The abilty to turn off Contactless


#1

Hello all, I think it was revolut that had a feature where you could turn off contactless & turn off internet transactions, & even chip & pin, I found the ability to turn off contactless the one that really helped me as I am aware people have software that can read your cards details. I’ve tried card protectors. Got tired of taking the time to get them out ect…
Are any of these features on the Roadmap gang? :+1::rainbow:


#2

Check out this article.


#3

Thanks a lot @Rob . That cleared that up nicely. :pray::rainbow::+1:


#4

How does disabling contactless work with offline transactions? Surely the only safe way to fully remove contactless is to issue cards that lack contactless functionality.

I would certainly like that option, especially as I use Apple Pay for contactless anyway, so the contactless on the card is just a needless security vulnerability. Obviously, it should be a customer choice as some banks already do, as people bank differently.


#5

Not Recommending recolut but they have the three options , Turn off Chip n pin & or Contactless, & or Online Transactions. Sadly recolut wasn’t for me. Then when premium came along and they started doing monthly charges and things didn’t work I left


#6

I’ve seen Revolut but it doesn’t appear to be a bank and the reviews look to be pretty bad. Monzo also may have the option, but Starling is the first actual bank with a current account of the challenger banks and its offering seems to be the best out there right now.


#7

Presumably the card itself doesn’t know that contactless payments have been deactivated and therefore continues to broadcast its payment information regardless.

That article suggests the card shares its card number and expiry date via RFID so that information could enable a fraudster to clone your card even with contactless payments disabled.

This isn’t a topic I know anything about so anyone with an understanding of how this works is welcome to correct me. :slightly_smiling_face:


#8

Much like the old magnetic stripe, contactless cards store certain information that isn’t encrypted and can be read by anyone. It includes card number, expiration date, cardholder name (removed from some newer cards), and some additional information.

This is obviously a concern as your card details can easily be stolen by a passive reader, but unlike the magnetic stripe I don’t believe it is easily possible to create a new contactless card from the information. This is because the CVC is generated dynamically by the chip, which can’t be cloned passively.

It does provide enough information to create a magnetic stripe clone to be used abroad though, which is worrying as it can be done without you ever knowing. At least with the magnetic stripe and chip a fraudster has to have had access to the physical card at some point.


#9

I think part of the protocol involves the terminal and card negotiating allowable methods. Part of this includes whether the transaction is online or offline. I’d guess the Starling card refuses (or could be setup to) contactless when online isn’t available


#10

Cant recall if Starling or Mozo, but I recall one of them floated the idea of having separate card numbers for printed on card, mag strip, chip and in, contactless. By doing that they could refuse a transaction that was presented as a magstripe, but using contactless details.


#11

Its why I like contactless on Mobile. Dont know about apple but with Android pay the screen needs to be on before the NFC chip can be read. So surly more secure then simple bank card.


#12

Apple Pay is extremely locked down even compared to Android. I believe contactless is only enabled per transaction on a successful fingerprint read or passcode entry. There is very little access to NFC beyond this in the current release of iOS, and limited reading capabilities for iPhone 7 and onwards in the next iOS release.


#13

The simplest way of using Apple Pay on your iPhone is to place and hold your finger on TouchID sensor (while the screen is off) and move your phone to the payment terminal. This activates the NFC chip, the screen lights up, your fingerprint is authenticated, and (hopefully) the transaction is approved in one simple action.


#14

I never knew that how intriguing, so basically your phone is absolutely the safest thing to use with making payments? Which is why I only use Apple Pay,


#15

Essentially, yes, the phone is the best method for contactless for numerous reasons (it doesn’t share card details, authenticated with fingerprint/passcode, etc.). However, it does depend on the device you’re using as Android can have issues with malware and is not as locked down as iOS.

(Not that iOS is perfect).


#16

After looking into this further, it does appear the card issuer can ‘disable’ contactless remotely (though you have to make an ‘online’ transaction for the card to be updated). This is achieved using issuer scripts which allow the card issuer to update certain aspects of the card profile/application. The updates are provided during an ‘online’ Chip and PIN transaction. As far as I am aware, no major banks actually do this as of yet.

Given this possibility, I would be very much interested in Starling offering this option to disable contactless. Ideally this would be an option in the app with a notice saying that it may have a delay for it to activate. This is vastly improved over the current method of simply blocking ‘online’ transactions.

However, if this is not available, I believe it would be great to allow customers to request contactless be disabled through customer services in this way. This has benefits for Starling and for customers, as it allows the customer to have a card with contactless disabled without Starling having to issue two different types of card.


#17

And also helping to reduce fraud :slight_smile:


#18

Contactless card fraud is eye watering. I work in fraud and it’s huge. The system is swamped by card fraud and it’s a nightmare to catch people, it requires huge manpower to track down CCTV and as the amounts are small in fraud/bank terms it usually goes to the bottom of the pile. Someone somewhere is suffering huge daily loses, I can’t see it being sustainable in the long term. Banks tend not to lose out, they take most of the money back from the shops/services (large and small). It seems a bit pointless.

Apple/Android/Samsung Pay are the future. Have you known Apple to make many rash bad decisions? They know it’s the future.


#19

I agree, this is why I think a challenger bank should really be doing more to change the status quo. I understand it’s difficult for a new bank to offer things like different card types, etc. but a longer-term goal should be to help reduce fraud by enabling mobile payments without contactless cards or allowing users to ‘properly’ disable contactless on their cards.


#20

Going off on a slightly complete tangent…

How far off do you think we are now before we just drop ‘bank cards’. I notice a few cash machines are starting to show up with NFC pads as well as card slots although I’ve not tried to use them (not sure if they’re just for account holders with that specific bank or for anyone with a contactless card and if they work with Apple/Android pay - although I might go and try that out at lunchtime).

Would anyone be willing yet to completely ‘go cardless’ so that you don’t have a physical card? All payments either done through apple/android pay or, for online sites where you need to give your card details (and don’t have alternative options like Apple/Android Pay or Paypal for example) - have a ‘virtual card’ display in the banking app?

Actually, looking at the ‘Card Management’ section of the bank app (in iOS anyway) it actually DOESN’T show the card number/CVV details - is that an oversight? a technical limitation? or a security risk to have that within the app?

It’ll be interesting to see some stats on how many businesses (in the UK at least) are still not ready to accept contactless payments).

The 3 main obstructions that I can see right now are:

  1. Vast majority of cash machines are not equipped for contactless transactions (I also assume you can’t get cashback with Apple/Android Pay?)
  2. Some shops are not equipped yet - although that presumably is dropping
  3. Going abroad - different countries always generally support card payments

On another query about contactless vs Apple/Android pay. Contactless has the £30 limit per transaction but Apple/Android apparently don’t have that. So, does that mean anywhere that accept contactless, I can use Apple Pay for transactions above £30 or only at specific shops that have said they accept Apple Pay? To be honest, I’ve not used Apple Pay for a transaction above £30 yet anyway.