Contactless payment cards raise security concern - but is there a much older problem?


On Friday, British TV saw a report from Channel 4 News which claimed that Barclays banking customers who used contactless cards could have their data stolen without their knowledge.

The report claimed that millions of Barclays customers were exposed to fraud.

When I watched Benjamin Cohen's report on Channel 4 News, I thought it was entertaining and I am always supportive of anything that helps keep information security at the forefront of people's minds.

However, in the commentary that arose afterwards, I wondered if others might be getting concerned about Near Field Communication (NFC) Technology and contactless payments, when they should be more concerned about a much older problem.

The data that the news report showed being recovered using NFC was no more than any shopkeeper, or the person standing behind you in the queue, has after seeing your card. If NFC is used for a transaction by "bonking" the card only (no other information required) then Barclays requires that the financial sum involved is relatively small.


Being able to pick up this data in the way shown is not a new "exploit", as such. The news item has highlighted that the new generation of mobile phones, with in-built NFC, are now more widely available and therefore make it a lot easier to acquire these basic credit card details. A lot easier with the new mobile devices – yes. But is that really the problem?

The real issue for me is that online retailers, especially ones that trade as extensively as Amazon, are able to undertake "cardholder not present" transactions without the corroborative information required by the relevant standards. As Channel 4's piece showed, the transaction required neither the CVV number (security number on the back of the card) nor even the cardholder's billing address.

To do this, Amazon must have been given a dispensation by whoever does their processing (their acquiring bank), and that bank is not Barclaycard.

I can only assume that Amazon has such an enormous online presence that their acquiring bank is willing to waive some of what is normally required by the standards.

There is little for consumers in the UK to worry about, as we are protected when making credit card transactions, and unless the CVV is provided as part of the transaction, the liability for any fraud falls somewhere between the retailer, card issuer and acquirer.

If we were to assume that in this case Amazon had agreed to assume all of the liability, then it must be worth their while to take the ensuing risks for the ease it offers their customers. It would be a business risk trade-off: increased sales versus potential fraud.

So, I think it leaves us with a couple of questions about contactless payment to consider:

  1. How worried are you that someone knows your credit card face details? It feels like an invasion of privacy, so it will concern some people.

    However, put the question another way, i.e. how worried should you be? I suspect the answer is many people would not be that worried, as these details are widely known.

    Having said that, I suspect the increasing ease with which this can be done will prompt the card issuers to collaborate. They could provide mechanisms that protect the data further, if only because customer trust is such a vital issue for both retailers and card issuers.

  2. Are you happy completing transactions with a retailer that sacrifices transaction security for ease of use?

    Where the customer is not taking the risk, I suspect most will prefer ease of use over security. That is, until any fraud becomes so widespread that users are finding themselves spending as much time telling the card issuer about fraudulent transactions, as they do ordering their items.

Image of stolen data, courtesy of Channel 4 News.


13 Responses to Contactless payment cards raise security concern - but is there a much older problem?

  1. Sean · 887 days ago

    Excellent post. But point of clarification.

    “nor even the cardholders billing address.”

    This isn't true in my experience. Whenever I “Add a Credit Card” to my Amazon account, “Step 2: Select Billing Address” has always been part of the process.

    Are you sure that Amazon didn't require Channel 4 News to enter a billing address?

  2. Gerald D · 887 days ago

    Because Amazon doesn't require the CVV (three digit code on the back of the card) they become liable for the fraud amount, not your card issuer.
    I am sure they will start asking for the CVV when their losses get out of hand, even if it means closing their "one click" service down.

  3. geoffscontacts · 887 days ago

    Good piece Prof Woodward (I researched and produced the piece for C4N).

    You're right - a big question mark hangs over Amazon (Sean - in our experiment when we entered the credit card details we only entered a delivery address - and that didn't match that of the cardholder).

    Amazon have failed even to acknowledge our request for comment.

    I'm currently trying to find out who runs their European banking facility - if anyone can help on that?

    • Sean · 882 days ago

      Thank you for the clarification, Geoff.

      I was comparing my .com to co.uk account settings, perhaps I am being asked for billing address due to my US based account. Would be interesting to see what a digital purchase with no address requires in the UK.

  4. Stu Thomas · 887 days ago

    Having designed the cryptography for the replacement of the Oyster Card -ticketless travel- using contactless debit/credit cards, I can see where the worries are coming from. Separate research (e.g. Chaos Computer Club research) shows privacy issues too (as with the NFC components of passports), that is to say - tracking of individuals via unique numbers such as the PAN, and correlating that with CCTV.

    For contactless payments, the back-end fraud systems are meant to pick up and protect cardholders from fraud from the small value transactions, and there is significant reliance upon those systems, rather than the front end cards, to protect cardholders and acquirers. It's a trade-off between delivering a useful, cost effective service, and not having that service at all. It's easy pickings to say interception of clear-text information is a security risk; every use of technology introduces a risk, and it has to be balanced properly, given the commercio-economic-business-societal benefits.

