brilliance of being able to ding a customer for twice their shopping cart value? Extra profit from stupid and/or impatient people.

        And when they chargeback, you can provide proof and cancel their order and still keep the other payment. And tie it up with confusion because you can easily switch which payment you're talking

    • Re:Double payments (Score:4, Interesting)

      by mjwx (966435) on Saturday May 18, 2013 @12:38PM (#43762787)

      sometimes paying twice when they have used another payment method.

      Why is the software even accepting a new payment? Shouldn't the balance already be 0 by then?

      Because the software is shit.

      Having dealt with a few Point Of Sale systems I can say that the acronym POS is no accident.

      A lot of systems are just Windows systems with a program like Pronto Xi running on top. It's not unusual for these terminals to be running Windows XP. The back end is usually pretty good but the software really suffers on the front end and the front end is where we tend to get most of the errors.

    • Re:Double payments (Score:5, Informative)

      by ericloewe (2129490) on Saturday May 18, 2013 @01:41PM (#43763269)

      Some POS systems are not integrated with the card payment terminal. You click "visa" for instance, and the POS system assumes a valid card payment has been made. The payment is then made in a seperate terminal which issues a receipt for the payment, which should be kept with the purchase receipt.

    • by jonbryce (703250)

      I'm not sure about those two stores, but in a lot of stores, especially ones owned by smaller companies, the credit card terminal is not linked to point of sale system. The checkout operator presses the button on the till for card or cash, nobody takes cheques any more, then if it is card, they enter the total amount into the card terminal, process the payment, and usually put the store copy of the card receipt in the till. It may well be that they thought the card terminal wasn't working, and put the pay

    • *Somebody* had to say it.

    • by AmiMoJo (196126) *

      It's operator error. The person on the till is confused by the customer trying to insert their card into the read even though it already appears to have made the transaction. They put it through again and the customer gets charged twice.

      It sounds too stupid to be true, but that is apparently what is happening.

  • tinfoil wallets (Score:4, Interesting)

    by biodata (1981610) on Saturday May 18, 2013 @11:27AM (#43762253)
    Suddenly they are becoming popular - Icelandair are selling one on the inflight goodies list, as are various designer shops in Reykjavik.
    • But the Brookstone one costs 4X as much, true to form...

    • I just bought one of these a couple of weeks back:

      http://www.thinkgeek.com/product/8cdd/ [thinkgeek.com]

      It's surprisingly good quality for $20, too.

      I decided to buy it after reading this:

      http://www.cbc.ca/news/canada/manitoba/story/2013/04/23/mb-smartphones-skimmer-credit-card-winnipeg.html [www.cbc.ca]

  • Someone must have gotten their units mixed up and used 4 inches.

    • by julesh (229690)

      Someone must have gotten their units mixed up and used 4 inches.

      So it turns out that like RFID tags, the assurances of limited range are absolute bullshit. A more powerful transmitter coupled with a more sensitive antenna than used in the reference design allow them to work from farther away. Who'd have thought it?

    • by Z00L00K (682162)

      The guaranteed distance for a successful reading is 4cm, but that doesn't mean that it has to be that close for a successful reading.

      I'm toying around with NFC right now and the distance is 4cm+ for a reading. Our local public transportation company (Västtrafik [vasttrafik.se]) uses NFC for the ticket system and there have been numerous accounts of accidental reading of the cards as well as missing to read. They have a system where you have to check in when boarding and check out when leaving - and if you don't check

  • by Anonymous Coward on Saturday May 18, 2013 @11:30AM (#43762285)

    Quick, buy stock in companies selling RF-blocking wallets and bags

    And don't forget fashion - my electric-blue aluminium wallet pairs nicely with my neon-green tinfoil hat!

  • by Hentes (2461350) on Saturday May 18, 2013 @11:36AM (#43762327)

    Who would've thought that it's a bad idea?

    • by beelsebob (529313) on Saturday May 18, 2013 @11:38AM (#43762343)

      If I had mod points, you would get them... I really genuinely don't get why no one saw this coming.

      • I saw it coming... Before one of my banks put them on ALL their cards I got a survey about how much I would like them. All my asnwers were the most negative on their scale and multiple write-ins (in the write in space) to the effect of OMFG NO, worst idea ever!

