Chip-and-PIN credit cards are very common in the UK, and they’re on the rise in the US, as well—they’re generally considered to be both more convenient and more secure than the long-used American signature cards. However, a team of researchers at Newcastle University recently performed some alarming experiments that has some chip-and-PIN card carriers worried. It’s time to learn the facts and protect yourself.
Contactless Chip-And-PIN Technology
To be more specific, the cards that are at risk those that use an RFID (radio frequency identification) chip to enable contactless payments. This means that in addition to a small chip, there’s also a tiny wire running throughout the card; when passed near a terminal, that wire generates a small amount of electricity, passes information to the chip, and sends a reply back to the terminal authorizing the payment. It’s quick and convenient.
In general, this is totally fine. Banks and card issuers generally don’t require a PIN for small purchases (usually those up to £20), and everybody is happy. PINs are required for larger purchases, reducing the likelihood of fraud. There’s also a limit on offline transactions—those that are authorized by the card, but not processed by the bank until later—of £100. Unfortunately, the system doesn’t quite work as planned.
Tricking The Tech
The team at Newcastle University found an interesting way around the safeguards put in place by Visa and detailed it in their paper, “Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN.” They found that these safeguards are fooled by foreign transactions, and will generally let a terminal make a charge on the card that contains up to eight digits, which could potentially amount to $999,999.99 or €999,999.99. Presumably this is to allow for foreign transactions to be made with currencies that require large amounts, like Japanese yen, South Korean won, or the Indonesian rupiah.
Unfortunately, the chip in the card doesn’t know if it’s in Japan, South Korea, Indonesia, or a supermarket in London. It also doesn’t know the difference between a retailer’s contactless terminal and a hacked terminal that can be carried in a pocket. You might think that it’d be difficult to carry around a hacked terminal in a pocket, but the team at Newcastle managed to do it by writing an app for NFC-enabled Android phones. All the thief has to do is wave the card over your wallet if it’s sitting on the table, or bump into you so the phone gets close enough to the card in your pocket—it’s a lot like a drive-by NFC hack.
Not only does this method bypass the £20 limit, but it also bypasses the offline transaction limit of £100, meaning the thief can be far away from you when the transaction goes through—so even if you do get a text message from your bank saying that a suspicious transaction has been detected, you’ll have no idea where you were when the thief hit you.
The authors of the paper say that if someone were to take advantage of this weakness in the system, they likely wouldn’t be able to get $999,999.99, as that would set off other alarms at the bank (unless, of course, you’re one of those people who regularly spends over a million bucks on their credit card). Even if they’re able to get £50 off of each person they bump into, though, that could add up to a huge amount of money. How many people do you regularly bump into on the Tube, or walking down a crowded high street?
The authors of the paper recommend a few different things that Visa should do to protect their customers from these sorts of attacks, like always requiring a PIN or online verification before the processing of a transaction in a foreign currency. Visa responded to this study by saying that they have other safeguards in place and that this won’t be a problem (but we’ve heard things like that before). Until Visa makes specific fixes, it’s a good idea to protect yourself.
The easiest way to avoid this problem is also the simplest: don’t use contactless cards. If your bank offers you a choice, just choose the non-contactless option. Pretty simple. You can also request that your bank disallow payments in foreign currencies on your card if you don’t travel often. If you choose either of these options, you won’t have to worry at all.
You can also use a signal-blocking wallet, like the RFID-blocking wallets we talked about last year. There’s quite a bit of disagreement over whether or not these wallets are really effective and whether they’re needed, but using one certainly won’t make you more vulnerable to this sort of attack. There are plenty of options, from stylish leather wallets to sturdy polycarbonate cases that you can use to block signals. Some people just wrap their cards in tinfoil, too, though again, the effectiveness of this has been questioned. Some people even recommend using an Altoids can.
Whether or not Visa is telling the truth about their other safeguards catching an attack like this—and whether or not RFID-blocking wallets really do their job—it’s important to be aware of potential threats like this. Contactless cards are really useful, but they haven’t been around in large numbers all that long, so we still need a bit of time to get them all figured out.
What do you think of this threat? Are you worried about the security your contactless cards? Do you use a contactless card or an RFID-blocking wallet? Share your thoughts below!
Image credits: Credit cards in shallow focus via Shutterstock (edited), Swisstack via Wikimedia Commons, Thief stealing wallet of a man walking on the street. Pickpocketing on the street during daytime via Shutterstock.