Contactless Card Fraud


This week a tweet of mine about contactless card fraud went a little bit viral. The goal was to create discussion, which it most certainly did!

I was contacted by half a dozen journalists asking to interview me about the matter. Despite having a great face for radio, I declined on the basis that I work in information security so suggested some folk in the industry who I knew would be much better than me at informing the public about this stuff.


That’s a strange looking mobile phone.

However, I’ve had lots of messages from people (about 50% tin-foil-hat brigade and 50% calling me a conspiracy theorist or a liar), so here are my personal views, expanded from 140 characters. (Not those of my employer blah blah.)

First up, for the record, the picture in that tweet is not one I took, as many people seem to think. I saw it in a Russian news story that was doing the rounds at work. I can’t find it published prior to that, so presume that’s where the photo credit is due. Also, to the best of my knowledge, this was taken in Russia and not, as some newspapers are saying, on the London Underground.

The picture appears to show a person carrying a contactless EDC (Electronic Data Capture) or POS (Point Of Sale) card machine – the sort of thing you’d find in most shops. It lacks context and there is no proof that this person is committing any crime, but it is possible that the person could use this device fraudulently.

The method of the fraud would be to input a sale below the contactless limit (in the UK that’s currently £30) and then touch the device to the wallet-bulge in someone’s pocket, or to their handbag. The machine, if within range of a contactless card, could then complete the transaction without any further input. These transactions don’t need a PIN etc. to be entered or the card to be visible.

Once that has happened, the ‘electronic pickpocket’ could either complete the transaction or (if much more sophisticated) harvest the card details for potential use in other, possibly larger, transactions.

Most contactless card readers still require connection to a phone line, but some are now available with wifi or GPRS connections. With one of these, the fraud could happen almost anywhere.

So should you be worried?

No, not really. Relax. For a few good reasons.

The circumstances above have been created in test conditions. However, anecdotally, there have been very few reported cases of this fraud actually happening. I cannot find firm evidence of a single event that definitely had this modus operandi. In each case I’ve been able to find and look at, it seems just as likely that the card was skimmed or cloned during a legitimate transaction.

The card issuers are also really hot on spotting fraud. These companies are very tech savvy and have been investing heavily for a long time in transactional analysis which spots fraud very quickly and also has the useful byproduct of giving banks a massive volume of useful analytical data on their customers’ behaviour. All those clever maths whizzes have to do something since it’s now considered passé to go straight from Oxbridge to investment banking.

Importantly, you’re really well covered by your card issuer. The way their rules are set up is heavily in favour of the customer. They’ll refund you almost immediately and then put the onus on the vendor to prove that the transaction is valid. In the UK at least, you’re really well insured.

The globally regulated payment card industry (PCI) is also incredibly good at creating controls (including the Data Security Standard (PCI-DSS)) to screen card acquirers and processors in the payment chain. They’re vetted, then audited, with strenuous recertification requirements. It would be hard (but not impossible) for someone to set up an acquiring account with the specific goal of fraud. It is possible that someone could steal a machine linked to a legitimate account, but then laundering the funds from the fraud would have an extra step – getting the cash out from that supposedly innocent business. The data trail for any such transaction would be very strong, with info such as machine location etc. available to the police who could then link that up to CCTV records when investigating the crime. The fraudster might get away with it once or twice; but to make a living out of it would be onerous and high risk.

On top of all this, though, using this seemingly easy method would actually be tough to make work.

First up, those POS devices are pretty bulky, need to be held near the card for a solid couple of seconds and normally make a fairly recognisable ‘beep’ when the transaction completes. All the GPRS/Wifi ones I can see also have built in printers that would make a noise and give the game away. All of these factors mean that if you’re in a crowd of people who are at least partially aware of their surroundings, this is likely to get called out.

Secondly, if you’ve got more than one contactless card within range, the transaction will fail due to ‘card clash’, as TfL like to call it.

But if you’re still worried, what can you do to reduce your risk?

The single best thing that you can do is check your transactions regularly. You probably have a mobile banking app; use it to check when you’ve a moment spare. If you spot anything suspicious, contact your card issuer. They’re on your side.

