Barclays bank has rolled out a contactless Visa debit card - ZDNet.com.uk
*HomeATM's personal SwipePIN device has been rigorously tested by Witham Laborities (1 of 8 certification outfits in the world) and found to meet or exceed PCI 2.0 requirements. Our device and the Witham Lab's report has been forwarded through the proper channels for PCI. 2.0 certification.
From Monday, Barclays customers will receive new or replacement cards containing RFID technology that will allow contactless transactions of up to ten pounds, without entering a PIN. (Editor's Note: Limiting transactions to 10 pounds ($14.10 US) is not a testament to the security of the methodology is it?)Editor's Note: You simply cannot sacrifice "convenience" for security. No way, no how. Security needs to be first and foremost on the minds of payment industry professionals. HomeATM understands that, which is why we implore online shoppers to "swipe" their own card information in our tamper-proof, PCI 2.0* PED providing a "dually authenticated," "3DES end-to-end encrypted" online debit solution. (with DUKPT) Don't call us alternative...the "alternative" is entering your card information "manually"...and having it get intercepted and "swiped" by the bad guys. Swipe...don't Type.
Cards will continue to be used for chip and PIN transactions and bank machine withdrawals. (Editor's Note: HomeATM uses the same bank rails used for bank machine withdrawals)
The protocol behind the contactless technology has not been made available to academic security researchers, according Cambridge University researcher Steven Murdoch, who expressed concerns that any security holes in the technology won't be found until after it has been rolled out.
"The problem with the UK contactless system is that it's secret, which means we have to reverse engineer it to point out vulnerabilities," Murdoch told ZDNet UK on Monday. "Contactless payment has been rolled out, but any security vulnerabilities will be pointed out after the banks can do anything about it."
Murdoch said that while security researchers were restricted from viewing the protocol, people with malicious intent would be able to view it. "I'm sure crooks will have a copy of the spec," said Murdoch. "People can get hold of a copy if they sign a contract saying they will not make any reports [about the protocol]. Any criminals could get hold of a copy of the specification, but academics are at a disadvantage."
A Barclays spokesperson told ZDNet UK on Monday that there had been extensive third party testing of the contactless system, and said that security risks around contactless payments had been mitigated.
Editor's Note: Yeah, by limiting transactions to 10 pounds. The money that hackers could steal is only 1% of what they could get by hacking into a system where they could steal 1000 pounds. So I suppose, in a bend it like Beckham way...that statement could be "bent" into somehow being being defended as true.
"Contactless is designed for small transactions, while users will periodically be asked for a PIN," said the spokesperson. "The card uses dynamic data authentication, in which a unique secret code is generated to authenticate each transaction, while the chip contains different information than the magnetic strip, to prevent cloning."
The Barclays spokesperson added that testers had concluded that it would not be economically viable for criminals to subvert the system. "The cost of intercepting the information doesn't justify how much could be made out of the information," said the spokesperson.
(Translation: Sure...we know it's not secure, but we limit the purchases that can be made with this insecure non-solution to 10 pounds, so that shouldn't interest the hackers. They can make more by concentrated on bigger payouts. Who needs prevention"...we've got 10 pounds of cure!)
Cambridge University researchers have said they have serious security concerns about chip and pin payments systems. Researchers Saar Drimer, Ross Anderson, and Murdoch published a paper on Thursday detailing security flaws in the Chip Authentication Programme (CAP) used for UK payments cards. The main problem for the researchers was that the some UK online cards payments systems using readers had been optimized for usability, to the extent of sacrificing security.
*HomeATM's personal SwipePIN device has been rigorously tested by Witham Laborities (1 of 8 certification outfits in the world) and found to meet or exceed PCI 2.0 requirements. Our device and the Witham Lab's report has been forwarded through the proper channels for PCI. 2.0 certification.