Contactless Card Fraud

This week a tweet of mine about contactless card fraud went a little bit viral. The goal was to create discussion, which it most certainly did!

I was contacted by half a dozen journalists asking to interview me about the matter. Despite having a great face for radio, I declined on the basis that I work in information security so suggested some folk in the industry who I knew would be much better than me at informing the public about this stuff.

That’s a strange looking mobile phone.

However, I’ve had lots of messages from people (about 50% tin-foil-hat brigade and 50% calling me a conspiracy theorist or a liar), so here are my personal views, expanded from 140 characters. (Not those of my employer blah blah.)

First up, for the record, the picture in that tweet is not one I took, as many people seem to think. I saw it in a Russian news story that was doing the rounds at work. I can’t find it published prior to that, so presume that’s where the photo credit is due. Also, to the best of my knowledge, this was taken in Russia and not, as some newspapers are saying, on the London Underground.

The picture appears to show a person carrying a contactless EDC (Electronic Data Capture) or POS (Point Of Sale) card machine – the sort of thing you’d find in most shops. It lacks context and there is no proof that this person is committing any crime, but it is possible that the person could use this device fraudulently.

The method of the fraud would be to input a sale below the contactless limit (in the UK that’s currently £30) and then touch the device to the wallet-bulge in someone’s pocket, or to their handbag. The machine, if within range of a contactless card, could then complete the transaction without any further input. These transactions don’t need a PIN etc. to be entered or the card to be visible.

Once that has happened, the ‘electronic pickpocket’ could either complete the transaction or (if much more sophisticated) harvest the card details to use in other, potentially larger, transactions.

Most contactless card readers still require connection to a phone line, but some are now available with Wi-Fi or GPRS connections. With one of these, the fraud could happen almost anywhere.

So should you be worried?

No, not really. Relax. For a few good reasons.

The circumstances above have been created in test conditions. However, anecdotally, there have been very few reported cases of this fraud actually happening. I cannot find firm evidence of a single event that definitely had this modus operandi. In each case I’ve been able to find, it seems just as likely that the card was skimmed or cloned during a legitimate transaction.

The card issuers are also really hot on spotting fraud. These companies are very tech savvy and have been investing heavily for a long time in transactional analysis which spots fraud very quickly and also has the useful byproduct of giving banks a massive volume of useful analytical data on their customers’ behaviour. All those clever maths whizzes have to do something since it’s now considered passé to go straight from Oxbridge to investment banking.

Importantly, you’re really well covered by your card issuer. The way their rules are set up is heavily in favour of the customer. They’ll refund you almost immediately and then put the onus on the vendor to prove that the transaction is valid. In the UK at least, you’re really well insured.

The globally regulated payment card industry (PCI) is also incredibly good at creating controls (including the Data Security Standard (PCI-DSS)) to screen card acquirers and processors in the payment chain. They’re vetted, then audited, with strenuous recertification requirements. It would be hard (but not impossible) for someone to set up an acquiring account with the specific goal of fraud. It is possible that someone could steal a machine linked to a legitimate account, but then laundering the funds from the fraud would have an extra step – getting the cash out from that supposedly innocent business. The data trail for any such transaction would be very strong, with info such as machine location etc. available to the police who could then link that up to CCTV records when investigating the crime. The fraudster might get away with it once or twice; but to make a living out of it would be onerous and high risk.

On top of all this, though, using this seemingly easy method would actually be tough to make work.

First up, those POS devices are pretty bulky, need to be held near the card for a solid couple of seconds and normally make a fairly recognisable ‘beep’ when the transaction completes. All the GPRS/Wi-Fi ones I can see also have built-in printers that would make a noise and give the game away. All of these factors mean that if you’re in a crowd of people who are at least partially aware of their surroundings, this is likely to get called out.

Secondly, if you’ve got more than one contactless card within range, the transaction will fail due to ‘card clash’, as TfL like to call it.

But if you’re still worried, what can you do to reduce your risk?

The single best thing that you can do is check your transactions regularly. You probably have a mobile banking app; use it to check when you’ve a moment spare. If you spot anything suspicious, contact your card issuer. They’re on your side.

You could invest in a shielded wallet or card sleeve. However, tests have demonstrated that they’re not always that effective. You could also wrap all your cards in tin foil for the same effect. And while you’re at it, make yourself a lovely hat with the rest of the roll.