        Sadly I was apparently the only one who thought so because now they do not have any credit cards that do not have NFC.

      • by click2005 (921437) * on Saturday May 18, 2013 @12:23PM (#43762667)

        Everyone saw this coming. The banks, card companies & shops just didn't care.
        Unlike purchases over £100 where the CC company is liable for half of all losses, you can bet we'll end up paying for any losses
        either directly or through price increases.

        • by AmiMoJo (196126) *

          In the UK the card issuer is liable for all the losses due to fraud or clerical errors.

          The £100 rule is that any item worth over £100 and paid for in whole or in part on credit card makes the card issuer liable as the vendor. In the event of a problem they have the same responsibility to sort it out as the seller does.

          The card issuers certainly do care because they want contactless payment to become popular. If it is abused or doesn't work people will carry on paying for small items

    • by cgimusic (2788705)
      Agreed. I really don't know what all the fuss with contactless payments is. The main benefit is that they are instant and you don't have to type in a PIN, not the fact that you don't have to put a card in the reader. Why not just make it so that any purchase under £15 doesn't require a PIN or bank confirmation and then you have the convenience of contactless without as many issues like this.
  • Tinfoil is your friend. Always has been, always will be.

  • Why (Score:5, Insightful)

    by markdavis (642305) on Saturday May 18, 2013 @11:41AM (#43762363)

    And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.

    It reminds me of the phone pay-with-phone thing. I have to carry a wallet anyway for ID and other important documents (and yes, cash, which is the ultimate fall-back and non-tracking/anonymous payment method). Yes, I will also carry my phone. So it is somehow faster and more convenient to take my phone out of my holster, turn it "on", unlock it, launch a payment app, enter some stuff, position it correctly on a terminal, press some confirmation keys, turn it back off, and put it back into its holster. That is faster?

    Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use- and all us consumers are paying for that. At least I have noticed gas pumps and some other devices asking me for my zip code.... better than nothing I suppose.

    • by Jmc23 (2353706)

      Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use- and all us consumers are paying for that. At least I have noticed gas pumps and some other devices asking me for my zip code.... better than nothing I suppose.

      Hate those stupid gas pumps. Useless if your card is from outside the US.

      • Re:Why (Score:4, Informative)

        by willb (34706) on Saturday May 18, 2013 @11:58AM (#43762475)

        Hate those stupid gas pumps. Useless if your card is from outside the US.

        Actually there is a way to use this even if your card is from outside the US. For example I have cards from Canada and the convention is to use the numbers from your postal code and add 00 at the end. It works well. If yours is from another country google around, they might have a convention on how to get the "ZIP" code you're supposed to use.

        • by julesh (229690)

          Hate those stupid gas pumps. Useless if your card is from outside the US.

          Actually there is a way to use this even if your card is from outside the US. For example I have cards from Canada and the convention is to use the numbers from your postal code and add 00 at the end. It works well. If yours is from another country google around, they might have a convention on how to get the "ZIP" code you're supposed to use.

          Yep; in the end, they're just checking AVS which just checks the numbers in your postal code. Same should work for at least UK-issued cards, and probably all major European issuers as well.

        • by Jmc23 (2353706)
          Well thank you, it would have helped more if any of the employees at any of the gas stations were aware of that. Made driving across the US irritating, well, that combined with the lower fuel efficiency of the crappy ethanol blends.
    • Re:Why (Score:4, Interesting)

      by CrashandDie (1114135) on Saturday May 18, 2013 @11:55AM (#43762447)

      A lot of credit cards in the UK have the Chip'n'Pin system [pcmag.com], which requires a physical connection to be made to the payment terminal. Simply "swiping" becomes less and less common, so people have to type their PIN every 5 minutes to pay for a few quid worth of $product. I used to work in the industry, and there was a certain amount of pressure from consumers to be able to do something as quickly and effortlessly as possible, but the magstrip simply isn't deemed secure enough.

      The idea was to use NFC, so people could just wave their card for any purchase under 10 or 20 quid, and be on their merry way.

