28 July 2014

Talk of Many Things

Ketharaman Swaminathan - GTM360 Marketing Solutions

49 | posts 189,715 | views 1,471 | comments

The Clear And Present Danger With NFC Payments

26 September 2012  |  6045 views  |  11

Technophobes and security pundits have been warning us for a long time that it’s possible for a passerby with an RFID reader – and malafide intent – to skim debit / credit card details off contactless cards and NFC smartphones even when they’re tucked away inside their owners’ wallets, pockets or hand bags.

I’d a first hand exposure of this security hazard during a recent visit to my friendly neighborhood book lending library, which is part of a nationwide chain of libraries that makes innovative use of RFID technology. With RFID reader kiosks reading RFID tags embedded inside every book, issue and return of books has become a frictionless, self-service process across the chain. For those interested, more details can be found in the post titled Innovations At A Click-And-Mortar Library on my personal blog.

During this trip, I selected a book and placed it on the kiosk. When I tapped the ‘Issue’ button, the kiosk read the RFID tag in the book and displayed its title on the touchscreen. But, alongside the book I wanted to borrow, I noticed another book in the list. When I pointed out the spurious entry to the store manager, she’d a quick look at the screen and told me to ignore it. It turned out that the false alarm was raised by a book being read by one of the library’s staff sitting beside the kiosk. In other words, the kiosk wrongly scanned a book that wasn’t placed on its tray but happened to be situated a couple of feet away.

As I was filing out of the library, I overheard the store manager grumbling to her colleagues about the kiosk’s temparamental behavior: On some days, it failed to identify books placed on its tray, whereas on other days like that one, it overzealously scanned books located several feet away.

I normally don’t get scared off a new payment technology just because someone claims to have hacked it somewhere and proved it to be unsafe – greater convenience generally tends to win me over. But, on this one, I think the aforementioned technophobes and security pundits have a point. Being slapped with one extra book on a library card is no big deal. But, having credit and debit card details broadcasted to people and card readers in the close proximity is so not okay. Based on my personal experience, I’m likely to be ultra-cautious about contactless cards, NFC or any other RFID-based payment method in future. 

Having said that, let me hasten to add that the overall consumer experience with contactless and NFC payments will be shaped by the way in which the technology is implemented rather than by the technology per se. In the two years that I've used TfL's contactless Oyster Cards, I never faced a single reliability or security problem with them (except for still not receiving the refund of the credit balance on the card I'd surrendered when leaving the UK over four years ago. But, since that's neither a technology nor an implementation issue, I'll let it pass!).

RFID in Library TagsMobile & onlinePayments

Comments: (16)

Alexander Peschkoff - TEDIPAY - London | 26 September, 2012, 15:24 As you said it yourself, it's not the technology (e.g. Contactless), it's the implementation (protocol, UI, SE integration) that presents a danger. Those who don't get it (many big boys are in that category), would pay a heavy price (monetary and loss of trust) for the "post factum" education...
Brett King - Moven - New York | 27 September, 2012, 04:43

Ketharaman,

It is interesting that while technically possible to skim RFID contactless cards, in the 15 years of the successful operation of the Octopus card system in Hong Kong, there has not been a single recorded instance of the fraud you mention that represents a 'clear and present danger'.

I'd be more worried about the current fraud with mag-stripe that is readily recorded and in the billions, compared with a technology that while it could theoretically be compromised, is labelled by the industry as 'fraud-proof'.

I don't think using the library RFID example has any redeemable merit when RFID contactless technologies used specifically in payments scenarios in UK, HKG, Singapore transport systems have been successfully deployed for over a decade without any of the fraud instances or dangers you have identified.

Sorry - I just think that this is not a reasonable argument. The tech is well proven, and this is counter-productive. In the case of Octopus 15 years and $12.8m of daily transactions conducted securely over contactless technology with zero fraud instances is a pretty tough record to poke holes in.

BK

Alexander Peschkoff - TEDIPAY - London | 27 September, 2012, 12:37

"In the case of Octopus 15 years and $12.8m of daily transactions conducted securely over contactless technology with zero fraud instances is a pretty tough record to poke holes in."

None of the existing payment technologies have zero fraud. Octopus had several holes when launched, but their team did a great job addressing the problems. Any existing exploits are not tangible. 

The danger - real or perceived or theoretical - comes from potential systemic/platform risk. For example, if someone finds a commercially-viable way to exploit known RFID weaknesses, "zero day" attack could be very damaging. We saw this happening recently with ultra-secure banking systems, on a tangible scale, on several occasions. Add to this equation "supply chain"/"human factor" threat - e.g. pre-loading mobile phones with malware at the production stage. Very few people can comprehend the scale and far-reaching potential of yet unknown or little understood vulnerabilities.

