Contactless cards are in the "limelight" again. First it was M&S, then London buses (in fact, BBC
reported on that issue back in February), now it's Amazon.
Let's start with the latter. I highlighted the "CVV-less" problem of Amazon last summer. Amazon claims they "employ impressive fraud detection
systems". One of the methods they use is device "fingerprinting" - it's a solid technology, but doesn't always work in the case of Amazon (for reasons I cannot discuss here). Amazon is happy to eat some fraud for now, so let it be. I guess that level of fraud
is small enough, considering that Dave Birch of Consult Hyperion dismissed the risk of the exposed card number and expiry date.
Previously, the banks were pointing to the likes of Amazon; they now agree that contactless cards should have been made more secure to start with. So, what is the
industry going to do about the problem, the existence of which they now have to admit?
There are talks of re-issuing contactless cards and enabling the replacement ones with "masking" to protect card details. That will only start the "cat and mouse" game - think of "unmasking", countered with "supermasking", to be brought down by "a hole discovered
in supermasking" etc.
The best security is often achieved by obscurity. This time it can be physical.
There is a company working on an elegant and cost-effective "Press to Pay" solution (the term coined by Jeremy Acklam). It's a neat mechanical button, hidden under the surface of a contactless card, that
needs to be pressed to make the card work. Like flicking the light switch. "Press to Pay". Simples!
That means you need to get the card out of the wallet - which you have to do anyway, if you have more than one contactless card or an Oyster.
The real question is: what is the true advantage of a contactless transaction compared to the "chip & PIN" one? (I am talking about the cards, not the mobile phones here). A couple of seconds saved by not having to enter a PIN. Is it really worth all the hassle?
With two or three contactless cards in our pockets, we become attractive crime victims - threaten someone, get his or her contactless cards, buy cigarettes, sell them easily at half price. "Pay with contactless and earn £100 in 5 minutes!"
Currently, the issuer takes full responsibility for any contactless-related fraud. Once the volume of such losses picks up, the banks will start shifting liability to the consumers. The consumers will ditch the contactless cards. And that will greatly upset
my wife who loves the convenience offered by contactless cards. Better go and fix that problem.