    • Kirsten · 885 days ago

      Hi Stu, Great information and exactly the problem. Who is deciding the trade off is worth it? Not the end consumers! Most end consumers don't even realize what is going on. The banks and processing centers that are making the profits are deciding. While the trade off may seem cost effective to those profiting, I would ask that all look at the huge impact this is having globally on our economic structure. It's unacceptable and trying to make it acceptable is totally wrong. Secure it on the front end and stop promoting speed and convenience! Having a debit card that doesn't even provide basic security is certainly NOT useful in my opinion. Furthermore, I feel quite sure if given the chance and proper information, most consumers would choose security in exchange for a few extra seconds on every transaction.

  5. Robert Wurzburg · 887 days ago

    This article shows why it is critical that you use passwords that conform to the Cisco Complex Password Specification. That means it is at least a field of 15 random characters, using upper/lower case, 4 or more special characters and symbols, and numerics. Unfortunately some websites do not allow special characters and symbols. Some compromise security even further by limiting you to only as few as 8 characters. I've had websites like OfficeMax, OfficeDepot, Sprint PCS, and others lower their security standards these ways from previous password usages. I complained bitterly without any results to improve their password security or restore it to the previously allowed character usages and lengths. Maybe it will take a major data breach and the loss of millions of dollars before these and other companies take password and customer data security very seriously.

    • Michael · 887 days ago

      You've raised a very interesting point. What exactly was the reasoning behind Cisco's 'Complex Password Specification'?

      Firstly, if you tell people not to write their passwords down, they'll set an easily-guessable password. If you told them to set a complex password, they'll write it down. It's a tricky conundrum.
      The second point is that bigger isn't always better when it comes to passwords. Their strength can be measured by the amount of entropy they have. There's not much point having a password with more than 128 bits of entropy, and that's achievable in roughly 10 characters that include symbols and capitals.

  6. MikeP · 887 days ago

    In addition to those concerns, which are very real, there are also concerns about the way contactless transactions can occur unintentionally. TfL use the Oyster card system and there have been instances reported in the press that people have had value removed from their card just by being near the sensors without actually passing through; they may have been meeting someone rather than wanting to make a journey. The 'standard response' is said to be unhelpful. So if that can happen with Oyster then it could happen with other systems based on similar RFID technologies. Very worrying and very insecure it seems.

  7. Richard · 887 days ago

    "... online retailers ... are able to undertake cardholder not present transactions without the corroborative information required by the relevant standards ..."
    "How worried (should you be) that someone knows your credit card face details?"

    Erm, very?

    If Amazon will accept payments with just the card face details, and someone knows the card face details, what's to stop them from buying lots of stuff on Amazon? And when they do, won't you have to prove that you didn't give them your card details before you get a refund?

  8. Kirsten · 885 days ago

    Thank you for the great article! Too much focus is being put on merchants and Amazon. I would love to see someone investigate the processing and authenticating companies. Anyone can try anything (including bogus merchants that are out there) and mistakes can be made at the merchant level. The real question to me is why are these transactions being authorized? How about some old school "DECLINED" results being returned? Bottom line is it doesn't matter how sophisticated the technology gets if the processing centers are not doing their job to authenticate and secure the data. Let's keep in mind the processing center gets a cut for every transaction and when it's found to be fraudulent, the merchant takes the hit. The processing center might actually get a fee for both the initial authorization and then for the charge back when the money is automatically taken from the merchant for the fraudulent transactions. Someone should follow the money and see why the processing centers allow this kind of bad data to be authorized. Seems to me it should be easy to stop most of the fraud on the front end...where is the sophisticated technology here? Then, so what if someone has your basic information? They will run into DECLINED and the appropriate red flags will go off to shut down the attack on the forefront. Anyone remember old school days where merchants accounts were hard to get and you had to phone in to a live person to get authorization?

    • Dan · 884 days ago

      How is the card processor to know if the card face data is being supplied by you or by a fraudster? If I go to a retailer and use my card in a chip and pin terminal, the merchant's copy of the receipt has all the information they need to order items through Amazon. I'm currently writing this in a coffee shop, I paid with my card and the merchant's copy went in the till, so anyone working there has access to the card face data of every customer that day, yet I still use my card. Instances of fraud are low enough that it's still far more convenient to use my card and accept the possibility of chasing up a fraud claim at some point than it is to carry cash around.

  9. asm-wolf · 272 days ago

    My main concern with contactless cards is that with a sufficiently large enough antenna and appropriate collision detection algorithms that I think most cards support now, one could read cards from several meters away, possibly reading the data from all of the contactless cards present in a shop. This is much easier than other methods of collecting card data, and allows one to yield the details from more cards with less effort.


About the author

Professor Alan Woodward is a visiting professor at the University of Surrey's department of computing. He has worked for the UK government and still provides advice on issues including cybersecurity, covert communications and forensic computing. Read his personal blog at www.profwoodward.org and follow him on Twitter at @ProfWoodward.