Nice hat. Also good for roasting chicken.

If you’re truly paranoid and absolutely must disable the contactless feature of your card, it’s also pretty easy to do. The RFID ‘antenna’ runs in a loop around the edge of the card a couple of millimetres in. If you cut a small notch in the edge of your card, about 5mm square, or trim the corner of your card off, that should break the circuit and stop it working. But that’s very extreme.

Apple Pay and similar mobile-device payment systems are not affected by this fraud, as they require approval for each transaction e.g. with your fingerprint or PIN.

In summary, this picture is interesting as a discussion point but not good evidence of anything you need to be worried about. Contactless payment is a cool technology and the convenience is nice. Enjoy it. Relax. But check your transactions regularly.

Google are literally trolling

Pedants on the web have been all het up this week as Google added this definition of the word ‘literally’ to its annals.

Literally

This second definition, for clarity, being the meaning used by ignoramuses who don’t know the word ‘figuratively’.

Used to acknowledge that something is not literally true but is used for emphasis or to express strong feeling.

Let us just look at this second meaning; where the definition requires use of the word that it itself is trying to define, in order to define it. The recursive nature of the phrase should immediately have alarm bells ringing and show that the definition is spurious and worthy of skepticism.

So we pause and read it again and see that not only is the phrasing recursive, but it negates itself. The statement is of the logical form “x = not x”. This definition cannot even be logically correct. It is just plain wrong.

Now it may be that the meaning it is trying to describe is indeed in such prevalent use as to be considered a correct meaning, but that does not justify the slapdash work of Google in describing the apparent dichotomy. We already have words in the English Language that have meanings that are their own opposite. Cleave for instance, means both to split apart and to join together. Google seem to cope perfectly well with that one.

 cleave

The more I think about this, the more I worry that the problem isn’t the decline of English; languages will always evolve and Canutes like us will continually, futilely attempt to resist the tide.

The reference guides that are the formal record of matter for such things have a duty to present not only the de facto usage of words, but also the etymology, and to responsibly, accurately describe where there are issues. Here, for instance, there is a problem when Google (surely, these days, this organ must have a duty of care to the quality of information it propagates) allows a definition of a word to be logically inconsistent. Were a user of Google to rely on it for dispute resolution (e.g. to reference it within a company’s style guide), then this will obfuscate instead of clarifying.

So whilst I rail against the abuses of language, my real despair is that this particular case calls into question the veracity and reliability of the supposed backstops of the facts of the matter. What next; will we find that Wikipedia isn’t really peer reviewed by academic experts?

Bread & Roses

For two brutally cold winter months of 1912, the textile workers of Lawrence, Massachusetts went on strike. The strike was over the usual things: wages, hours and conditions. Due to the large number of women (average life expectancy – 26!) involved (about 20,000), the brutal tactics against families used by the bosses and the children of strikers being evacuated from Lawrence to sympathisers all over New England, the message from this strike was that life is not only about being able to live, on a basic level, but being able to live decently. The Lawrence textile strike became known, then, as the Bread and Roses strike. The slogan originated in a 1911 speech given by Rose Schneiderman: “The worker must have bread, but she must have roses, too.”

I think of this strike (or more specifically, I remember the brilliant Utah Phillips/Ani DiFranco song about it) when my friends or I are going through a rough patch. It’s important to ‘problem solve’ and try to deal with whatever it is that’s getting you or your friend down. You probably do need to try and understand what happened (or as the Americans say ‘get closure’.) but when you are trying to understand other people’s behaviour that is not always possible.  People want to talk things through, and that’s really important. But life isn’t just about bread, it’s about roses, too. Sometimes, whilst you do need to get to the bottom of whatever your ailment or situation is, you shouldn’t forget to do those things that make life feel good.

When stuff happens – a relationship breakdown, a setback at work, a tough time at home or another bump in life’s road – we often feel as if we are permanently changed by it, we are not the same person we were.  It is important, then, to reconnect with yourself and to remind yourself that you are still you.  Do the helpful things that have always worked for you.  Take a walk in the park, go to the gym, go for a run, have a (sensible) drink, socialise with friends, have good sex, get great hugs, have a wank, get fresh air (possibly not those last two at the same time) go on dates, do something good for someone else, whatever it is you need personally to get your serotonin and dopamine levels up. You shouldn’t feel guilty for a moment about finding time to enjoy life when things are tough, however hard that may seem. Do it for yourself. Help your friends do it.

