UK government sets guidelines to combat contactless m-payments fraud

28 August 2009 | 8517 views | 5 Security/Risk

The UK government has laid down guidelines designed to tackle fraud associated with mobile phone-based contactless payments.

Contactless m-payments - where users can make low value purchases by tapping their handsets against specially equipped terminals - is being trialled by several phone companies and banks.

The Home Office says it has been working with the industry to make sure tough security measures are in place to prevent phone thieves or cloners from being able to take advantage of the new technology.

The government department has now issued guidelines, asking firms to make sure bank details, phones and SIMs are disabled as soon as possible once phones are reported lost or stolen.

In addition, verification, such as a PIN, will be required for any transactions above the maximum contactless payment value (currently £10) and if more than a certain number of smaller charges are carried out in a row.

The Home Office also wants to encourage those who sign up for a contactless payment handset to add their details on the National Mobile Phone Register (NMPR), making it easier for stolen phones to be identified and recovered. NMPR is linked to voluntary databases designed to make it easier for police to identify and recover stolen phones. Approximate 22 million phones are currently registered on it.

Alan Campbell, minister, Home Office, says: "This technology is an exciting new development but we must continue to work together to reduce any new opportunities for criminals to profit from mobile theft. As new technologies like this develop we aim to consider where safeguards can be incorporated at the drawing board stage."

Barclaycard, currently trialling the technology with wireless operator Orange, has welcomed the guidelines.

Dan Salmons, director, payment innovations, Barclaycard says: "Contactless is the future of payments and with plans for payments to be possible via mobile phone in 2010 the guidelines announced by the Home Office will ensure that security and consumer confidence in mobile payments is further improved."

Comments: (5)

Comment on this story (membership required)

Dean Procter - Transinteract - Sydney | 29 August, 2009, 14:57

I'm sure they will be just as effective as any other guidelines have been, but I'm at a loss to remember an example.

0 thumbs up! (Log in to thumb up)

Report

Colin Henderson - Bankwatch Consulting - Canada | 31 August, 2009, 04:29

I am with Dean on this. Why on earth would it take Government regulation to ensure basic PIN/ password/ security measures be employed. Barclaycard should be embarrassed that they are being told to do what ought to be basic product design. The whole card approach which is based on just meeting minimum standards was ridculous 5 years ago, and is now inexcuseable.

0 thumbs up! (Log in to thumb up)

Report

Jon Shamah - E J Consultants Ltd - London | 31 August, 2009, 06:58

The reason why the UK Govt is making this noise now is so that they can be seen to be doing *something* on the run-up to the 2012 Olympics, where m-payments, combined with e-tickets etc is their current recurring vision.

I also agree that these are all basic measures, which should reasonably be expected to be implemented prior to large scale adoption. - That is unless there is some indemnity given by Barclaycard et al, who are willing to accept liability for any losses. - don't hold your breath.

0 thumbs up! (Log in to thumb up)

Report

Andrew Churchill - Technology Strategy - London | 31 August, 2009, 14:24

Why only worry about contactless m-payment fraud, not card based? And Jon, why have m-payments and e-ticketing for 2012 (transport ticketing consultation was out last week)? Surely m-payments, with m-ticketing (as the Barlcaycard/Oyster/O2 pilot), so then why not take advantage of the mobile (a computer) as an integral part of the security process? Some of the current pilots do seem rather unimaginative!

0 thumbs up! (Log in to thumb up)

Report

Steve Brunswick - Thales - Long Crendon | 30 September, 2009, 12:49

Moves by UK government to lay down guidelines designed to tackle fraud associated with mobile phone-based contactless payments and to increase public confidence are welcome if issuers and acquirers are to make the most of this new channel and grow payment volumes.

Whilst government guidelines are one way to ensure that adequate security measures are in place, it must also be combined with an industry commitment to best practice security. To date, the industry has been careful to add security on both the contactless devices and in the processing network, including a unique built-in secret key on the card which generates a unique CVV. It's also interesting to note that the processing of contactless payments does not require the use of the cardholder's name and some cards do not even include the cardholder's account number. Furthermore, contactless transactions can only be processed once which prevents incidents of "repeat attacks" from occurring, which can affect other types of transactions.

Clearly, the security of any new transaction channel must be a priority if it is to enjoy widespread success, so it is good to see that both the payments industry and the Government have contactless security firmly on the agenda. But other challenges associated with mobile contactless, such as preparing the payments infrastructure for increased transaction volumes where on-line transactions are the norm, require just as much attention if contactless payments are to be the success that everyone in the payments industry hopes they will be.

0 thumbs up! (Log in to thumb up)

Report