by miki123211 382 days ago
> The protection comes from the contracts and regulations between the shops and the banks.

While the comment is not quite true (see sibling replies), this part is spot on.

This is also why crackpot theories about people walking around with portable card readers and stealing money from contactless cards are false. Yes, you can walk around and make those transactions; what comes after (and the setup you had to do before) is the problem. I'm not even sure whether you could get the money out before being caught and shut down. With how many people these days have push notifications for their transactions, I highly doubt that.


I did somehow have two different cards (an Amex and a Visa) compromised at the same time about two months ago, and I do wonder if it was some kind of skimmer setup - if it was just one of them then I'd assume it was just some online store I'd used it at that had been hacked, but I've not used both those cards on the same sites.

I got a notification asking me to confirm a transaction on the Visa and then looked in my app and found they'd actually got another transaction pending at a hotel. I called them up and the hotel said they would "kick out the guests" and refund me. Not sure why they didn't want to call the police on them, because when I called later they said I should report it to the police, but all of the transactions had been refunded so I literally had zero loss and there was nothing really to report... It was them who'd provided the services and suffered the loss, the hotel should have had the police remove them!

Anyway, on the same day the Visa had been used at the hotel, I also had some fraudulent transactions on the Amex, although most of them seemed to be automatically refunded by the vendor themselves (so maybe it was flagged by the vendor's anti-fraud mechanisms and refunded to avoid a chargeback from American Express) before I cancelled the card. They'd tried three times with a similar amount and they'd all refunded.

The other weird thing was that the hotel that the Visa was used at claimed that it had to be a card-present transaction or in a digital wallet, but I didn't get any notification about it being enrolled in a digital wallet and I always had the physical card with me. So not sure if that was mistaken or BS or if they managed to somehow fake the digital wallet.

But yeah it didn't work out for them because I caught the transaction the same day they'd checked in to a hotel with the card and then both were cancelled that day...

Depending on how reputable the hotel was, it's possible they were in on it and the guests weren't real.

Maybe they wanted you to call the police, because the money was taken from your account fraudulently.

The hotel refunded the pending transaction, so they are the party that suffered the financial loss. If they hadn't done that, then the credit card company would have done a charge-back on the disputed transaction and made me whole, and I wouldn't have suffered a loss in that case either. The first question on the police forms for reporting fraud or cybercrime is "how much have you lost" - they don't care if it's 'nothing'.

It's the hotel that has to clean the room, has lost consumables, and has lost revenue from it not being available to be booked...

Well, the issue is that you need a merchant account to send the money to, and it's quite hard to get one without identifying yourself, and it takes a bit of time after the transaction to actually get the money because of chargebacks and the like. So you can't just pull the money out directly. But that's true of basically any credit card fraud: what you do instead is buy something from someone who takes credit cards. Which is entirely possible with contactless, you can e.g. proxy a connection from a reader to a victim card, it's just that the limits and difficulty of lining up the time of the transaction with someone walking past make it not particularly useful (compared to just stealing or skimming the card details).

Didn't people manage to present a remote card (i.e. in a mark's pocket) to a legitimate terminal through an NFC tunnel of sorts? Limited to no-PIN-required amounts, but still.

I remember when contactless was introduced in France, someone from the CB bank card group (https://en.m.wikipedia.org/wiki/CB_Bank_Card_Group) said that contactless was secure because you are insured. At that time France had already been using chip+PIN for a while.

At the end of the day the money only goes from one bank account to another; accounts can be frozen, charges reversed, ... So you just need to secure the POS enough that users feel safe using it and there is a low number of people that can hack them and are willing to risk prison.

> Yes you can walk around and make those transactions, what comes after (and the setup you had to do before) is the problem

I mean with the amount of stolen card details routinely traded and used successfully (at least for a while) and with how little crime like that is investigated or punished in some jurisdictions, I dunno...

Still it's not quite as simple as "taking the money from your card" like said crackpots think.

> I mean with the amount of stolen card details routinely traded and used successfully (at least for a while) and with how little crime like that is investigated or punished in some jurisdictions, I dunno...

There's a huge difference between me using your credit card to buy stuff off Amazon (chance of success: somewhere between "doubtful" and "near-definite" depending mostly on geographical factors and your particular bank), and me walking around with a hacked card reader and stealing money out of your account by dialing in phony transactions directed to my account (chance of success: somewhere between "zero" and "also zero, but with a decimal point followed by more zeroes").

Aren't the contracts and regulations holding back the honest people only? But not those who violate contracts and regulations, like the dishonest ones?