Contactless is the future. But just before you leave for work – go into your kitchen and rip a little bit of Aluminium foil off the roll and wrap it round your contactless debit/credit card. There you go; payment details safe and sound for the day.
You don’t have to have a deep understanding of contactless technology to know this just sounds absurd. Every time we make a contactless payment we don’t want to feel like we are unwrapping our BLT during our lunch break.
With the excitement of the Apple Pay launch barely settled, questions surrounding contactless security on cards have been raised again and have got some users worried. Is there really no such thing as bad publicity?
Which? recently issued a piece on contactless security that claimed they had found a security flaw in contactless cards that gives anyone with a contactless card reader the ability to ‘steal’ details from users cards which can then be used to buy products online.
So was this nothing more than a scare story? There certainly wasn’t anything “new” in the report. Let’s just say we don’t think it’s going to affect contactless payment from growing now and in the future.
Yes, it’s technically possible to read the card details over the contactless interface. In a lab it’s easy – we can demonstrate with our toolsets – but in practice it’s virtually impossible to do without the card holder being aware. It’d surely be easier and less intrusive just to video them taking the card out their pocket and get the details that way!
The contactless technology used to make the transaction between your card and the payment terminal needs typically 4cm to connect – so for someone to ‘steal’ your details with one of these readers they would have to be pretty “seriously invading your personal space” close, I’m pretty sure I would notice this wouldn’t you? And who’s to say we all keep our cards (ready for someone to pinch) in our back pockets? (For example I know a lot of females keep their card inside a purse, inside a bag).
The only reason it’s possible to get the card details at all is to support legacy terminals – primarily in the US; but then security is only as good at its weakest point, which for a plastic card is those embossed numbers in plain sight.
There are 58 million contactless cards in circulation in the UK and according to the most recent statistics, the amount of money lost to fraudsters is 0.7p for every £100 spent on contactless – less than on non-contactless cards. So for everyone who understands the technology such as the contactless experts, payment companies and analysts who have studied, prepared and for some deployed this contactless technology – they definitely are not even breaking a sweat with the latest ‘revelations’.
Of course we know that security is a critical element of contactless payments – it is second to none on the tick list when considering adopting this method of payment.
When it comes to adopting mobile payments, consumers are even more conscious of security issues. Those concerns may not always be based on fact, but it’s why as an industry we have to make sure our solutions are secure and not risk breaking the fragile trust that consumers have in our solutions.
The fact is that mobile allows many opportunities to increase the security of payments:
Weak authentication methods, like a four digit pin, can be replaced with biometrics.
The connected nature of mobile phones allows for cloud based updates of payment credentials; meaning that if someone does steal the payment card details the value of what they’ve pinched is reduced: the life time of the credentials is measured in hours not years and there are rules applied as to where the credentials can be used – credentials intended for in-store mobile payments cannot be used for e-commerce transactions.
New risk management techniques can be developed such as Visa’s mobile geo-location technology.
Oh, and those embossed numbers we mentioned earlier are no longer in plain sight but only displayed when the user needs them… and then only after authenticating themselves.
After EMV was introduced, it greatly reduced counterfeit card fraud and has now been deployed in over 80 countries around the world. The fraudsters aren’t stupid and will look for the easiest win, which is why the majority of fraud these days is e-commerce based. It’s also why we shouldn’t worry about scary people running around with high-tech scanners – there are much easier ways to get card details.
Perhaps coming up with better ways to tackle the e-commerce fraud problem without inconveniencing the consumer is the key to reducing fraud and not scare stories about contactless, which is secure.