Munich, 29th July 2013 - Contactless payment cards have been in the news for all the wrong reasons over the last few months.
Download SPA's Expert Paper
Phantom and duplicated payments in some UK stores have led to headlines asking ‘how safe is your money’ and references to ‘controversial new payment methods’.
And, as we’ve seen, the UK-based Centre for Cybercrime and Computer Security at Newcastle University has been able to ‘steal’ card details from contactless payment cards – raising fraud and cyber crime concerns.
But how much is hard fact and how much misunderstanding? To be frank, it's a little of both.
First, phantom and duplicated payments need to be separated from the fraud discussion – not least because these are easily avoidable.
They don’t happen in the vast majority of retail and payment environments because of a ‘block’ program embedded in the point of sale (PoS) terminal. Quite simply, this stops multiple cards from being read at once. So rather than a security hole, these kinds of incidents are likely due to the failure of the organisations concerned to implement the correct protection mechanisms when their contactless solutions are deployed.
Contactless has vulnerabilities
On the question of fraud, there are certainly well-known vulnerabilities within the Radio Frequency (RF) transmission, i.e. when the card is presented to the PoS reader. These can, theoretically, lead to skimming attacks, card data being captured, and denial of service attacks – the kind of results seen in Newcastle University’s lab tests.
But how likely are these to happen in the real world? ‘Not very’ is the short answer.
A major body of research and a huge amount of effort have gone into developing countermeasures to ensure these RF vulnerabilities cannot be easily exploited outside the lab.
Much of this research is well established, having been conducted by governments, homeland security agencies and the EU during the development of ePassports. Contactless payment shares the same underlying technology platform, and as a result has benefited from the dramatic improvements in ePassport-to-terminal security that such investments have delivered.
The convenient security compromise
Of course, as with any form of security, systems are not infallible. Security is a compromise between delivering the highest degree of protection and offering the user the best levels of convenience. However, the reality is that contactless security is a mature field, and countermeasures have been created to make fraud economically unfeasible. The real-world risks are therefore minimal.
The Smart Payment Association, the group representing the smart payment industry, would be delighted to offer an expert viewpoint (backed by thousands of hours of lab and field testing) on all the security issues, and the myths and realities, of contactless card and mobile NFC payment.
Download SPA's Q&A
Notes to Editors:
About Smart Payment Association (SPA)
The Smart Payment Association addresses the challenges of the evolving payment ecosystem, offering leadership and expert guidance to help its members and their financial institution customers realize the opportunities of smart, secure and personalised payment systems & services both now and for the future.
Stéphanie de Labriolle
+33 6 85 91 19 94