Investigating the myths and realities of contactless payment fraud - An SPA Paper - April 2016
Contactless payment cards have been in the news for all the wrong reasons over the last few months. Phantom and duplicated payments in some UK retailers have led to headlines asking ‘how safe is your money?’ and references to ‘controversial new payment methods’. We’ve also seen Newcastle University's Centre for Cybercrime and Computer Security demonstrate ‘how easy it is’ to scan card details from contactless payment cards – raising fraud and cybercrime concerns.
In light of these recent stories, and the inaccuracies sometimes reported within them, the SPA published a first version of a position paper to uncover the myths and realities of contactless payment risks. Since the original publication, the number of contactless transactions has increased dramatically, making it possible to collect fraud data and compile the first reliable statistics. In particular, as explained in Paragraph 6, our initial analysis of why we believed contactless payments were safe is backed by the first figures on fraud levels published by the Banque de France.
Added to this, we firmly believe that user education can, and should, raise public awareness of the realities of the potential security threats of contactless payment.
So, by offering an analysis of contactless payment security, the paper provides an expert, independent view. It details the potential forms of attack, both real and theoretical, and highlights the countermeasures in place to respond.
Crucially, this paper will be regularly updated and made publicly available to assure the highest levels of transparency, to report against potential new threats as they appear, and to chart ongoing industry activity to address and minimize risk.
In this respect we note that at present, in the retail payments industry, “contactless payments” refers both to payments initiated with a plastic contactless card and to payments using a mobile device with an NFC interface, also known as “mobile contactless payments”. This second version of our report takes that fact into consideration and therefore includes new material to address the new risks created by mobile contactless payments. SPA points out, however, that available data for contactless payment fraud relate exclusively to plastic cards.