Thursday 10 September 2015

Disabling Contactless Cards

Contactless card security, or the lack of it, is back in the media. There are three main claims the card firms make for why these cards are secure. Sadly I would disagree with each.

1) Short Range.
Which? said that while industry standards specify a maximum magnetic-field strength for card readers, intended to limit the read range to 5cm, some readers may be able to read cards at greater distances. Which?'s own test rig read a card from 45cm. (http://www.theguardian.com/money/2015/jul/23/contactless-card-is-too-easy-says-which)

"It may be possible for a small percentage of cards to be read 15 to 20cm from the reader," he said. "Even if this was to occur in 0.1% of cases, with more than 300m transactions taking place last year, many consumers could be affected."

So the only limit on how far away a card can be read from is whether whoever builds the reader chooses to stay within the guidelines. People planning to break the law by stealing card details will, of course, follow guidelines rigidly.

So your safety with a contactless card depends entirely on the honesty of the person who plans to steal it.

2) That the amounts are so small no one would be interested.
I’m going to use an actual live case that I observed, regarding an online site and its payments. Squidoo was an article site that paid monthly for the articles with the most traffic. As its monthly payment increased, so did the amount of click fraud and the like.

When the payment for a top article on squidoo was $10, fraud was very low.
When the payment was $30, coders built tools just to get the payment and sold them for $50 (e.g. SquidooBlaster).
When the payment reached $50, it was hard to get that payment without fraud.

Likewise, when the contactless transaction limit was £10 no one bothered. Now it’s £20, and they want to make it £30. At what point does it become worth the outlay for a cheap phone and a long-range reader, less than £100 in total?

With Squidoo there was a cap: only the top 10,000 lenses got that type of royalty. With cards there is no such cap; a thief could read that many in an hour walking around a city street or station.

3) That after a certain number of transactions, you have to use your PIN.
Not only do they still get the money for the first transaction, but this is where long-term cons get nasty.
Once they have your card data, they can make a number of contactless transactions before the card locks and demands a PIN.
If they have kept those transactions small, transport fares or whatever else, they simply stop using your card, wait for you to use it with your PIN (which unlocks it and resets the counter), and then harvest another £20 from it the next day.
£20 every day for a month is around £600 per card. The equipment for Which? cost under £200. Think the fraud is worth it yet?
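
The reset-and-harvest cycle above, modelled as an added illustration (this is not the post's own code, and the issuer rule it assumes, N contactless taps allowed and any PIN-verified transaction resetting the counter, the value of N, and every transaction listed are assumptions constructed for the example). It replays the thief's pattern against the counter with and without the cardholder's daily PIN purchase, and includes a simple issuer-side heuristic that looks for the same cycle in a transaction stream.

```python
# Model of the "PIN after N contactless transactions" counter and the
# reset-and-harvest cycle described above. Added illustration, not the post's
# own code. The issuer rule (N contactless taps allowed, any PIN-verified
# transaction resets the counter), the value of N, and every transaction
# listed here are assumptions constructed for the example.
from dataclasses import dataclass
from typing import List, Tuple

CONTACTLESS_LIMIT = 20.0   # per-tap ceiling in GBP at the time of the post
MAX_BEFORE_PIN = 5         # assumed issuer counter; real values vary by issuer


@dataclass
class Txn:
    day: int
    amount: float
    cvm: str     # "contactless" (no cardholder verification) or "pin"
    actor: str   # "owner" or "thief"; used only to total what was harvested


@dataclass
class Outcome:
    txn: Txn
    approved: bool
    counter_after: int


def run_counter(txns: List[Txn], max_before_pin: int = MAX_BEFORE_PIN) -> List[Outcome]:
    """Replay transactions in chronological order against one card's counter.
    A tap is approved while the counter is below the limit and the amount is
    within the ceiling; a PIN-verified transaction is always approved here
    and resets the counter to zero."""
    counter = 0
    out = []
    for t in txns:
        if t.cvm == "pin":
            counter = 0
            out.append(Outcome(t, True, counter))
        elif t.amount <= CONTACTLESS_LIMIT and counter < max_before_pin:
            counter += 1
            out.append(Outcome(t, True, counter))
        else:
            out.append(Outcome(t, False, counter))  # declined: PIN now required
    return out


def harvested(outcomes: List[Outcome]) -> float:
    """Total value approved for the thief."""
    return sum(o.txn.amount for o in outcomes if o.approved and o.txn.actor == "thief")


def daily_harvest_scenario(days: int, owner_resets: bool = True) -> List[Txn]:
    """Constructed scenario: each day the thief taps once at the ceiling; if
    owner_resets, the cardholder then makes an ordinary chip-and-PIN purchase,
    which is what hands the counter back to the thief for the next day."""
    txns = []
    for d in range(1, days + 1):
        txns.append(Txn(d, CONTACTLESS_LIMIT, "contactless", "thief"))
        if owner_resets:
            txns.append(Txn(d, 42.10, "pin", "owner"))
    return txns


def flag_reset_harvest(outcomes: List[Outcome], min_repeats: int = 3) -> Tuple[bool, int]:
    """Illustrative issuer-side heuristic: count PIN-verified transactions that
    are immediately followed by an approved contactless tap at the ceiling.
    Repeated reset-then-maximum-tap cycles are the pattern described above.
    A genuine cardholder who taps £20 right after a PIN purchase also counts,
    so this is a signal to correlate with merchant/location data, not a
    decision on its own."""
    hits = 0
    prev_was_pin = False
    for o in outcomes:
        if (prev_was_pin and o.approved and o.txn.cvm == "contactless"
                and o.txn.amount >= CONTACTLESS_LIMIT):
            hits += 1
        prev_was_pin = o.txn.cvm == "pin"
    return hits >= min_repeats, hits


if __name__ == "__main__":
    with_reset = run_counter(daily_harvest_scenario(30))
    no_reset = run_counter(daily_harvest_scenario(30, owner_resets=False))
    print("harvested with daily PIN resets:", harvested(with_reset))   # 600.0
    print("harvested with no resets:", harvested(no_reset))            # 100.0
    print("flagged:", flag_reset_harvest(with_reset))                  # (True, 29)
```

Without the owner's PIN purchases the thief gets five taps and is then locked out for good; with them, the month's take is the £600 the post arrives at. The heuristic is deliberately crude: on its own it will also flag honest cardholders, which is why a real issuer rule would combine it with where and when the taps happen.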

And since thieves often convert the cash by buying gift vouchers, which are hard to trace, it provides an ongoing benefit.

The final safeguard: Insurance
If all of these safeguards fail and your card is used without your consent, the banks state that they will refund you. There are a lot of issues here.
From the user’s point of view, the bank refunds from the point at which the user reports a problem. Unlike a physical card, where you notice you have lost it, with contactless you could lose quite a bit before a statement or some other sign tells you something is wrong.

However from a societal point of view there’s another issue. In the TJX case one woman lost $45,000. She reported it. The card firm refunded her. The firm then either claimed insurance, or reclaimed it from the retailer, who then claimed on their insurance.

The thieves still had the original $45,000. They still benefited, so there was no reason for them not to continue to steal credit cards, which in fact they did. If insurance means the theft can be seen as stealing from banks and insurers, not from retailers and little people, it might even encourage it: you might have noticed the number of online groups spelling ‘bankers’ with a ‘w’.

And then more recently, the possibility of a whole new field of fraud was opened up.

While RFID Journal says that the contactless chip does not contain the card’s full data (http://www.rfidjournal.com/blogs/rfid-journal/entry?7870), Infosecurity Magazine states that it does, and that they accessed it through a legacy profile (https://www.infosecurity-magazine.com/magazine-features/how-secure-are-contactless-payments/).

Now if this is true, it reopens the whole field of card cloning. The security issue is simple: if the RFID contactless chip contains the same details as the magstripe, that is enough for someone who skims them to write a magstripe clone for signature use. Fit the clone with a deliberately faulty chip and most card readers fall back to the magstripe. The person who made the clone then just swipes and signs the slip, with the same signature they put on the clone fifteen minutes earlier. It might not match the real owner’s signature, but that won’t be revealed until the slip reaches the bank a few days later. The check that decides whether this works is whether the issuer validates the stripe’s own card verification value: the chip’s Track 2 equivalent data is supposed to carry a different value (iCVV) from the physical stripe’s CVV1 precisely so that chip data cannot be turned into a working stripe, and an issuer that checks it will decline the clone.
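
To make the "same details as the magstripe" question concrete, here is an added example (not the post's code, nor any card scheme's) that parses EMV Track 2 Equivalent Data, the tag 57 field a contactless read hands back, alongside a physical stripe's track 2, and reports which fields differ. The layout follows ISO/IEC 7813 track 2. Both sample strings are constructed: 4111… is the usual Visa test PAN, the expiry and service code are made up, and the discretionary data is invented to show the field where the chip's iCVV and the stripe's CVV1 live, which is the one that should differ.

```python
# Parser for EMV Track 2 Equivalent Data (tag 57), the field a contactless
# read hands back, and the comparison a practitioner would make against the
# physical magstripe's track 2. Added example, not the post's or any card
# scheme's code. Layout per ISO/IEC 7813 track 2: PAN, separator ('D' in
# tag 57, '=' on the stripe), YYMM expiry, 3-digit service code,
# discretionary data, 'F' padding to an even nibble count. Both sample
# strings are constructed (4111... is the usual Visa test PAN) and the
# discretionary data is made up.
import re

TRACK2_RE = re.compile(
    r"^(?P<pan>\d{8,19})D(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>\d*)F?$")

# ISO/IEC 7813 service code meanings (first and third digits)
SERVICE_FIRST = {
    "1": "international, magstripe only",
    "2": "international, IC present: use chip where possible",
    "5": "national, magstripe only",
    "6": "national, IC present: use chip where possible",
    "7": "private / bilateral agreement only",
    "9": "test",
}
SERVICE_THIRD = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, PIN where feasible",
    "7": "goods and services only, PIN where feasible",
}

CHIP_TAG57 = "4111111111111111D2512201123456789F"    # constructed tag 57 value
STRIPE_TRACK2 = "4111111111111111=2512201987654321"  # constructed stripe read


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test on a PAN (catches typos and scan garbage, not fraud)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    """Split a track-2 string (tag 57 hex or a raw stripe read) into fields."""
    s = raw.upper().replace(" ", "").replace("=", "D")
    m = TRACK2_RE.match(s)
    if not m:
        raise ValueError("not a track-2 layout")
    pan = m["pan"]
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan": pan,
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry": f"{m['exp'][2:]}/{m['exp'][:2]}",   # MM/YY
        "service_code": m["sc"],
        "discretionary": m["disc"],
    }


def chip_indicated(service_code: str) -> bool:
    """True when the service code tells the terminal an IC is present; this is
    what a terminal consults before allowing a magstripe fallback on chip failure."""
    return service_code[0] in ("2", "6")


def describe_service_code(service_code: str) -> tuple:
    return (SERVICE_FIRST.get(service_code[0], "unknown"),
            SERVICE_THIRD.get(service_code[2], "unknown"))


def diff_fields(chip: dict, stripe: dict) -> list:
    """Fields that differ between the chip's Track 2 Equivalent and the stripe.
    PAN, expiry and service code are normally identical; the discretionary
    data is where the issuer places a different verification value (iCVV) on
    the chip from the stripe's CVV1, so an issuer that checks CVV1 declines a
    stripe written from contactless data. Identical discretionary data would
    mean the clone described above actually works."""
    return [k for k in ("pan", "expiry", "service_code", "discretionary")
            if chip[k] != stripe[k]]


if __name__ == "__main__":
    chip, stripe = parse_track2(CHIP_TAG57), parse_track2(STRIPE_TRACK2)
    print(chip["pan_masked"], chip["expiry"], describe_service_code(chip["service_code"]))
    print("fields differing from stripe:", diff_fields(chip, stripe))   # ['discretionary']
```

Run against a real pair of reads, `diff_fields` answers the question the two journals disagree on: if the discretionary data comes back identical, the chip really does give away everything a stripe clone needs; if it differs, the clone's fate rests on whether the issuer bothers to check CVV1.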

So, no, the more I look into it, the less happy I am about the security on contactless cards. Many of the more complex technical security solutions seem to assume that a fraudster will never acquire a physical card from that bank to reverse-engineer it (because, you know, thieves never have or steal real physical cards…).

Then Visa asked to be able to track cardholders’ movements and transaction locations through their phones “for security” (https://nakedsecurity.sophos.com/2015/02/18/visa-asks-to-track-your-smartphone-to-help-sniff-out-credit-card-fraud/). And that data about where you are at what times of day, every day, couldn’t be abused at all, could it?

So when the bank refused to replace mine with a non-contactless card, I field-tested disabling my card’s contactless function myself. My solution works.

I’ll post it here in a few days.




This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  Disabling Contactless Cards - http://rablogs.co.uk/tirial/2015/09/10/disabling-contactless-cards/ was published on September 10, 2015 at 9:47 am.

Thursday 3 September 2015

EUVAT - a last thought

I’m not going to define EUVAT again (daft legislation that even the EU admit was not thought out and is killing small business, but which may not be fixed for two years), but I wanted to throw out a last thought before the EUVAT Symposium in September.

The problem with the proposed solution of adding a turnover threshold to EUVAT is that VAT thresholds vary from country to country. A threshold was already rejected when it was originally proposed, so it won’t go through this time. So why not link EUVAT to company behaviour, so that only companies acting against the European Digital Single Market get hit?

Small firms sell online by PayPal button or a similar low-cost one-click option. They offer the same thing to all countries and rarely even know where the customer is based. Large firms like Amazon select by country, offer different or restricted services in each country, and block users from accessing their content outside that country. So why not link EU VAT directly to this? If a company geo-selects within Europe on services, it pays EUVAT rates, i.e. it has to pay VAT at the point of supply, the customer’s location, since it is obviously already collecting enough data to know this. However, if a company is using a single-click payment option and not changing its offering by country, all sales are counted as domestic and VAT is paid at the rate of the company’s home location. Since few (virtually no) larger firms use PayPal or single-click payment processors that aren’t linked to an account with details and customer location, this would effectively remove small businesses from EUVAT. The benefits:
  • This removes small businesses from EU VAT, saving time and hassle without needing a threshold.
  • It encourages larger firms to provide identical cross-border content, promoting the DSM, and penalises those that don’t.
  • It makes it harder for multi-nationals to dodge VAT.
  • It makes it unnecessary to have a turnover threshold.
The disadvantage is proving that the offering is identical, but that should be easily done just by visiting the website from multiple countries’ IP addresses. If prices (not including shipping) change and products vary significantly, that’s EUVAT liability. Yes, this may be borderline for larger bookshops or DVD and game sellers because of licences and overseas rights. However, since it is not illegal to sell a printed book or DVD created in one region to another, only to mass-produce or mass-retail them in a third-party country without rights, most should be unaffected.

Larger sites that might escape it are Flattr and Patreon, but then both are a way of moving funds directly to small creators, and they don’t care where the donors or creators are based. It’s better than people being threatened with extradition over 5p, and grannies selling knitting patterns having to pay VAT.


This blog has now moved to http://www.rablogs.co.uk/tirial, where the original article can be found.  EUVAT - a last thought - http://rablogs.co.uk/tirial/2015/09/03/euvat-a-last-thought/ was published on September 3, 2015 at 8:53 am.