You could invest in a shielded wallet or card sleeve. However, tests have demonstrated that they’re not always that effective. You could also wrap all your cards in tin foil for the same effect. And while you’re at it, make yourself a lovely hat with the rest of the roll.


Nice hat. Also good for roasting chicken.

If you’re truly paranoid and absolutely must disable the contactless feature of your card, it’s also pretty easy to do. The RFID ‘antenna’ runs in a loop around the edge of the card a couple of millimetres in. If you cut a small notch in the edge of your card, about 5mm square, or trim the corner of your card off, that should break the circuit and stop it working. But that’s very extreme.

Apple Pay and similar mobile-device payment systems are not affected by this fraud, as they require approval for each transaction e.g. with your fingerprint or PIN.

In summary, this picture is interesting as a discussion point but not good evidence of anything you need to be worried about. Contactless payment is a cool technology and the convenience is nice. Enjoy it. Relax. But check your transactions regularly.


On Bullshit


Marianne shared this excellent link today. In the article, Henry Scowcroft (a communicator for Cancer Research UK) argues that economics communicators should be more like science communicators and, well, communicate.

I’ve blogged before that economists, accountants, politicians, tax bods and so forth, need to speak plain English, stop obfuscating and let the people who are affected by decisions understand decisions made in their names. We shouldn’t be afraid to stop experts and ask them to explain their terminology. This stuff should be simple.

Sure, some communication is at a very high level and techie, such as in academic media or at a conference, but I’m talking about when these people turn up on Newsnight, in the papers, in your local pub or similar. At that point, they should respect the audience and think about what message they’re trying to get out.

If you don’t own the knowledge, you can’t inform the decision and you can be bloody sure that someone else without your best interests at heart will clue themselves up and get involved instead.

The only message most ‘communicators’ are giving at the moment is that these difficult things are just too darn complicated for you poor little children. We’re going to have a few talking heads talk above your understanding just to show you with jolly long words that you really don’t get it. You’d best toddle off now and let the grownups carry on with the adult stuff.

And that isn’t on. Invariably this is your money, your body, your country. You’re not children (unless you are, in which case, hi, sorry for the swearing!) Everybody needs to challenge the experts to be more accessible, because there really are some amazing communicators out there, whether they’re a physicist, a doctor, an economist or whatever. Seriously – here Brian Cox explained quantum theory to a bunch of celebs and he made it so simple. Everyone can either do that, or get out of the way for someone who can.

Next time you see someone chucking long words around like bullshit artillery, ask yourself what their goal is; because if it isn’t to communicate, it’s almost certainly to hoodwink or rip you off.

And then pull out your bullshit shield of obstinate scepticism. (This looks and sounds rather like just saying ‘why?’ a lot, to the casual observer.) Once someone has offered to communicate with you, make them do just that. Close the door, sit them down, and jolly well interrogate them until you are happy that either you understand enough to form an educated opinion or enough to know that you really don’t care.

Rental agent fees


My personal first choice of charity to support is usually Shelter. They do amazing work. Many people think that they work with the homeless to get them under a roof, but in fact many of their campaigns are to make the housing market fairer for those already in a home.

Current campaigns, for instance, include building more affordable housing, fighting the incredibly unfair bedroom tax and dealing with rogue landlords.

But I have noticed that some people are tweeting about a campaign that they currently have to end letting agent fees. This tweet from @KellyMarieLD is a good example:

1 in 7 renters who used a letting agency paid more than £500 in fees. Sign @Shelter’s petition #endlettingfees http://t.co/Mzbjth4HUO

— Kelly-Marie Blundell (@KellyMarieLD) July 2, 2013

This particular campaign, I think, is ill thought through.

Let me just be absolutely clear: estate agents are indeed not a nice lot, are venal and generally a dishonest, short-termist, hateful bunch of BMW Mini-driving oiks.

But regardless of how much we dislike them, they perform a role (however inefficiently) in the process of linking the UK’s 9 million privately renting tenants with their landlords. They perform various services for the landlords, such as showing prospective tenants round flats (compact and bijou, Mostyn, compact and bijou), performing credit checks, gathering references etc. They might do a generally slapdash and awful job of this and charge an absolutely scandalous amount for it, but that’s a separate matter. The market has driven itself to the bottom and stayed there for many years; but these services are provided, however badly. And for that, these bottom-feeders do require some recompense.

