How Secure Are Contactless Payments?

“Don’t compare the security aspects of basic RFID technology used to identify dogs or goods with the security technology of contactless payment cards”, says Didier Godart of Rapid7
“Don’t compare the security aspects of basic RFID technology used to identify dogs or goods with the security technology of contactless payment cards”, says Didier Godart of Rapid7
Trending: Mobile Payment Transactions
Trending: Mobile Payment Transactions

It has been a long time coming, but radio-frequency identification (RFID) payment technology is finally being widely used in credit cards as a direct interface to the chip. It is also being deployed in smartphone retail payment solutions such as Google Wallet, and nationally in prepaid payment cards, including the German Geld Karte system, the Octopus card in Hong Kong and London’s own Oyster card.

This has led to a number of questions being raised about the privacy and security of such payment methods, and leads us to ask whether RFID payment technology is worth the risk?

Currently the main markets for RFID payments are transport systems and low-value convenience goods, such as vending machines, phone booths and snack bars. “The retail market will grow because it allows transactions to be completed much more quickly and, as already proved by Oyster and Octopus, the public like convenience”, says Tim Arridge, a senior consultant at Frazer-Nash.

Barclaycard’s latest contactless innovation is called PayTag and is a miniature credit card stuck to the back of your phone that turns it into a contactless way to pay for purchases up to £15 in value. “PayTag uses Near-Field Communication (NFC) technology, just like on the Oyster card terminals on the London Underground”, Arridge explains. “Barclaycard says PayTag is safe and secure, and if your PayTag is lost or stolen, you’ll be protected against fraudulent activity”.

HSBC is gradually rolling out contactless debit cards with a £20 (~$32.50) transaction limit, and the Lloyds Banking Group have around 1.5 million of the same already issued across the UK, with Natwest/RBS providing them upon request to eligible customers. In fact, there are more than 20 million contactless credit or debit cards already issued, and more than 80,000 merchant readers installed in the UK. You have to assume that the question of fraudulent activity has not been ignored by the card issuers, so why is there so much fear, uncertainty and doubt surrounding contactless payment technology surfacing within both specialist and mainstream media, and the technology industry itself?

Contactless Concerns

Thomas Skora, a senior security consultant at Integralis, explains some of the most common security concerns. “The main issue lies with the convenience of the payment process, not with security per se”, he insists, continuing “payments can be performed simply by touching a card to a Near-Field Communication reader. This makes the process very fast and appealing for the user but effectively bypasses well-established security steps like authorization by PIN entry”.

One linked concern is that without this security protocol, the payment process can be reversed, and an attack can occur by putting a mobile NFC reader (such devices already exist) close to a payment card, thus performing an unnoticed payment. “Technically, the legacy payment method called a magstripe profile is still available on the chip of a credit card, and therefore it is also reachable through the NFC interface”, Skora adds. “In this magstripe profile, the data needed for a payment (credit card number, expiry date, one-time card verification code) can be read from the card without any protection in the sense of a successful authentication or encryption”.

This type of attack was demonstrated for several types of credit cards by the ‘RFID Electronic Pickpocket’ and android-nfc-paycardreader Android apps, and each showed how it is possible to read sensitive data that can be misused by an attacker, according to Skora. “From a privacy perspective there is sufficient data to identify a person uniquely, as it can be done with unique IDs in browser cookies”, he concludes, admitting that “I don’t think that this could be really used for tracking purposes. The communication between cards and normal readers is only possible for a very short range (a few centimeters) and enhancement of communication ranges would be technically difficult and cost-intensive”.

Spooky Security

Dave Birch is a director at Consult Hyperion and chairs the Digital Money Forum, as well as being a research fellow at the London-based Centre for the Study of Financial Innovation. When it comes to the current payments regulatory schemes, Birch sees no problem with RFID payment technologies because they use the same basic technology and software as existing chip-and-pin (EVM) cards.

