
Over the past five years, contactless payments have rapidly entered the mainstream. They allow us to buy things without having to swipe-and-sign, or key our PINs into point-of-sale machines. They’re the epitome of digital laziness, which perhaps explains why their popularity has soared.

But are they secure? What threats surround this new financial fad? More importantly, should you sign up?

How Contactless Payments Work

Before we get into the various threats associated with contactless payments, we might as well explain how they work in a very general, fundamental way. The cornerstone technologies of contactless payments are NFC (Near Field Communication) and RFID (Radio Frequency Identification). These are short-range radio signals, which consume little energy. A point-of-sale terminal will read from the chip and access certain information that allows it to process the transaction. This chip can be found on a card, or increasingly commonly, a mobile device.

Things differ slightly between implementations though. Many Visa, MasterCard and American Express credit and debit cards come with RFID chips built in, and allow the owner to make a limited number of small transactions without keying in their PIN number.

Then there are other smartphone-based payment systems. Apple Pay, for example, allows you to pay using a wave of your iPhone or Apple Watch. Unlike contactless credit cards, transactions are secured by the smartphone device itself. To buy something, you must first authenticate with your fingerprint.

Similarly, purchases made using Android Pay (which has been available in the United States for some time now, and is gradually making its way into Europe) are protected by traced patterns and PIN codes.

The third major smartphone payment method is Samsung Pay. Transactions using this are secured through tokenization (device-specific credit card numbers, rather than real ones) in order to protect the owner’s credit card details.

Justin Dennis wrote a more general review of the smartphone-based payments market late last year, which is absolutely worth reading.

Threats To Contactless Payments

Naturally, numerous security issues are associated with contactless payments. These manifest themselves in three different ways — stolen cards, cloned cards, and card data being leaked.

Stolen Cards

Stolen cards are less of an issue with the various smartphone-based payment systems, because while someone could quite easily steal your phone, it’s much harder to steal your fingerprint or PIN code.

The same isn’t true about contactless credit and debit cards. When stolen, it becomes possible for someone to purchase things from the victim’s account without their passcode, as there’s no requirement for a PIN number.

Despite this, fraud is rather low on the contactless cards, largely due to the fact that most issuers have limits on what can be spent using them.

In the first months of 2015, only £516,500 (around $800,000) of fraudulent charges could be attributed to them in the UK. While this sounds like a lot, it really isn’t. It’s the equivalent of £0.02 for each £100 spent using the cards.

Cloned Cards

By design, it’s immensely difficult to clone contactless credit and debit cards. Hard, but certainly not impossible, as one Australian researcher proved.

Peter Fillmore was able to create an Android application which ran on a Google Nexus 4 device, and was able to clone the data held on Visa and MasterCard contactless cards. He then used this information to make real-world purchases at Woolworths, where he purchased beer and Snickers bars.

This exploit depended on two things: the limited amount of card data provided during a contactless transaction, and the ease with which CVV (Card Verification Value) numbers can be predicted. Forbes security blogger Thomas Fox-Brewster explained how the attack worked in more detail early last year.

Leaked and Skimmed Data

There’s also the risk of someone ‘skimming’ contactless credit cards. When you purchase something using them, you transmit a limited amount of information found on the front of your card, namely the expiration date and card number. The CVV number isn’t provided, but as we mentioned earlier, it’s possible to algorithmically determine what it is.

This information doesn’t sound like a lot, but UK consumer champions Which? were able to use this information to go on an online shopping spree, where they purchased a £3,000 ($4,270) television using a fake name and address, amongst other things.

It’s worth adding that Samsung Pay is invulnerable to this attack, as it generates a new credit card number for each transaction. As is Apple Pay, which does not transmit the customer’s credit card details, instead replacing them with a “Dynamic Security Code”. Any data that is intercepted and decoded is ultimately worthless to an attacker.

What Protections Are There?

At this point, you could be forgiven for thinking that contactless payments are a veritable free-for-all for credit card fraudsters, but that’s simply not true. There are a number of robust protections against the majority of attacks.

Firstly, contactless payments are limited by value. In the UK, the most you can pay with contactless is £30. In the United States, it’s $25. In Australia, it’s a little bit higher at $100 AUD, and any purchases past that point require the user to key in their PIN.

They’re limited by frequency too. Your issuer will limit you to so many contactless payments before requesting your PIN number. This essentially makes it impossible for someone who has stolen a card to purchase high-value items, or go on a spending spree.
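The value and frequency limits described above can be modelled as a simple counter; this is an added example, not code from any issuer or card scheme. The per-transaction caps are the figures quoted in this article, while the number of taps allowed before a PIN is demanded (`MAX_CONSECUTIVE_NO_PIN`) and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Per-transaction contactless caps quoted in the article, keyed by currency.
VALUE_CAP = {"GBP": Decimal("30"), "USD": Decimal("25"), "AUD": Decimal("100")}

# Assumption: the article gives no figure for the frequency limit, so this
# count is a made-up placeholder.
MAX_CONSECUTIVE_NO_PIN = 5


@dataclass
class ContactlessCard:
    currency: str
    taps_since_pin: int = 0  # consecutive contactless payments without a PIN

    def authorize(self, amount: Decimal, pin_verified: bool = False) -> str:
        """Return 'APPROVE' or 'PIN_REQUIRED' for one payment attempt."""
        if pin_verified:
            # A correct PIN shows the cardholder is present: reset the counter.
            self.taps_since_pin = 0
            return "APPROVE"
        if amount > VALUE_CAP[self.currency]:
            return "PIN_REQUIRED"  # over the per-transaction value limit
        if self.taps_since_pin >= MAX_CONSECUTIVE_NO_PIN:
            return "PIN_REQUIRED"  # frequency limit reached
        self.taps_since_pin += 1
        return "APPROVE"


def replay(card, attempts):
    """Run (amount, pin_verified) attempts in order and collect the decisions."""
    return [card.authorize(Decimal(amount), pin) for amount, pin in attempts]


def max_exposure(currency):
    """Worst-case spend on a stolen card before a PIN is demanded."""
    return VALUE_CAP[currency] * MAX_CONSECUTIVE_NO_PIN


if __name__ == "__main__":
    # Constructed scenario: a stolen UK card tapped repeatedly at the cap,
    # followed by one attempt above the cap.
    stolen = ContactlessCard("GBP")
    print(replay(stolen, [("30", False)] * 6 + [("45", False)]))
    print("Maximum loss before PIN:", max_exposure("GBP"))
```

The two limits multiply: with these assumed settings, the most a thief can spend on a stolen UK card before being stopped is the value cap times the tap count.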


Furthermore, in most countries (especially the UK) card issuers indemnify holders against losses caused by fraud, so long as they aren’t proven to have been irresponsible with their cards.

This isn’t them being altruistic. It’s been proven that contactless payments boost spending by around 25%, which in turn benefits them through merchant fees, as well as associated fees and interest. They are absolutely incentivized to get their customers to trust the system.

Finally, if you’re concerned about your cards being skimmed and then used to make purchases, you can purchase special RFID-proof wallets. It’s also been proven that wrapping your cards in tinfoil can protect them from being read, although some might find that a little bit extreme.

Don’t Be Deterred

Contactless payments are a bleeding-edge technology. As a result, you can almost guarantee that any security flaw will become headline news. But don’t be fooled: for the most part, they’re secure by design.

Are you a contactless-phile, or a contactless-phobe? Tell me why in the comments below.

Photo Credits: Woman using cellphone for paying by leungchopan via Shutterstock, Man paying with NFC technology on credit card (LDProd), Credit contactless card with secured chip (SergeBertasiusPhotography), Woman paying by credit card in a cafe (Monkey Business Images)

  1. Shane Harris (Patch)
    April 15, 2016 at 3:00 am

    I have no aversion to contactless payments, I use them every day.

    My only issue is the delay in which things become available in Australia.

    I recently switched from Android to iPhone and was annoyed to find out that the Apple Pay feature only supports American Express, very few retailers in Australia accept this form of payment and the ones that do charge 4-6% fees.

    Cheers

    • Matthew Hughes
      April 30, 2016 at 10:03 pm

      Oh yeah, American Express is the same the world round. Great cards (if you can get one), but they suck for retailers, and availability is a bit spotty.
