Contactless transactions – ranging from access control and ticketing to financial payments – emerged almost two decades ago and, since then, have become widely accepted and more diverse, now including mobile wallets, key fobs, tags or stickers for smartphones or wristbands.
Over 370 contactless transactions are now made every minute in the UK – six per second – and monthly spending on contactless cards exceeded £100 million in March 2014, tripling the numbers of the previous year.
However, the security of these transactions continues to be an area of concern. Contactless payments use the same chip-based protections as chip and PIN cards, but for transactions below the contactless limit the user doesn’t have to enter a PIN. The card sends its data over a short-range radio (RF) interface; near field communication (NFC), the newer variant of the same technology, is what turns a smartphone into a digital wallet. Over the last decade, researchers have shown that a fraudster can read a victim’s card data from a distance using a dedicated amplifier, an antenna and other low-cost electronics that fit into a rucksack.
Here are the top security threats you should be aware of if you’re using a RF-based card, along with our top safety tips to keep your payments secure:
Skimming attacks: If the card does not require the reader to prove its identity first (mutual authentication), anybody with a reader that can talk to the RF chip on the card can read the cardholder’s name, card number and expiry date. Tip: Keep RF-enabled cards in a shielding slipcase or wallet so they can’t be read without your knowledge.
Eavesdropping attacks: Here the attacker records the data exchanged between the card and a legitimate reader during a genuine transaction, and can do so from a greater distance than active skimming. Because the card has to be out of its sleeve to pay, a shielding case does not help against this. Tip: Carry a “blocker tag”, which simulates the presence of many extra tags and confuses a rogue reader trying to pick out your card’s data.
Hacked terminals: Here the legitimate reader at a point-of-sale terminal is replaced with a counterfeit or tampered one, which records the shopper’s card data, the keystrokes on the PIN pad and a time stamp of each interaction. Tip: A malicious terminal is very difficult to spot. Be vigilant and look out for anything unusual about the terminal or its PIN pad.
Replay attacks: An attacker captures the messages a card or user sends during a transaction and resends (replays) them later. Even if the messages are encrypted, retransmitting a previously valid message can be enough to gain access if nothing ties that message to a single session. Tip: Use services whose transactions carry a fresh session token or one-time code, so a captured message can’t be reused by an impostor.
Relay attacks: Similar to a man-in-the-middle attack, this technique uses a malicious reader near the victim that forwards the card’s responses in real time to an accomplice at a genuine terminal elsewhere, who completes a fraudulent transaction almost simultaneously. Because the messages are forwarded unchanged, stronger encryption does not prevent this; the defence lies with the terminal, which has to reject responses that arrive too slowly to have come from a card in its own field. Tip: Keep the card shielded when not in use, so a reader held close to you can’t start a transaction without your knowledge.
Cross-contamination: Here the attacker combines data read from the card with publicly available information about the victim, such as their address, to trick the bank into issuing a new card in the victim’s name, which is then used for an online shopping spree. Tip: Notify your bank or card issuer immediately if you notice suspicious activity on your account.
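To make the skimming, replay and relay items above concrete, here is an added toy model of a card, a terminal and the issuer’s back end. It is example code written for this page, not code from the original article or from any card scheme; the message formats, the transaction counter, the shared key, the PAN and the 50 ms response-time bound are all constructed for illustration and do not follow the real EMV specifications.

```python
"""Toy contactless card / terminal / issuer model (constructed example).

Shows why three of the attacks above succeed or fail:
  - skimming:  static card data is readable without any authentication
  - replay:    a captured response fails because of a fresh terminal
               challenge and a per-card transaction counter
  - relay:     a genuine but forwarded response passes the cryptography
               and is only caught by a response-time bound
"""
import hashlib
import hmac
import os
import time

MAX_RTT_S = 0.05  # assumed bound on a genuine card's response time (illustrative)


class Card:
    """Contactless card holding a key shared with its issuer."""

    def __init__(self, pan, expiry, key):
        self.pan, self.expiry, self.key = pan, expiry, key
        self.atc = 0  # application transaction counter, incremented per use

    def read_static(self):
        # Skimming: nothing authenticates the reader, so any reader in
        # range receives these fields.
        return {"pan": self.pan, "expiry": self.expiry}

    def cryptogram(self, amount, un):
        # The MAC covers the terminal's unpredictable number (un) and the
        # card's counter, so no two valid responses are ever identical.
        self.atc += 1
        msg = f"{self.pan}|{amount}|{self.atc}|{un.hex()}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return {"pan": self.pan, "atc": self.atc, "mac": mac}


class Issuer:
    """Back end that knows each card's key and the last counter it accepted."""

    def __init__(self, keys):
        self.keys = keys       # pan -> key
        self.last_atc = {}     # pan -> highest counter seen

    def authorise(self, amount, un, resp):
        key = self.keys.get(resp["pan"])
        if key is None:
            return "declined: unknown card"
        msg = f"{resp['pan']}|{amount}|{resp['atc']}|{un.hex()}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, resp["mac"]):
            return "declined: bad cryptogram"      # wrong un, amount or key
        if resp["atc"] <= self.last_atc.get(resp["pan"], 0):
            return "declined: counter reused"      # exact replay of old message
        self.last_atc[resp["pan"]] = resp["atc"]
        return "approved"


class Terminal:
    """Point-of-sale reader; max_rtt=None disables the relay check."""

    def __init__(self, issuer, max_rtt=MAX_RTT_S):
        self.issuer, self.max_rtt = issuer, max_rtt

    def transact(self, amount, ask_card):
        # ask_card(amount, un) stands for the RF exchange with whatever is
        # in the field: the real card, or an attacker's relay device.
        un = os.urandom(4)
        t0 = time.perf_counter()
        resp = ask_card(amount, un)
        rtt = time.perf_counter() - t0
        if self.max_rtt is not None and rtt > self.max_rtt:
            return "declined: response too slow (possible relay)"
        return self.issuer.authorise(amount, un, resp)


def demo():
    key = b"constructed-card-key"               # constructed, not a real key
    card = Card("4111111111111111", "12/19", key)  # constructed test PAN
    issuer = Issuer({card.pan: key})
    terminal = Terminal(issuer)
    results = {}

    # Skimming: the static fields are handed to any reader.
    results["skim"] = card.read_static()

    # Genuine tap, with an eavesdropper recording the exchange.
    captured = {}

    def tap_and_record(amount, un):
        resp = card.cryptogram(amount, un)
        captured.update(un=un, resp=resp)
        return resp

    results["genuine"] = terminal.transact(1000, tap_and_record)

    # Replay at a terminal: the terminal picks a new un, so the old MAC fails.
    results["replay_terminal"] = terminal.transact(1000, lambda a, un: captured["resp"])
    # Replay straight to the issuer with the original un (a hacked terminal
    # could do this): the MAC is valid but the counter has already been used.
    results["replay_issuer"] = issuer.authorise(1000, captured["un"], captured["resp"])

    # Relay: accomplice's device forwards the live challenge to the real card.
    def relay(amount, un):
        time.sleep(0.2)  # constructed network hop to the reader near the victim
        return card.cryptogram(amount, un)

    results["relay"] = terminal.transact(1000, relay)
    results["relay_no_timing"] = Terminal(issuer, max_rtt=None).transact(1000, relay)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

The last two results are the point of the relay item: with the timing bound removed, the relayed transaction is approved, because the cryptogram really did come from the victim’s card and nothing in the cryptography can tell the issuer that the card was a mile away from the terminal.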
In addition to the above, perhaps the most important piece of advice is never let anyone walk away with your payment card, not even staff offering to help you!