Top Shows

Tap and wave and go - does it feel right to you?

By Gordon Harcourt

Published: 7:29PM Wednesday May 15, 2013 Source: Fair Go

Try this. Take all your cards out of your purse or wallet, and have a look - there might be a surprise in store.

You might already have what they call a contactless payment card - the Visa PayWave or the MasterCard Paypass.

Inside that card is a tiny aerial that transmits your card details to the terminal (if 4cm or closer), no PIN or signature needed.

It's whizzy and fast, but is it secure?

Steve the plumber has his doubts. He got some coffees and paid with his EFTPOS card, $12.80. He's got a Paypass card, but he swears it stayed in his wallet. Ping, ping - $12.80, $12.80 on the Paypass card.

So he paid the same amount three times at the same place at about the same time - twice with a card he says never left his wallet.

We took this up with MasterCard. They are adamant it's just not possible for the transaction to be accidental. Albert Naffah is MasterCard's man in New Zealand. He's "100 per cent confident".

What if I'm leaning on a bar with my wallet near the terminal - might I be shouting free drinks for the whole bar? No, says Albert, there's "no risk".

He says the technology is safer than the 40 or 50 year old magnetic stripe technology on your EFTPOS card. The ENV encryption technology is the" latest and most secure form of passing information between a card and a terminal."

But what about "electronic pickpocketing"? Your new contactless card transmits its details, and we've got a rather unnerving American news story which shows a guy wandering around an airport with a scanner, getting people's credit card numbers.

He then uses that information to create and use a new card.

Wellington IT security guy Nick von Dadelszen from Lateral Security says "someone could swipe the card while you're walking down the street". Nick can even get your card details with an app he's created on his phone! Spooky.

Yes it's technically possible says Albert, but effectively useless. Each individual contactless transaction has got its own unique fingerprint, "so you might be able to get some information off a card contactlessly but you can't use it more than once".

Ok, but you don't need to use that information contactlessly, points out Nick Dadelszen. The guy in the American video clones a card and uses it the old fashioned way, and you can use card information on websites without needing that extra security number on the back, the CVV number.

Steve has been refunded his $26, but that's not what it's about. He's concerned about how it happened and how often. Basically, MasterCard says it didn't happen inadvertently and it can't.

For more information here are links to the Visa and MasterCard pages. There is a genuinely amusing set of videos on the MasterCard page.

Who have known a credit card company could be funny?


MasterCard (scroll down to find the comedian)

Most Popular