---

@nyancat wrote:

---

@Anonymous wrote:

---

@nyancat wrote:

---

@Luscher wrote:

swiping is soo much quicker. It takes twice as long at walmart. but in the end I guess its safer

---

Walmart's EMV was incredibly slow, it has got much better. That said, it'll always be a little slower... well worth it for a massive safety improvement. Contactless offers speed AND security, but American banks and merchants generally refuse to support it.

---

 

 

For a dummy, could you explain what "contactless" means? And why do American companies refuse to support it? Costs?

Thanks

---

Contactless means tap-and-pay. The reasons are varied, for banks:

 

1. The cards cost more

2. Most customers who get them don't use the contactless feature

3. Some customers get extrmely vocal and angry because they PERCEIVE it as insecure, since it is contactless - despite it actually being much more secure

 

Why spend money on something that at best doesn't get used, and at worst gets an angry customer? But we can vote with our wallets, literally. I have one card available contactless - an American Express Blue Cash Everyday. I requested a chip and contactless version and I tap it everywhere I can, even if another card would have better rewards.

 

For merchants:

 

1. Sometimes it is cost of equipment, if they don't already have contactless readers

2. Sometimes it is fee disputes, they want contactless incentives due to it being more secure, and potential debit routing issues (Best Buy when they first disabled contactess was for this reason)

3. For many merchants, it is disabled due to their membership in MCX

4. For some, it's not really obvious. Barnes and Noble has contactless capable terminals that are disabled, ULTA disabled theirs but they used to be enabled, and Staples just enabled theirs but they were disabled for years.

---

I too plan on contacting AMEX to request chip and contactless version of my BCE card. As I'am noticing a few of the merchants I shop with weekly have the hardware to support it.

As for Staples, I guess their most recent security breach motivated them to reenable theirs.

Great info nyancat, you seem to be the residential expert in this type of field!!

---

@nyancat wrote:

---

@Anonymous wrote:

ah, i remember when I got a debit card with paypass feature, waving card at a register because scanning didn't work that well, and people standing behind looking at me like "what the hell is that idiot doing? doesn't know how to use a credit card?"

---

If it works, it should be really quick and seamless. Hold card for a couple seconds, done. At McDonald's they're usually surprised cause they never see me do it - of course I deliberately stealth it to catch them off-guard

---

this was when paypass first came out, like 7 or 8 years ago? and it wasn't working flawlessly, heck I even left the card on the scanner itself, still didn't register.

---

@Anonymous wrote:

---

@Shock wrote:

Contact is not safe. Anybody can walk up and put an RFID reader by your wallet and get your information.

---

That's why you get a wallet with RFID protection like this or one of the other brands that have RFID protection.

 

---

or completely de-magnetize your card, and force cashiers to manually type in credit card numbers every time

---

@Anonymous wrote:

---

@Anonymous wrote:

---

@Shock wrote:

Contact is not safe. Anybody can walk up and put an RFID reader by your wallet and get your information.

---

That's why you get a wallet with RFID protection like this or one of the other brands that have RFID protection.

 

---

or completely de-magnetize your card, and force cashiers to manually type in credit card numbers every time

---

Hahaha can you imagine that at the speed checkout lane lol

---

@Anonymous wrote:

---

@Anonymous wrote:

---

@Anonymous wrote:

---

@Shock wrote:

Contact is not safe. Anybody can walk up and put an RFID reader by your wallet and get your information.

---

That's why you get a wallet with RFID protection like this or one of the other brands that have RFID protection.

 

---

or completely de-magnetize your card, and force cashiers to manually type in credit card numbers every time

---

Hahaha can you imagine that at the speed checkout lane lol

---

when I was working at office depot, there was this guy who frequently shopped there with de-magnetized card, and he never got it replaced (I think it's because he hates cashiers for some reason), but thanks to him I can type in credit card numbers very quickly

---

@Anonymous wrote:

---

@Anonymous wrote:

---

@Anonymous wrote:

---

@Anonymous wrote:

---

@Shock wrote:

Contact is not safe. Anybody can walk up and put an RFID reader by your wallet and get your information.

---

That's why you get a wallet with RFID protection like this or one of the other brands that have RFID protection.

 

---

or completely de-magnetize your card, and force cashiers to manually type in credit card numbers every time

---

Hahaha can you imagine that at the speed checkout lane lol

---

when I was working at office depot, there was this guy who frequently shopped there with de-magnetized card, and he never got it replaced (I think it's because he hates cashiers for some reason), but thanks to him I can type in credit card numbers very quickly

---

LOL

---

@nyancat wrote:

---

@Shock wrote:

Contact is not safe. Anybody can walk up and put an RFID reader by your wallet and get your information.

---

Ah, the American paranoid of contactless is alive and well. For one, you mean contactless, not contact. Contact is where you insert the card. 

 

Now, let's analyze your statement. It isn't completely untrue, it's just ridiculous fear-mongering. No, nothing is totally safe - nothing. Yes, someone can bump-skim a contactless card. What will they get?

PAN - Primary Account Number

Expiration data

Potentially the data needed to conduct a replay attack and create ONE transaction

 

PAN and expiry are useless on their own, as those do not allow a transaction anymore. There isn't even a real name on the contactless interface - it is replaced by false data or a blank, so someone can't try to Google for an address, etc.

 

A replay attack of a generally low-value contactless transaction is not a great value proposition for a scammer, and bumping against people or surreptitiously installing a rather big NFC/RFID skimmer isn't easy.

 

Let's compare this to magnetic stripes. What do you get?

PAN

Expiry

Name

The data required to create a working card that can be used for any in-person transaction

 

Also easily skimmed, by attaching skimmers to ATMs, gas pumps, etc or - much worse - malware on the point-of-sale allowing mass skimming of this data.

 

As for contact EMV? Similar data to contactless can be skimmed or retreived from the POS, but with a name and without nearly as easy of time creating a replay transaction. With EMV migration, contactless MSD will eventually go away making a replay attack on contactless harder than it is today.

 

Conclusion: no, contactless isn't totally 100% theoretically safe. Nothing is. Someone may be able to skim a single low-value contactless MSD transaction through an awkward and difficult method. But it's a heck of a lot safer than magnetic stripes!

---

And even if someone did manage to commit fraud with contactless, it ultimately doesn't matter to the cardholder. Yay for $0 liability, one of the few pro-consumer things the government actually instituted.