      • Re:Why (Score:5, Funny)

        by JustOK (667959) on Saturday May 18, 2013 @12:34PM (#43762751) Journal

        I thought in the UK chips were called crisps.

      • by toby34a (944439)
        The chip-and-pin system is the stupidest thing in the world for small amounts of money. For example, take my cafeteria line in my building. The queue occasionally builds to 4-5 students, each spending £3-4. Each time they pay by card, each transaction takes a few minutes, as the cashier has to hand over the card reader to the customer, the customer inserts their card, types in their PIN, and then hands the device (with the card in it) to the cashier again who then inputs the price, holds the machin
        • £3-4? Isn't that what cash is for?

          Actually, my office has one of these NFC systems. It's acceptable givent there's never more than £10 in the account it's linked to, which is completely separate from my bank account. No way in hell would I trust my main bank account to a system like that.

      • My Norwegian bank issued me a chip and pin card. I like it. The waitress or the teller never touches my card. I put it in the terminal when I see the total I am being charged. I punch in the PIN and the card verifies with the bank and the term. prints a receipt. In a restaurant the server brings a wireless terminal to the table and I do the same thing. The protocol allows for a gratuity to be added. As long as no thug or dip looks over my shoulder and sees my PIN I fell pretty safe from fraud. I use this ca
        • by DamonHD (794830)

          Not only is remembering endless new passwords and PINs very hard, but I don't want to entrust the PIN for a bank card with a direct call on my current account (for example) to retailers who are notoriously cheap when it comes to security measures.

          The only thing I want to use a PIN on a bank card for is an a bank ATM to withdraw cash or as part of 2-factor authentication for on-line transactions.

          Rgds

          Damon

    • by gl4ss (559668)

      And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.

      It reminds me of the phone pay-with-phone thing. I have to carry a wallet anyway for ID and other important documents (and yes, cash, which is the ultimate fall-back and non-tracking/anonymous payment method). Yes, I will also carry my phone. So it is somehow faster and more convenient to take my phone out of my holster, turn it "on", unlock it, launch a payment app, enter some stuff, position it correctly on a terminal, press some confirmation keys, turn it back off, and put it back into its holster. That is faster?

      Yet we still don't address the MAIN problem with [credit] cards [at least in the USA]- the lack of confidential PIN codes to secure them from unauthorized use- and all us consumers are paying for that. At least I have noticed gas pumps and some other devices asking me for my zip code.... better than nothing I suppose.

      plenty of countries have gone pretty much all chips. you stick the card in, put in the pin and the payment is done.
      nothing wrong with that, except if for bus fares etc.. if you need extremely fast throughput of people then contactless is nice.

      contactless without pin for your usual every day big money card though.. that's just fucking stupid. like having all your money in cash in your pocket. which geniuses came up with that?

    • by b4dc0d3r (1268512)

      If you do it your way, it's slower. Most people with a phone have it on already, with no locking. If you do it the way people who use payment apps do it, it can be a lot faster.

      You could argue that this method is a lot slower: stare at the cashier, wait for the total, dig in your purse to find stray bills, decide you don't have enough cash, find a checkbook, hand the blank to the cashier so the register prints it, enter the amount and balance your checkbook.

      Yes people do it that way, but most people avoid

      • by markdavis (642305)

        If you think it is an exaggeration, then you need to watch the typical people around you. SLOW.

        I am always fast, and I can almost guarantee I can use a swipe credit card just as fast as any "phone" user.... unless the cashier puts obstacles in my way...

    • So you don't have to touch the pad or the community pen?

      If it cuts 1/2-1 minute off a transaction, a line of 50 people will save a half hour. That's a lot more customers for a morning coffee run.

    • by drinkypoo (153816)

      It's a good idea because magstrips are easy to erase and contacts are easy to destroy. It's unfortunate that this implementation is so crap, but that doesn't invalidate the concept.

      • by forkazoo (138186)

        It's a good idea because magstrips are easy to erase and contacts are easy to destroy. It's unfortunate that this implementation is so crap, but that doesn't invalidate the concept.

