[tialaramex]

It definitely doesn't hurt to ask questions, even if you don't always get answers

Many years ago I asked my employer why my salary was lower than the contractually agreed minimum salary for 21 year olds in their organisation. I never received a reply but I did receive a raise and pay backdated to the point where I was hired.

Years before that I asked my bank why I can't just use all the ATMs since they all have money in them and they're all connected to the same network. I never received a reply but some years later the ATMs were indeed all usable (of course, subsequently many began to charge money for withdrawals, so it's still worth going to the "right" ATM if you care)

More recently I asked my bank if they can avoid giving me a contactless capable credit card when they issue new cards. At first they said this was impossible, but when time came to renew my card and I mentioned being disappointed that it would now be contactless, the call taker said actually she can do that, she'll cancel the renewed card she's just had issued and send me one without contactless, but it will take a few days.

That card expired, and a few months ago I received its automatic replacement, this time it does have the contactless logo like all the others, but it came with a slim "Contactless-less" sheet explaining that the bank noticed I don't want a contactless card and have told this card not to allow contactless transactions despite the logo however, it is actually a contactless card and so if I change my mind I can just call the bank and activate the contactless feature.

[ You might wonder why I don't want a contactless card. Contactless credit cards can OK modestly sized payments based on proximity, which is convenient but clearly poses a risk of fraud I don't want. My phone is also capable of proximity based transactions, but it is not limited to some arbitrary size of transaction and I need to explicitly unlock it to allow the transaction. So, the phone "is" my credit card for the purposes of routine transactions, but it has better security. ]

[hakfoo]

I used contactless for a $150 purchase this weekend, and it seemed so strange. The shop was clearly trying to do the modern commerce setup, with tablets running some sort of Square product and not getting up to go to a central till to pay.

I work in fintech, and have a lot of contact with UK developers who mention "the contactless limits are creeping up from GBP30 to GBP100". This in a country which is way more familiar with modern card tech. Meanwhile, my American bank, which probably gets 250 calls a day asking "why does my card have a Wi-Fi logo on it?" will seemingly let me unload my entire account with a tap.

[jacquesm]

> Years before that I asked my bank why I can't just use all the ATMs since they all have money in them and they're all connected to the same network. I never received a reply but some years later the ATMs were indeed all usable (of course, subsequently many began to charge money for withdrawals, so it's still worth going to the "right" ATM if you care)

This happened not because of you asking but simply because the banks figured out that they only need one ATM in a certain region for all of the banks.

Never mind the subsequent service level reduction.

[exabrial]

I'd read up on how the protocol works... There could be a live "relay" attack available , but it's not like someone could just swipe your butt and make a bunch of cloned cards. The magstripe is more of a hazard than anything else as it the numbers on the front un-encrpyted.

[tialaramex]

I'm aware in considerable detail how EMV works, both for wired and wireless transactions. This was a choice made in light of my understanding of how flawed the technology is.

See Ross Anderson's extensive material (sorry there's a lot of other stuff in here too) at Light Blue Touchpaper (a reference to Cambridge University's traditional colour and the instructions on fireworks):

https://www.lightbluetouchpaper.org/