
'Press to Pay' silver bullet for contactless cards fraud

Contactless cards are in the "limelight" again. First it was M&S, then London buses (in fact, the BBC reported on that issue back in February), now it's Amazon.

Let's start with the latter. I highlighted the "CVV-less" problem of Amazon last summer. Amazon claims they "employ impressive fraud detection systems". One of the methods they use is device "fingerprinting" - it's a solid technology, but doesn't always work in the case of Amazon (for reasons I cannot discuss here). Amazon is happy to eat some fraud for now, so let it be. I guess that level of fraud is small enough, considering that Dave Birch of Consult Hyperion dismissed the risk of the exposed card number and expiry date.

Previously, the banks were pointing to the likes of Amazon; they now agree that contactless cards should have been made more secure to start with. So, what is the industry going to do about the problem, the existence of which they now have to admit?

There are talks of re-issuing contactless cards and enabling the replacement ones with "masking" to protect card details. That will only start the "cat and mouse" game - think of "unmasking", countered with "supermasking", to be brought down by "a hole discovered in supermasking" etc.

The best security is often achieved by obscurity. This time it can be physical.

There is a company working on an elegant and cost-effective "Press to Pay" solution (the term coined by Jeremy Acklam). It's a neat mechanical button, hidden under the surface of a contactless card, that needs to be pressed to make the card work. Like flicking the light switch. "Press to Pay". Simples!

That means you need to get the card out of the wallet - which you have to do anyway, if you have more than one contactless card or an Oyster.

The real question is: what is the true advantage of a contactless transaction compared to the "chip & PIN" one? (I am talking about the cards, not the mobile phones here.) A couple of seconds saved by not having to enter a PIN. Is it really worth all the hassle and risk?

With two or three contactless cards in our pockets, we become attractive crime victims - threaten someone, get his or her contactless cards, buy cigarettes, sell them easily at half price. "Pay with contactless and earn £100 in 5 minutes!"

Currently, the issuer takes full responsibility for any contactless-related fraud. Once the volume of such losses picks up, the banks will start shifting liability to the consumers. The consumers will ditch the contactless cards. And that will greatly upset my wife who loves the convenience offered by contactless cards. Better go and fix that problem.


Comments: (3)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 06 June, 2013, 09:41

Not having to take it out of a wallet is a major appeal of contactless cards for me. Take that away, it almost turns into a damp squib. That said, chip-and-PIN involves the huge friction caused by password, so the difference between contactless-taken-out-of-wallet and chip-and-PIN is more than just the few extra seconds. Until something comes along in between, I'm happy with only one contactless-card-that-stays-inside-my-wallet.

A Finextra member, 10 June, 2013, 14:04

The Amazon feature has been around for a long time, and it's never caused Amazon enough pain to take it away.  The problem they have with the feature is that it makes an ideal showcase for security "experts" to show, in public, the "vulnerabilities" of payment services.  The biggest risk around the Amazon "fraud feature", therefore, is that it is primarily used by security "experts" to expose security holes in payment services.

On the contactless card conundrum: is it not possible that when the card schemes initially got excited by contactless, it was with a view to migrating payments on to mobile phones?  Seems reasonable to me, as the usage differential between contact and contactless is pretty negligible.  However, given that making payments work on mobile phones seems to be beyond the capabilities of banks and mobile operators, we are left wondering as to the point of contactless cards.  


A Finextra member, 10 June, 2013, 14:17

Great point, David, as to the original raison d'etre of "contactless".

This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.