19

This is really bugging me.

Up until recently debit cards with an electronic chip were the most popular electronic form of payment available in Poland (I'd wager that in other European countries as well). It does seem pretty safe too - in order to make any kind of purchase (either from an ATM or in a store), the user needs to provide a PIN code. While said PIN isn't particularly long it's there to provide an extra level of security: the first being the card itself.

In recent times PayPass (or similar) cards have been gaining popularity and it seems banks are pushing these cards onto the public. These cards can act just like the regular debit cards described above, but you can also use them to make payments using NFC.

Here's the big deal: when making a payment through NFC the user doesn't need to input the PIN.

It seems to me that with a wireless technology like this, a PIN should be a definite requirement as it feels the technology isn't particularly secure. One example of this is the proxy attack, where one person with a cell-phone gets some items in a store and goes to pay for them, while another person with a cell-phone looks for a PayPass card to read (on a crowded train / bus / station / etc.). Depending on the technology used, those cards can be read from quite a distance away as well.

Which brings me back to the matter of PINs... Why aren't PINs always a requirement when paying using NFC?

EDIT:
I do realize that the amount you can pay for using NFC is limited*. However, as far as convenience goes (no need to put the card in / swipe wallet) it seems like we're trading security AND some convenience for... slightly more convenience.

What I mean: as it is, you can pay for small things by just swiping the card. Great. But inputting a 4 digit pin after swiping shouldn't be much of a deal, right? And then you wouldn't need to limit the amount you can pay for. You could still keep the card in your wallet, and the whole thing would be just as fast. In fact, ideally, you could have a "PIN-less" limit as it is now but allow NFC transactions over that amount... just require the PIN! Or are there other technical / security concerns with PINs and NFC in general?

* While it seems that this limit could easily be changed, I haven't heard of a bank (in Poland at least) actually allowing the customer to make such a change. I know I tried calling my bank directly and was informed this is impossible...

Shaamaan
  • The main point of NFC payments is to make it easier to pay (you don't need to swipe your card, or even take it out of your wallet). Requiring a PIN makes things _less_ convenient. Right or wrong, some security is being traded for convenience. – lzam Sep 02 '14 at 12:32
  • 1
    "It seems banks are pushing these cards onto the public". I do not know how they are pushing it in Poland, but here in France I find banks' official answers to security concerns quite horrible: the system is secured for the user since in case of fraud the bank's assurance will refund him, and anyway the user is reminded to keep his payment means in secure places. As per my understanding this is just an official acknowledgment that the system is not trustable yet and will go through the same kind of trouble as online payment at its beginning. – WhiteWinterWolf Apr 19 '15 at 09:00
  • More links to read -- http://www.inforisktoday.com/blogs/how-apple-pay-exploited-for-fraud-p-1852/op-1 -- https://hackfu.mwrinfosecurity.com/hackfu-blog/params/post/465447/how-to-hack-a-contactless-payment-system.html – atdre May 12 '15 at 15:35

5 Answers

8

It is about risks weighted against benefits.

Requiring a PIN for NFC transactions would reduce the main NFC advantage - speed. NFC payments without a PIN are used only for payments of a limited amount and usually for a limited number of transactions and/or a limited total amount of transactions per day. Maybe other bank-specific rules also apply; at least I was informed by my bank that I may be asked for a PIN without reaching any limit. This way the card-issuing bank or card company limits its risk (in the EU you are not liable in the case of fraud for more than 150 EUR as long as you haven't acted with gross negligence) and keeps you using the card often and making profit for them.

Ktator
  • I'd argue that it should be up to the user at which amount they are prompted to enter a pin. I'd set mine to zero to be prompted for every payment. NFC + pin would still be vastly faster than the current card payments in Europe. They are slow not because of the pin! They are slow because you wait and wait until you are even prompted for a pin, and then you wait some more afterwards. – RomanSt Jun 14 '15 at 11:28
  • @romkyns, the risks are assumed by the banks, so it's up to the bank to set the limit of risk they're willing to accept. If your NFC card is used fraudulently as Shaamaan states, then the bank has to pay the amount of the fraud, not the cardholder. Their risk, their money, so their rules. – John Deters Feb 25 '16 at 16:20
  • 1
    @JohnDeters their money? It's taken from my account until I can successfully prove that it was fraud. The burden of proof is going to be on me. – RomanSt Feb 25 '16 at 17:01
  • 1
    The burden of proof is on them, if they didn't ask for your PIN. – John Deters Feb 25 '16 at 19:14
6

Some issues with contactless payments and digital wallets:

  1. Loss or theft -- an attacker gaining access to a device could allow access to the confidential information and allow continuous fraudulent transactions until accounts were disabled and/or fraud was caught. Pulling a SIM card could prevent even the most-stalwart lock and/or lockdown protections, and the SIM card could even be scanned in order to clone
  2. Spoofing -- NFC tags can be reprogrammed, replaced, or subverted (e.g., covered) by a new, malicious tag. Windows Phone devices are extremely susceptible to tag attacks, e.g., web-based protocol handlers, but others may be as well
  3. Skimming -- An attacker can read information from NFC without the user's knowledge or consent, often from a distance
  4. Eavesdropping -- Using an antenna, an attacker can listen to an exchange between NFC devices. Certainly 100cm distance is not out of the question
  5. Data corruption -- Standard meaconing, interference, jamming, and interception (MIJI) techniques are possible because NFC is based on radio frequency
  6. Data modification/insertion -- although more complicated than data corruption, these attacks are very possible and real
  7. Relay, or proxy, attacks -- NFCProxy and others have shown that two Android devices can do quite a lot to live relay and/or store for replay at a later time

Check out these prezos for just a ton of information:

Or tools: http://wiki.yobi.be/wiki/Android_Apps#NFC-related

atdre
  • https://github.com/nfcgate -- and -- https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Haoqi-Shan-and-Jian-Yuan-Man-in-the-NFC.pdf – atdre Jul 28 '17 at 22:26
  • https://salmg.net/2017/10/08/nfc-transaction-details-samsung-pay-android-pay/ – atdre Oct 10 '17 at 16:06
2

What you seem to be missing is that you are not making the risk-security tradeoff here. The NFC-without-PIN decision is up to the bank, because the bank is liable for any fraud up to the legal limit (150 EUR). If your payment is skimmed by one of the thieves as you fear, it will be your bank that has to pay the expense of the transaction, not you.

This, of course, assumes that someone detects the fraud. Major US banks have some pretty sophisticated fraud detection systems in place; if they see a card used in two different geographies at the same time, they can place a fraud block on a card. And it is your responsibility to read your bill each month and look at the charges, but that hasn't changed -- reading your bill has always been your responsibility. But if they don't spot it, and you don't spot it, yes, you will eat it.

They are trying to make the cards more convenient at their own expense. Why? The intent is that the convenience will be an incentive for consumers to use their NFC for small amounts, because they make money on each transaction, no matter how small. For this extra income, they are willing to risk some money on minor fraud.

Accepting this risk doesn't mean they are accepting a lot of risk. If you tell your bank that you did not make a specific small payment without a PIN, they will reverse it, but they will then flag your account and watch your complaints more carefully. If you demonstrate a pattern of reporting fraud but there is never any evidence, they will start investigating you.

They are certainly free to change this approach if NFC-relay-skimming becomes a serious financial threat. They are going to monitor this closely. If skimming apps become popular amongst the thieving crowd, or the banks start losing millions of Euros every week, they will certainly change their strategies. But until that dark day arrives, they expect to profit from this.

John Deters
1

I might be wrong, but I think NFC is used only for small payments; here in England the amount can't exceed 15 Pounds.

http://www.3g.co.uk/PR/April2012/barclaycard-playtag-adds-nfc-support-to-all-smartphones.html

Ulkoma
  • 1
    Since this answer, the limit has been raised to £30. There is also a limit on the number of payments that can be made per day. – Chenmunka Feb 26 '16 at 09:33
  • @Chenmunka I know, that's bad, the other day my friend lost his card and whoever found it spent around £210 before my friend even noticed the loss of his card – Ulkoma Feb 26 '16 at 09:57
0

As others have already noted, PIN-less transactions are limited to a certain amount (and optionally a certain number of transactions after which a contact/PIN transaction is necessary).

Regardless of the NFC/contact distinction, not requiring the consumer's PIN for every transaction can also be beneficial to security: PINs that aren't entered can't be recorded by manipulated payment terminals; the opportunity for skimmers to record the PIN as well as the magnetic stripe data is thus reduced.

lxgr
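
The limits described in Ktator's and lxgr's answers above (a per-transaction amount, plus a transaction count and cumulative total after which a PIN is forced), sketched as an added example that is not part of the original answers or any bank's actual rules. All names and limit values are constructed, and the counters here reset on a PIN entry rather than per day.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:                 # all values are constructed, in minor units (cents)
    per_tx_limit: int         # largest single payment allowed without a PIN
    max_pinless_count: int    # PIN-less payments allowed since the last PIN entry
    max_pinless_total: int    # cumulative PIN-less amount since the last PIN entry

@dataclass
class CardState:              # counters the issuer (or card) keeps between payments
    pinless_count: int = 0
    pinless_total: int = 0

def pin_reason(policy, state, amount):
    """Return why this contactless payment needs a PIN, or None if tap-only is fine."""
    if amount <= 0:
        raise ValueError("amount must be a positive integer of minor units")
    if amount > policy.per_tx_limit:
        return "amount over per-transaction limit"
    if state.pinless_count >= policy.max_pinless_count:
        return "PIN-less payment count reached"
    if state.pinless_total + amount > policy.max_pinless_total:
        return "cumulative PIN-less amount exceeded"
    return None

def authorize(policy, state, amount, pin_verified=False):
    """Decide one payment and update the counters."""
    reason = pin_reason(policy, state, amount)
    if pin_verified:          # cardholder proved presence: reset both counters
        state.pinless_count = state.pinless_total = 0
        return "approved"
    if reason:
        return "pin_required: " + reason
    state.pinless_count += 1
    state.pinless_total += amount
    return "approved"

def worst_case_loss(policy):
    """Upper bound on what a found or relayed card can spend before a PIN is forced."""
    return min(policy.per_tx_limit * policy.max_pinless_count, policy.max_pinless_total)

def lost_card_loss(policy, attempts):
    """Total approved when someone without the PIN tries the given amounts in order."""
    state = CardState()
    return sum(a for a in attempts if authorize(policy, state, a) == "approved")
```

The bound returned by `worst_case_loss` is the issuer's maximum exposure per card under this policy, which is the quantity the risk-versus-convenience argument in the answers turns on.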