8

In the UK there has been a large increase recently in the use of contactless card payments (you pay by waving your card over a reader). Prior to this the primary way to pay with a card was to use "chip and PIN" where you insert your card into a machine and enter your PIN.

The banks and card issuers claim the contactless method is more secure than chip and PIN but I am struggling to see how this can be true.

Visa appear to just gloss over the security measures in place:

How secure is a Visa contactless payment?

Very secure indeed, and certainly much more secure than carrying cash. Visa contactless cards use the same secure technology as Chip and PIN so you can feel totally confident when you’re using it to pay. Source

There is no second factor authentication (PIN entry) when paying. If I have someone else's card I can pay, up to a transaction limit of £20, ten times a day.

I have also had the ultra paranoid thought that someone could modify the Kimble tag sensors around the door and read your card automatically as you leave the store. That is probably pure science fiction though.

My question is: How can contactless payment be more secure than Chip and PIN?

Burgi
  • Possible duplicate of [Are wireless card skimmers just fearmongering?](http://security.stackexchange.com/questions/142081/are-wireless-card-skimmers-just-fearmongering) – André Borie Nov 08 '16 at 17:13
  • I disagree on the duplicate as that focuses specifically on preventing cards from being read wirelessly. I am asking about what security measures make contactless "better" than chip and PIN. – Burgi Nov 08 '16 at 17:18
  • Contactless payments are definitely not more secure than chip and PIN. That's why they have the lower limit, £20 when launched, but I think £30 now. The usability is great of course. I don't know if anyone has released fraud figures, I would be very interested to see them. Probably low for now, but I wouldn't be surprised if that increases as fraudsters get to know the technology. – paj28 Nov 08 '16 at 17:25
  • Do note that they're not claiming that it's more secure than chip+PIN; they're claiming that it's pretty much as secure, but more secure than carrying cash. In any case, the main safeguards for customers are not technical but legal/contractual - the liability for fraudulent contactless transactions is on banks and/or merchants, and they often choose to accept this risk. – Peteris Nov 08 '16 at 17:40
  • @Peteris that is a good point, I may have misunderstood the marketing material my bank sent along with the new card. I'm trying to find the exact reference I saw where that claim was made. – Burgi Nov 08 '16 at 17:54
  • In the end it doesn't matter if it's more secure or less secure: if the credit card companies believe it's what we as customers want, they will move to it despite the warnings saying it's not secure. Provided they accept the risks for doing so, and as long as we understand the risks so we can do our best to prevent fraud ourselves, it will work out. Your routing and account numbers are all you need for check fraud, but actual fraud is pretty low if you protect the information in question. Up to us to protect our information. – Ramhound Nov 08 '16 at 23:51

3 Answers

7

No, contactless transactions are not more secure than contact transactions. The whole contactless business has a lot more to do with making payments easier on the point of sale (and possibly enable future developments of the smartcard business) than in increasing security.

Ridiculous early US implementations aside, we have a couple things going on here:

  1. transactions less than a certain amount are authorized in nocvm mode, meaning, no card verification method - it's what you have observed
  2. transactions over a certain amount (depending on the country etc.) will be asked for an online PIN verification (meaning the PIN is encrypted in the PIN pad and sent over the network to the issuer for authentication), whereas contact-EMV cards will typically do an offline PIN verification where the POS asks the card's EMV chip if the PIN is OK.
    • this is more of a usability tradeoff than a security one - offline PIN allows offline authorizations on the POS where transactions need to be super fast. Both online and offline PIN have their unique (and difficult to execute) attack vectors.
  3. with contactless the card doesn't get a chance to verify the issuing host's authenticity (ARPC verification is not done). It's one security measure of the EMV scheme that I never fully understood, and with contactless it's gone, so I guess I was not the only one :) but still, it's 1 security measure less

Some extra EMV tags aside, as far as I know this is the only impact of EMV+CLESS vs old-school EMV. Magstripe+CLESS, or allowing EMV fallback with CLESS results in that youtube video from the beginning of the post and is completely ridiculous.

EDIT 1: holy cow https://play.google.com/store/apps/details?id=nfc.credit.card.reader.pro2 it seems the ridiculousness is still on. Not only does it reveal the card data, but the transaction history too. I mean it's on Google Play, it and a bunch of others. Don't test it with production cards.

I don't understand, Visa/MC went through so many issues on the US market with the early NFC, they went through a mountain of trouble due to early magstripe cards. Finally, EMV is here and it's secure, and then they upgrade it with NFC capability by basically reverting the security almost all the way back to magstripe levels.

bbozo
  • The main benefit of ARPC is to limit risks for cards where you (as issuer) configure them to authorise offline transactions - without ARPC a malicious user could use such a card for unlimited offline payments, i.e., do some offline transactions up to the configured limit, then do a fake "online" transaction so that the card resets its counters and will allow some more offline payments, and repeat forever. ARPC verification means that the card will only do as much offline payments as the issuer allows, and after that will force a real online connection to verify that e.g. the account has funds. – Peteris Jan 13 '17 at 11:21
  • So it's not really gone with contactless, it actually gains much more meaning with contactless - having the ability to periodically force connection and a secure response (secured by ARPC) is the thing that makes it practical (less risky) for issuers to allow some contactless transactions where so many things cannot be verified. – Peteris Jan 13 '17 at 11:24
  • @Peteris, indeed, that makes sense. Issue is, you *swipe* the card, you don't leave it hanging waiting for the response and then depending on the response cryptogram approve the transaction, or abort the transaction if POS lost connection with the card etc. From my experience ARPC isn't even part of the response messages in the CLESS case. – bbozo Jan 13 '17 at 11:28
  • There are all kinds of cases where the card won't get the response, but it can (and often will) be configured so that eventually it will simply reject the contactless transactions unless it is "allowed" to go through with a full chip-contact online transaction; and after receiving this contact, reset counters and allow some more offline contactless use. In normal operation (at least outside USA - USA still does have the swipe enabled in many places?) it will get some contact frequently enough so that most users won't ever encounter this situation, but this does limit options for abuse. – Peteris Jan 13 '17 at 11:37
  • @Peteris holy cow, check out that app I just updated with. – bbozo Jan 13 '17 at 11:42
  • FYI, the Android app has been taken down (anyone who has installed it previously is still able to access and install it in the future, but other users will be shown 404) – Andrew T. May 12 '20 at 01:57
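Peteris's comments above describe why a card should verify the issuer's ARPC before resetting its offline-transaction counters. The following is an added illustration, not code from the answer or from any EMV specification: a toy card that approves a few transactions offline, then demands an online authorisation, and a rogue terminal that never reaches the issuer and fakes every "approved" reply. HMAC-SHA256 stands in for the real ARQC/ARPC MACs, and the key, counters and amounts are constructed for the demo.

```python
import hmac
import hashlib
import os

class Card:
    """Toy chip: authorises a few transactions offline, then insists on going online."""

    def __init__(self, issuer_key: bytes, offline_limit: int):
        self.key = issuer_key          # secret shared with the issuer (constructed for the demo)
        self.offline_limit = offline_limit
        self.offline_count = 0
        self.atc = 0                   # application transaction counter

    def request_cryptogram(self, amount_minor: int):
        """Return ("offline", None) or ("online", arqc) for the terminal to forward."""
        self.atc += 1
        if self.offline_count < self.offline_limit:
            self.offline_count += 1
            return "offline", None
        data = self.atc.to_bytes(2, "big") + amount_minor.to_bytes(6, "big")
        return "online", hmac.new(self.key, data, hashlib.sha256).digest()[:8]

    def process_issuer_response(self, arqc: bytes, resp_code: bytes, arpc: bytes, verify_arpc: bool) -> bool:
        """Reset offline counters only if the response really came from the issuer."""
        if verify_arpc and not hmac.compare_digest(issuer_arpc(self.key, arqc, resp_code), arpc):
            return False               # forged response: counters stay exhausted
        self.offline_count = 0
        return True

def issuer_arpc(issuer_key: bytes, arqc: bytes, resp_code: bytes) -> bytes:
    """Issuer side: MAC over the card's ARQC and the approval code."""
    return hmac.new(issuer_key, arqc + resp_code, hashlib.sha256).digest()[:8]

def run_rogue_terminal(verify_arpc: bool, attempts: int = 10) -> int:
    """A terminal that never reaches the issuer and fakes every 'approved' response.
    Returns how many transactions the card approved offline."""
    key = b"\x01" * 16                 # constructed key, not a real issuer key
    card = Card(key, offline_limit=3)
    approved = 0
    for _ in range(attempts):
        kind, arqc = card.request_cryptogram(2000)   # £20.00 in pence
        if kind == "offline":
            approved += 1
        else:
            card.process_issuer_response(arqc, b"00", os.urandom(8), verify_arpc)
    return approved
```

With ARPC verification the card never approves more than its offline allowance (3 of 10 attempts here); without it, the forged responses reset the counter every fourth attempt and 8 of 10 go through offline.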
2

Visa never pretends that contactless is more secure that chip and PIN. They only say:

  • it is more secure than cash. Well, if someone gets your cash, they will use it freely, while the contactless card is limited per transaction and per day. In addition you can have the bank block it if you declare that it has been stolen, and in some cases you can prove that you could not be at the place where the expense was made. In that sense it is more secure than cash

  • it uses the same technology as chip and PIN. Not false. Simply, the procedure never requires entering the PIN, so it is no longer something you have (the card) and something you know (the code) but only something you have.

So they do not even say that it is as secure as chip and PIN; simply, a quick reading can make one think that is what they mean.

Now for what I think about it.

Is it as secure as chip and PIN? No. Because having the card is enough to be able to use it, while chip and PIN requires in addition the knowledge of the PIN code. And the bank does know it, and that is the reason why they limit the amount that can be used contactless both per transaction and per day.

So what is the sense of contactless payment? Simplicity. Banks earn money on each and every card transaction. In addition, the typology of your card usage is now valuable data that can be used to provide targeted advertising. And banks know how they can use or sell it. So they really want you to use your card even for cheap operations where you would not type a PIN.

What makes the operation possible is that it is not really interesting for an attacker. The gain/risk ratio is not really high, simply because the gain is limited per transaction and per day. So as of 2018, I am not aware of major attacks on contactless cards - beyond using a lost card for small expenses. So most banks will agree to refund you for one day of expenses, if you lose your card, because it costs less (to the bank) than the global expected gain.

Serge Ballesta
0

It depends on the kind of contactless payment. Apple Pay is more secure than chip and PIN payments, because it requires fingerprint authentication and because it generates a one-off card number for each transaction that can't be re-used for another transaction even if it is disclosed.

Mike Scott