
Are Contactless Payment Systems A Threat To Your Finances?

Matthew Hughes 14-04-2016

Over the past five years, contactless payments have rapidly entered the mainstream. They allow us to buy things without having to swipe-and-sign, or key in our PIN numbers into point-of-sale machines. They’re the epitome of digital laziness, which perhaps explains why their popularity has soared.


But are they secure? What threats surround this new financial fad? More importantly, should you sign up?

How Contactless Payments Work

Before we get into the various threats associated with contactless payments, we might as well explain how they work in a very general, fundamental way. The cornerstone technologies of contactless payments are NFC (Near Field Communication) and RFID (Radio Frequency Identification). These are short-range radio signals, which consume little energy. A point-of-sale terminal will read from the chip and access certain information that allows it to process the transaction. This chip can be found on a card, or increasingly commonly, a mobile device.

Things differ slightly between implementations though. Many Visa, MasterCard and American Express credit and debit cards come with RFID chips built in, and allow the owner to make a limited number of small transactions without keying in their PIN number.

Then there are other smartphone-based payment systems. Apple Pay, for example, allows you to pay using a wave of your iPhone or Apple Watch. Unlike contactless credit cards, transactions are secured by the smartphone device itself. To buy something, you must first authenticate with your fingerprint.

Similarly, purchases made using Android Pay (which has been available in the United States for some time now, and is gradually making its way into Europe) are protected by traced patterns and PIN codes.


The third major smartphone payment method is Samsung Pay. Transactions using this are secured through tokenization (device-specific credit card numbers, rather than real ones) in order to protect the owner’s credit card details.

Justin Dennis wrote a more general review of the smartphone-based payments market late last year, which is absolutely worth reading.

Threats To Contactless Payments

Naturally, numerous security issues are associated with contactless payments. These manifest themselves in three different ways — stolen cards, cloned cards, and card data being leaked.

Stolen Cards

Stolen cards are less of an issue with the various smartphone-based payment systems, because while someone could quite easily steal your phone, it’s much harder to steal your fingerprint or PIN code.


The same isn’t true about contactless credit and debit cards. When one is stolen, it becomes possible for someone to purchase things from the victim’s account without their passcode, as there’s no requirement for a PIN number.


Despite this, fraud is rather low on the contactless cards, largely due to the fact that most issuers have limits on what can be spent using them.

In the first months of 2015, only £516,500 (around $800,000) of fraudulent charges could be attributed to them in the UK. While this sounds like a lot, it really isn’t. It’s the equivalent of £0.02 for each £100 spent using the cards.


Cloned Cards

By design, it’s immensely difficult to clone contactless credit and debit cards. Hard, but certainly not impossible, as one Australian researcher proved.


Peter Fillmore was able to create an Android application which ran on a Google Nexus 4 device, and was able to clone the data held on Visa and MasterCard contactless cards. He then used this information to make real-world purchases at Woolworths, where he purchased beer and Snickers bars.

This exploit depended on two things: the limited amount of card data provided during a contactless transaction, and the ease with which CVV (Card Verification Value) numbers can be predicted. Forbes security blogger Thomas Fox-Brewster explained how the attack worked in more detail early last year.


Leaked and Skimmed Data

There’s also the risk of someone ‘skimming’ contactless credit cards. When you purchase something using them, you transmit a limited amount of information found on the front of your card: namely, the expiration date and card number. The CVV number isn’t provided, but as we mentioned earlier, it’s possible to algorithmically determine what it is.


This information doesn’t sound like a lot, but UK consumer champions Which? were able to use this information to go on an online shopping spree, where they purchased a £3,000 ($4,270) television using a fake name and address, amongst other things.

It’s worth adding that Samsung Pay is invulnerable to this attack, as it generates a new credit card number for each transaction. As is Apple Pay, which does not transmit the customer’s credit card details, instead replacing them with a “Dynamic Security Code”. Any data that is intercepted and decoded is ultimately worthless to an attacker.

What Protections Are There?

At this point, you could be forgiven for thinking that contactless payments are a veritable free-for-all for credit card fraudsters, but that’s simply not true. There are a number of robust protections against the majority of attacks.

Firstly, contactless payments are limited by value. In the UK, the most you can pay with contactless is £30. In the United States, it’s $25. In Australia, it’s a little bit higher at $100 AUD, and any purchases past that point require the user to key in their PIN number.


They’re limited by frequency too. Your issuer will limit you to so many contactless payments before requesting your PIN number. This essentially makes it impossible for someone who has stolen a card to purchase high-value items or go on a spending spree.
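A simplified model of the value and frequency limits described above, added here as an illustration and not taken from any issuer's or card scheme's code. The per-transaction ceilings are the article's figures; the tap count, the cumulative cap and all names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Per-transaction contactless ceilings quoted in the article (2016 figures).
VALUE_LIMIT = {"GBP": 30.00, "USD": 25.00, "AUD": 100.00}

# Assumed issuer settings: the article only says "so many" payments.
MAX_CONSECUTIVE_TAPS = 5
MAX_CUMULATIVE_FACTOR = 3  # no-PIN spend cap = 3x the value limit (assumption)


@dataclass
class CardCounters:
    currency: str
    taps_since_pin: int = 0
    spend_since_pin: float = 0.0

    def authorise(self, amount: float, pin_verified: bool = False) -> str:
        """Return 'APPROVE' or 'PIN_REQUIRED' for one attempted payment."""
        limit = VALUE_LIMIT[self.currency]
        if pin_verified:
            # A successful PIN entry proves the cardholder and resets counters.
            self.taps_since_pin = 0
            self.spend_since_pin = 0.0
            return "APPROVE"
        if amount > limit:
            return "PIN_REQUIRED"  # value limit
        if self.taps_since_pin + 1 > MAX_CONSECUTIVE_TAPS:
            return "PIN_REQUIRED"  # frequency limit
        if self.spend_since_pin + amount > limit * MAX_CUMULATIVE_FACTOR:
            return "PIN_REQUIRED"  # cumulative spend limit
        self.taps_since_pin += 1
        self.spend_since_pin += amount
        return "APPROVE"


def stolen_card_exposure(currency: str, attempts: list[float]) -> tuple[list[str], float]:
    """Replay taps made without the PIN; return decisions and total approved."""
    card = CardCounters(currency)
    decisions, approved = [], 0.0
    for amount in attempts:
        result = card.authorise(amount)
        decisions.append(result)
        if result == "APPROVE":
            approved += amount
    return decisions, approved


if __name__ == "__main__":
    # Constructed sequence: repeated taps on a stolen UK card, no PIN known.
    print(stolen_card_exposure("GBP", [30, 30, 45, 30, 10, 5]))
```

Under these assumed settings the loss on a stolen card is bounded by the cumulative cap, whatever order the taps arrive in.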


Furthermore, in most countries (especially the UK) card issuers indemnify holders against losses caused by fraud, so long as they aren’t proven to have been irresponsible with their cards.

This isn’t them being altruistic. It’s been proven that contactless payments boost spending by around 25%, which in turn benefits them through merchant fees, as well as associated fees and interest. They are absolutely incentivized to get their customers to trust the system.

Finally, if you’re concerned about your cards being skimmed and then used to make purchases, you can purchase special RFID-proof wallets. It’s also been proven that wrapping your cards in tinfoil can protect them from being read, although some might find that a little bit extreme.


Don’t Be Deterred

Contactless payments are a bleeding-edge technology. As a result, you can almost guarantee that any security flaw will become headline news. But don’t be fooled: for the most part, they’re secure by design.

Are you a contactless-phile, or a contactless-phobe? Tell me why in the comments below.

Photo Credits: Woman using cellphone for paying by leungchopan via Shutterstock, Man paying with NFC technology on credit card (LDProd), Credit contactless card with secured chip (SergeBertasiusPhotography), Woman paying by credit card in a cafe (Monkey Business Images)


  1. Anonymous
    April 15, 2016 at 3:00 am

    I have no aversion to contactless payments, I use them every day.

    My only issue is the delay in which things become available in Australia.

    I recently switched from Android to iPhone and was annoyed to find out that the Apple Pay feature only supports American Express, very few retailers in Australia accept this form of payment and the ones that do charge 4-6% fees.


    • Matthew Hughes
      April 30, 2016 at 10:03 pm

      Oh yeah, American Express is the same the world round. Great cards (if you can get one), but they suck for retailers, and availability is a bit spotty.