Unfortunately.

At the moment they are paid by the tenants. The market has set the rate for these services, however high and profiteering that may be. This is the value that the market has set on the agents’ time and effort.

Now Shelter feels that these fees are totally unfair and should be made illegal.

But if the tenant doesn’t pay them, the agent will still want to be paid and the only other party in this contract is the landlord. But the landlords themselves are a profiteering bunch of capitalists. What they will do with costs is incorporate them into their financial model, add an uplift for opportunity cost of that money and raise rents accordingly.

The landlord, rationally, will spread this over the normal tenancy (probably 12 months), but not give a discount after this.

The result of Shelter’s proposal, I suggest, is likely to be an increased overall cost to anyone renting more than 12 months, who will effectively be paying those inflated fees on an annualised basis, but to the landlord instead of the agent.

Now I know that fees are illegal in Scotland, but have not seen any good studies on the effect on long term rents, compared to the similar time period in England where fees are still allowed.

But I know one thing for sure; those agents aren’t going to do that work for free and in the end the only income stream either the landlord or agents have is the tenants.

Maybe the solution is not to ban the fees, but better regulate landlords and agents, and set some centralised fees to provide equilibrium in the market?

What is wealth?


My good buddy Michael Story posted the following tweet this morning:

World Income Inequality: The poorest 5% of Americans are richer than the richest 5% of Indians marginalrevolution.com/marginalrevolu…

— Michael W Story (@MWStory) June 6, 2013

Which started a little debate as to what ‘wealth’ means.

Which of these following 4 people do you think is the ‘wealthiest’?

a)      A person who earns £100k per year but due to circumstances has no outgoings. They pay no tax, no mortgage or rent. Their food is paid for. Every penny of gross income is disposable income.

b)      A person who earns £100k per year but due to circumstances has (reasonably) unavoidable outgoings in excess of £100k per year. Their net income is below zero.

c)       A person who has no income but has gross assets worth £1m. They have liabilities (debts etc) in excess of £1m. They must generate income from or divest themselves of assets in order to live including servicing liabilities.

d)      A person who has no income but has gross assets worth £1m. The assets are entirely unencumbered. They have no liabilities. They must generate income from or divest themselves of assets in order to live.

Many articles, including the one linked in the tweet above, treat gross income as synonymous with wealth.

They are not.

Wealth is a measure of net assets, not of gross income. To conflate the two is pure hyperbole. Having a high-paying job or living in a big house does not make one wealthy.

A story of two taxpayers


Imagine the following situation: you and your friend work for different companies, you both work hard and for your efforts in very similar jobs have secured mid-tier positions with decent salaries and reasonable but not incredible bonus packages. The bonus packages, as is normal, are linked to the performance of the company overall; to incentivise you to go the extra mile at work.

In other words, you’re just like a large number of people in this country.

The end of the year comes and your firms announce their results. The headline figures are really good, everyone’s worked hard, and profits before tax are very healthy at both companies. You are looking forward to a nice bit extra to maybe pay off some debt, or take the family on a nice holiday.

But your company, unlike your friend’s employer, has bowed to the pressure put on the industry by Margaret Hodge, UKuncut, some press hacks and some left-wing tax ‘experts’. As such, your company has elected to pay more than its fair share of tax. It has not elected to take advantage of any of the perfectly legitimate tax loopholes designed to help companies in your industry. It has not structured its corporate arrangements to take best advantage of legal tax jurisdictions around the world. It has not paid an advisor to help it pay exactly its legal fair share of tax; instead, it has just paid a high headline rate and not sought to minimise this in any way. A large slice of the pre-tax profits goes to The Revenue instead of into the bonus pool.

So your end of year pay packet is significantly less than that of your friend. In fact, because, as is normal, the bonus pool targets are industry benchmarked, you don’t get a bonus at all. Your friend, though, gets a lovely bonus. They choose to take the family off on holiday and let you know how nice it is with some pictures on Facebook.