The problem with mobile is simple: any exploit would work on a platform level, not individual phone level. Good comparison: Pay TV systems (e.g. SKY box) use MUCH higher security than banking cards - if a card is compromised, the risk is contained within one account only. If Pay TV algo is cracked, the whole user base can start using service for free...

 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 27 September, 2012, 13:42

@AlexP: TY for your comments.

@BrettK: TY for your comments. I'm in agreement with whatever you've said about the safety track record of Octopus card since I've experienced the same with Oyster card. However, this only speaks for the "Probability of Occurrence of Fraud". Risk is also a function of the "Impact of Occurrence of Fraud". Here, as I've said, it doesn't matter if I get slapped with one extra book in my library card. Similarly, with any closed loop transit card, I'm likely to lose a few GBP / HK$ / SG$. So, in both examples, the impact of fraud is negligible. Whereas, in the case of mobile wallets using NFC, it's open-loop, it's a credit or debit card, not a prepaid card like Oyster / Octopus, there's virtually no limit on how large a tab another person in the vicinity can charge to my credit / debit card. So, the impact of fraud is extremely high. Therefore, the overall risk of NFC payment is quite high even if the probability of fraud might be low. Makes me wonder if this is the reason why NFC mobile wallets are still struggling to enter the mainstream despite Octopus and other contactless transit cards having been around for 10+ years.

Brett King - Moven - New York | 27 September, 2012, 15:24

I do think it is important to point out that NFC and RFID are two different technologies, and failure points on RFID have little to do with NFC security issues.

BK

Matt White - Finextra - London | 27 September, 2012, 17:27

I've suspended some comments. No more 'we've got this great product' type entries, please. 

Salil Ravindran - Oracle - Amsterdam | 28 September, 2012, 11:23

Traffic at a retailer is not expected to be as huge as in a transit system so let us be fair that most tap and go payments will be protected by the consumer with a pin which is not the primary consideration when RFID is implemented today in a retail/transport context

Also, the reading range of RFID is far more than an NFC chip and hence riskier. Not sure if the two are comparable in the same context 

Either way I dont think this is a big reason for poor adoption of contactless

 

 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 28 September, 2012, 14:56

@SalilR: TY for your comments. As I'd pointed out in my earlier comment, even granting that the probability of fraud is low, the impact of fraud with general-purpose NFC payments is very high, therefore the risk is far higher than with contactless transit cards, which hold hardly 10-20 GBP. It's interesting that you bring up the topic of traffic volumes. The very fact that contactless cards are used in places that have high traffic - let's ignore (say) South Quay DLR station at (say) 11 PM for the moment - and are constantly under human surveillance actually makes it very difficult for scamsters to skim them, especially when the pickings are hardly 10-20 GBP. It was only after a bit of furore that Google Wallet introduced a PIN, but that was only to start the app, and different from the PIN for individual Chip-and-PIN cards stored inside it. Not sure if GW and the other NFC-based mobile-wallets require PIN for authorizing individual tap-and-go transactions. At least, I haven't seen such a step in any of GW's demo videos.

A Finextra member | 17 June, 2013, 13:47

So... what you experienced is RFID at 2 feet.. NOT CONTACTLESS PAYMENTS!! Get your facts right about payments before making wild and inaccurate claims in other blog posts. 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 17 June, 2013, 15:42

@Anon:

NFC and contactless are based on RFID communication standards, as @AlexanderP had pointed out above:

http://en.wikipedia.org/wiki/Near_field_communication

In fact, in another Finextra post on which I'd commented, the author wrote: "Contactless cards... work by using Radio Frequency Identification (RFID) technology".

Maybe if you'd read the previous comments to this blog post and the other post, you'd have reconsidered your comment. Not sure where you read my wild and inaccurate claim.

A Finextra member | 17 June, 2013, 16:01

You comment here http://www.finextra.com/community/FullBlog.aspx?blogid=7794 - "I wouldn't rush to rule out technology as the cause of double-dipping at Marks & Spencer. I've experienced this at two feet" which given the nature of the blog implies that you have used a contactless card from 2 feet. Anyone who has ever used Contactless cards in the UK market knows this is utter rubbish, hence my remark.

For many reasons I have to post this anonymously but I do work in payments and have worked with retailers, issuers, schemes and device manufactuerers on their contactless deployments in case you feel I am just making this up

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 17 June, 2013, 16:59

@Anon:

Since I've outed my location, I guess I invite comments like "Anyone who has ever used Contactless cards in the UK market knows this is utter rubbish". But, since posting anonymously is never my cup of tea, I have to respond to such comments: I've used both closed- and open-loop contactless cards in UK back in 2007-2008, the former at a Starbucks cafe inside the premises of a Top 5 UK Bank and the latter at a Krispy-Kreme store, both in Canary Wharf. (I did say here that "I was a very early adopter of contactless cards"). 

