Guest Blog from David Birch: Not just contactless, but M&S contactless

Guest Blog: Not just contactless, but M&S contactless

Written by Consult Hyperion's David Birch, this is a version of a post that has previously appeared at Chyp.com's blog.

I rather like contactless cards. I like contactless watches more. And I like contactless phones even more than that. I’m a contactless fan. I find it rather convenient to nip in to get a coffee without having to remember my wallet, since I’ve always got my phone in my hand. I’m quite attached to my splendid Barclaycard OnePulse card: it is a regular chip and PIN card, contactless card and an Oyster card all in one. When I head into London for the day, I don’t take my main wallet with me, just my hip wallet with the OnePulse and my coffee loyalty cards. I wish there were more places that I could use it – principally the nice coffee shop on the platform at Woking station – but there you go. In this, as in so many other things, I remain in a minority.

According to a new study conducted by retail banking and ePayments software provider, Compass Plus, only one-in-10 British consumers reported to making a purchase using a contactless card in the last month, and 40 percent don’t even know what NFC payments technology is.

[From 05 - Are UK Consumers Clueless About Contactless Cards? | PYMNTS.com]

One of the places where I use my card, watch, phone or whatever else I happen to have with me is Marks & Spencer. Which reminds me. Not just contactless, but Marks & Spencer contactless, has been in the news of late.

But customers who got in touch with the Money Box show on Radio 4 said they were charged when the plastic was in their purse and well away from the readers – meaning they unwittingly paid twice. And sandwich chain Pret A Manger is said to be investigating similar claims by a customer whose card was more than 11inches from a reader.

A victim of the M&S error, identified only as Rosemary, told Money Box her Smile card was activated about a foot away from the reader at a store in Chichester, West Sussex – even though she was paying with her Lloyds debit card instead

[From Customers charged twice for items because contactless cards were activated from their pockets | Mail Online]

As I told the BBC researcher when I was asked about these reports, I think it highly unlikely that M&S is a source of dark energy, cold fusion or electromagnetic fields that defy the laws of physics. I simply do not believe the claims that the terminals read cards that were a foot away from the readers and nor do I believe claims that customers were “accidentally” double-charged. As someone observed in response to The Guardian article on same,

Not wanting to accuse anybody in the article of telling fibs but this doesn’t add up. Surely if the till took payment via contactless payment, how does then[sic] ask for the same payment again via Chip and Pin; i..e[sic] once payment is received said till usually spits out a receipt. [From Contactless cards: how safe is your money? | Money | The Guardian]

So let’s deal with this double-charging first. As you know, we’re not Powerpoint-and-waffle consultants, we’re get out and get real consultants. So Stuart and I set off to M&S with a variety of cards and tried transactions in more than one terminal. And you just can’t accidentally double charge. If you put a contactless card in the read range of the terminal, it executes the transaction just as specified. You can’t then insert a chip and PIN card and do another transaction – there isn’t a transaction pending. In order to pay twice, you would have to ignore the receipt that’s been printed out by the terminal and proceed with another transaction. I don’t see how this can happen accidentally. Maybe it’s a matter of staff training. If I was the checkout person and someone said “can you ring that up again”, I might ask why.

I’m sure that’s what happening, but the idea that the terminal might read both the contactless and contact cards and charge both needed further testing. Just because we couldn’t make it work in M&S doesn’t mean we couldn’t make it work elsewhere. We got out a Vx820 (this is the Verifone terminal that is used by M&S) and tried to replicate the failure mode, but we could not. When the chip and PIN card is inserted, the contactless interface is turned off correctly. We couldn’t get both types of card read simultaneously.

clip_image001

So the problem must be that someone swings their purse or their handbag or wallet over the contactless reader while searching for a chip and PIN card but they can’t be double-charged without a non-accidental intervention. Incidentally, on the way back from M&S we popped into Starbucks and discovered to our surprise that they had Vx820s installed as well, so we tried the experiment there too.

Now on to the claims that the terminals are reading cards from people’s backpacks. Is it plausible that the configuration of the M&S terminals means that customers are resting their handbags, wallets, purses or whatever on the readers so that their contactless card gets charged? Yes it is. Is it plausible that they are reading them a foot away. No it isn’t. Although I have a theory (strictly speaking, I should say that Stuart deduced a theory from the evidence of our experiments) as to what is happening.

