NFC contactless payment security

Question

This is really bugging me.

Up until recently debit cards with an electronic chip were the most popular electronic form of payment available in Poland (I'd wager that in other European countries as well). It does seem pretty safe too - in order to make any kind of purchase (either from an ATM or in a store), the user needs to provide a PIN code. While said PIN isn't particularly long it's there to provide an extra level of security: the first being the card itself.

In recent times PayPass (or similar) cards have been gaining popularity and it seems banks are pushing these cards onto the public. These cards can act just like the regular debit cards described above, but you can also use them to make payments using NFC.

Here's the big deal: when making a payment through NFC the user doesn't need to input the PIN.

It seems to me that with a wireless technology like this, a PIN should be a definite requirement as it feels the technology isn't particularly secure. One example of this is the proxy attack, where one person with a cell-phone gets some items in a store and goes to pay for them, while another person with a cell-phone looks for a PayPass card to read (on a crowded train / bus / station / etc.). Depending on the technology used, those cards can be read from quite a distance away as well.

Which brings me back to the matter of PINs... Why aren't PINs always a requirement when paying using NFC?

EDIT:
I do realize that the amount you can pay for using NFC is limited*. However, as far as convenience goes (no need to put the card in / swipe wallet) it seems like we're trading security AND some convenience for... slightly more convenience.

What I mean: as it is, you can pay for small things by just swiping the card. Great. But inputting a 4 digit pin after swiping shouldn't be much of a deal, right? And then you wouldn't need to limit the amount you can pay for. You could still keep the card in your wallet, and the whole thing would be just as fast. In fact, ideally, you could have a "PIN-less" limit as it is now but allow NFC transactions over that amount... just require the PIN! Or are there other technical / security concerns with PINs and NFC in general?

_{* While it seems that this limit could easily be changed, I haven't heard of a bank (in Poland at least) actually allowing the customer to make such a change. I know I tried calling my bank directly and was informed this is impossible...}

Answer 1

It is about risks weighted against benefits.

Requiring PIN for NFC transactions would reduce main NFC advantage - speed. NFC payments without PIN are used only for payments of limited amount and usually for limited number of transaction and/or limited total amount of transactions per day. Maybe also other bank specific rules apply; at least I was informed by my bank that I may be asked for PIN without reaching any limit. This way card issuing bank or card company limit its risk (in EU you are not liable in the case of fraud for more then 150 EUR as long as you haven’t acted with gross negligence) and keep you using the card often and making profit for them.

Answer 2

Some issues with contactless payments and digital wallets:

1. Loss or theft -- an attacker gaining access to a device could allow access to the confidential information and allow continuous fraudulent transactions until accounts were disabled and/or fraud was caught. Pulling a SIM card could prevent even the most-stalwart lock and/or lockdown protections, and the SIM card could even be scanned in order to clone
2. Spoofing -- NFC tags can be reprogrammed, replaced, or subverted (e.g., covered) by a new, malicious tag. Windows Phone devices are extremely susceptible to tag attacks, e.g., web-based protocol handlers, but others may be as well
3. Skimming -- An attacker can read information from NFC without the user's knowledge or consent, often from a distance
4. Eavesdropping -- Using an antenna, an attacker can listen to an exchange between NFC devices. Certainly 100cm distance is not out of the question
5. Data corruption -- Standard meaconing, interference, jamming, and interception (MIJI) techniques are possible because NFC is based on radio frequency
6. Data modification/insertion -- although more complicated than data corruption, these attacks are very possible and real
7. Relay, or proxy, attacks -- NFCProxy and others have shown that two Android devices can do quite a lot to live relay and/or store for replay at a later time

Check out these prezos for just a ton of information:

• http://www.slideshare.net/0xroot/demystifying-apple-pie-touchid
• https://www.syscan.org/index.php/download/get/b76f003a5aaa39a780c660e557f2ac6a/SyScan15%20Peter%20Fillmore%20-%20Crash%20and%20Pay:%20Owning%20and%20Cloning%20NFC%20Payment%20cards.pdf
• https://www.lateralsecurity.com/downloads/Lateral_Security-NFC-Redux-Kiwicon6.pdf
• http://www.slideshare.net/peterswedin/nfc-attacks
• http://eandt.theiet.org/news/2013/oct/hacking-contactless-card.cfm

Or tools: http://wiki.yobi.be/wiki/Android_Apps#NFC-related

Answer 3

What you seem to be missing is that you are not making the risk-security tradeoff here. The NFC-without-PIN decision is up to the bank, because the bank is liable for any fraud up to the legal limit (150 EUR). If your payment is skimmed by one of the thieves as you fear, it will be your bank that has to pay the expense of the transaction, not you.

This, of course, assumes that someone detects the fraud. Major US banks have some pretty sophisticated fraud detection systems in place; if they see a card used in two different geographies at the same time, they can place a fraud block on a card. And it is your responsibility to read your bill each month and look at the charges, but that hasn't changed -- reading your bill has always been your responsibility. But if they don't spot it, and you don't spot it, yes, you will eat it.

They are trying to make the cards more convenient at their own expense. Why? The intent is that the convenience will be an incentive for consumers to use their NFC for small amounts, because they make money on each transaction, no matter how small. For this extra income, they are willing to risk some money on minor fraud.

Accepting this risk doesn't mean they are accepting a lot of risk. If you tell your bank that you did not make a specific small payment without a PIN, they will reverse it, but they will then flag your account and watch your complaints more carefully. If you demonstrate a pattern of reporting fraud but there is never any evidence, they will start investigating you.

They are certainly free to change this approach if NFC-relay-skimming becomes a serious financial threat. They are going to monitor this closely. If skimming apps become popular amongst the thieving crowd, or the banks start losing millions of Euros every week, they will certainly change their strategies. But until that dark day arrives, they expect to profit from this.

Answer 4

I might be wrong but I think NFC is used only for small payments , here in England the amount cant exceed 15 Pounds

http://www.3g.co.uk/PR/April2012/barclaycard-playtag-adds-nfc-support-to-all-smartphones.html

Answer 5

As others have already noted, PIN-less transactions are limited to a certain amount (and optionally a certain number of transactions after which a contact/PIN transaction is necessary).

Regardless of the NFC/contact distinction, not requiring the consumers PIN for every transaction can also be beneficial to security: PINs that aren't entered can't be recorded by manipulated payment terminals; the opportunity for skimmers to record the PIN as well as the magnetic stripe data is thus reduced.