RFID: ‘Contactless’ Or Clueless?
Is your credit card data safe or is it being compromised by the use of Radio Frequency Identification tags? Is electronic pick pocketing real? Khaleej Times takes a closer look.
Imagine this shop and shock scenario. You cart a load of groceries from the supermarket shelf to a terminal and pay by scanning your credit card, glad that you won’t be joining the queue at the counter where a clerk swipes plastic for approval.
It’s called ‘contactless’ shopping and is fast gaining currency, thanks to Radio Frequency Identification (RFID). But wait.
Unknown to you, a hacker in the vicinity might be using a device to read the data stored on your card. He could be one of the many faces thronging the crowded parking lot, holding a tablet-like gadget that covertly reads your card details and transmits them to a computer. The pilfered data is duplicated on another card, and more shopping is done on your behalf with the clone as you stare in shock at the declining balance.
Consumerism fuelled by these touch-me-not credit or tap and go cards is set to make waves in the future, but some experts like Walt Augustinowicz, founder and CEO of Identity Stronghold, say the payment process is fraught with risk, having demonstrated some chinks in plastic shopping. However, card companies like MasterCard say consumers have nothing to fear because security protocols are almost foolproof.
Augustinowicz’s US-based company has been at the vanguard of the fight against what is known as “electronic pickpocketing” where criminals use radio waves, smart phones, compact computers and point-of-sale card readers to steal identities and confidential financial information.
“We have some cards in the US that have a 50-feet read range such as the Passport Card that can be easily tracked. But the larger risk is contactless credit and debit cards. An attacker can easily purchase a card reader online that can read up to four inches away without modification. With the reader concealed, he simply has to get close to your wallet or purse. All the data necessary to use that card such as 16-digit account number and expiration date are available,” he tells Khaleej Times.
With the scanned data, an attacker can make Internet purchases on sites not requiring the three-digit CVV code or make phone purchases. “We have even successfully used an NFC-enabled cell phone to make purchases at contactless point-of-sale terminals,” he claims.
But not everyone shares his concerns about card security, or rather the lack of it. One of them is Julian Phillips, vice-president, Acceptance and Commercial Development UAE, MasterCard, who counters that the research was centred on magnetic stripe cards, which by their very nature cannot offer the same high levels of security as chip cards.
“MasterCard PayPass–enabled cards and devices are processed through the same financial payments network that processes millions of MasterCard transactions securely today. Security on these payments is therefore certainly not ‘easily’ breached,” he says.
The card company recently announced a record 28 per cent growth in contactless payments technology through its MasterCard PayPass. This network now has nearly 700,000 merchant locations in 51 countries.
In the UAE, MasterCard has worked with Network International to expand its contactless payments infrastructure. It installed MasterCard PayPass terminals across more than 1,000 stores last year.
“During a PayPass transaction, we do not send all the card and cardholder details across and therefore even if someone is able to capture this information they would not be able to replicate the person’s account as they would not have all the data required to make a fraudulent transaction. All transactions are authorised online which means that the issuing bank would have electronically approved the transaction at the point of sale and therefore the cardholder is protected and has the right to dispute the transaction,” Julian explains.
Nicolai Solling, Director of Technology Services at Help AG, a strategic information security consulting company, says these concerns cannot be wished away but he sees a shift towards a better security for credit and debit card information. “Right now, it is all about convenience, but additional authentication such as SMS, pin-code or two-factor authentication is likely in the future when we pay using Radio Frequency Identification,” he says.
He says users must ensure that the wrong people do not gain access to credit cards with this feature. “So one of the things you can do as an individual is to carry these cards in special wallets which shield the signal. These types of wallets are readily available for cards, passports and other RFID-enabled devices.”
Augustinowicz of Identity Stronghold says there is no on/off switch and any attempt at adding one is expensive or has failed. In light of this, he says the only option left is to block the radio transmissions via shielding with shielded badge holders such as Secure Badgeholder, or Secure Wallets.
Another approach for added security would have the user authenticate to a payment application on the smartphone, which in turn activates the RFID interface. “I am sure it is not just for fun that Google have made very solid RFID implementation in Android and registered the company with a digital banking licence in Europe and the US,” says Nicolai.
Companies like Identity Stronghold are also working on new secure technology. Augustinowicz says they have a patent pending on a new card design that will eliminate the risk and keep all the benefits. “We will be introducing this into the market over the next year but we need to get the credit card issuers on board.”
MasterCard’s Julian says payment security depends on all stakeholders in the value chain working together to adopt best practices. On their part, cardholders should actively monitor their accounts and report to their issuer any suspicious transactions, as well as alert their issuer without delay if their card is lost or stolen.
Card hackers will always be around to keep pace with technology advances in payment mechanisms. “Replicating certain cards is much easier than picking a lock. So the burglars of our generation will not be equipped with a crowbar, but rather with an RFID-cloning device,” says Nicolai.
Safety features include:
Cardholder names in MasterCard are not accessible/readable via the contactless interface between the chip on a PayPass or a Maestro PayPass card and the contactless reader. Given this, the name of the cardholder cannot be accessed from the card or device using contactless readers.
The Card Validation Code (CVC2), a 3-digit security code used for securing e-commerce and telephone order transactions, is not at risk of being compromised in a PayPass contactless card transaction. This is because the code is not present in the data on the chip of a PayPass-enabled card and therefore cannot be accessed by a contactless reader. On a PayPass–enabled mobile phone (with Near Field Communication payment capability), the CVC2 is present in the data on the chip but cannot be accessed from the mobile phone using contactless readers.
MasterCard requires the use of a dynamically generated cryptogram with every contactless transaction. Created in real-time, the cryptogram is used by the issuer to authenticate a transaction. Fraudulent reuse/replay of transaction data is defended against by requiring a unique cryptogram for each authorisation. In the event data was remotely ‘sniffed’ during a previous contactless transaction, its re-use can be detected in a subsequent transaction.
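The per-transaction cryptogram described above, as an added illustration that is not MasterCard's or the EMV specification's own scheme: it uses a constructed HMAC over a transaction counter, amount and terminal nonce as a stand-in for the real issuer cryptogram, and a constructed card key, to show why sniffed transaction data cannot simply be replayed or re-used with a different amount.

```python
import hashlib
import hmac
import struct

# Constructed per-card secret shared by card and issuer (illustrative, not a real EMV key).
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def card_cryptogram(key: bytes, atc: int, amount: int, terminal_nonce: int) -> bytes:
    """Card side: MAC over the application transaction counter (ATC), the amount and a
    terminal-supplied nonce. The ATC increments on every tap, so no cryptogram repeats."""
    data = struct.pack(">HII", atc, amount, terminal_nonce)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer side: recompute the cryptogram and enforce a strictly increasing ATC."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_atc = -1

    def authorise(self, atc: int, amount: int, terminal_nonce: int, cryptogram: bytes) -> str:
        expected = card_cryptogram(self.key, atc, amount, terminal_nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: cryptogram does not verify"
        if atc <= self.last_atc:
            return "DECLINE: counter already seen (replay)"
        self.last_atc = atc
        return "APPROVE"


def run_scenario() -> list:
    """Walk through the cases the article describes: a genuine tap, a replay of sniffed
    data, and sniffed data re-used with a different amount."""
    issuer = Issuer(CARD_KEY)
    results = []
    # 1. Genuine transaction: card at ATC 7, terminal nonce 0xA1B2C3D4, 12.50 in minor units.
    atc, amount, nonce = 7, 1250, 0xA1B2C3D4
    cg = card_cryptogram(CARD_KEY, atc, amount, nonce)
    results.append(issuer.authorise(atc, amount, nonce, cg))
    # 2. Everything from step 1 captured over the air and submitted again unchanged.
    results.append(issuer.authorise(atc, amount, nonce, cg))
    # 3. Sniffed cryptogram submitted with a fresh counter and a larger amount: MAC fails.
    results.append(issuer.authorise(atc + 1, 99900, nonce, cg))
    # 4. The card's next genuine tap still goes through.
    atc += 1
    cg = card_cryptogram(CARD_KEY, atc, 500, 0x11223344)
    results.append(issuer.authorise(atc, 500, 0x11223344, cg))
    return results
```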