
Chip-and-PIN credit cards are very common in the UK, and they’re on the rise in the US, as well—they’re generally considered to be both more convenient and more secure than the long-used American signature cards. However, a team of researchers at Newcastle University recently performed some alarming experiments that have some chip-and-PIN card carriers worried. It’s time to learn the facts and protect yourself.

Contactless Chip-And-PIN Technology

To be more specific, the cards that are at risk are those that use an RFID (radio frequency identification) chip to enable contactless payments. This means that in addition to a small chip, there’s also a tiny wire running throughout the card; when passed near a terminal, that wire generates a small amount of electricity, passes information to the chip, and sends a reply back to the terminal authorizing the payment. It’s quick and convenient.


In general, this is totally fine. Banks and card issuers generally don’t require a PIN for small purchases (usually those up to £20), and everybody is happy. PINs are required for larger purchases, reducing the likelihood of fraud. There’s also a limit on offline transactions—those that are authorized by the card, but not processed by the bank until later—of £100. Unfortunately, the system doesn’t quite work as planned.

Tricking The Tech

The team at Newcastle University found an interesting way around the safeguards put in place by Visa and detailed it in their paper, “Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN.” They found that these safeguards are fooled by foreign transactions, and will generally let a terminal make a charge on the card that contains up to eight digits, which could potentially amount to $999,999.99 or €999,999.99. Presumably this is to allow for foreign transactions to be made with currencies that require large amounts, like Japanese yen, South Korean won, or the Indonesian rupiah.

Unfortunately, the chip in the card doesn’t know if it’s in Japan, South Korea, Indonesia, or a supermarket in London. It also doesn’t know the difference between a retailer’s contactless terminal and a hacked terminal that can be carried in a pocket. You might think that it’d be difficult to carry around a hacked terminal in a pocket, but the team at Newcastle managed to do it by writing an app for NFC-enabled Android phones. All the thief has to do is wave the phone over your wallet if it’s sitting on the table, or bump into you so the phone gets close enough to the card in your pocket—it’s a lot like a drive-by NFC hack.


Not only does this method bypass the £20 limit, but it also bypasses the offline transaction limit of £100, meaning the thief can be far away from you when the transaction goes through—so even if you do get a text message from your bank saying that a suspicious transaction has been detected, you’ll have no idea where you were when the thief hit you.

The authors of the paper say that if someone were to take advantage of this weakness in the system, they likely wouldn’t be able to get $999,999.99, as that would set off other alarms at the bank (unless, of course, you’re one of those people who regularly spends over a million bucks on their credit card). Even if they’re able to get £50 off of each person they bump into, though, that could add up to a huge amount of money. How many people do you regularly bump into on the Tube, or walking down a crowded high street?

Protecting Yourself

The authors of the paper recommend a few different things that Visa should do to protect their customers from these sorts of attacks, like always requiring a PIN or online verification before the processing of a transaction in a foreign currency. Visa responded to this study by saying that they have other safeguards in place and that this won’t be a problem (but we’ve heard things like that before). Until Visa makes specific fixes, it’s a good idea to protect yourself.
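The difference between the behaviour described above and the paper's recommended fix can be shown with a small model. This is an added example, not code from the paper, Visa, or any card: the field names, decision strings, and sample transactions are constructed, and the £100 offline limit is treated as a per-transaction check for simplicity.

```python
from dataclasses import dataclass

HOME_CURRENCY = "GBP"
NO_PIN_LIMIT = 2_000     # £20.00 in pence (limit quoted in the article)
OFFLINE_LIMIT = 10_000   # £100.00 in pence (limit quoted in the article)

@dataclass
class Txn:
    amount_minor: int    # amount in minor units (pence, cents)
    currency: str        # ISO 4217 alphabetic code
    pin_verified: bool   # cardholder entered a valid PIN
    online: bool         # issuer is contacted before approval

def _home_currency_rules(t: Txn) -> str:
    # Limits as the article describes them for ordinary domestic use.
    if t.amount_minor > NO_PIN_LIMIT and not t.pin_verified:
        return "REQUIRE_PIN"
    if t.amount_minor > OFFLINE_LIMIT and not t.online:
        return "REQUIRE_ONLINE"
    return "APPROVE"

def decision_as_described(t: Txn) -> str:
    """Simplified model of the weakness: limits only apply to the home currency."""
    if t.currency != HOME_CURRENCY:
        return "APPROVE"  # no limit check, no PIN, offline approval allowed
    return _home_currency_rules(t)

def decision_hardened(t: Txn) -> str:
    """Paper's recommendation: foreign currency needs a PIN or online verification."""
    if t.currency != HOME_CURRENCY:
        if t.pin_verified or t.online:
            return "APPROVE"
        return "REQUIRE_PIN_OR_ONLINE"
    return _home_currency_rules(t)

# Constructed sample transactions (not real data).
SAMPLES = [
    Txn(1_500, "GBP", False, False),       # £15 tap, no PIN
    Txn(5_000, "GBP", False, False),       # £50 tap, no PIN
    Txn(99_999_999, "USD", False, False),  # $999,999.99, no PIN, offline
    Txn(99_999_999, "USD", False, True),   # same amount, verified online
]

def compare(samples=SAMPLES):
    """Return (as-described, hardened) decisions for each sample."""
    return [(decision_as_described(t), decision_hardened(t)) for t in samples]

if __name__ == "__main__":
    for t, (old, new) in zip(SAMPLES, compare()):
        print(f"{t.amount_minor / 100:>12,.2f} {t.currency}  {old:<8} -> {new}")
```
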

The easiest way to avoid this problem is also the simplest: don’t use contactless cards. If your bank offers you a choice, just choose the non-contactless option. Pretty simple. You can also request that your bank disallow payments in foreign currencies on your card if you don’t travel often. If you choose either of these options, you won’t have to worry at all.


You can also use a signal-blocking wallet, like the RFID-blocking wallets we talked about last year. There’s quite a bit of disagreement over whether or not these wallets are really effective and whether they’re needed, but using one certainly won’t make you more vulnerable to this sort of attack. There are plenty of options, from stylish leather wallets to sturdy polycarbonate cases that you can use to block signals. Some people just wrap their cards in tinfoil, too, though again, the effectiveness of this has been questioned. Some people even recommend using an Altoids can.

Whether or not Visa is telling the truth about their other safeguards catching an attack like this—and whether or not RFID-blocking wallets really do their job—it’s important to be aware of potential threats like this. Contactless cards are really useful, but they haven’t been around in large numbers all that long, so we still need a bit of time to get them all figured out.

What do you think of this threat? Are you worried about the security of your contactless cards? Do you use a contactless card or an RFID-blocking wallet? Share your thoughts below!

Image credits: Credit cards in shallow focus via Shutterstock (edited); Swisstack via Wikimedia Commons; Thief stealing wallet of a man walking on the street. Pickpocketing on the street during daytime via Shutterstock.

  1. dragonmouth
    November 18, 2014 at 10:15 pm

    I use a metal wallet. The only problem is that in spite of TV ads, it is not capacious enough. I have to leave some of the less used cards at home. I also have to carry cash in a money clip, rather than in my wallet.

    My wife has an aluminium foil-lined partition in her wallet for her cards.

    It is not only credit cards that need to be safeguarded. Any cards with magnetic strips or RFID chips need also be protected.

    • Dann Albright
      November 19, 2014 at 7:45 am

      The metal wallets that I've seen haven't looked very big—I would imagine that they could get pretty bulky and maybe heavy if they were big enough to carry all of the cards that you wanted . . . though it would be nice to have the option. Are mag stripes susceptible to a similar type of attack? I've never heard of that before.

    • dragonmouth
      November 19, 2014 at 1:07 pm

      The last couple of regular (non-metallic) wallets I had, got to be about 3/4 inch thick when loaded with all the cards. When carried in pants back pocket they could present health problems. :-)

      "Are mag stripes susceptible to a similar type of attack?"
      I would hate to find out the hard way. I'm not taking any chances.

    • Dann Albright
      November 19, 2014 at 5:10 pm

      I can see how a 3/4-inch-thick wallet would be inconvenient. :-)

  2. Jack
    November 18, 2014 at 9:48 pm

    Interesting to see that Visa had not found a solution to a potential problem before issuing such cards.

    While in France last month, I tried to pay a bill with my regular Visa card. The waitress had a difficult time trying to use the card with the little machine she brought to the table. A gentleman at the next table explained to her that she needed to swipe the card in the slot on the machine. It appears most of the cards in Arles are chip based. Not as described above, however.

    • Dann Albright
      November 19, 2014 at 7:42 am

      I would imagine that Visa was pretty keen on getting their cards out into consumer hands as fast as possible. It is interesting that MasterCard seems to have headed this problem off, though, while Visa didn't.

      And yes, most cards in Europe are chip-and-PIN, and have been for a while. My father had the same problem with a server not knowing what to do with a mag stripe card! I'm not sure what you mean by "Not as described above, however."
