Over the past five years, contactless payments have rapidly entered the mainstream. They allow us to buy things without having to swipe and sign, or key in our PINs at point-of-sale machines. They’re the epitome of digital laziness, which perhaps explains why their popularity has soared.
But are they secure? What threats surround this new financial fad? More importantly, should you sign up?
How Contactless Payments Work
Before we get into the various threats associated with contactless payments, we might as well explain how they work in a very general, fundamental way. The cornerstone technologies of contactless payments are NFC (Near Field Communication) and RFID (Radio Frequency Identification). These are short-range radio signals which consume little energy. A point-of-sale terminal reads from the chip and accesses certain information that allows it to process the transaction. This chip can be found on a card or, increasingly commonly, in a mobile device.
Things differ slightly between implementations though. Many Visa, MasterCard and American Express credit and debit cards come with RFID chips built in, and allow the owner to make a limited number of small transactions without keying in their PIN.
Then there are other smartphone-based payment systems. Apple Pay, for example, allows you to pay using a wave of your iPhone or Apple Watch. Unlike contactless credit cards, transactions are secured by the smartphone device itself. To buy something, you must first authenticate with your fingerprint.
Similarly, purchases made using Android Pay (which has been available in the United States for some time now, and is gradually making its way into Europe) are protected by traced patterns and PIN codes.
The third major smartphone payment method is Samsung Pay. Transactions using this are secured through tokenization (device-specific credit card numbers, rather than real ones) in order to protect the owner’s credit card details.
Justin Dennis wrote a more general review of the smartphone-based payments market late last year, which is absolutely worth reading.
Threats To Contactless Payments
Naturally, numerous security issues are associated with contactless payments. These manifest themselves in three different ways — stolen cards, cloned cards, and card data being leaked.
Stolen cards are less of an issue with the various smartphone-based payment systems. While someone could quite easily steal your phone, it’s much harder to steal your fingerprint or PIN code.
The same isn’t true of contactless credit and debit cards. When one is stolen, it becomes possible for someone to purchase things from the victim’s account without any passcode, as no PIN is required.
Despite this, fraud on contactless cards is rather low, largely because most issuers place limits on what can be spent using them.
In the first months of 2015, only £516,500 (around $800,000) of fraudulent charges could be attributed to them in the UK. While this sounds like a lot, it really isn’t. It’s the equivalent of £0.02 for each £100 spent using the cards.
By design, it’s immensely difficult to clone contactless credit and debit cards. Hard, but certainly not impossible, as one Australian researcher proved.
Peter Fillmore created an Android application, running on a Google Nexus 4 device, which was able to clone the data held on Visa and MasterCard contactless cards. He then used this information to make real-world purchases at Woolworths, where he bought beer and Snickers bars.
This exploit depended on two things: the limited amount of card data provided during a contactless transaction, and the ease with which CVV (Card Verification Value) numbers can be predicted. Forbes security blogger Thomas Fox-Brewster explained how the attack worked in more detail early last year.
Leaked and Skimmed Data
There’s also the risk of someone ‘skimming’ contactless credit cards. When you purchase something using them, you transmit a limited amount of the information found on the front of your card, namely the expiration date and card number. The CVV number isn’t provided, but as we mentioned earlier, it’s possible to determine it algorithmically.
This information doesn’t sound like a lot, but UK consumer champions Which? were able to use this information to go on an online shopping spree, where they purchased a £3,000 ($4,270) television using a fake name and address, amongst other things.
It’s worth adding that Samsung Pay is invulnerable to this attack, as it generates a new credit card number for each transaction. As is Apple Pay, which does not transmit the customer’s credit card details, instead replacing them with a “Dynamic Security Code”. Any data that is intercepted and decoded is ultimately worthless to an attacker.
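To make concrete why a skimmed tokenized transaction is worthless to an attacker, here is an added example (not Apple’s, Samsung’s or any real wallet’s actual scheme, and not code from the original article). It models the two ideas the article describes: a device-specific card number that stands in for the real one, and a per-transaction cryptogram (the "dynamic security code") computed from a key the phone and the issuer share but the airwaves never carry. The `PaymentDevice`, `Issuer` and `_cryptogram` names, the HMAC construction and the transaction counter are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed model of tokenized contactless payment: the issuer provisions a
# device-specific token (stand-in card number) and a secret key; each payment
# carries a cryptogram over (token, amount, counter). Not a real wallet's scheme.


def _cryptogram(key: bytes, token: str, amount_pence: int, atc: int) -> str:
    """Per-transaction 'dynamic security code' (assumed HMAC-SHA256 construction)."""
    message = f"{token}|{amount_pence}|{atc}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class PaymentDevice:
    """The phone or watch side: holds the token and key, never the real card number."""

    def __init__(self, device_token: str, device_key: bytes):
        self.device_token = device_token
        self._key = device_key
        self.atc = 0  # application transaction counter, increases every payment

    def make_payment(self, amount_pence: int) -> dict:
        self.atc += 1
        crypt = _cryptogram(self._key, self.device_token, amount_pence, self.atc)
        # This dict is exactly what a terminal, or a skimmer in range, receives.
        return {"token": self.device_token, "amount": amount_pence,
                "atc": self.atc, "cryptogram": crypt}


class Issuer:
    """The bank side: maps tokens back to real cards and checks each cryptogram."""

    def __init__(self):
        self._devices = {}  # token -> {"key", "pan", "last_atc"}

    def provision(self, real_pan: str) -> PaymentDevice:
        token = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._devices[token] = {"key": key, "pan": real_pan, "last_atc": 0}
        return PaymentDevice(token, key)

    def authorise(self, msg: dict) -> str:
        rec = self._devices.get(msg["token"])
        if rec is None:
            return "DECLINED: unknown token"
        expected = _cryptogram(rec["key"], msg["token"], msg["amount"], msg["atc"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "DECLINED: bad cryptogram"   # amount or token was tampered with
        if msg["atc"] <= rec["last_atc"]:
            return "DECLINED: replay"           # a captured message played back
        rec["last_atc"] = msg["atc"]
        return "APPROVED"


def demo() -> dict:
    """Show what an eavesdropper can and cannot do with a captured payment."""
    issuer = Issuer()
    real_pan = "4111111111111111"  # constructed sample number, not a real card
    phone = issuer.provision(real_pan)

    legit = phone.make_payment(1299)
    skimmed = dict(legit)  # an eavesdropper copies the over-the-air message
    tampered = phone.make_payment(500)
    tampered = {**tampered, "amount": 50000}  # try to raise the amount

    return {
        "real_pan_exposed": real_pan in repr(legit),
        "original": issuer.authorise(legit),
        "replay_of_skimmed": issuer.authorise(skimmed),
        "altered_amount": issuer.authorise(tampered),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The captured message never contains the real card number, replaying it fails because the counter has already been seen, and changing the amount fails because the eavesdropper cannot recompute the cryptogram without the device key. Real schemes add more (key diversification, terminal unpredictable numbers, issuer risk scoring), but the defensive property is the same.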
What Protections Are There?
At this point, you could be forgiven for thinking that contactless payments are a veritable free-for-all for credit card fraudsters, but that’s simply not true. There are a number of robust protections against the majority of attacks.
Firstly, contactless payments are limited by value. In the UK, the most you can pay with contactless is £30. In the United States, it’s $25. In Australia, it’s a little bit higher at AU$100, and any purchase past that point requires the user to key in their PIN.
They’re limited by frequency too. Your issuer will allow only so many contactless payments before requesting your PIN. This essentially makes it impossible for someone who has stolen a card to purchase high-value items or go on a spending spree.
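The value and frequency limits above are easy to picture as issuer-side logic. The following is an added illustration, not code from the article or from any card issuer: a simplified authorisation routine that applies a per-transaction cap (the UK £30 figure quoted above), a cap on consecutive PIN-less taps, and a cumulative-spend cap, all reset by a successful PIN entry. The `CardState`, `authorise` and `simulate` names and the counter and cumulative thresholds are assumptions; real issuers choose their own values and also enforce some of these checks in the terminal.

```python
from dataclasses import dataclass

# Constructed, simplified model of issuer-side contactless controls. The £30
# per-transaction figure is the UK limit quoted in the article; the counter and
# cumulative-spend caps below are assumptions (real issuers set their own).
PER_TRANSACTION_LIMIT_PENCE = 30_00
MAX_CONSECUTIVE_CONTACTLESS = 5
MAX_CUMULATIVE_PENCE = 100_00


@dataclass
class CardState:
    """Per-card counters the issuer keeps between transactions."""
    consecutive_contactless: int = 0   # tap-and-go payments since the last PIN
    cumulative_pence: int = 0          # value spent since the last PIN


def authorise(state: CardState, amount_pence: int, pin_verified: bool = False) -> str:
    """Decide one transaction: 'APPROVED' or 'PIN_REQUIRED'.

    A successful PIN verification resets both counters, which is why a
    legitimate cardholder rarely notices the limits while a thief holding a
    stolen card hits them within a handful of taps.
    """
    if pin_verified:
        state.consecutive_contactless = 0
        state.cumulative_pence = 0
        return "APPROVED"
    if amount_pence > PER_TRANSACTION_LIMIT_PENCE:
        return "PIN_REQUIRED"           # value limit
    if state.consecutive_contactless + 1 > MAX_CONSECUTIVE_CONTACTLESS:
        return "PIN_REQUIRED"           # frequency limit
    if state.cumulative_pence + amount_pence > MAX_CUMULATIVE_PENCE:
        return "PIN_REQUIRED"           # cumulative-spend limit
    state.consecutive_contactless += 1
    state.cumulative_pence += amount_pence
    return "APPROVED"


def simulate(amounts_pence):
    """Run a sequence of PIN-less taps against a fresh card (the stolen-card
    scenario, where the holder cannot answer a PIN prompt) and return the
    decision for each tap."""
    state = CardState()
    return [authorise(state, amount) for amount in amounts_pence]


if __name__ == "__main__":
    # Six £25 taps: the fourth exhausts the £100 cumulative cap, so the
    # fifth and sixth are bounced to the PIN pad.
    for amount, decision in zip([2500] * 6, simulate([2500] * 6)):
        print(f"£{amount / 100:.2f}: {decision}")
```

Whichever limit trips first, the card stops working without a PIN, which bounds what a thief can spend to a few small purchases; the counters only reset once the genuine holder enters the PIN.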
Furthermore, in most countries (especially the UK) card issuers indemnify holders against losses caused by fraud, so long as they aren’t proven to have been irresponsible with their cards.
This isn’t them being altruistic. It’s been proven that contactless payments boost spending by around 25%, which in turn benefits them through merchant fees, as well as associated fees and interest. They are absolutely incentivized to get their customers to trust the system.
Finally, if you’re concerned about your cards being skimmed and then used to make purchases, you can buy special RFID-proof wallets. Wrapping your cards in tinfoil has also been shown to stop them being read, although some might find that a little bit extreme.
Don’t Be Deterred
Contactless payments are a bleeding-edge technology. As a result, you can almost guarantee that any security flaw will become headline news. But don’t be fooled: for the most part, they’re secure by design.
Are you a contactless-phile, or a contactless-phobe? Tell me why in the comments below.
Photo Credits: Woman using cellphone for paying by leungchopan via Shutterstock, Man paying with NFC technology on credit card (LDProd), Credit contactless card with secured chip (SergeBertasiusPhotography), Woman paying by credit card in a cafe (Monkey Business Images)