“Your total is $12.95,” says the cashier at the local supermarket. I take out my wallet to perform the familiar tap on the POS terminal, wait a second, then hear the beep and – voilà! – the transaction is successful!
A contactless bank card is super-convenient. You don’t need to swipe your card, recall the PIN, or scrawl a signature with a crappy pen, and you are spared taking out your wallet, searching for cash or fishing for coins in the depths of your pocket. Just a tap – and you are good to go.
Cashiers are happy with contactless payment as well: it makes the purchase much quicker and increases the ‘bandwidth’ of the checkout, the acknowledged bottleneck of every retail process.
However, this ease of use makes you wonder whether stealing your money is equally easy. Could a criminal simply tap your pocket with a hidden reader and strip you of your hard-earned cash?
In order to find this out, I studied a lot of reports from hacking conferences and talked to a number of bank representatives. The collective feedback was quite positive, but not without a few minor drawbacks.
Reach
Contactless cards use NFC (a near-field variant of RFID technology). The card contains a chip and an antenna which answer the POS terminal’s requests over a 13.56 MHz field; the field also powers the chip, so the card needs no battery. Different payment systems market their own brands: Visa payWave, MasterCard PayPass, American Express ExpressPay, etc. But all of them use the same approach and the same core technology (ISO/IEC 14443 for the radio layer and EMV for the payment application).
The reach of NFC is small – a few centimetres, in practice under an inch. So the first line of defense is physical: the reader has to be placed right next to the card, which is hard to do unnoticed.
At the same time, one could build a custom reader with a longer reach. For example, researchers at the University of Surrey demonstrated a compact scanner capable of picking up NFC data at a distance of 80 cm. Note, though, that eavesdropping on an exchange that is already in progress is easier than interrogating a card at that distance: a passive card has to draw its power from the reader’s field, which fades quickly with distance.
Such a device could issue requests to contactless cards on public transit, in shopping malls, airports and other crowded locations. In many countries NFC-compatible cards can be found in every second wallet, so in crowded places criminals would find a pretty big pool of victims.
Ultimately, one could go even further and do without a custom scanner or physical proximity at all. An elegant method of ‘eliminating the distance’ was developed by Spanish hackers Ricardo Rodrigues and Jose Villa and presented at the Hack in the Box conference.
The majority of today’s smartphones are equipped with an NFC module, and a smartphone is frequently located close to a wallet – say, in a handbag or a pocket. Rodrigues and Villa devised a concept of an Android Trojan that turns the victim’s smartphone into a kind of NFC relay.
As soon as a compromised smartphone is placed close to a contactless card, it signals to the attackers that a transaction is possible. The scammers then start a transaction on an ordinary POS terminal and hold their own NFC-enabled smartphone up to it. Every command the terminal sends is forwarded over the Internet to the victim’s phone, which passes it to the card and sends the genuine answer back. Thus a ‘bridge’ is built between the NFC card and the NFC terminal, regardless of the physical distance between them.
The Trojan might be distributed via standard methods, like bundling the malware with a cracked paid app. The only prerequisite is Android 4.4 or higher, the version that introduced host-based card emulation (HCE), which lets an app answer a terminal as if it were a card. Root access is not even necessary, although it is desirable if the Trojan is to keep working while the smartphone’s screen is locked.
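The relay described above, and the reason the card’s one-time cryptogram (see the Encryption section below) does not stop it, as an added example. This is not code from the article or from the researchers’ Trojan: it assumes a socketpair standing in for the Internet link, an HMAC-SHA256 stand-in for the EMV application cryptogram, a made-up card key and a made-up amount, and models only the GENERATE AC step of a transaction.

```python
"""Relay attack demo. Added example: not code from the article or from the
Rodrigues/Villa research. Two attacker devices are simulated, a reader next to
the victim's card and a card emulator at the real terminal, joined by a network
link (a socketpair stands in for the Internet). Each APDU the terminal sends is
forwarded to the real card and the genuine answer relayed back, so the card's
one-time cryptogram verifies although the card is nowhere near the terminal.
Card, terminal, key and APDU bytes are constructed for illustration; the
HMAC-SHA256 cryptogram is a stand-in for the real EMV application cryptogram."""
import hashlib
import hmac
import socket
import struct
import threading
import time

GENERATE_AC = bytes.fromhex("80AE8000")                      # EMV GENERATE AC header, ARQC requested
AMOUNT_1295 = bytes.fromhex("000000001295")                  # 12.95 as a BCD amount (tag 9F02 format)
CARD_KEY = bytes.fromhex("00112233445566778899AABBCCDDEEFF")  # assumed: shared by card and issuer only

def cryptogram(atc: int, data: bytes) -> bytes:
    return hmac.new(CARD_KEY, atc.to_bytes(2, "big") + data, hashlib.sha256).digest()[:8]

class SimulatedCard:
    """The victim's card: signs each transaction with a key that never leaves the chip."""
    def __init__(self) -> None:
        self.atc = 0                                         # application transaction counter

    def transmit(self, apdu: bytes) -> bytes:
        if not apdu.startswith(GENERATE_AC):
            return b"\x6A\x82"                               # SW: file or application not found
        self.atc += 1
        data = apdu[5:]                                      # terminal-supplied data (here just the amount)
        return self.atc.to_bytes(2, "big") + cryptogram(self.atc, data) + b"\x90\x00"

def issuer_verifies(response: bytes, data: bytes) -> bool:
    """Issuer-side check of the cryptogram the terminal forwarded with the authorization request."""
    if len(response) != 12 or not response.endswith(b"\x90\x00"):
        return False
    atc, mac = int.from_bytes(response[:2], "big"), response[2:10]
    return hmac.compare_digest(mac, cryptogram(atc, data))

def send_frame(sock, payload: bytes) -> None:
    """Length-prefixed framing keeps APDU boundaries intact over the stream link."""
    sock.sendall(struct.pack(">H", len(payload)) + payload)

def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return b""                                       # peer closed the link
        buf += chunk
    return buf

def recv_frame(sock) -> bytes:
    header = recv_exact(sock, 2)
    return recv_exact(sock, struct.unpack(">H", header)[0]) if header else b""

def reader_side(sock, card: SimulatedCard, link_delay: float) -> None:
    """The Trojan on the victim's phone: hands APDUs from the network to the card in the same pocket."""
    while True:
        apdu = recv_frame(sock)
        if not apdu:
            break
        time.sleep(link_delay)                               # assumed one-way network latency
        send_frame(sock, card.transmit(apdu))
    sock.close()

class RelayEmulator:
    """The attacker's phone at the POS: looks like a card, but the remote card answers every APDU."""
    def __init__(self, sock) -> None:
        self.sock = sock

    def transmit(self, apdu: bytes) -> bytes:
        send_frame(self.sock, apdu)
        return recv_frame(self.sock)

def terminal_transaction(card_like) -> dict:
    """One terminal-side transaction; returns what the terminal and issuer can observe."""
    started = time.perf_counter()
    response = card_like.transmit(GENERATE_AC + bytes([len(AMOUNT_1295)]) + AMOUNT_1295)
    return {
        "cryptogram_ok": issuer_verifies(response, AMOUNT_1295),
        "atc": int.from_bytes(response[:2], "big") if len(response) == 12 else None,
        "rtt_ms": (time.perf_counter() - started) * 1000,
    }

def run_relay_demo(link_delay: float = 0.05) -> tuple:
    """Runs the transaction once directly against the card and once through the relay."""
    pos_end, pocket_end = socket.socketpair()
    card = SimulatedCard()
    worker = threading.Thread(target=reader_side, args=(pocket_end, card, link_delay), daemon=True)
    worker.start()
    try:
        direct = terminal_transaction(card)
        relayed = terminal_transaction(RelayEmulator(pos_end))
    finally:
        pos_end.close()
    worker.join(timeout=2)
    return direct, relayed
```

Both runs verify at the issuer, because the relayed bytes are the real card’s own: the counter advances from 1 to 2 on the same chip. The only thing the terminal can observe is that the relayed answer arrives later, which is exactly the signal the relay-resistance timing checks added to later EMV contactless specifications rely on.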
Encryption
Getting a target card within reach of a rogue reader is just half of the task. There is another, more serious, line of defense: cryptography.
Contactless transactions are protected by the same EMV standard that protects ordinary plastic cards equipped with an EMV chip. Whereas a magnetic stripe can be easily cloned, a chip does not allow this: on receiving a request from the POS terminal, its IC generates a one-time cryptogram with a key that never leaves the chip. This cryptogram could be intercepted, yet it would not be valid for the next transaction.
Researchers have repeatedly voiced their concerns about EMV security; however, real-life cases of hacking an EMV card are still unheard of.
Are contactless payments safe?
There is one thing, though. In a standard deployment, EMV card security rests on the combination of cryptographic keys and a PIN code entered by the user. In contactless transactions the PIN is not requested, so protection is limited to the keys held by the card and by the terminal.
“In theory, it is plausible to produce a terminal that would read the card’s NFC data ‘from the pocket’. Yet this custom terminal would have to use encryption keys obtained from an acquiring bank and a payment system. The keys are issued by the acquiring bank, which means the scam would be very easy to track and investigate,” explained Alexander Taratorin, the director of application support at Raiffeisen Bank.
Value of transaction
There is yet another line of defense: a limit on the value of a contactless transaction. This limit is coded into the settings of the POS terminal, as the acquiring bank sees fit based on the payment systems’ recommendations. In Russia, the maximum value of a contactless transaction is 1000 RUB, whereas in the US the limit is set at $25, and in the UK at 20 GBP (soon to be raised to 30 GBP), etc.
Should the value exceed this limit, the transaction is rejected or requires additional verification, e.g. a PIN code or a signature, depending on the settings provided by the issuing bank. To prevent attempts to charge smaller sums consecutively, an additional security mechanism kicks in, such as a counter that forces a PIN after a number of consecutive contactless payments.
However, there is a rub. Almost a year ago, another team of researchers, from the University of Newcastle (UK), reported a vulnerability in the security of Visa contactless cards. Once you perform the payment in a foreign currency instead of GBP, the limit can be bypassed: if the POS terminal is offline, the maximum value of a transaction might reach as much as 1 million EUR.
However, Visa representatives denied the feasibility of such an attack in real life, stating that a transaction that large would be rejected by the bank’s security systems.
According to Raiffeisen Bank’s Taratorin, the POS terminal controls the maximum value of a transaction regardless of the currency.
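The limit logic discussed above, with the currency flaw beside a corrected check, as an added example that is not code from the article, from Visa or from any terminal vendor. The limits, reference exchange rates, offline ceiling and the ‘consecutive small payments’ rule are assumed simplifications of the behaviour the article describes, and the currency codes are the ISO 4217 numeric ones that EMV carries in tag 5F2A.

```python
"""Contactless amount-limit check: the currency flaw described above beside a
corrected version. Added example, not code from the article, Visa or any
terminal vendor. Limits, exchange rates, the ceiling and the consecutive-
payment rule are simplified models of the behaviour the article describes."""
from decimal import Decimal

GBP, EUR, USD = "826", "978", "840"          # ISO 4217 numeric codes, as carried in EMV tag 5F2A
NO_CVM_LIMIT = Decimal("20.00")              # UK contactless limit cited in the article (in GBP)
OFFLINE_CEILING = Decimal("1000000.00")      # assumed: never accept more than this without going online
RATES_TO_GBP = {GBP: Decimal("1"), EUR: Decimal("0.72"), USD: Decimal("0.64")}  # assumed reference rates

def decide_vulnerable(amount: Decimal, currency: str) -> str:
    """Flawed logic: the limit is enforced only when the currency is GBP,
    so a large amount in EUR or USD is approved with no PIN at all."""
    if currency == GBP and amount > NO_CVM_LIMIT:
        return "cvm_required"
    return "approved_no_cvm"

def decide_hardened(amount: Decimal, currency: str) -> str:
    """Limit applies regardless of currency: convert to the terminal's own
    currency first and fail closed on anything the terminal cannot price."""
    if amount <= 0:
        return "declined"
    rate = RATES_TO_GBP.get(currency)
    if rate is None:
        return "declined"                    # unknown currency: no way to apply the limit
    in_gbp = (amount * rate).quantize(Decimal("0.01"))
    if in_gbp > OFFLINE_CEILING:
        return "declined"
    if in_gbp > NO_CVM_LIMIT:
        return "cvm_required"                # PIN or signature before approval
    return "approved_no_cvm"

class ContactlessPolicy:
    """Adds the 'many small payments' rule: after max_streak consecutive
    no-CVM approvals for one card, the next payment needs a PIN (assumed rule)."""
    def __init__(self, max_streak: int = 5) -> None:
        self.max_streak = max_streak
        self.streak: dict = {}

    def decide(self, card_id: str, amount: Decimal, currency: str) -> str:
        decision = decide_hardened(amount, currency)
        if decision == "cvm_required":
            self.streak[card_id] = 0         # a PIN-verified payment resets the count
            return decision
        if decision == "approved_no_cvm":
            if self.streak.get(card_id, 0) >= self.max_streak:
                self.streak[card_id] = 0
                return "cvm_required"
            self.streak[card_id] = self.streak.get(card_id, 0) + 1
        return decision                      # declined payments leave the count alone
```

The hardened check converts before comparing, so a 25 USD purchase (about 16 GBP at the assumed rate) still goes through without a PIN, while 1 million EUR asks for one and 2 million EUR is refused outright; a currency the terminal has no rate for is declined rather than waved through.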
We’ll choose a different way
So, does it all boil down to the practical improbability of a bank or a payment system failing to prevent a rogue contactless transaction? The likely answer is yes, provided that the scammers do not work for the bank in question.
At the same time, there is another unpleasant finding. Even if the transaction itself cannot be hijacked, NFC can facilitate the theft of payment card credentials.
The EMV standard presupposes that some data is stored unencrypted in the chip’s memory and can be read by any reader. Such data might include the card number, the expiry date, recent transactions, etc., depending on the policies of the issuing bank or the payment system. The data could be read via an NFC-enabled smartphone with a legitimate app (like Banking card reader NFC) – you can check it out yourselves.
Until now, this information was considered public and not sufficient to compromise the card’s security. However, Which?, a prominent British consumer media outlet, has surprisingly busted that old myth.
The Which? experts tested a handful of contactless cards issued by UK banks. With the help of an affordable NFC reader and free software they managed to decode the card number and expiry date of every card in the test.
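What the Which? test amounts to in code: parsing the BER-TLV record a card returns to READ RECORD and pulling out the card number and expiry date. This is an added example, not code from the article or from any reader app; the response is constructed around the well-known Luhn-valid test PAN 4111 1111 1111 1111, and the tag numbers used (5A, 5F24, 5F20, 57) are the standard EMV ones.

```python
"""Reading card data from an EMV record the way the Which? test did. Added
example, not code from the article or from any NFC reader app. The READ RECORD
response is constructed around the test PAN 4111 1111 1111 1111."""
from typing import Dict, List, Tuple

TAG_PAN, TAG_EXPIRY, TAG_NAME, TAG_TRACK2 = "5A", "5F24", "5F20", "57"   # standard EMV tags

def tlv(tag: str, value: bytes) -> bytes:
    """Encode one BER-TLV element (short or long definite length)."""
    if len(value) < 0x80:
        length = bytes([len(value)])
    else:
        body = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes.fromhex(tag) + length + value

# Constructed READ RECORD response: record template (70) with the usual fields, then SW 9000.
SAMPLE_RECORD_RESPONSE = tlv(
    "70",
    tlv(TAG_PAN, bytes.fromhex("4111111111111111"))                      # PAN as BCD digits
    + tlv(TAG_EXPIRY, bytes.fromhex("251231"))                            # YYMMDD
    + tlv(TAG_NAME, b"SAMPLE/CARD")
    + tlv(TAG_TRACK2, bytes.fromhex("4111111111111111D25122010000000000")),  # PAN 'D' YYMM svc discretionary
) + b"\x90\x00"

def parse_tlv(data: bytes) -> List[Tuple[str, bytes]]:
    """Flatten BER-TLV bytes into (tag_hex, value) pairs, descending into constructed tags."""
    out, i = [], 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # padding between elements
            i += 1
            continue
        start = i
        constructed = bool(data[i] & 0x20)
        i += 1
        if data[start] & 0x1F == 0x1F:       # multi-byte tag: continues while bit 8 is set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                    # long form: low bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated element {tag}")
        i += length
        out.append((tag, value))
        if constructed:
            out.extend(parse_tlv(value))
    return out

def luhn_ok(pan: str) -> bool:
    """Checksum every card number must satisfy; catches misreads, not fraud."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def extract_card_data(response: bytes) -> Dict[str, str]:
    """Return PAN, expiry (MM/YY) and name from a READ RECORD response.
    Note what is absent: the CVV2 printed on the back of the card is not on the chip."""
    if not response.endswith(b"\x90\x00"):
        raise ValueError(f"card returned status {response[-2:].hex()}")
    fields = dict(parse_tlv(response[:-2]))
    result: Dict[str, str] = {}
    if TAG_PAN in fields:
        result["pan"] = fields[TAG_PAN].hex().rstrip("f")    # odd-length PANs are F-padded
    if TAG_EXPIRY in fields:
        yymmdd = fields[TAG_EXPIRY].hex()
        result["expiry"] = f"{yymmdd[2:4]}/{yymmdd[0:2]}"
    if TAG_TRACK2 in fields:                                  # fallback when 5A / 5F24 are absent
        track2 = fields[TAG_TRACK2].hex().upper().rstrip("F")
        pan, _, rest = track2.partition("D")
        result.setdefault("pan", pan)
        result.setdefault("expiry", f"{rest[2:4]}/{rest[0:2]}")
    if TAG_NAME in fields:
        result["name"] = fields[TAG_NAME].decode("ascii").strip()
    if "pan" in result and not luhn_ok(result["pan"]):
        raise ValueError("PAN fails the Luhn check")
    return result
```

Run against the constructed record this yields the card number, ‘12/25’ and the cardholder name, and the same number and expiry from track-2 equivalent data alone, which is all the Which? order needed; nothing on the chip supplies the CVV2.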
It seemed there was no reason to worry: wouldn’t one need the CVV number to shop online?
The sad truth is that many online marketplaces do not require a CVV number. The Which? experts successfully ordered a TV worth 3,000 GBP from one of the major online retailers.
The bottomline
While the contactless payment technology itself provides several layers of protection, that does not mean your money is 100% safe. Many elements of bank cards still rest on obsolete technologies and practices: the magnetic stripe, the possibility to pay online without additional authentication, etc.
In many respects, security depends on the settings chosen by financial institutions and retailers. The latter, in pursuit of faster shopping and fewer ‘abandoned carts’, at times prefer to sacrifice payment security for a bigger buck.