Jump to content

Manually Disabling Thai Bank Debit Card "Tap To Pay" Function "Security Flaw" or "Convenience"? Up To You...


Recommended Posts

2 minutes ago, NanLaew said:

A lot easier just to read the terms and conditions you agreed to when you accepted and started using your contactless payment card.

Wrong.

 

The problem would still exist whether I read the agreement or not.  As I stated in my original post, there are no debit card options other than those that also have the "tap and pay" function.

Link to comment
Share on other sites

10 minutes ago, phetphet said:

Isn't there a small daily limit on "Tap to Pay"?

I just double checked.  I remembered the limit incorrectly for my original post.  My bank has a 100,000 THB daily limit, not 500,000 THB.  Still too high in my opinion.

Link to comment
Share on other sites

57 minutes ago, NotReallyHere said:

I wanted to use the debit card, expecting her to slide it into the reader and that I would then enter the card's PIN.  Instead she took my card, tapped it against the reader and handed it back to me.  The PIN entry was bypassed.  To me, this is a security flaw. 

From Visa...

"No signature [PIN?] is required for most transactions under THB 1,500, for added convenience".

Looks like your B100,000 limit isn't a problem as over B1,500 verification would be necessary.

 

"Is using Tap to Pay with Visa secure for my customers?
Yes. Tap to Pay with Visa utilizes multiple layers of security to protect transactions, including cryptography and secure network processing. Customers also benefit from Zero Liability for all unauthorized purchases made with their Tap to Pay with Visa card or mobile device.

 

Edited by Liverpool Lou
  • Thanks 1
Link to comment
Share on other sites

You can set your daily limit yourself and change it whenever you choose. (Kasikorn)

 

Also in the Uk as an example contactless will only work upto I think its £30 after that it has to be PIN.

 

The idea was SMALL amounts were quicker and easier(like buying a coffee etc).

AFAIK.

Link to comment
Share on other sites

43 minutes ago, Liverpool Lou said:

From Visa...

"No signature [PIN?] is required for most transactions under THB 1,500, for added convenience".

Looks like your B100,000 limit isn't a problem as over B1,500 verification would be necessary.

 

"Is using Tap to Pay with Visa secure for my customers?
Yes. Tap to Pay with Visa utilizes multiple layers of security to protect transactions, including cryptography and secure network processing. Customers also benefit from Zero Liability for all unauthorized purchases made with their Tap to Pay with Visa card or mobile device.

 

I appreciate the information from VISA.

 

Still...  The THB100,000 is the daily limit, not necessarily the transaction limit.  Granted, THB 100,000 would be difficult to achieve with multiple 1,500THB transactions.  But the possibility still exists if the thief is dedicated.  Online it could happen quickly.  Buying Bitcoin or Gift Cards, maybe?

 

I don't trust the "Zero Liability".  The card is connected to a bank account.  It's not a credit card.  Who knows how long it takes to convince the bank or VISA that the transactions were unauthorized.  And in the mean time, I won't have any cash in my bank account.  If VISA has a true "Zero Liability" policy, then fraud would be through the roof.  People making false claims against their own card transactions.  I think the $50 liability seen on most credit cards is to decrease (somewhat) people committing fraud on their own cards.

Link to comment
Share on other sites

47 minutes ago, Liverpool Lou said:

You can alter your card's payment limits!

Yes, but what I didn't like was that the bank automatically set the default at the highest amount (which I incorrectly remembered as 500K, actually 100K - not as dramatic).  20,000THB is my bank's lowest limit.

 

Also, can't alter the card payment limit online or through their app.  You have to go to an ATM.  Doable, but awkward, I thought initially.  In retrospect, I suspect it is supposed to be a security feature.  You possess the card and are on camera changing the limit.

Link to comment
Share on other sites

Tap to pay is not a security flaw. As far as I know the PIN gets asked every so often and it gets asked when the amount is no longer small.

 

By swiping your card it could get cloned. Swiping is what you should be suspicious of!

  • Like 1
Link to comment
Share on other sites

28 minutes ago, JackGats said:

By swiping your card it could get cloned. Swiping is what you should be suspicious of!

Sorry, but a tap card can be cloned while it's still in your wallet by someone walking behind you with a relatively cheap scanner. That's why the current trend is to have an rfid blocking wallet that prevents the scanning.

  • Thanks 1
Link to comment
Share on other sites

59 minutes ago, CharlieH said:

You can set your daily limit yourself and change it whenever you choose. (Kasikorn)

 

Also in the Uk as an example contactless will only work upto I think its £30 after that it has to be PIN.

 

The idea was SMALL amounts were quicker and easier(like buying a coffee etc).

AFAIK.

My bank has five payment limit levels (0/20K/30K/50K/100K).  Changing the payment limit can only be done at an ATM (not online or through the bank app).  If I'm at the ATM, I'll just pull the cash I need.

