Security questions raised over contactless card payments
Leading banks have been pushing contactless cards hard in the past few years but new research suggests there are security issues associated with these types of low-value transactions, which are expected to hit one billion in the UK next year.
In theory, contactless card transactions made using near field communication (NFC) technology – used for purchases of £20 or less by customers holding a card or NFC-enabled smartphone near a terminal – must be made within five centimetres of the terminal.
However, researchers from the University of Surrey have proved they were able to collect NFC data by ‘electronic eavesdropping’ from as far away as 80cm.
This has, in turn, raised security concerns around a product that banks believe will help them take the fight to online commerce companies, such as PayPal, which have gained a powerful share in the fast-growing market for mobile payments.
The research, which was published last week by the Institution of Engineering and Technology’s Journal of Engineering, was made possible by using an antenna, a shopping trolley and a backpack. Using this equipment, the researchers said they “successfully received contactless transmission from distances of 45cm to 80cm”.
NFC technology has been overshadowed to some extent by other emerging mobile-payment technologies, such as apps, QR codes and chip-and-pin devices for smartphones. Nevertheless, 30 million contactless cards have been issued in the UK by Visa, which predicts one billion contactless card transactions in the UK in 2014.
In addition to the use of NFC technology by London buses, Oyster cards and at the 2012 Olympics, payments are accepted by many retailers, including Marks & Spencer, Post Office, Starbucks and Waitrose. Last week, for example, chemist Boots announced all of its UK stores would accept contactless payments.
However, the findings of the University of Surrey researchers are likely to cause some concern among a consumer base that is already suspicious of this type of technology.
A survey published by gocompare.com in April this year said a quarter of respondents found contactless payments “scary”, with only 6% of respondents saying they had made a contactless payment with their card.
Nevertheless, many in the industry do believe concern regarding NFC security is unwarranted. The UK Cards Association said instances of fraud on contactless cards are extremely rare, adding that the card reader built by the University of Surrey would only be able to obtain the card number and expiry date shown on the front of a card.
“The reality is that the card details that can be gleaned through this type of electronic eavesdropping are not sufficient to execute a transaction at the POS [point of sale] or online [provided the merchant is using the required security mechanisms],” says Julie Conroy, research director at Aite Group.
Conroy explains that, at the POS, the transaction requires a dynamic security code, which is generated by the chip at the time of transaction. Online, the transaction is required to contain the CVV2 code, a data element that cannot be obtained through electronic eavesdropping.
“There are far easier ways for criminals to acquire all the requisite data for illicit transactions through global database breaches and skimming incidents in non-EMV [Europay, MasterCard and Visa] countries such as the US,” says Conroy.
“Electronic eavesdropping simply doesn’t give them the data they need, or the scale they need, and should be relegated fairly low on the list of attack vectors the industry should be concerned about.”
Johann Briffa, one of the authors of the University of Surrey research, clarifies: “In the paper we published, we looked at the distances at which the transmission could be captured, depending on field strengths transmitted and user scenarios. We did not look into what the data captured would contain and the corresponding security implications.
“It’s important to highlight that designers of applications using NFC need to consider privacy because the intended short range of the channel is no defence against a determined eavesdropper.”
While the findings of the survey might not be seen as overly concerning within the industry, this is not the first time the security of NFC technology has been called into question. Earlier this year, some Marks & Spencer customers reported that payments had been taken from contactless cards that were more than four centimetres away from the terminal. Customers claimed they had attempted to pay by chip and pin but had found that payments were taken from NFC-enabled cards in their wallets.
Meanwhile, other factors continue to hinder the widespread adoption of NFC payments.
Last month, Strategy Analytics revised down its forecast for NFC adoption. Having predicted in May the value of NFC payments would reach $53 billion by 2017, the firm now believes this figure will only by $48 billion. In a press release, the company cited the prospect of alternative mobile-payment solutions being launched by Apple and PayPal as factors contributing to uncertainty regarding NFC’s future.
While many Android devices support NFC technology, Apple opted not to include NFC in its latest iPhone releases, the iPhone 5S and iPhone 5C. With Apple representing 40% of the smartphone market in the US, this omission is significant and is seen by some as a serious hindrance to the future of NFC.