Technophobes and security pundits have been warning us for a long time that it’s possible for a passerby with an RFID reader – and mala fide intent – to skim debit / credit card details off contactless cards and NFC smartphones even when they’re tucked away inside their owners’ wallets, pockets or handbags.
I had first-hand exposure to this security hazard during a recent visit to my friendly neighborhood book lending library, which is part of a nationwide chain of libraries that makes innovative use of RFID technology. With RFID reader kiosks reading RFID tags embedded inside every book, issue and return of books has become a frictionless, self-service process across the chain. For those interested, more details can be found in the post titled Innovations At A Click-And-Mortar Library on my personal blog.
During this trip, I selected a book and placed it on the kiosk. When I tapped the ‘Issue’ button, the kiosk read the RFID tag in the book and displayed its title on the touchscreen. But, alongside the book I wanted to borrow, I noticed another book in the list. When I pointed out the spurious entry to the store manager, she had a quick look at the screen and told me to ignore it. It turned out that the false alarm was raised by a book being read by one of the library’s staff sitting beside the kiosk. In other words, the kiosk wrongly scanned a book that wasn’t placed on its tray but happened to be situated a couple of feet away.
As I was filing out of the library, I overheard the store manager grumbling to her colleagues about the kiosk’s temperamental behavior: On some days, it failed to identify books placed on its tray, whereas on other days like that one, it overzealously scanned books located several feet away.
I normally don’t get scared off a new payment technology just because someone claims to have hacked it somewhere and proved it to be unsafe – greater convenience generally tends to win me over. But, on this one, I think the aforementioned technophobes and security pundits have a point. Being slapped with one extra book on a library card is no big deal. But, having credit and debit card details broadcast to people and card readers in close proximity is so not okay. Based on my personal experience, I’m likely to be ultra-cautious about contactless cards, NFC or any other RFID-based payment method in future.
Having said that, let me hasten to add that the overall consumer experience with contactless and NFC payments will be shaped by the way in which the technology is implemented rather than by the technology per se. In the two years that I've used TfL's contactless Oyster Cards, I never faced a single reliability or security problem with them (except for still not receiving the refund of the credit balance on the card I'd surrendered when leaving the UK over four years ago. But, since that's neither a technology nor an implementation issue, I'll let it pass!).