“That comes to USD 12.95,” says the cashier at the local supermarket. I take my wallet, touch the terminal with it, wait a second, hear a beep and – voila! – paid!
Contactless bank cards are very convenient. You don’t have to swipe your card, enter your PIN, sign a receipt, take the card out of your wallet, look for cash or fish for coins in the depths of your pocket. You just hold it near the terminal, and that’s it.
Cashiers also have reasons to be satisfied: the purchase is much faster, so the cashier’s efficiency is also greater.
However, this ease of use makes you wonder whether stealing your money is just as easy. Can a criminal simply touch your pocket with a hidden reader and deprive you of your hard-earned money?
To find out, I studied many reports from hacker conferences and spoke to many bank representatives. Overall, the conclusions are positive, although there are also some minor drawbacks.
Contactless cards use near-field communication (NFC) technology. The card combines a chip and an antenna, which respond to POS terminal requests at 13.56 MHz. Although each payment system uses its own standard (e.g. Visa payWave, MasterCard PayPass, American Express ExpressPay, etc.), they all follow the same approach and the same technology.
The NFC transmission range is small, no more than 4 cm. So the first line of defense is physical – the reader should be in the immediate vicinity of the card, which would be difficult to do imperceptibly.
However, someone could build a custom reader capable of operating at greater distances. For example, researchers from the University of Surrey demonstrated a compact scanner capable of reading NFC data at a distance of 80 cm.
Such a device can send requests to a contactless card in public transportation, shopping malls, airports, and other areas where there are many people. In many countries, NFC-compatible cards are found in every second wallet, so criminals can find quite a few victims in overcrowded places.
You can even do without a dedicated scanner or physical proximity. Spanish hackers Ricardo Rodrigues and Jose Villa came up with an elegant way to eliminate the distance gap and showed it at the Hack in the Box conference.
Most of today’s smartphones are equipped with an NFC module. These devices are often kept close to the wallet, for example in a purse or pocket. Rodrigues and Villa developed an Android Trojan that turns a targeted smartphone into a device that acts like an NFC transponder.
When a hacked smartphone comes close to a bank card, it signals attackers that the transaction can be carried out. Then the fraudsters activate a regular POS terminal and place their NFC-enabled smartphone close to it. It can be said that an invisible bridge is created between the NFC card and the NFC terminal, regardless of the range.
The Trojan can be distributed using standard methods, such as through malware packages or hacked paid applications. The only requirement is Android version 4.4 or higher. Administrator-level access is not even necessary, although it is useful to the Trojan because it lets it run even when the smartphone screen is locked.
Getting a card within range of a prepared reader is only half the battle. There is a second, more serious line of defense – encryption.
Contactless transactions are protected by the same EMV standard that protects ordinary plastic cards equipped with an EMV chip. While a magnetic stripe can be cloned easily, it is not that simple in the case of a chip. Upon receipt of a request from the POS terminal, the card’s chip generates a one-time key. It could be intercepted, but it would not be valid for the next transaction.
Researchers have repeatedly voiced concerns about the security of the EMV standard, although you do not hear of such cards actually being hacked in practice.
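The one-time property described above can be shown with a small model, added here as an illustration and not taken from any payment system's code. The `Card` and `Issuer` classes are hypothetical, and HMAC-SHA256 stands in for the block-cipher MAC that real EMV cards compute.

```python
import hashlib
import hmac
import os
import struct

def _mac(key, amount, currency, challenge, atc):
    # Assumption: HMAC-SHA256 as a stand-in for the EMV cryptogram MAC.
    msg = struct.pack(">QH4sH", amount, currency, challenge, atc)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Card:
    """Hypothetical card model: a secret key plus a transaction counter."""
    def __init__(self, key):
        self._key, self._atc = key, 0

    def cryptogram(self, amount, currency, challenge):
        self._atc += 1  # every transaction consumes a fresh counter value
        return self._atc, _mac(self._key, amount, currency, challenge, self._atc)

class Issuer:
    """Hypothetical issuer host that shares the card's key."""
    def __init__(self, key):
        self._key, self._last_atc = key, 0

    def authorize(self, amount, currency, challenge, atc, cryptogram):
        expected = _mac(self._key, amount, currency, challenge, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: cryptogram mismatch"
        if atc <= self._last_atc:
            return "declined: counter already used"
        self._last_atc = atc
        return "approved"

def run_demo():
    key = os.urandom(32)
    card, issuer = Card(key), Issuer(key)
    challenge = os.urandom(4)  # the terminal's unpredictable number
    other = bytes([challenge[0] ^ 1]) + challenge[1:]  # a later terminal challenge
    atc, ac = card.cryptogram(1295, 840, challenge)  # USD 12.95, constructed values
    return {
        "genuine": issuer.authorize(1295, 840, challenge, atc, ac),
        "replayed": issuer.authorize(1295, 840, challenge, atc, ac),
        "new_amount": issuer.authorize(99900, 840, challenge, atc, ac),
        "new_challenge": issuer.authorize(1295, 840, other, atc, ac),
    }

if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:14} {verdict}")
```

Only the first submission is approved: an intercepted value is bound to one amount, one terminal challenge and one counter value.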
Are contactless payments safe?
There is one more point that should be mentioned. In standard use, the EMV card security concept is based on a combination of encryption keys and a user-entered PIN. For contactless transactions, a PIN is not required, so in this case the security measures are limited to the encryption keys generated by the card and the terminal.
“In theory, it is possible to produce a terminal that reads the NFC data of a card while being in a pocket, for example. Such a terminal should use encryption keys obtained from the acquiring bank and the payment system. The keys are issued by the acquiring bank which means that the fraud would be easy to trace,” explained Alexander Taratorin, director of application support at Raiffeisenbank.
Value of the transaction
There is one more line of defense: limiting the transaction value for contactless payments. This limitation is coded in the settings of the POS terminal and its amount is decided by the acquiring bank on the basis of instructions received from payment systems. In Poland, the maximum value of a contactless transaction is 50 PLN, in the United States – USD 25, in Great Britain – GBP 20 (it will soon be raised to GBP 30).
If the value exceeds the limit, the transaction will be rejected or an additional confirmation element will be required, e.g. a PIN or signature (depending on the issuing bank settings). To prevent a series of frequent smaller charges, an additional safety mechanism is also triggered in that situation.
However, there was a gap here as well. Almost a year ago, another team of researchers from the University of Newcastle (UK) discovered a vulnerability in the security system of Visa contactless cards. After choosing to pay in a foreign currency (other than British pounds), the researchers were able to circumvent the aforementioned restriction. When the POS terminal is offline, the maximum transaction value can reach up to EUR 1 million.
Visa reports that the likelihood of such an attack in real life is declining, saying such a huge transaction would be rejected by banking security systems.
According to Taratorin of Raiffeisenbank, the POS terminal controls the maximum value of a transaction, regardless of the currency.
We will choose a different path
So, does it all boil down to this: a failure of the bank’s payment system that would let suspicious contactless transactions through is practically impossible? Probably the answer is yes, provided that the fraudsters do not work for the bank in question.
Meanwhile, there is another conclusion: even if the transaction itself cannot be intercepted, NFC technology can facilitate the theft of payment card credentials.
The EMV standard assumes that some data is stored unencrypted in the chip’s memory. Depending on the policy of the issuing bank or payment system, it may include the card number, recent transactions, etc. The data can be read with an NFC-enabled smartphone that has a legitimate application installed (e.g. NFC bank card reader).
Until recently, it was believed that card security could not be compromised. However, the prominent British consumer publication Which? unexpectedly debunked this old myth.
Experts from Which? tested several different wireless cards issued by UK banks. Using an NFC reader and free software, they decoded the numbers of all cards and their expiry dates.
It might seem there is nothing to worry about. After all, you need a CVV number to buy something online, right?
Unfortunately, the truth is that many online stores don’t require a CVV number. Experts from Which? successfully ordered a £3,000 TV from one of the largest online stores.
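To make the unencrypted chip data discussed above concrete, the following added example (not from the original article) parses a constructed EMV record in BER-TLV form and reports which cardholder fields it exposes, masked for safe logging. The function names and the sample record are hypothetical; tags 5A (card number), 5F24 (expiry date) and 5F20 (cardholder name) are standard EMV data elements.

```python
# Constructed record: template 70 holding tags 5A, 5F24 and 5F20.
# The PAN is the well-known 4111... test number, not a real card.
SAMPLE_RECORD = bytes.fromhex(
    "701B" "5A084111111111111111" "5F2403251231" "5F2008444F452F4A414E45"
)

def parse_tlv(data):
    """Yield (tag, value) for each primitive BER-TLV element, descending into templates."""
    i = 0
    try:
        while i < len(data):
            first = tag = data[i]
            i += 1
            if first & 0x1F == 0x1F:          # tag continues in the following bytes
                while True:
                    tag = (tag << 8) | data[i]
                    i += 1
                    if not tag & 0x80:        # high bit clear marks the last tag byte
                        break
            length = data[i]
            i += 1
            if length & 0x80:                 # long form: low 7 bits count the length bytes
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big")
                i += n
            value = data[i:i + length]
            if len(value) != length:
                raise ValueError("truncated TLV value")
            i += length
            if first & 0x20:                  # constructed element: nested TLVs inside
                yield from parse_tlv(value)
            else:
                yield tag, value
    except IndexError:
        raise ValueError("truncated TLV header") from None

def exposed_fields(record):
    """Return the cardholder data readable from the record, masked for logging."""
    out = {}
    for tag, value in parse_tlv(record):
        if tag == 0x5A:                       # card number, BCD digits padded with F
            pan = value.hex().rstrip("f")
            out["pan"] = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        elif tag == 0x5F24:                   # expiry date, BCD YYMMDD
            out["expiry"] = f"20{value.hex()[:2]}-{value.hex()[2:4]}"
        elif tag == 0x5F20:                   # cardholder name, ASCII
            out["name"] = value.decode("ascii", "replace").strip()
    return out
```

An issuer or tester can run such a check against a card's personalisation data to see which of these fields are present in the clear.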
While contactless payment technology involves several layers of protection, that doesn’t mean your money is 100 percent safe. Many elements of bank cards are based on outdated technologies, such as a magnetic stripe or the ability to pay online with a card without additional authorization.
In many respects, security depends on the settings used by financial institutions and retailers. The latter, seeking to speed up the purchasing process and reduce the number of “abandoned carts”, sometimes prefer to sacrifice payment security for the sake of greater earnings.
Below you will find some basic general safety rules:
- make sure that no strangers can see your PIN when you enter it,
- do not show the card in public,
- be careful when downloading applications to your smartphone,
- install an antivirus,
- enable SMS notifications from the bank,
- notify the bank immediately if you notice any suspicious activity.
If you want to be absolutely sure no one can read your NFC card, consider purchasing a shielded wallet. Nobody can cheat the laws of physics.