App/Card features

Currently work for one of the ‘big four,’ love the real-time balance on Mondo for a start. I do think their app is great but think it could be improved by being able to have more control over the features of the debit card:
- temporarily cancel/disable a card - the number of times I’ve ‘lost’ my card and it turns out I just left it at home - and the choice is either waiting for a week for it to be sent out in the post or stressing someone may have got their hands on it.
- turn contactless on/off - not so much for me, but whenever my occupation is found out, people invariably start talking about their new contactless card and how ‘unsafe’ it is.
- ability to set transaction/withdrawal limits - this occurred to me after a recent stag weekend…
- building on that, being able to block the card from ATMs?
- PIN REMINDER - I’ve had to use this once, with a rarely used credit card - passed a few security measures and my PIN was revealed online. Seriously impressive and so much easier than being on hold for 20 minutes and then waiting a week for it to be sent in the post.
Would be interesting to see if these are feasible…

4 Likes

You can already freeze your card if you misplace it :wink: Freezing your card as your default choice until you need / want to use it would turn contactless off; again, freezing your card would block ATMs - can’t help with the stag do :wink:

Like these ideas particularly the withdrawal / spend limits…

I wonder if people’s “fear” towards contactless/certain kinds of transactions disappears once you have real-time notifications. As in, if someone gets to use my card for something fraudulent I get the notification instantly and I get to freeze the card and contact customer support while the fraudster is still in the shop.

I can imagine some kind of fine-tune control for the card at some point (accept or not ecommerce transactions, etc.) but I have the feeling that it may be one of those clever technical solutions in search of an actual problem… When was the last time that you had this kind of problem?

5 Likes

EVERY SINGLE TIME.

I’m going to be very happy when everyone moves to Apple/Android Pay so they can stop bugging me about the lack of authentication on contactless cards. My current stock reply is “That is why contactless has a £30 limit and why you should call your bank immediately if you lose a card or have one stolen”.

The example everyone has pointed to is the picture of a handheld terminal on the Underground and the person swiping it up against pockets. An attack that relies on offline capabilities and is not going to last very long if everyone calls in about the charge on their statement. You could still harvest the long card numbers and expiry date along with a small amount of usage history using an Android phone though I suppose.

1 Like

Is contactless limited to £30? I’m sure I’ve done more before? Maybe that was with Apple Pay?

Apple Pay supports CDCVM with properly configured terminals (expect more merchants to support this over the next year). The basic overview is that it’s a verification method where the device can confirm that Touch ID/a passcode was used so it’s treated with the same limits as entering a PIN on the terminal.

3 Likes
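
The card controls asked for in the opening post (freeze, contactless toggle, ATM block, spend limit) and the CDCVM rule described above, as an added example that is not part of any post in this thread: a simplified issuer-side authorisation check. All class, field and reason names are hypothetical, the £30 figure is the limit quoted in the thread, and the sketch assumes the contactless toggle covers every contactless payment.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Channel(Enum):
    CHIP = "chip"
    CONTACTLESS = "contactless"
    ATM = "atm"

class Cvm(Enum):          # cardholder verification method reported for the payment
    NONE = "none"         # plain tap, no verification
    PIN = "pin"           # PIN entered on the terminal
    CDCVM = "cdcvm"       # device confirmed Touch ID / passcode

# The contactless limit quoted in the thread, in pence.
CONTACTLESS_NO_CVM_LIMIT_PENCE = 3000

@dataclass
class CardControls:       # user-set switches (hypothetical field names)
    frozen: bool = False
    contactless_enabled: bool = True
    atm_enabled: bool = True
    per_txn_limit_pence: Optional[int] = None

@dataclass
class AuthRequest:
    amount_pence: int
    channel: Channel
    cvm: Cvm = Cvm.NONE

def authorise(controls: CardControls, req: AuthRequest) -> Tuple[bool, str]:
    """Return (approved, reason); the first failing control wins."""
    if controls.frozen:
        return False, "card_frozen"
    if req.channel is Channel.ATM and not controls.atm_enabled:
        return False, "atm_blocked"
    if req.channel is Channel.CONTACTLESS:
        if not controls.contactless_enabled:
            return False, "contactless_disabled"
        # An unverified tap is capped; PIN or CDCVM lifts the cap.
        if req.cvm is Cvm.NONE and req.amount_pence > CONTACTLESS_NO_CVM_LIMIT_PENCE:
            return False, "cvm_required"
    limit = controls.per_txn_limit_pence
    if limit is not None and req.amount_pence > limit:
        return False, "over_user_limit"
    return True, "approved"
```
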

This is why I have a wallet with RF screening built in!

RichardR was pointing out that it’s incredibly annoying that people raise these concerns about contactless all the time, because they’re largely without merit. Contactless is safe. Contactless will never result in you losing your money. You do not need to be adding any shielding to your wallet.

Depends what you mean by safe - I’d rather not have my card details harvested and sold on the darknet, as the hassle of sorting it all out is more than I wish to go through.

And of course, what is not crackable today could well be crackable tomorrow…

Contactless cannot be used to harvest card details under any circumstances. Don’t worry - the people who built it aren’t complete idiots :slight_smile:

Hang on, I can pull all of this information over contactless using just an Android device (card number redaction mine). In some Visa implementations, I can even pull cardholder name and more information about each transaction.


I wouldn’t say that the fears are unfounded, just that I’m tired of being complained at as if I was personally responsible for the entire specification or something.

Now, Apple Pay is MUCH better. Even though the phone can be activated from sleep by touching it against a reader, nothing is sent until you successfully authenticate with Touch ID or passcode (on the Watch, it does not even respond unless you double click the button). Even then, the device vibrates and makes a noise (bypassing mute on the Watch) while transmitting only a much less useful device ID with no obtainable transaction log and no personal information, and forces the transaction to go online for the notifications.

1 Like

Bear in mind though, that data is only equivalent to the contents of the magstripe, which isn’t exactly considered trusted.

But it can be used for customer not present fraud, leading to cancelled cards, phone calls to get charges reversed and a wait for new cards.

All solved by blocking access to illicit readers using an RF shielded wallet.

1 Like

Very true, it’s just easier to harvest in bulk over contactless than magstripe.

Interesting development…

I’m not even surprised. If I can build a working card data harvester, I have little doubt those with monetary motivation could complete the clone.

Should be noted that this is completely useless against Apple Pay and likely also Android Pay. Apple Pay at least requires user intent to pay/authentication and what does get transmitted is all tokens and device identifiers that are useless to clone on to a physical card.

100% wouldn’t work against Apple Pay due to the Touch ID; however, with Android Pay, payments under £30 work without verification (like contactless cards).

Yup. Going for money with a terminal, Android Pay would authorise you for up to £30 from the default card while Apple Pay wouldn’t even respond beyond waking the device to the card selection screen.

If you were wanting to go for card cloning though, even if you did authorise, Apple Pay would give nothing of value to fraudsters (just a device identifier and a one time token). I just haven’t tested Android Pay personally as none of my cards are supported but I’ve been told it works similarly if not identically minus the differences in when it requires that verification.

1 Like