UK customers charged twice with contactless payment cards

Are contactless payment transactions secure? asks the Smart Card Alliance security Q&A FAQ. "Yes," it says. "Contactless payment devices are designed to operate at very short ranges – less than 2-4 inches [approx 5-10 cms] – so that the consumer needs to make a deliberate effort to initiate the payment transaction."

But that hasn't been the experience of several customers at retailer Marks & Spencer. M&S is currently the UK's largest user of RFID-based contactless payments. It has just completed the installation of the technology in all of its 644 UK stores and receives some 250,000 contactless payments every week. 

A report by the BBC taken from its Radio 4 Money Box programme describes the experience of two listeners who had payments taken unexpectedly and unintendedly from cards that were kept away from the card reader – in one instance, never nearer than approximately 30 cms. Further examples in the radio broadcast indicated similar occurrences at Pret a Manger and with Transport for London.

The problem is a classic example of the conflict between ease-of-use and security. The whole purpose of contactless payment is to make the process easier and more convenient for the user. It uses a very weak RFID signal that can, in theory, only be read within a distance of no more than 10 cms. But it is completely passive. That means that the customer needs do nothing more than present the card to the reader for the transaction to be completed automatically.

This passivity is the system's weak link. Currently contactless payment cards can only be used for payments of up to £20. However, in Practical Attack on Contactless Payment Cards, Martin Emms and Aad van Moorsel describe how an inexpensive combination of RFID reader and hidden camera can be used to silently read the card data and film the CVV security code. Armed with this combination, an attacker could then use the details to make more expensive card-not-present fraudulent online purchases and have the goods delivered to a separate address, 

The solution, say the authors, is simple: such skimming frauds can be prevented by making the cards active rather than passive. "Card activation will be achieved by the application of pressure anywhere on the card, this should be possible whilst the card is still inside a wallet, thereby maintaining the convenience and speed of contactless payments." This would, of course, also protect customers from the inadvertent double payments as seen in M&S.

In the meantime, however, users can protect themselves by keeping their contactless payment cards within a simple faraday cage when not in use. There are several commercial card holders that will do this, while folding the card in kitchen foil will apparently have the same effect (not tested by Infosecurity).

In February Visa Europe predicted that there would be 34 million Visa-branded contactless cards in circulation in the UK – and 175,000 terminals – by the end of 2013.

What’s hot on Infosecurity Magazine?