But first, I wanted some facts. Since Consult Hyperion knows very literally everything about EMV, contactless, NFC and retail payments (we work for the issuers, schemes, card manufacturers, terminal manufacturers, acquirers and everyone else in the value chain), I went back to the office and pulled a few strings, called in a few favours, made a couple of calls. Well, actually, I went to talk to Katie Facey, who runs the Consult Hyperion test laboratory if we had any Vx820s around. It turned out that we did because we were messing around with them for one of our international clients, so I asked her to put a Vx820 into Marvin and run a test cycle for me. Marvin is our custom-built robot test rig for contactless and NFC. It’s a six-axis, laser-calibrated, computer-controlled marvel. With the Vx820 loaded, we set Marvin running to slowly bring contactless cards into range from different sides and measure how close the cards had to be to carry out a transaction.

Here are the test results.

Contactless Card Position Distance to Read
From Screen 7cm
From Keypad 1cm
Between Screen + Keypad 6cm
Screen Right 2cm
Keypad Right No txn
Screen Left 3cm
Keypad Left No txn
Reader Top 1cm
Reader Bottom No txn
From screen, back of reader 1.5cm
From Keypad, back of reader No txn
Between screen + keypad, back of reader No txn

clip_image002So, the terminals work as advertised and the maximum read range is not 30cm-40cm but under optimal conditions only 7cm and then when the card is placed dead centre to the screen over the contactless symbol. I think the 7cm gives us a clue as to what is happening.

I wander into M&S a buy a vanilla fudge bar. I have my wallet in my hand. I open it to take out my chip and PIN card. At this point, I am holding my wallet over the reader, less than 7cm away. There’s a contactless card in my wallet and the terminal reads it. I don’t see it register a payment because my wallet is covering up the screen of the PIN pad. I put my wallet in my other hand, or on the counter, or in my pocket or wherever 30cm-40cm away. Now I put the chip and PIN card in the reader and I notice that the transaction has completed because the contactless card (now 30cm away) has been read, so I write to The Daily Mail. Mystery solved.

I think, by the way, that it doesn’t do any of us (in the industry) any harm to read some of the general public’s comments on this story. Here are a few of the comments on the Guardian’s version of the story. (In which Charles Arthur was kind enough to quote me.) I would not, for one moment, want to mislead you into thinking that people who respond to articles in The Guardian are in any way a cross section of the great British public, but nevertheless the comments are worth leafing through.

  • This is the first that I have heard of contactless cards” which seems to confirm that survey results that I started with.
  • Then there was the cautious “So far I have not been offered a contactless card. Just as well, as I would never consider using one – far too risky”.
  • I appreciated the Ocker vote of confidence: “You’re all a bunch of paranoid luddites (tautology?). Contactless payment has been the norm in Australia for a couple of years now (with a maximum purchase value of $100 without a PIN) and there have been no reported problems yet”.
  • There was also the untrue “apps exist which draw down the encrypted data, it’s not difficult to find code online which decrypts this data and re-writes it to a phone, blank card or even hotel key card”. All of this is incorrect. The data isn’t encrypted, although it does carry a digital signature formed from a private key inside the chip (this is why you can’t clone EMV cards – because there’s no mechanism for reading this private key). You can’t re-write this data to make a counterfeit magnetic stripe card because the data passed over the contactless interface isn’t the same as the data on the magnetic stripe. As an aside, years ago a friend of mine rewrote his debit card stripe onto a coffee card that he took with him on his travels a couple of times. Thus if the card got lost or stolen, it would not appear of any value to a criminal! Sadly, since the advent of chip and PIN this avenue of fun has been blocked off.
  • There was also the pragmatic “I just have my oyster card on the other side of my wallet to the contactless credit card”, reflecting on the problem that a number of people have remarked on where if you present a contactless card and an Oyster together to an Oyster reader then they don’t work.
  • I loved the realistic “For a shop, debit cards are cheaper than cash, unless they are factoring VAT and income tax into the calculations”. It’s shame that I have to “factor” income tax into my own salary, but I can see why some shops might prefer not to.

My favourite, of course, was this one:

"If this guy said no way its not the cards, id[sic] be reassured, but clearly, this so called ‘consultant’ has no idea of the capabilities of NFC technology. he[sic] maybe a consultant, but not of payment technology, thats[sic] for sure."

Oh no. Rumbled. I’m afraid “toothbrushrampage” has seen through my obviously faked photographs, my bogus test results and my so-called “measurements” to uncover the conspiracy. Yes: the banks are in it with Marks & Spencer! The banks have been issuing cards that M&S terminals can spy on while you drive past in your car, thereby occasionally charging you twice for the same sub-£20 transaction and hoping that you won’t notice it. It was a brilliant plan, and we might have got away with it if it hadn’t been for you darn kids.

These are personal opinions and should not be misunderstood as representing the opinions of  Consult Hyperion or any of its clients or suppliers.

Leave a Comment

Current ye@r *