When you’re in a tough place, it is easy to make really bad decisions. It is important when things are in a spin not to change your routine too much; make sure you keep doing the things that you knew you were comfortable doing before. Stick with the friends you know you can trust, don’t expose yourself to unhelpful behaviours or people who will take advantage (and there are a lot of those); now is not the time to suddenly change everything (or indeed take up historic unhelpful distracting behaviours!) Talk to your good friends, share with them when you think you’re making bad decisions. Think about life’s stress factors and don’t exacerbate the tough place you’re in by making things harder.  One of the things some people do after a foul-up is to get back to the life they had before they entered that relationship or situation – this is one of the reasons why long-married people will, after a divorce, sometimes be tempted to go out with someone the age they were when they entered the recently-ended relationship.  We revert to old patterns – people who have long eschewed smoking will suddenly remember that 15 years ago they used to smoke and that ‘helped’ with stress, so they develop an unhelpful thinking style that suggests ‘I’m a person who needs a cigarette when I am very stressed’.  This is actually just old-school superstition, and very few people thrive in a life governed by this.  We revert to random behaviours that we have imbued with meaning, as if they can help us, but they can’t. We are all grown-ups and, in the dead of night when it is just us and our ticking minds, we know what we are doing.

Humans are delicate things, but we are bouncy although some of us are easily bruised and take a while to bounce back. Don’t forget to laugh. Look out for yourself and your friends. Problem solving is great, sure, learning from situations is vital; the human must have bread, but must have roses, too.

Much love to all my friends having a tough time. xxx

On Bullshit

Marianne shared this excellent link today. In the article, Henry Scowcroft (a communicator for Cancer Research UK) argues that economics communicators should be more like science communicators and, well, communicate.

I’ve blogged before that economists, accountants, politicians, tax bods and so forth, need to speak plain English, stop obfuscating and let the people who are affected by decisions understand decisions made in their names. We shouldn’t be afraid to stop experts and ask them to explain their terminology. This stuff should be simple.

Sure, some communication is at a very high level and techie, such as in academic media or at a conference, but I’m talking about when these people turn up on Newsnight, in the papers, in your local pub or similar. At that point, they should respect the audience and think about what message they’re trying to get out.

If you don’t own the knowledge, you can’t inform the decision and you can be bloody sure that someone else without your best interests at heart will clue themselves up and get involved instead.

The only message most ‘communicators’ are giving at the moment is that these difficult things are just too darn complicated for you poor little children. We’re going to have a few talking heads talk above your understanding just to show you with jolly long words that you really don’t get it. You’d best toddle off now and let the grownups carry on with the adult stuff.

And that isn’t on. Invariably this is your money, your body, your country. You’re not children (unless you are, in which case, hi, sorry for the swearing!) Everybody needs to challenge the experts to be more accessible, because there really are some amazing communicators out there, whether they’re a physicist, a doctor, an economist or whatever. Seriously – here Brian Cox explained quantum theory to a bunch of celebs and he made it so simple. Everyone can either do that, or get out of the way for someone who can.

Next time you see someone chucking long words around like bullshit artillery, ask yourself what their goal is; because if it isn’t to communicate, it’s almost certainly to hoodwink or rip you off.

And then pull out your bullshit shield of obstinate scepticism. (This looks and sounds rather like just saying ‘why?’ a lot, to the casual observer.) Once someone has offered to communicate with you, make them do just that. Close the door, sit them down, and jolly well interrogate them until you are happy that either you understand enough to form an educated opinion or enough to know that you really don’t care.

Rental agent fees

My personal first choice of charity to support is usually Shelter. They do amazing work. Many people think that they work with the homeless to get them under a roof, but in fact many of their campaigns are to make the housing market fairer for those already in a home.

Current campaigns, for instance, include building more affordable housing, fighting the incredibly unfair bedroom tax and dealing with rogue landlords.

But I have noticed that some people are tweeting about a campaign that they currently have to end letting agent fees. This tweet from @KellyMarieLD is a good example:

1 in 7 renters who used a letting agency paid more than £500 in fees. Sign @Shelter’s petition #endlettingfees http://t.co/Mzbjth4HUO

— Kelly-Marie Blundell (@KellyMarieLD) July 2, 2013

This particular campaign, I think, is ill thought through.

