App/Card features


#1

I currently work for one of the ‘big four’, and love the real-time balance on mondo for a start. I do think their app is great, but think it could be improved by being able to have more control over the features of the debit card:
- temporarily cancel/disable a card: the number of times I’ve ‘lost’ my card and it turns out I just left it at home, and the choice is either waiting a week for it to be sent out in the post or stressing that someone may have got their hands on it.
- turn contactless on/off: not so much for me, but whenever my occupation is found out, people invariably start talking about their new contactless card and how ‘unsafe’ it is.
- ability to set transaction/withdrawal limits: this occurred to me after a recent stag weekend…
- building on that, being able to block the card from ATMs?
- PIN reminder: I’ve had to use this once, with a rarely used credit card. I passed a few security measures and my PIN was revealed online. Seriously impressive, and so much easier than being on hold for 20 minutes and then waiting a week for it to be sent in the post.
Would be interesting to see if these are feasible…


(related to Monzo CEO, Investor in Monzo) #2

You can already freeze your card if you misplace it :wink: Freezing your card as your default choice until you need/want to use it would turn contactless off; again, freezing your card would block ATMs. Can’t help with the stag do :wink:


(Andrew Ross) #3

Like these ideas, particularly the withdrawal/spend limits…


(Hugo Cornejo) #4

I wonder if people’s “fear” towards contactless/certain kinds of transactions disappears once you have real-time notifications. As in, if someone gets to use my card for something fraudulent, I get the notification instantly and I get to freeze the card and contact customer support while the fraudster is still in the shop.

I can imagine some kind of fine-tuned control for the card at some point (accept or not e-commerce transactions, etc.), but I have the feeling that it may be one of those clever technical solutions in search of an actual problem… When was the last time that you had this kind of problem?


(Rika Raybould) #5

EVERY SINGLE TIME.

I’m going to be very happy when everyone moves to Apple/Android Pay so they can stop bugging me about the lack of authentication on contactless cards. My current stock reply is “That is why contactless has a £30 limit and why you should call your bank immediately if you lose a card or have one stolen”.

The example everyone has pointed to is the picture of a handheld terminal on the Underground and the person swiping it up against pockets. It is an attack that relies on offline capabilities and is not going to last very long if everyone calls in about the charge on their statement. You could still harvest the long card numbers and expiry date, along with a small amount of usage history, using an Android phone, though, I suppose.


(Andrew Ross) #6

Is contactless limited to £30? I’m sure I’ve done more before? Maybe that was with Apple Pay?


(Rika Raybould) #7

Apple Pay supports CDCVM with properly configured terminals (expect more merchants to support this over the next year). The basic overview is that it’s a verification method where the device can confirm that Touch ID/a passcode was used, so it’s treated with the same limits as entering a PIN on the terminal.


(knows someone who knows Tom quite well) #8

This is why I have a wallet with RF screening built in!


(James Billingham) #9

RichardR was pointing out that it’s incredibly annoying that people raise these concerns about contactless all the time, because they’re largely without merit. Contactless is safe. Contactless will never result in you losing your money. You do not need to be adding any shielding to your wallet.


(knows someone who knows Tom quite well) #10

Depends what you mean by safe: I’d rather not have my card details harvested and sold on the darknet, as the hassle of sorting it all out is more than I wish to go through.

And of course, what is not crackable today could well be crackable tomorrow…


(James Billingham) #11

Contactless cannot be used to harvest card details under any circumstances. Don’t worry - the people who built it aren’t complete idiots :slight_smile:


(Rika Raybould) #12

Hang on, I can pull all of this information over contactless using just an Android device (card number redaction mine). In some Visa implementations, I can even pull cardholder name and more information about each transaction.

I wouldn’t say that the fears are unfounded, just that I’m tired of being complained at as if I was personally responsible for the entire specification or something.

Now, Apple Pay is MUCH better. Even though the phone can be activated from sleep by touching it against a reader, nothing is sent until you successfully authenticate with Touch ID or passcode (on the Watch, it does not even respond unless you double-click the button). Even then, the device vibrates and makes a noise (bypassing mute on the Watch) while transmitting only a much less useful device ID with no obtainable transaction log and no personal information, and it forces the transaction to go online for the notifications.


(James Billingham) #13

Bear in mind, though, that that data is only equivalent to the contents of the magstripe, which isn’t exactly considered trusted.


(knows someone who knows Tom quite well) #14

But it can be used for customer-not-present fraud, leading to cancelled cards, phone calls to get charges reversed and a wait for new cards.

All solved by blocking access to illicit readers using an RF shielded wallet.


(Rika Raybould) #15

Very true; it’s just easier to harvest in bulk over contactless than magstripe.


(knows someone who knows Tom quite well) #16

Interesting development…


(Rika Raybould) #17

I’m not even surprised. If I can build a working card data harvester, I have little doubt those with monetary motivation could complete the clone.

It should be noted that this is completely useless against Apple Pay and likely also Android Pay. Apple Pay at least requires user intent to pay/authentication, and what does get transmitted is all tokens and device identifiers that are useless to clone on to a physical card.


(Adam) #18

100% wouldn’t work against Apple Pay due to Touch ID; however, with Android Pay, payments under £30 work without verification (like contactless cards).


(Rika Raybould) #19

Yup. Going for money with a terminal, Android Pay would authorise you for up to £30 from the default card, while Apple Pay wouldn’t even respond beyond waking the device to the card selection screen.

If you were wanting to go for card cloning, though, even if you did authorise, Apple Pay would give nothing of value to fraudsters (just a device identifier and a one-time token). I just haven’t tested Android Pay personally, as none of my cards are supported, but I’ve been told it works similarly if not identically, minus the differences in when it requires that verification.
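Pulling the thread together, here is a small authorisation-policy model, added as an example (not Monzo’s code or anything from this thread’s posters), that turns the controls discussed above into explicit checks: a frozen card declines everything, including contactless and ATM use (post #2); an unverified contactless tap is capped at the £30 limit from posts #5 and #18, while a CDCVM- or PIN-verified tap is treated like chip-and-PIN (post #7); and the optional per-transaction and withdrawal limits from post #1 apply on top. All class and field names and the pence constant are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

CONTACTLESS_NO_CVM_LIMIT_PENCE = 3000  # the thread's £30 cap for unverified taps, in pence

class Channel(Enum):
    CHIP_PIN = "chip_pin"
    CONTACTLESS = "contactless"
    ATM = "atm"

class CVM(Enum):
    NONE = "none"    # plain tap, nothing verified
    PIN = "pin"      # PIN entered on the terminal
    CDCVM = "cdcvm"  # verified on the consumer device (Touch ID / passcode), as in post #7

@dataclass
class CardControls:
    """Per-card switches a customer could toggle in the app (hypothetical model)."""
    frozen: bool = False
    contactless_enabled: bool = True
    atm_enabled: bool = True
    per_transaction_limit_pence: Optional[int] = None
    withdrawal_limit_pence: Optional[int] = None

@dataclass
class Transaction:
    amount_pence: int
    channel: Channel
    cvm: CVM = CVM.NONE

def authorise(controls: CardControls, tx: Transaction) -> Tuple[bool, str]:
    """Return (approved, reason), checking the broadest control first."""
    # A freeze beats every other switch: it also stops contactless and ATM use (post #2).
    if controls.frozen:
        return False, "card frozen"
    if tx.channel is Channel.CONTACTLESS:
        if not controls.contactless_enabled:
            return False, "contactless disabled"
        # Unverified taps are capped; a CDCVM or PIN tap is treated like chip-and-PIN (post #7).
        if tx.cvm is CVM.NONE and tx.amount_pence > CONTACTLESS_NO_CVM_LIMIT_PENCE:
            return False, "contactless limit exceeded without cardholder verification"
    if tx.channel is Channel.ATM:
        if not controls.atm_enabled:
            return False, "ATM withdrawals blocked"
        if controls.withdrawal_limit_pence is not None and tx.amount_pence > controls.withdrawal_limit_pence:
            return False, "withdrawal limit exceeded"
    if controls.per_transaction_limit_pence is not None and tx.amount_pence > controls.per_transaction_limit_pence:
        return False, "per-transaction limit exceeded"
    return True, "approved"
```

The ordering matters for the user experience described in post #4: the freeze is evaluated before any channel-specific rule, so a customer who freezes the card from a fraud notification stops every channel at once rather than relying on the £30 cap.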