        I'm sorry, but no. The concept of contactless payment is just inherently broken. It's really obviously, blatantly, completely invalid. Making it possible for me to pay from a distance wirelessly without having to do anything specific with the payment card/source/token, means that I can be robbed without noticing it. It just t

    • Re:Why (Score:5, Interesting)

      by kav2k (1545689) on Saturday May 18, 2013 @01:24PM (#43763155)

      And I will just repeat what I said when they first came out- why do we need this? Swiping a card is not difficult nor time consuming. Yet contactless is more expensive, more complex, and has remote "skimming" possible issues. It is far enough distance to be potentially dangerous, but not enough to be REALLY convenient (like leaving it in your pocket or purse). Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something.

      Contactless payments differ a lot from magnetic stripe swiping, invisible barcodes etc.

      They are not static information but an active challenge-response authentication system. You cannot clone the chip; it has an internal cryptographic secret it does not allow you to access, only challenge responses. You can trick it into authorizing a purchase you don't want if you're in physical proximity, which is happening here, but you cannot save that authorization for later use, since the bank is issuing the challenge here, just like with a chip-and-pin purchase. The whole point is to ensure that this is really the actual card.

      So the main problem is the lack of user interaction to go ahead with the purchase. A touch button on the card itself would help, but would destroy part of the convenience.

      • by Richy_T (111409)

        I'm one of those Bitcoin-heads and have been interested in some of the discussions of hardware wallets. What all the designs I have seen in common have is some way to display the charged amount on the device and a button to be pressed for user confirmation. It is such an obvious requirement for anyone who takes a moment to think about it so I can only think that it has not been implemented in this case because it detracts from the "gee-whiz" aspect of the technology. Marketing over design.

      • You cannot clone the chip; it has an internal cryptographic secret it does not allow you to access, only challenge responses.

        Yeah, you're making two claims here, neither of which I believe.

        Yes, this is how the system is designed to work. But it's a very complicated system that was designed by humans. People make mistakes in implementation, and tomorrow people will know things they don't know today. I've seen too many claims similar to yours fail in the past to really believe the designers of NFC thought of everything.

        • by kav2k (1545689)

          Well, my point wasn't that the original card is impossible to clone given physical access to the card. My point is that using only radio communication with the chip, it is not possible to clone it. I imagine that NFC stuff and the crypto module are isolated, and the hardware crypto module quite literally has only one command exposed, to generate a response to a challenge. So neither passive (when you hear the challenge and the response) nor active (when you can submit challenges yourself) attacks can give y

      • by markdavis (642305)

        +1 informative

        Yours is one of the best replies yet. Yes, the idea of having a button or some other technology that confirms intent is what would be needed to "fix" the situation.

    • Not only that, but its come to the point where paying cash is faster. I go to walgreens, swipe my card, before i even enter my pin it asks me if i want to donate to something. Then i get to enter my pin and tell it if i want cash back or not. Then i get to verify the amount and press another button. Or i can just give the cashier a 10 dollar bill and be done with it.
      • by Richy_T (111409)

        I was once standing a line in front of someone who complained quite loudly about the (marginal) extra time it took to process card transactions. That was about 20 seconds before someone turned up with a bunch of change to be sorted into the cash drawer. He was oddly quiet after that.

        Card processing terminals vary but some do it right. Typically, at Walmart, I have all the card business done by the time the checker is still swiping the last items and I have the cart loaded by the time the receipt is ready.

    • by zazzel (98233)

      Meanwhile, the only problem with the old [card] tech has been reliance on magnetic strips that can and do wear out or get erased. So replace them with invisible IR barcodes or something. Or maybe *contact-full* chips that require touching something

      Uh, so you don't already HAVE chips?! My EC card has had them for years. All ATMs use the chip, and magnetic strips only work as a fallback option (though there are safeguards against simply using a copied card without chip).

      I am curious, what are the options for online banking in the US today? When I was a customer of Citibank in the US in 2001, it was just username/password (I had an HBCI encryption chip on my German card then...)

      • by Richy_T (111409)

        Username/password with my bank.

      • by markdavis (642305)

        >"Uh, so you don't already HAVE chips?! My EC card has had them for years. All ATMs use the chip, and magnetic strips only work as a fallback option (though there are safeguards against simply using a copied card without chip)."

        None of my USA credit cards have chips.
        My Bank of America debit/ATM card also has no chip.

