
In the past few years contactless payment cards have been introduced and I have been reading some articles surrounding the security of these cards. The following article, "Stealing data from contactless cards is easy, experts warn", states

A Which? spokesman said: 'By touching volunteers' cards to our card reader, we got enough details to allow us to go on an internet shopping spree. 'With these card details, the contactless transaction limit is irrelevant, because online transactions aren't contactless.'

This article seems to suggest that stealing a contactless card's details is easy, but the same article also states:

Figures from the UK Cards Association show that in 2014, the total annual contactless fraud loss was £153,000 compared with total spending of £2.32 billion.

Which seems a relatively small percentage.

Looking at the Visa FAQ website it states the following:

Can a fraudster with a bogus contactless terminal steal money from my card by brushing up against me?

Today’s fraudsters are on the hunt for full card details. The only information that could possibly be read from a contactless card is the card number, the expiry date and in some instances, the cardholder name – the same information that’s available on the front of your card.

On its own this information is simply not useful for today’s fraudsters – who also need to get their hands on the really sensitive information, such as the CVV code (the three digit security code on the back of your card), PIN numbers, Verified by Visa passcodes, card security codes, billing addresses and other hidden security data. None of these essential details can be read from a contactless card.

But according to the other article, the card number, cardholder's name and expiry date are enough to purchase things online on certain websites, contradicting the Visa statement.

So how safe is my contactless payment card?

What are the risks should I be aware of?

What can I do to protect myself against potential risks?

Anders
User1
  • For prevention you might want to lookup Faraday's cage wallets. – BadSkillz Jun 09 '16 at 10:28
  • Remember, this is a risk for the BANK, not you. You only have to make it plausible that those transactions cannot be you (due to location, for example). Also, not all implementations are the same; it depends on what 'type' of EMV chip is used. – LvB Jun 09 '16 at 10:42
  • This question is far too broad to answer succinctly without getting into a long discussion! How safe is your credit card when you hand it to a waiter in a restaurant (who may have a dodgy PoS device, or have to go swipe it elsewhere)? How safe is your credit card when you put it in an ATM that may have skimming devices installed? How safe is your credit card when you use it to do online shopping? How safe is your credit card when you transact over the phone and you give all your card details? – Little Code Jun 09 '16 at 11:17
  • @LittleCode I am talking specifically about the **_CONTACTLESS_** element of the card and **_NFC_** technology. I am not interested in how safe my card is in general, as there are lots of resources on this. – User1 Jun 09 '16 at 11:21
  • @user1 and I'm talking specifically about putting your worries in context. ;-) – Little Code Jun 09 '16 at 11:23
  • When they were first introduced into the UK, Marks and Spencer had a big problem where their terminals were taking money from other cards in the wallet as here [bbc](http://www.bbc.co.uk/news/business-22545804). Also, the whole 4-5cm maximum thing is only if people are using radios that follow the specifications. I can setup my own reader using custom radio that can read a card a good few meters away without problem, here is a do it yourself article on [hackaday](http://hackaday.com/2013/11/03/rfid-reader-snoops-cards-from-3-feet-away/), you think the bad guys will follow the specifications? – ewanm89 Jun 09 '16 at 15:56
  • @ewanm89 so the distance the card transmits is down to the power of the reader? Therefore if I had a very powerful reader I could read loads of cards in a crowded area, i.e. a subway station. If this is the case I am not sure why the security of these cards hasn't been questioned before. – User1 Jun 09 '16 at 16:00
  • @user1 it's not that simple: the power of the card is partially dependent on the power of the signal it got from the reader's transmitter to activate it. However, more important is that it depends on the sensitivity of the reader's receiver. Once on the air waves it doesn't just go x distance and that's it; it goes x distance before a receiver of a given sensitivity can no longer read it. As such, if the receiver has a high enough sensitivity to pick up the weaker signal it can be read from further away (and be able to filter the signal out of the background static). – ewanm89 Jun 09 '16 at 16:05
  • Oh, antennas play a role too... wouldn't do subway/underground. But say hidden in the back of a van in a high street... well, you could kiss NFC goodbye. – ewanm89 Jun 09 '16 at 16:07
  • Will people *ever* stop creating new security problems in the name of saving a moment's time or inconvenience? If not, why don't we simply do away with money outright. Theft would vanish, along with most crime. It would be worth it. –  Jun 27 '16 at 19:19

1 Answer


Can an attacker get information off the card?

Yes, at least some can, and the UK consumer group Which? mentioned in the question did it:

Our researchers tested 10 cards (six debit and four credit, from volunteers) to assess security risks.

Contactless cards are coded to 'mask' personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards.

We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).

Can the info be used to buy stuff?

While most online shops will not let you pay without the CVV, some do. So while the fraudsters might have limited shopping to choose from, they can still spend your money:

We ordered two items - one a £3,000 TV - from a mainstream online shop using 'stolen' card details, combined with a false name and address. We've alerted the store involved.

Your card could also be copied and used for other contactless transactions. Which? estimates that limits on those would limit the theft to £45 - £100.

Note how the quote from the Visa FAQ is carefully worded not to say that this isn't possible, just that it is not what fraudsters are looking for nowadays.

How close would the attacker need to be?

Edit: See ewanm89's comment - this might not be true.

To pull this off and be able to read a card you have to get quite close. The Guardian interviews a privacy standard expert at the National Consumers Federation:

He said that while industry standards specify a maximum magnetic-field strength for card readers of 5cm, some may be able to read cards at greater distances.

“It may be possible for a small percentage of cards to be read 15 to 20cm from the reader,” he said. “Even if this was to occur in 0.1% of cases, with more than 300m transactions taking place last year, many consumers could be affected.”

Is this a problem for you?

The bank or the merchant will be liable for most of your monetary loss, so you will not end up in the poorhouse just because someone steals your credit card number.

Which? reports on the rules, but they might be different outside the UK or EU:

Fraudulent transactions on contactless cards are protected by the same rules that apply to other card payments. This means that if you're a victim of fraud, your bank will refund you the money, provided it’s not a result of your own negligence. However, you will have to pay the first £50 of the total amount of fraudulent transactions made on your card.

That the bank takes most of the financial hit does not mean this is without impact on you:

  • You might lose £50.
  • You will have to go through the hassle of reclaiming money from your bank if your card is abused. Maybe just an annoyance, but still.
  • If the attackers only steal small amounts, you might not even notice and hence not be able to report it.
  • It is hard to be completely anonymous if you carry around a radio tag broadcasting your name. It is easy to think of situations where you would not want to wear a name tag...
  • Some cards broadcast recent transaction history. This has obvious privacy implications.
  • Credit card numbers could be used in phishing attacks. A cold caller who knows your card number is more likely to fool you.
  • A card number could be used to impersonate you. It is not uncommon for customer support to use some digits from your card as a security question to verify your identity. You can get a lot of private information, like order history, from customer support. In some places you can even get them to do a password reset.
  • Buying things in your name with your credit card can make you look pretty bad. Your significant other might not be so happy to find big payments for porn sites in your credit card history... This could be used to mess with people.

In the end, you will have to decide if it is worth the risk or not. I would not worry about the money, but if I lived in a dictatorship I would not bring my credit card when attending a protest.

What can you do to protect yourself?

I see three solutions:

  • Try to convince your bank to give you a card without this capability.
  • If they don't want to do that, you can try to physically destroy the antenna. A bit risky, since you could accidentally destroy the card.
  • Carry the card in a Faraday cage wallet. Either buy one or, if you feel handy, make one yourself. (Either way, make sure to test it so you know that it actually works.)
Anders
  • “It may be possible for a small percentage of cards to be read 15 to 20cm from the reader,” <-- for readers following the specification; one can always use custom radios without such limitations. – ewanm89 Jun 09 '16 at 16:01
  • "While most online shops will not let you pay without the CVV": physical access to a card terminal will allow one to create a transaction without the CVV. So if the attacker works in a place which gives him access to a terminal, he could put some of the cash transactions on the stolen card. – user902383 Jul 10 '17 at 07:04
  • Fourth option for protecting yourself: Load the card into a smartphone "digital wallet" (Google Pay / Samsung Pay / Apple Pay / etc) where the contactless technology has to be enabled via fingerprint or PIN before each use. Then leave the physical card at home, in a metal box. This is the approach I will take if option #1 (request a card without contactless) fails. – Ben Voigt Nov 25 '18 at 16:25
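The Which? result quoted in the answer is unsurprising once you see what a READ RECORD response from an EMV card looks like: the card returns plain BER-TLV records, and the tags carrying the PAN (5A), expiry (5F24), cardholder name (5F20) and Track 2 equivalent data (57) are not encrypted. The Python below is an added example for this Q&A, not code from Which?, Visa or the answer above. It parses a constructed READ RECORD response (built for this example, not captured from a real card; the PAN is the well-known 4111... test number), checks the PAN with Luhn, and lists exactly which tags the record did and did not contain. Tag numbers and the Track 2 layout follow EMV Book 3; everything else (field names, the sample bytes) is this example's own.

```python
"""Decode what a contactless EMV reader gets back from a READ RECORD.

Added illustration for this Q&A, not code from Which?, Visa or the answer.
Tags follow EMV Book 3: 70 = record template, 5A = PAN, 5F24 = expiry
(YYMMDD), 5F20 = cardholder name, 57 = Track 2 equivalent data.
"""
from __future__ import annotations

# Constructed READ RECORD response (not read from a real card): one record
# template (70) followed by the status word 90 00.
SAMPLE_RESPONSE = bytes.fromhex(
    "70 36"
    "5A 08 41 11 11 11 11 11 11 11"            # Application PAN (test number)
    "5F 24 03 19 12 31"                        # Expiry date, YYMMDD
    "5F 20 0F " + "TEST CARDHOLDER".encode("ascii").hex() + " "
    "57 12 41 11 11 11 11 11 11 11 D1 91 22 01 00 00 00 00 00 0F"  # Track 2 eq.
    "90 00"                                    # SW1 SW2: success
)


def parse_tlv(data: bytes) -> dict[str, bytes]:
    """Parse BER-TLV into {tag_hex: value}, descending into constructed tags."""
    fields: dict[str, bytes] = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):            # inter-TLV padding EMV permits
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:               # multi-byte tag: more bytes while bit 8 set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                      # long-form length (0x81 nn, 0x82 nn nn, ...)
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        i += length
        if first & 0x20:                       # constructed: recurse into the template
            fields.update(parse_tlv(value))
        else:
            fields[tag] = value
    return fields


def decode_track2(raw: bytes) -> dict[str, str]:
    """Unpack Track 2 equivalent: PAN 'D' YYMM service-code discretionary [F pad]."""
    digits = raw.hex().upper().rstrip("F")
    pan, rest = digits.split("D", 1)
    # Discretionary data is issuer-defined; it is not the CVV2 printed on the card.
    return {"pan": pan, "expiry_yymm": rest[:4],
            "service_code": rest[4:7], "discretionary": rest[7:]}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit; a failing PAN usually means the parse went wrong."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits only, for anything you log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def decode_record(response: bytes) -> dict[str, object]:
    """Turn a READ RECORD response into the fields a passive reader walks away with."""
    if response[-2:] != b"\x90\x00":
        raise ValueError(f"card returned SW {response[-2:].hex()}")
    fields = parse_tlv(response[:-2])
    pan = fields["5A"].hex().upper().rstrip("F")   # odd-length PANs are F-padded
    if not luhn_ok(pan):
        raise ValueError("PAN failed Luhn check; parse is probably wrong")
    return {
        "pan": pan,
        "expiry_yymmdd": fields["5F24"].hex(),
        "cardholder_name": fields["5F20"].decode("ascii").strip() if "5F20" in fields else None,
        "track2": decode_track2(fields["57"]) if "57" in fields else None,
        "tags_present": sorted(fields),
    }


if __name__ == "__main__":
    rec = decode_record(SAMPLE_RESPONSE)
    print("tags present:", rec["tags_present"])
    print("PAN (masked):", mask_pan(rec["pan"]), "expiry:", rec["expiry_yymmdd"])
    print("name:", rec["cardholder_name"], "track2:", rec["track2"])
```

Two things the output makes concrete. Tag 5F20 is optional, which is why Visa says the name is readable only "in some instances"; drop it from the sample and the decoder still works. And nothing in the record carries the three-digit CVV2 from the back of the card, matching the Which? finding: the Track 2 discretionary data is issuer-defined chip data, not the code online shops ask for.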