 

I would prefer "0" limit with the "tap and pay" and 30K with all PIN verified transactions.  Getting that mix is only possible by disabling the "tap and pay" function manually.

 

I agree that contactless is quicker and easier, but I think for those times that I'm not carrying enough cash, entering a PIN is quick and easy enough.

 

In general, I'm bothered that the banks don't give customers an option of turning off contactless payments.  Surely, it is technologically possible.  Primarily, I'm concerned about the security.  Opportunity makes a thief.  I've had petty amounts stolen from me here.  Stealing a card for a few contactless payment transactions wouldn't be unthinkable.  It wouldn't be a huge loss for me, but a pain in the ass I can easily avoid with a little cut in the card.

 

I'm not normally a conspiracy theorist, but I suspect this is all an attempt to get us to slowly get used to the idea of using our phone for contactless payments.  The point of that would be to track us better so that we can be profiled and marketed to more effectively.  I don't want to be tracked or profiled any more than I already am.  That is one of the reasons I use cash for 95% of my transactions.

Link to comment
Share on other sites

37 minutes ago, JackGats said:

Tap to pay is not a security flaw. As far as I know the PIN gets asked every so often and it gets asked when the amount is no longer small.

 

By swiping your card it could get cloned. Swiping is what you should be suspicious of!

You make a good point, however, I rarely use the debit card.  I use cash.  If I forget cash (which rarely happens) I use the debit card (at reputable establishments only).  I make frequent small cash withdrawals from ATMs which are EVERYWHERE.  I'm not bothered by the "inconvenience".  For someone with my usage profile, I think contactless payments pose a bigger threat for fraud than cloning.  I'm much more likely to have my card stolen than cloned.  I've been pick-pocketed twice in 4 years in SE Asia.  I don't think cloning happens here as often as it does in the West.  I may be wrong...

Link to comment
Share on other sites

32 minutes ago, gargamon said:

Sorry, but a tap card can be cloned while it's still in your wallet by someone walking behind you with a relatively cheap scanner. That's why the current trend is to have an rfid blocking wallet that prevents the scanning.

This was a consideration of mine also.  I did, however, read somewhere that the new cards require much more proximity to be read by the scanner.  Also, there is encryption between the VISA card and the VISA card reader that cheap scanners can't crack.  I think cloning by passing by someone on the subway has become more difficult.  Either way, not a concern of mine anymore now that I've cut the card's antenna.

Link to comment
Share on other sites

5 hours ago, gargamon said:

Sorry, but a tap card can be cloned while it's still in your wallet by someone walking behind you with a relatively cheap scanner. That's why the current trend is to have an rfid blocking wallet that prevents the scanning.

I thought if you had 2 cards against one another no remote reading was possible. 

Link to comment
Share on other sites

5 hours ago, gargamon said:

Sorry, but a tap card can be cloned while it's still in your wallet by someone walking behind you with a relatively cheap scanner. That's why the current trend is to have an rfid blocking wallet that prevents the scanning.

Nah. Tap to pay is normal in most countries and has led tona reduction in fraud due to merchant  controls

Link to comment
Share on other sites

7 hours ago, The Hammer2021 said:

Nah. Tap to pay is normal in most countries and has led tona reduction in fraud due to merchant  controls

"Tap to Pay" is basically cash.  There are no "merchant controls".  That is the point.  The merchant doesn't check ID.  The merchant doesn't require a PIN.  You can set a daily payment limit, but unless you have taken the effort to do this, the default is probably your bank's highest limit.  In my case, 100,000 THB.

 

Let's do an experiment.  Meet me at the mall with your card.  We'll give your card to a mototaxi guy I know.  He'll be wearing a floppy hat, sunglasses and COVID mask.  Basically, unidentifiable.  We'll tell him he can use your card to make as many purchases as he wants as long as they are under 1,500 THB each and only one purchase per store.  He has to come back with the card when the "merchant controls" kick in.  You don't have to worry about any consequences of our little experiment because according to another poster, VISA assures "Zero Liability" for fraudulent purchases made with "Tap to Pay".

 

And let's not kid ourselves.  We are all paying for the "Zero Liability" policy of VISA through higher fees and higher interest rates.  They are offsetting their losses with their fee structure.

Link to comment
Share on other sites

7 hours ago, Everyman said:

I’ve been trying to get my tap to pay card to work but it doesn’t. Which bank is this? Where did you use it?

 

Also i dont know if you are from the UK but you need tap to pay there to pay for things 

Are you using a debit card issued by a Thai bank?  Does it have the VISA "tap to pay" logo?  You should be good to go.  If not, take it to the bank.

 

I used my Thai debit card at 7Eleven to test my antenna modification and prior to that at a "Western standard" mall in town.

 

I don't use my Thai bank debit card outside of Thailand.  In Europe or the US, I just do without items that have purchase conditions that I disagree with.  There is often a work around, even if it is sometimes cumbersome.  I'm not a convenience junkie.