        >"I am curious, what are the options for online banking in the US today? When I was a customer of Citibank in the US in 2001, it was just username/password (I had an HBCI encryption chip o

    • It reminds me of the phone pay-with-phone thing. I have to carry a wallet anyway for ID and other important documents (and yes, cash, which is the ultimate fall-back and non-tracking/anonymous payment method). Yes, I will also carry my phone. So it is somehow faster and more convenient to take my phone out of my holster, turn it "on", unlock it, launch a payment app, enter some stuff, position it correctly on a terminal, press some confirmation keys, turn it back off, and put it back into its holster. That is faster?

      Wait... You keep your phone in a holster? And off?

      Your issues with the payment app system aren't really anything that affects most other people. My phone, for example, is in my pocket - and on. Getting at it isn't any more work than pulling my wallet out of a pocket, and launching an app is as fast as finding the correct card somewhere in my wallet.

      Heck, my wallet isn't even in my pocket, more often than not. It's usually buried in my computer bag.

      • by markdavis (642305)

        Being in a holster is no less accessible or slower than being in a pocket.

        No, it is not "off", the SCREEN is off, you have to press the button to turn the screen on

      • I make all my phonecalls and texts with a Nokia 6015i "dumbphone" http://www.cellphones.ca/cell-phones/nokia-6015i/specs/ [cellphones.ca] Yes, I do have a "smartphone", but the greedy asshole cell carriers insist on an extra "data plan" charge for smartphones. So I don't bother getting a sim card or a plan for it. I leave it off except when I'm using it. The smartphone is a mediocre mp3-player/FM-radio/ebook-reader/web-browser/etc, but I'm *NOT* going to pay extra for connecting it versus the Nokia.

    • by jonbryce (703250)

      In Europe, and most of the rest of the world, we use smart-chips when we aren't using contactless. There is a magnetic stripe on the card, that that is only so that the card can be used in the USA and other similarly backward countries.

  • Security Concern (Score:5, Insightful)

    by Capt.Albatross (1301561) on Saturday May 18, 2013 @11:43AM (#43762377)

    While these incidents do not involve a security breach, they do indicate a sloppiness in the implementation, and so raise the concern that the system has been developed without the attention to detail that is a necessary (but not sufficient) prerequisite for security.

  • by FudRucker (866063) on Saturday May 18, 2013 @11:43AM (#43762379)
    retail stores shoplift YOU!
  • The hardware having the wrong range is probably pretty hard to avoid due to variance between terminals and problems keeping them all tuned over their lifetime.

    However, the NFC reader shouldn't be active until the customer told the cashier he/she will be using a contactless card for payment and the cashier enabling the reader.

    It wouldn't prevent reading the wrong card if the customer has several NFC cards, but it would at least prevent the kind of surprises shown in the article.

  • I'd be willing to bet that 90% of the time this happens it's because a woman's put her handbag on the counter to get the wallet out, it's brushed up close against the sensor and activated it. Contactless is designed to be able to be used in a wallet, guessing distance is the big limiting factor, not having a couple of layers of cloth between them.
  • there are two ways. my favourite is the first.

    1) put passport / credit card on a plate
    2) put small amount of water on top of NFC chip
    3) put plate into microwave oven
    4) set for 3 seconds on HIGH
    5) press button and watch pretty sparks
    6) open door VERY QUICKLY and put out anything that's smoking or on fire
    7) smile and relax, knowing that you are secure from being phished.

    the other way is perhaps less risky:

    1) obtain a 50,000 volt electrocution device aka "stun gun"....

    • by Takatata (2864109)
      You forgot:
      8) Throw card away since it is useless now.

      No idea how it is in the USA, but in Europe the magnet strip is hardly used anymore. Too insecure. Some people even destroy it on purpose. Instead a chip in the card used. Not a NFC chip. So, how do you destroy one chip in a microwave oven, but leave another chip on the same card intact?
      • Someone else in this discussion suggested cutting a notch in the edge of the card to destroy the antenna.

  • Use cash in stores and leave the card at home. The only place you need to take it is the ATM.

Karl's version of Parkinson's Law: Work expands to exceed the time alloted it.

Working...