When the companies’ annual results are announced to the market, it is clear that your company and that of your friend have both been really busy, with healthy turnover figures, but that your board of directors has chosen to pass the rewards of your hard work to HMRC, instead of in dividends to the shareholders who own the company.

The shareholders are absolutely livid. Some sell their shares in fury, making the share price go down. Others object at the AGM, causing chaos with the company brand as the shareholders are clearly at odds with their board of directors. Because of this, the share price falls further.

As is usual, some of your bonus is paid in shares, to incentivise you to hang around longer at the firm. Now your share options are almost worthless. You only get a long term incentive plan payout if the shares rise in value. Instead of adding share value, your company is tanking. Your friend, however, is really pleased. Because of their post-tax results, their share options are worth a healthy sum. When they pay out, your friend pays off their mortgage early and moves to a big new house with a nice garden and a lovely new car on the drive. You can’t afford to do that.

But, you think, at least you work for an ethical company that chooses to act in a socially responsible manner. You can always feel good about that. Apart from that your employer now has much less cash in the bank so cuts back dramatically on non-core activity, such as its outreach, education and CSR programs. Your friend’s employer has increased all of their CSR, giving more back into the community, to support some social programs that the government austerity measures have axed. Your company’s extra tax paid for a little slice of Trident missile. You feel less worthy about that.

Your friend also likes being ethical and generously donated a large portion of their bonus to charity. You have had to cut back on your charity donations, because fuel has gone up, inflation is rife and frankly, bread is more important than roses. You really would love to help some worthwhile causes, but not this year. This year you’ll have to turn a blind eye & hope your need to heat the house doesn’t cost someone else too much. There’s always next year. Let’s hope that the government is spending that extra tax wisely on things that matter, like A&E departments.

Times are tough. People would love to vote with their money and shop ethically, but in these austerity years people are trimming back. They used to value the ethics of a brand but to be honest simply can’t always afford to do that any more. Instead, they buy the product from your friend’s firm, which because it pays only the legally required amount of tax, can afford to be a little bit cheaper than your company, but still maintain its bottom line. So your sales start falling. It doesn’t matter how hard you work, you’re just not as competitive.

If you even still have a job, that is.

In the mean time, politicians remain ignorant of the real-life effect that their proselytising has and continue to pass judgement on companies that follow the letter of the law, putting pressure on consumer focussed brands to pay more tax than they need to, making large employers uncompetitive.

But your employer was never doing anything wrong; and nor now is your friend’s employer. As the old adage goes, tax evasion is when you do something wrong; tax avoidance is when the government does something wrong.

Rather than change the law and maintain a level playing field between your employer and that of your friend, the politicians remain ignorant of the real-life effect that their words have and continue to pass public judgement on companies that follow the letter of the law, putting pressure on companies that are scared of the negative headlines to pay more tax than they need to. It is a hell of a lot easier for a politician or a hack to pick on the easy target than try to understand real tax law. Tax law is complex. Let’s just churn out sound bites about big brands. Let mob justice rule, rather than do any hard work fixing the system.

By doing this, making the public focus on brands they know, they wilfully distract from little known companies like Stemcor, which pays only 0.01% tax. Stemcor, that is, that is owned by Margaret Hodge’s family.

The way to make things fair between you and your friend is to make sure that tax law is simple, that every company can easily pay a rate of tax that reflects their position in the economy, that gives incentives to certain industries and structures that as a country we have chosen to champion, that allows the companies to compete on a level playing field.

Then, when hypocrites like Margaret Hodge or the Guardian start spouting on about what is a fair amount of tax or not, you and your friend’s employers can both tell them to push off and focus on the people who can really make tax fair – the politicians.

Tax law is complex, unjust, and not accessible to all. The only way to fix this iniquity is to change the law. Not to give media time to hypocritical, narrow-minded ignoramuses. Next time someone attempts to lecture you as if they’re an expert on tax, be skeptical and make sure they are actually an expert on tax.

Cameron’s all froth on tax


Today, at Davos, in a frothy speech, David Cameron, our not-so-skinny mug of a Prime Minister unsubtly took a tall-size pop at Starbucks for creaming off profits to lower tax-regimes as a tax avoidance measure.