Link to comment
Share on other sites

20 hours ago, CharlieH said:

Also in the Uk as an example contactless will only work upto I think its £30 after that it has to be PIN.

£100

 

5 hours ago, NotReallyHere said:

And let's not kid ourselves.  We are all paying for the "Zero Liability" policy of VISA through higher fees and higher interest rates.  They are offsetting their losses with their fee structure.

It's saving us money with the reduced level of fraud which we all end up paying for.

Link to comment
Share on other sites

6 hours ago, treetops said:

It's saving us money with the reduced level of fraud which we all end up paying for.

I've read otherwise.  There is a phenomena called "first-party fraud".  Supposedly, it significantly dwarfs reported fraud.  An honest form of "first-party fraud" is when a cardholder makes a quick contactless payment, doesn't remember making it and refuses to pay.  A dishonest type "first-party fraud" is when a cardholder knowingly makes a contactless transaction and then refuses to pay, claiming they didn't make the transaction (but that their card was not lost or compromised).  The cardholder blames "technology" or "system error".  These transactions are not reported as "fraud" by the cardholders and do not appear in the fraud statistics.  These types of disputes are increasing as countries like the UK increase the contactless limit from 30 to 100 pounds and they supposedly dwarf reported fraud claims.  Had the cardholders been forced to slow down and enter a PIN, it would be much more difficult to dispute these charges.

 

Again, costs for these unpaid transactions are passed on to all VISA consumers, whether they use contactless or not.

Edited by NotReallyHere
typo
Link to comment
Share on other sites

 Register your card on Google Pay and leave your card at home if your worried about it's security.

I had my Visa credit card compromised in Canada, Visa called me at 2:00AM to check on a charge. The charge wasn't mine so the rep said the card is now dead, effective immediately. The charges were also reversed.

The card was compromised by using it for Internet payments, not by tapping it.

However she told me if I had the card registered for use with Google Pay I could still use my phone to pay for things with the same credit card number.

She also said that Google Pay's security is multitudes better than Visa's.

 

 

Link to comment
Share on other sites

On 6/29/2022 at 2:32 PM, treetops said:

I don't know what you've read, but do you seriously think the banks would persevere with a system that increased fraud no matter who incurs the costs?

Absolutely.  Of course they would.  Banking is a business.  The bottom line matters, first and foremost.  Banks are not ethical entities.  There are plenty of examples of banks creating lending programs that were not in the best interest of the customers assuming the loans.  The banks didn't care.  They structured the loans so that they were covered.

 

Fraud risk is like credit risk.  As long as the risk is covered with fees and interest rates, it doesn't matter to the bank if they are losing money because someone steals or someone dies with a large credit balance but no estate to pay off the debt.  Ultimately, the loss is recouped with fees and interest payments.  Banks are like insurance companies.  They manage risk such that they always come out ahead.  Have banks and insurance companies failed?  Of course they have.  But usually due to unusual, unforeseen circumstances.  The banks are well aware people will commit fraud.  Actuaries calculate the risk and set the price.  Fees/interest, for banks, premiums for insurance companies.  As the risk changes, fees, interest rates, premiums, etc are adjusted.

 

But this is getting way off track of the purpose of this thread.  You may or may not be a fan of contactless payments.  If you aren't, I hope I've provided an easy workaround for the problem of not being able to turn off the function with the assistance of your bank.

  • Sad 1
Link to comment
Share on other sites

On 6/29/2022 at 2:24 AM, kwonitoy said:

Register your card on Google Pay and leave your card at home if your worried about it's security.

I had my Visa credit card compromised in Canada, Visa called me at 2:00AM to check on a charge. The charge wasn't mine so the rep said the card is now dead, effective immediately. The charges were also reversed.

The card was compromised by using it for Internet payments, not by tapping it.

However she told me if I had the card registered for use with Google Pay I could still use my phone to pay for things with the same credit card number.

She also said that Google Pay's security is multitudes better than Visa's.

I realize it doesn't matter to some people, but I am very much averse to being tracked by Google, Apple, etc.

 

I think the fact that a person could still use their phone to pay after the card number is compromised shows the degree of confidence Google has that they have tracked the person successfully.

Link to comment
Share on other sites

6 hours ago, NotReallyHere said:

I realize it doesn't matter to some people, but I am very much averse to being tracked by Google, Apple, etc.

 

I think the fact that a person could still use their phone to pay after the card number is compromised shows the degree of confidence Google has that they have tracked the person successfully.

I don't know how you make the connection between using Google pay with my phone to be tracked by Google.

I don't really like the tracking by Google either, it's why I've got it turned off, along with most other features.

If you have a phone law enforcement can always find your location these days

Google pay is simply an electronic form of your credit card.

You don't like these options along with the tap and pay. So be it.

In Thailand you can get by with cash and I did for many years.

Now that I live in Canada cash is almost an extinct thing and I've always got my phone with me.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.



×
×
  • Create New...