What's NFC? PayPal lobs Chip and PIN readers at UK small biz
Just as the world moves to pay-by-bonk
Accepting credit cards just got even easier, with PayPal and iZettle both announcing Chip and PIN readers suitable for European markets where mag-stripes are considered passé.
PayPal Here has been around in the US for a while, allowing merchants to take credit-card payments into their PayPal accounts, but like rival service iZettle and the much-hyped Square it uses only the magnetic stripe - which is considered too insecure for European offerings. But now PayPal and iZettle have introduced Chip and PIN offerings, with wireless connections to smartphone apps, just as the industry moves on to NFC.
Neither device is much larger than the cards they read, and both sport a keypad and a Bluetooth connection to a smartphone app. iZettle manages a small screen, while PayPal's offering relies on LEDs to show success, but beyond the cosmetics there's not much to choose between the two.
Chip and PIN dominates credit-card payments across Europe, and has led to an immediate drop in fraud as thieves have had to move into cardholder-not-present transactions - such as internet ordering, which require a delivery address and other traceable details. Americans have so far stuck with magnetic stripes and signatures for securing physical transactions.
Verifying identity by signature is fraught with difficulties: while experts might be able to confidently spot a forged Hancock, the gas station attendant lacks those years of training and these days rarely even pretends to check, so America is being pushed relentlessly towards Chip 'n' PIN too, which might explain PayPal's interest in the tech.
Using a PIN everywhere does make it less secure, vulnerable to shoulder-surfing, but that's offset by the impossibly-difficult-to-copy chip embedded in the card, so our thief needs good eyesight and light fingers to profit from the deed.
PayPal Here is aimed at small businesses who don't have the margins for traditional card processors, though it joins a host of existing offerings including Sail from Verifone and mPowa, which launched its own Chip 'n' PIN offering last month.
Accepting NFC payments should require just a small tweak to the software, once the smartphones concerned all have NFC built in. But by then everyone will be jumping into the business, so the time to grab customers is now - as PayPal is well aware. ®
There's a shop local to me that will sell you any number of near-identical chips.
They do fish as well.
The question is: A market trader says that you can pay with your card. He offers you a mobile phone with a gizmo attached to it. Do you
a: Say, no thanks I'll pay by cash.
b: Put your card into an impossible to verify piece of hardware hooked up to someone's mobile?
Hmm. Tough one. I think I'd prefer a proper GSM connected C&P PED.
A certain Pin/Chip reader manufacturer ...
who manufactures motorised card reader/writers had a test ROM that allowed for duplication. The cards have no logos (i.e. blank) and are intended for test and production purposes.
A technician friend works there and I made my own machine and he supplied the ROMs. Cost was around $320 - using my own PCB. The quick copy procedure is called a 'Yes' card. The version that takes longer yet to copy, with multiple read/writes of the 'master' card, which is because it has to test some code in a card being copied.
My wife has a copy of my card, the codes are contained in a small safe in our house. In the event of my death she will be able to continue to transact ATM business.
Banks seemingly don't do sophisticated checks as I was in the UK last year and used an ATM and then, receiving an SMS/text from me, my wife used her card in an ATM physically thousands of miles/kilometres away successfully within minutes of my use. Obviously banks believe in fast travel.
Even more susceptible are the PIN/chip readers in stores - they are designed to be remote programmed. The 'floor' levels are often changed at busy seasons. Leave the power off on a terminal overnight and see what doesn't happen.
We can also clone cell SIM chips, the easiest is a 'virgin' chip that has never been used, which can be obtained quite easily.
So much for security. As long as the banks are satisfied PIN/chip is secure, their smugness will allow us to continue copying cards. I even told a bank manager cards could be copied - he said that his information is that they are totally secure.
These unique "unpredictable numbers" aren't so unpredictable. My SecureCard is so secure I have a list of numbers in a file on my Note 2 which I can use to fool the HSBC computer. Usually it makes a request for one or two entries, just as with the real 'Secure'Key. Go figure.
What is secure is the password to the file!