With that out of the way, my point is not about how people use contactless cards - even without using contactless cards in UK, I don't expect anyone to claim that they'll wave a contactless card from two feet away to make a payment. The crux of my blog post and comment is  how contactless cards could get used unwittingly in the system. For example, I've reached the till. I've two contactless cards A and B. I wish to use Card A to make the payment, take it out of my wallet and hand it over at the POS. All this while, Card B is still inside my wallet, which is two feet away from the POS. Based on my experience with RFID technology, I'll not be surprised if Card B is inadvertently charged despite being two feet away. I'll also not be shocked if, in addition, Card A is also charged as intended. Hence, double-dipping. This is the clear and present danger with this technology. This is how I see the average man on the street perceiving it. It hardly matters how much counterevidence is produced by the payments specialist to say that this can never happen.  

Gerhard Schwartz - Hewlett-Packard - | 01 November, 2013, 11:49

A very interesting and also a bit emotional discussion here.

I for one would strongly prefer not to become subject to any payments transactions without a conscious and deliberate action performed by myself to indicate that I'm in full agreement with that payment - also if it is just amounting to a few Euro's, Pounds or Dollars or even fractions thereof.

A payments transaction that involves sliding a chip card into a slot meets that criteria. A payments transaction based on smartphones and wireless technology does not, as in conjunction with a suitable trojan and related equipment nearby it is possible to initiate fraudulent payments - without the victim becoming aware about it. 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 01 November, 2013, 18:30

@GerhardS: 

TY for your comment. 

In Finextra and elsewhere, I've relentlessly advocated a frictionless payment regime. Some others have gone further and proposed that payments should even be invisible. However, in all my work on payments with banks and consumers, the predominant finding that emerges resonates with your opinion: While they don't want to jump a dozen hoops to make a payment, most people do want to know when, why and how much they're paying. Let alone invisible payments, people don't even want frictionless payments. I'm slowly but steadily coming around to the view that the "less friction" message will drive greater mainstream adoption of ePayments than the "frictionless" one. Just as I'd previously learned that "less paper" works far better than "paperless" in promoting eBills and eStatements. 

Talking about deliberate and conscious action while making payments, this is a very interesting topic that has been the source of a perpetual dilemma to me: 

Between website hosting, domain name, VoIP, and a few other services that I use, I need to make around 15 payments to various service providers each month. With each service provider, I've set up a recurring mandate in such a way that they debit my credit card - not bank - account with a fixed amount each month automatically. (In this, I'm excluding mobile phone, utility and other bills where the amount is variable and I've not authorized direct debit). This saves me the time and energy of having to make each  of the 180-odd CNP payments individually every year.

Since I've signed a recurring debit mandate, I've provided overall payment authorization deliberately and consciously. But, to the extent that each payment happens without my explicit consent - some of them when I'm literally asleep - is there a lack of deliberate and conscious action? 

Gerhard Schwartz - Hewlett-Packard - | 01 November, 2013, 22:26

@Ketharaman:  Wherever money is involved, the key question is about trust. As you have entitled several providers with the right to charge your credit card account, you did indicate that you trust them enough to enter at least a mid-term business relationship and thereby you did elevate that relationship beyond that very basic transactional level "exchange that good or service against an immediate payment, no further trust" - and you don't treat each other as strangers any more.

So you are no longer paying for single transactions, rather for an entity of goods or services obtained over a time period and linked to the common trust between both parties that neither of them will cheat. That's another quality, here you are no longer concerned that much about the proper handling of each and every business transaction.

So you actually don't need those technical crutches for securing single payments transactions that badly any more. Their role is now more or less reduced to a means for data capturing. 

 

 

 

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Ketharaman

Cash in Hand Is Worth More Than Card In Bush

21 July 2014  |  1592 views  |  3  |  Recommends 2 TagsCardsPayments

Warts And All, The System Works

11 July 2014  |  2024 views  |  0  |  Recommends 0 TagsRisk & regulationRetail banking

How Security Can Actually Cause Vulnerability

03 June 2014  |  2002 views  |  1  |  Recommends 1 TagsCardsSecurity

Analytics or Hair Splitting?

19 May 2014  |  1823 views  |  3  |  Recommends 1 TagsRetail bankingTransaction banking

Coin Solves A Pain. But Is It A 100 Dollar Pain?

27 April 2014  |  3008 views  |  0  |  Recommends 0 TagsCardsMobile & online
name

Ketharaman Swaminathan

job title

Founder & CEO

company name

GTM360 Marketing Solutions

member since

2009

location

Pune

Summary profile See full profile »
As Founder and CEO, S. Ketharaman provides overall direction and leadership toward setting and ac...

Ketharaman's expertise

What Ketharaman reads
Ketharaman writes about

Who is commenting on Ketharaman's posts

Andrei Charniauski
John Quamina
Sian Bentley
Tony Wenzel
Nick Collin
Alex Johnson
Seeva Selliah
Sunil Prabhu
Daniele Astarita
Alexander Peschkoff
Brett King
Atul G