get('text_top_button', JText::_('DEFAULT_GOTO_TOP_TEXT'))*/?>
get('text_bottom_button', JText::_('DEFAULT_GOTO_BOTTOM'))*/?>

Media Update: Investigating the myths and realities of contactless payment

Smart payment association - article blog

  

Munich, 29th July 2013 - Contactless payment cards have been in the news for all the wrong reasons over the last few months.

Downlaod SPA's Q&A

  

Download SPA's Expert Paper

  

Phantom and duplicated payments in some UK stores have led to headlines asking ‘how safe is your money’ and references to ‘controversial new payment methods’.

  

And we’ve seen, the UK-based Centre for Cybercrime and Computer Security at Newcastle University has been able to ‘steal’ card details from contactless payment cards – raising fraud and cyber crime concerns.

  

But how much is hard fact and how much misunderstanding? To be frank, it's a little of both.

  

First, phantom and duplicated payments need to be separated from the fraud discussion – not least because these are easily avoidable.

  

They don’t happen in the vast majority of retail and payment environments because of a ‘block’ program embedded in the point of sale (PoS) terminal. Quite simply, this stops multiple cards being read at once. So rather than a security hole, these kinds of incidents are likely due to the failure of the organizations to implement correct protection mechanisms when their contactless solutions are deployed.

  

Contactless has vulnerabilities

  

On the question of fraud, there are certainly well known vulnerabilities within the Radio Frequency (RF) transmission i.e. when the card is presented to the PoS reader. These can, theoretically, lead to skimming attacks, card data being captured, and denial of service attacks – the kind of results seen in Newcastle University’s lab tests.

  

But how likely are these to happen in the real world? ‘Not very’ is the short answer.

  

A major body of research and a huge amount of effort has gone in developing countermeasures to ensure these RF vulnerabilities cannot be easily exploited outside the lab.

  

Much of this research is well established, having been conducted by governments, homeland security agencies and the EU during the development of ePassports. Contactless payment shares the same underlying technology platform, and as a result has benefited from the dramatic improvements in ePassport-to-terminal security that such investments have delivered.

  

The convenient security compromise

  

Of course, as with any form of security, systems are not infallible. Security is a compromise between delivering the highest degree of protection and offering the user the best levels of convenience. However, the reality is that contactless security is a mature field, and countermeasures been created to make fraud economically unfeasible. The real world risks are therefore minimal.

  

The Smart Payment Association, the group representing the smart payment industry, would be delighted to offer an expert viewpoint (backed by thousands of hours of lab and field testing) on all the security issues, and the myths and realities, of contactless card and mobile NFC payment.

  

Downlaod SPA's Q&A

  

Download SPA's Expert Paper

  

-ends-

  

Notes to Editors:

  

About Smart Payment Association (SPA)

  

The Smart Payment Association addresses the challenges of the evolving payment ecosystem, offering leadership and expert guidance to help its members and their financial institution customers realize the opportunities of smart, secure and personalised payment systems & services both now and for the future.

  

For more information on the SPA, visit our website: www.smartpaymentassociation.com or contact us by email: This email address is being protected from spambots. You need JavaScript enabled to view it..

  

Press Contact:

  

Stéphanie de Labriolle

  

+33 6 85 91 19 94

  

This email address is being protected from spambots. You need JavaScript enabled to view it.

SPA Smart Payment Association - Follow-usSPA Smart Payment Association - Facebook SPA Smart Payment Association - Twitter SPA Smart Payment Association - Linkedin SPA Smart Payment Association - youtube SPA Smart Payment Association - slideshare SPA Smart Payment Association - google +

SPA - smart payment association

CONTACT
captcha

Company responsible as defined by the Press Law, Supplier of Services and Systems in the Media and Telecommunications sector:

Smart Payment Association e.V. PO Box 800729, D-81607 Munich, Germany

 

Management Board: Andreas Strobel, Sylvie Gilbert, Alen Lopez, Julien Drouet

 

Commercial Register:Amtsgericht Munich VR 1898

 

VAT Registration Number:DE262904711