
Recently (well, a few months or even a year ago), my bank, here in Australia, introduced this PayWave technology to their Visa debit cards. They claim it's secure, but all they talk about is their policies, which require you to notice that there's a problem (from the website):

Visa payWave-enabled cards are backed by Visa's Zero Liability Policy and are as secure as any other Visa chip card. They carry the same multiple layers of security, which ensures that you are not responsible for fraudulent or unauthorised transactions.

It obviously doesn't carry the same layers of security, as you don't have to use your PIN or signature. Well, for purchases under $100, but even that is a lot of money to some people (any amount is a lot to me), so it's a bit weird to say that anything under that is a "low-value" purchase for anyone. If a homeless person found/stole my card, I don't see them buying anything above that.

Someone I was talking to even suggested that a person could walk down the street with one of these PayWave machines in their bag, and bump it against other people's bags in the hopes of finding a compatible card.

It sounds like they're sacrificing security for convenience, and underestimating the ingenuity of thieves. I can't seem to find any information that isn't advertising or otherwise biased, and I don't have any expertise in this area at all to tell the difference between a legitimate concern and paranoia. Is Visa PayWave as secure as it claims?

schroeder
AlbeyAmakiir
  • Aww, I spent time on this question to make sure it was reasonable, and it's downvoted. What did I do wrong? – AlbeyAmakiir Nov 21 '12 at 23:38
  • The issue of being aware of transactions is a tricky one; however, I am based in China and for the princely sum of 60 cents per month my banks (one for Mastercard and one for my debit card) will send you an automatic text showing transaction value and balance. It's brilliant for making sure that you are charged correctly, in addition to if you are having your account accessed without your permission. Wish my NZ bank would offer this. –  Jun 24 '14 at 02:45

4 Answers

Visa and other credit card manufacturers use the EMV standard to authenticate credit/debit card transactions. The Wiki article explains it better than I can, but this is a highly technical topic - it will take time to read and understand.

You should also see the answers to similar questions about NFC/RFID/EMV.

Essentially though, the demonstrated cloning attacks get you a single transaction within the no-PIN limit ($80 to $100 in most cases). There are probably significant difficulties involved in wardriving (war-NFC-ing?) amongst the general population - least of all is getting paid without being caught. AFAIK no one has demonstrated the ability to clone a payment terminal.

And finally - we always trade off security for convenience. Do you have two locks on your front door? Three? Eight? Do you walk around in protective padding? Do you wear a bulletproof vest to school?

The tradeoff here is a reduction in transaction time from ~15 seconds to ~2 seconds. Add it up over millions of people and trillions of transactions and you're looking at significant time savings. Is this worth the extra risk? The card issuers seem to think so - and have publicly promised to reimburse customers for losses that are caused by security problems.

scuzzy-delta

The secret of credit card transaction security is that by law (in many jurisdictions) the card issuer is responsible for fraudulent transactions after a certain limit, not the card holder. Since they already assume the bulk of the liability, most (all?) simply make the jump to say that the card holder is not responsible under any circumstances for fraud.

This means that card security is simply a cost-benefit trade-off for the issuer. It's worth the cost for the issuer of writing off a certain amount of fraud if in exchange they get a reasonable return for the policy. Hence the $100 limit; Visa is confident that within that range, they can detect fraud reliably enough to make it worth their while to remove certain security measures.

Therefore, whether or not it's secure is their problem, not yours. Obviously you have to actually report suspicious transactions. This makes it a bad idea to keep an account open that you don't monitor. But that has always been the case.

This is really the way it should be. If the party liable for security is the one in the best position to implement it, then the level of security you get tends to be appropriate for the value of the thing that's being secured.

tylerl
  • It's a close call between the answers, as there are a lot of good perspectives, but this one gets the tick. – AlbeyAmakiir Nov 25 '12 at 22:42
  • -1 This doesn't actually answer the question, it doesn't talk about the security of the cards. – Peanut Dec 10 '12 at 03:51
  • @Peanut Read a little closer: The question is "*Is PayWave as secure as it claims*", and the real answer has absolutely nothing to do with the security of the cards themselves. Since Visa is voluntarily assuming 100% of fraud liability, the anti-fraud features of the cards are to protect Visa alone, not the user. The user is already absolutely protected. Therefore, cards are as secure as claimed, and would continue to be so even in the complete absence of any security devices at all. – tylerl Dec 10 '12 at 04:37
  • @tylerl The quote from the website is that the cards are "as secure as any other Visa chip card" which as demonstrated in other answers isn't true due to their contactless interface. I don't think it's reasonable to say that the system is just as secure because Visa is willing to reimburse you if you report fraud and that they agree fraud took place, especially since banks are somewhat notorious (at least in the UK) for not being helpful in fraud cases, although due to the fact it's a new technology they may be more willing just to pay so as not to stifle consumer confidence in the technology. – Peanut Dec 10 '12 at 05:12

This is a marketing document, with a few weasel words:

They carry the same multiple layers of security

What they mean is that:

  • Contactless cards have the same level of tamper-resistance around the chip as direct-contact cards.
  • The data-level communication protocols (EMV) are the same for both physical interfaces.

What they're leaving out is:

  • If you can carry out a transaction without typing a PIN, then anyone can walk around with a portable terminal (e.g. a smartphone with NFC and appropriate software and keys, or a bank-issued terminal) and initiate a transaction.

It's the combination of allowing transactions with a single authentication factor (being in proximity with the physical device), and that authentication factor being weak (it's not even what you have, but what is nearby), that introduces a significant weakness.

Indeed, with PayWave, or any scheme that similarly reduces the strength of authentication for the sake of convenience, the burden is on you to contest any charges. Depending on the jurisprudence in your locale, it may be easy or difficult to contest charges (the US is rather favorable to the consumer in this respect; the banks have a lot more clout in European countries).

Before you return your card in anger, consider that just by having a credit card at all, you are already taking a bigger risk. Your credit card can be used online by someone who has never been physically close to it: all that's needed is to find out the 16-digit number, and (for most but not all merchants) the expiration date and the 3- or 4-digit number that are sitting in the databases of every merchant you've made purchases from (they aren't supposed to store these, but many do). Making purchases with a credit card already doesn't require providing any truly confidential data such as a PIN; contactless payments are not new in this respect.

Gilles 'SO- stop being evil'
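The two points the answers above make together, the no-PIN limit that a cloned or tapped card can spend per transaction (scuzzy-delta) and the weakness of proximity as a single authentication factor (Gilles), are compensated for on the issuer's side by authorization rules rather than by the card itself. The following is an added illustration, not code from the thread or from Visa: a constructed issuer-side policy that approves a contactless tap only while it stays under a per-transaction ceiling, a cumulative no-PIN budget, and a velocity limit, and otherwise forces a PIN ("step-up"). Only the $100 per-transaction figure comes from the question; the cumulative cap, the window, the tap count and the sample transaction log are assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed issuer policy for this example. Only the $100 no-PIN ceiling comes
# from the question; the cumulative cap and velocity window are assumed values.
NO_PIN_LIMIT = 100.00             # per transaction, from the question
CUMULATIVE_NO_PIN_LIMIT = 300.00  # assumed: total no-PIN spend allowed since the last PIN
VELOCITY_WINDOW_S = 600           # assumed: look-back window in seconds
VELOCITY_MAX_TAPS = 3             # assumed: no-PIN taps allowed inside the window


@dataclass
class Txn:
    ts: int              # seconds since epoch (constructed)
    amount: float
    merchant: str
    contactless: bool
    pin_verified: bool = False


@dataclass
class CardState:
    no_pin_spend: float = 0.0                           # running no-PIN total since last PIN
    recent_taps: deque = field(default_factory=deque)   # timestamps of approved no-PIN taps


def authorize(state: CardState, txn: Txn) -> tuple[str, str]:
    """Return (decision, reason). Decisions: APPROVE or STEP_UP (ask for a PIN)."""
    # A PIN-verified or contact (chip-and-PIN) transaction re-establishes a second
    # factor, so the no-PIN budget and tap history are reset.
    if txn.pin_verified or not txn.contactless:
        state.no_pin_spend = 0.0
        state.recent_taps.clear()
        return "APPROVE", "pin verified"

    # Rule 1: per-transaction ceiling (the published $100 limit).
    if txn.amount > NO_PIN_LIMIT:
        return "STEP_UP", f"amount {txn.amount:.2f} exceeds no-PIN limit {NO_PIN_LIMIT:.2f}"

    # Rule 2: velocity. Drop taps that fell out of the window, then count the rest.
    while state.recent_taps and state.recent_taps[0] < txn.ts - VELOCITY_WINDOW_S:
        state.recent_taps.popleft()
    if len(state.recent_taps) >= VELOCITY_MAX_TAPS:
        return "STEP_UP", f"{len(state.recent_taps)} no-PIN taps in the last {VELOCITY_WINDOW_S}s"

    # Rule 3: cumulative no-PIN spend since the last PIN.
    projected = state.no_pin_spend + txn.amount
    if projected > CUMULATIVE_NO_PIN_LIMIT:
        return "STEP_UP", f"cumulative no-PIN spend would reach {projected:.2f}"

    state.no_pin_spend = projected
    state.recent_taps.append(txn.ts)
    return "APPROVE", "within no-PIN limits"


def run(txns: list[Txn]) -> list[str]:
    """Authorize a sequence of transactions for one card and return the decisions."""
    state = CardState()
    return [authorize(state, t)[0] for t in txns]


# Constructed transaction log: a normal tap, a burst of just-under-limit taps (the
# "many small purchases" pattern the thread worries about), a PIN transaction, an
# over-limit tap, and a normal tap later in the day.
SAMPLE = [
    Txn(ts=0,    amount=4.50,   merchant="cafe",        contactless=True),
    Txn(ts=60,   amount=99.00,  merchant="kiosk-a",     contactless=True),
    Txn(ts=90,   amount=99.00,  merchant="kiosk-b",     contactless=True),
    Txn(ts=120,  amount=99.00,  merchant="kiosk-c",     contactless=True),   # velocity step-up
    Txn(ts=130,  amount=99.00,  merchant="kiosk-c",     contactless=True, pin_verified=True),
    Txn(ts=200,  amount=150.00, merchant="electronics", contactless=True),   # over the $100 limit
    Txn(ts=5000, amount=20.00,  merchant="grocer",      contactless=True),
]

if __name__ == "__main__":
    state = CardState()
    for t in SAMPLE:
        decision, reason = authorize(state, t)
        print(f"{t.ts:>5} {t.merchant:<12} {t.amount:>7.2f}  {decision:<8} {reason}")
```

Run stand-alone it prints one decision per line; the fourth tap is stepped up by the velocity rule before the cumulative rule is even consulted, and the tap after the PIN is approved again because the PIN reset the budget. The point is the one tylerl makes from the liability side: the $100 figure is not the whole control, it is the visible part of a policy whose other rules live in the issuer's authorization system.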

PayWave is a near field communications technology and it's just about as secure as a frat-boy's morals. For the vast majority of transactions you'll be fine, but it's still a huge risk. I'd avoid it at all costs.

For more information try googling "NFC Hacks" or "RFID Hacks"; there were some good presentations at BlackHat USA this year on NFC, and RFID proxemics have been completely obliterated.

Personal Opinion: stick with cash and coin.

grauwulf
  • Ah, better keywords. Thanks. Just found an article saying that NFC on Android has been hacked, and another saying that they're planning on adding PayWave to Android. Great. <_ – AlbeyAmakiir Nov 21 '12 at 23:35
  • And there are apps available for android for grabbing track data from RFID credit cards. – ewanm89 Nov 22 '12 at 00:32
  • I would like to mention that there are also significant risks in going cash-only – scuzzy-delta Nov 22 '12 at 09:53
  • This is true, scuzzy-delta. There is a certain level of risk associated with any transaction. The question is, what level of risk are you willing to accept? For me that level of risk is exceeded by the possibility that I can be robbed while walking down the street, and not be aware that the robbery happened. If someone hacks my bank, there are (hopefully) systems to catch that person. If someone tries to rob me on the street I can fight back. Even if some cards will reverse a false charge the onus is still on me to have that done. There is no recourse. There are only victims. – grauwulf Nov 28 '12 at 21:04