Let me just be absolutely clear: estate agents are indeed not a nice lot, are venal and generally a dishonest, short-termist, hateful bunch of BMW Mini-driving oiks.

But regardless of how much we dislike them, they perform a role (however inefficiently) in the process of linking the UK’s 9 million privately renting tenants with their landlords. They perform various services for the landlords, such as showing prospective tenants round flats  (compact and bijou, Mostyn, compact and bijou), performing credit checks, gathering references etc. They might do a generally slapdash and awful job of this and charge an absolutely scandalous amount for it, but that’s a separate matter. The market has driven itself to the bottom and stayed there for many years; but these services are provided, however badly. And for that, these bottom-feeders do require some recompense.

Unfortunately.

At the moment they are paid by the tenants. The market has set the rate for these services, however high and profiteering that may be. This is the value that the market has set on the agents’ time and effort.

Now Shelter feels that these fees are totally unfair and should be made illegal.

But if the tenant doesn’t pay them, the agent will still want to be paid and the only other party in this contract is the landlord. But the landlords themselves are a profiteering bunch of capitalists. What they will do with costs is incorporate them into their financial model, add an uplift for opportunity cost of that money and raise rents accordingly.

The landlord, rationally, will spread this over the normal tenancy (probably 12 months), but not give a discount after this.

The result of Shelter’s proposal, I suggest, is likely to be an increased overall cost to anyone renting more than 12 months, who will effectively be paying those inflated fees on an annualised basis, but to the landlord instead of the agent.

Now I know that fees are illegal in Scotland, but have not seen any good studies on the effect on long term rents, compared to the similar time period in England where fees are still allowed.

But I know one thing for sure; those agents aren’t going to do that work for free and in the end the only income stream either the landlord or agents have is the tenants.

Maybe the solution is not to ban the fees, but better regulate landlords and agents, and set some centralised fees to provide equilibrium in the market?

Support these foolish people

I don’t often ask much of my friends. I’m fairly low maintenance really. Standing your round and putting up with my being a tosser from time to time is normally as hard as it gets. So when I do ask for something, I really hope you realise it’s worth paying attention to. Especially when I’m asking for someone else…

I would really love it if you could support (financially and emotionally and by sharing this video) my good friend Sam, who this weekend is part of a team of six doing The Three Peaks Challenge in aid of The Stable Family Home Trust*. The challenge is to climb the three highest peaks in each of the UK countries in a 24 hour period. This will kick off at 10pm on Saturday at Ben Nevis, before tackling Scafell Pike and finishing at Snowdon.

Shitty UK weather for 15/6/13

To make things harder, the weekend they’ve picked looks like the kind of weather that has sane people inside with a log fire, not climbing a mountain in pissing down rain in the middle of the night.

Quite frankly, there is not enough Kendal Mint Cake in the world to make me do what they’re doing!

Every penny raised will go direct to the service users of the charity. The entire cost of the challenge has been covered by generous local businesses. The charity will not use any funds raised for administrative costs; these donations will be ringfenced to enable the charity to enrich the quality of life and lifestyle of the people the charity cares for.

A talented friend of the charity has made this amazing video to spur them on. I loved it – it’s very very clever and well executed. Please do go watch it and then donate!

3 Peaks Challenge SFHT team

* The Stable Family Home Trust supports people with a learning disability to lead ordinary lives with some extraordinary moments. The charity provides a range of support services including residential care, day services and domiciliary support and a wealth of opportunities and activities for individuals. They believe that anyone can do and achieve anything as long as they have the right support.

Necessarily annoyed

Is the idiomatic grammatical battlefield for ‘literally’ now metaphorically as dead as a dodo? Are syntax pedants mixing metaphors by picking battles on a sinking ship? Should we make like a cowboy and change simile horses mid-stream?

What is the next problem area?

I propose, following a particularly linguistically frustrating meeting, that it is very important to me that people stop abusing the word necessary.

Necessity is logically the statement that something cannot fail to be true; it is always the case in all possible worlds, or it is a statement that is required for something else to be true.

It is necessary that 2+2=4. It is necessary that for whole numbers greater than 2, even numbers cannot be prime. It is necessary that all humans are mammals.

It is not, I assert therefore, necessary that I perform a task for someone by their arbitrary deadline.

Nor is it necessary that this given person take that task and forcibly place it in a darkened personal space.

What is annoying you today, fellow pedant?