This underlying security architecture often gets overlooked, and instead “the wireless aspect of it seems spooky to people”, he acknowledges, leading to often irrational concerns over non-existent threats. Indeed, Birch insists that while current contactless payment cards are just as secure as other card payment technologies, contactless mobile phone payments have the potential to be “significantly more secure, since there are a number of characteristics of mobile that make it much harder to defraud people”, not least the fact that “if I steal one of your cards you may not notice for days, but if I steal your phone you notice right away”, he insists.

Dispersing FUD

According to Didier Godart, a security researcher with Rapid7 who formerly helped develop the PCI standards while working at MasterCard, contactless cards come with a batch of fears and misconceptions attached. Notably, the idea that anyone with an appropriately equipped scanner could read your account information and reuse it. But is this actually possible in a real-world attack scenario rather than a lab-based one?

“Having worked for a credit card company, I can tell you that they have been carefully working on the security of this ‘new’ payment method for a long time”, Godart told Infosecurity. “Don’t compare the security aspects of basic RFID technology used to identify dogs or goods with the security technology of contactless payment cards.”

"[It] makes the process very fast and appealing for the user but effectively bypasses well-established security steps like authorization by PIN entry"
Thomas Skora, Integralis

Indeed, basic RFID tags are typically cheap, read-only, low-memory devices that can be read over greater distances and have no or minimal security. Contactless payment cards and readers, however, contain secure microprocessors and memory, have the ability to perform cryptographic processing, have multiple functions, and are required to operate at very short ranges of less than two to four inches so that the consumer needs to make a deliberate effort to initiate the payment transaction.

“Each company has varying security methods for their contactless cards, but usually the card carries a code that is constantly changing in tandem with the card issuer’s computers”, Godart explains. “The code is good for just that one transaction and then changes to something else. This transaction information is generated using a strong encryption key that is known only to the financial issuer. Issuers can verify this dynamic card information before approving a payment transaction from an authorized reader”. In the event that a motivated individual did read the information from a contactless payment device, the security features designed into the device, the payment terminal and the payment system would therefore mitigate against the information being used for fraudulent transactions.

Legally Speaking

Companies involved in RFID payment technologies do, however, need to carefully assess their data privacy obligations and ensure that the contractual framework used by them contains sufficiently robust measures and appropriately allocates risk and responsibility for data privacy compliance, warns Emily Jones, a senior associate at Osborne Clarke.

In particular, there are a number of obligations under regimes such as the UK’s Data Protection Act 1998 (DPA) that must be applied where the information collected or processed can indirectly or directly identify an individual.

“Even where seemingly anonymous codes are used instead of what might obviously be considered personal data, such as a name and mobile phone number”, Jones explains, “if that code can be combined with information held elsewhere to identify someone, then that will be personal data covered by the DPA”.

"The wireless aspect of it seems spooky to people"
Dave Birch, Consult Hyperion

The payments process is not a linear one and involves the sharing of various amounts of data, so the role of each of the parties as data controllers and processors – and their responsibilities from a DPA perspective – can be difficult to identify and then capture contractually. “The use of RFID payment technology could unlock more data and make this available to more companies who may have different intentions about how it should be used”, Jones continues, adding “whilst the temptation may be to collect more data in order to increase its intrinsic value and potential for use, companies should be cautious about over-collecting information and bear in mind that the greater the volume of data, the greater the risk of loss, corruption or theft”.

Indeed, security is especially important, both from a data privacy and payments regulatory perspective, and it is an area on which the Financial Services Authority (FSA) and the UK’s data protection regulator, the ICO, continue to focus. “There is no magic list of what constitutes an appropriate technical measure, so companies need to assess the security risks and then think about how these could be minimized using technology such as end-to-end encryption, biometrics and two-factor authentication”, according to Jones.

RFID payment technology providers need to fully embrace the requirement for high security standards, not just to prevent regulatory action but also to build and maintain consumer confidence, which will, in turn, drive take-up and use of the technology.

What’s hot on Infosecurity Magazine?