See, David, I can make crap coffee related puns, too!

Cameron expressed a wish to make challenging tax avoidance a pillar of Britain’s G8 presidency. He stated “Individuals and businesses must pay their fair share”.

This soundbite is meaningless popularism, reflecting perceived public pressure on companies and richer people to pay more tax. Cameron is not making this speech because he for even one minute thinks that large corporates should pay more; he’s making the speech because some focus group has told him to.

If Cameron really wanted companies to pay more tax, he would take his best mate Osborne, the dunce in charge of economics, and simply tell him to raise the corporation tax rate. But in fact, George is doing the exact opposite, arguably to support his pals in The City.

So what is going on here, really?


Pantechnicon


Is the pantechnicon a museum piece?

This week I am following with half an eye the goings-on at the World Economic Forum in Davos (Twitter hashtag #WEF).

I find particularly interesting the futurist ideas that are coming out of the event. There are fascinating tweets on the feeds of @AdamBates_KPMG, @SteveForbesCEO, @Davos, @lheron and of course the unmissable @Competia about various predictions. There are brilliant debates about the distance we travel to work, shared vehicles, resource use, the obligatory 3D printing and some really cool analyses of the differences between growth prospects of the different parts of the world.

Some of the things I find most interesting are the little tidbits that drop out, rather than the big concepts, such as the fact that the median age of the world’s population is now 27½ and that the age is trending up in all regions out to 2100, with the exception of Europe, which peaks in 2040 and falls away as the baby boomers die. (Consider the implications of that one for a minute…)

One little throwaway was the prediction that babies born now are unlikely to ever own a wallet. It’s a small fact, but think about what that is really saying. It is suggesting that in as little as a decade and a bit, we won’t need physical ID, money, non-fiat payment cards, coffee reward cards, receipts, BHA membership card, spare passport photos, business cards, rail ticket stubs… (these are just some of the things in my wallet today.)

So this rekindled another thought I had recently about how much useless physical crap we all cart about through our lives. I moved house this month and realised as I was carrying the second vehicle load of boxes up the stairs that much of the back-breaking shit just won’t figure in the house-moves of future generations.

Easy to lose of course are the heavy books, CDs and DVDs, which are already disappearing in favour of digital media, which in turn is moving to the cloud from physical local storage, making the home footprint near nil.

A lot of the larger items are already ‘losing weight’. Think of a CRT TV from ten years ago against a slim LCD, or the big fancy separates hi-fi system we had a decade ago compared to the skinny iPod dock we all now have. We used to have games and toys, but invariably after the age of toddler now such things are digitised. Trivial Pursuit is no longer a 2 kilo box, but a question-set we access via our mobile device and view on the TV.

In time maybe even things like pots and pans will disappear as we all get food replicators and along with them will go the fridge, oven and hob!

So what’s left to make the house move still a chore?

I guess the things that can’t shrink are those linked to the size of our bodies. The big furniture items and maybe clothes… but can we lose them too? On The Bottom Line podcast recently, I heard Simon Woodroffe talking about his new project, Yo! Home!, which is a compact multifunctional living space idea where much of the furniture is built-in (and designed to be flexible). So maybe we can lose much of the furniture. I suspect that 3D printing will make many small items such as clothes impractical to store for long. Indeed, whilst it is only a bikini, the first boutique printed clothes are already available. Household decorations are likely to go the same way, except for maybe the most personal trinkets.

So what’s left? Will a house move in future be a rucksack full of personal belongings that we take to the new multifunctional pad, where our subcutaneous RFID chip with our personal ID makes available our film, book and music libraries, where a 3D printer replicates our wardrobe on a print-to-wear basis and our meal cooked to our taste is already steaming in the food replicator?

Let’s extrapolate this then. Can we rock up to a new space each night in a new city and instantly access all the home comforts?

Never mind asking whether the pantechnicon of today’s house-move is already a museum piece, but if all the above is true, how long then until the concept of home itself is obsolete? Maybe Paul Young was right; except that of course we don’t wear hats anymore…