Researchers raise contactless card security fears

The security of contactless payment cards has again been called into question after researchers claimed to be able to pick up NFC data from as far away as 80 centimetres.

Contactless cards are designed to only work when within a few centimetres of a payment terminal but researchers from the University of Surrey say that they have successfully "eavesdropped" on a transaction from far further away using "inconspicuous equipment".

In a paper published by the Institution of Engineering & Technology's Journal of Engineering, the team says that they used portable, inexpensive and easily concealable equipment - including a pocket-sized cylindrical antenna, a backpack, and a shopping trolley - to obtain the payment data.

The equipment enabled them to eavesdrop reliably, with good reception still possible at 45 centimetres when the terminal emits only the minimum magnetic field strength the standard requires.

However, the UK Cards Association has played down the research, arguing that the data obtained by the team - card number and expiry date - would be of little use to fraudsters.
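What a passive eavesdropper on the NFC channel would actually recover is worth seeing concretely. The following Python is an added example written for this page, not the Surrey team's tooling: it parses a constructed EMV record (the byte string is made up for illustration and uses the well-known test number 4111111111111111, not a real card) and pulls out the Track 2 Equivalent Data (tag 57), the PAN (tag 5A) and the expiry date (tag 5F24). The tag numbers and the Track 2 layout (PAN, 'D' separator, expiry as YYMM, three-digit service code, then discretionary data, padded with 'F' to a whole number of bytes) are standard EMV; the discretionary data is left undecoded, and the three-digit code printed on the back of the card is not part of this record at all.

```python
# Added example (not code from the article or the research paper): decode a
# constructed contactless EMV read-record response and report which fields an
# eavesdropper would obtain. The record below is CONSTRUCTED for illustration.

def parse_tlv(data: bytes) -> dict:
    """Minimal BER-TLV parser: returns {tag_hex: value}, flattening constructed
    templates such as 70 (record) or 77 (response message template)."""
    out = {}
    i = 0
    while i < len(data):
        tag_start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:          # multi-byte tag (e.g. 5F24)
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[tag_start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                  # long-form length (0x81 nn, 0x82 nn nn)
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:                   # constructed: recurse into the template
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def decode_track2(value: bytes) -> dict:
    """Split Track 2 Equivalent Data (tag 57) into its named fields."""
    digits = value.hex().upper().rstrip("F")        # drop 'F' nibble padding
    pan, rest = digits.split("D", 1)                # 'D' separates PAN from the rest
    return {
        "pan": pan,
        "expiry_yymm": rest[:4],
        "service_code": rest[4:7],
        "discretionary": rest[7:],                  # left undecoded on purpose
    }


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, as used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def exposed_fields(record: bytes) -> dict:
    """Summarise what a sniffed record reveals: PAN and expiry, nothing more."""
    tlv = parse_tlv(record)
    t2 = decode_track2(tlv["57"])
    return {
        "tags_seen": sorted(tlv),
        "pan": t2["pan"],
        "pan_luhn_valid": luhn_ok(t2["pan"]),
        "expiry_yymm": t2["expiry_yymm"],
        "expiry_yymmdd": tlv["5F24"].hex() if "5F24" in tlv else None,
        "service_code": t2["service_code"],
    }


# CONSTRUCTED sample: a 70 record template holding tag 57 (Track 2 Equivalent
# Data), tag 5A (PAN) and tag 5F24 (expiry YYMMDD). Test PAN, fictional dates.
SNIFFED_RECORD = bytes.fromhex(
    "70 23"
    "57 11 4111111111111111D2512201000000000F"
    "5A 08 4111111111111111"
    "5F24 03 251231"
)

if __name__ == "__main__":
    for k, v in exposed_fields(SNIFFED_RECORD).items():
        print(f"{k:>15}: {v}")
```

Run as-is it prints the PAN, the expiry in both forms and the service code; note that nothing recovered here goes beyond what is embossed on the card, which is the substance of the industry reply quoted below, while the eavesdropping distance is the substance of the researchers' point.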

Contactless cards are now ubiquitous on UK high streets and NFC technology is also making its way to mobile phones. Around one in seven card payments of under £20 are now contactless at retail giant Marks & Spencer while Boots today revealed that it has rolled out terminals at all of its stores. The technology is also now making its way onto London's public transport network.

Yet security concerns persist - in April a survey found that a quarter of Brits find contactless payments scary. Bank First Direct recently felt the need to change its terms to make clear that customers should remove cards from wallets before making payments to avoid charging the wrong account.

Dr Johann Briffa, lead academic supervisor, says: "The results we found have an impact on how much we can rely on physical proximity as a 'security feature' of NFC devices. Designers of applications using NFC need to consider privacy because the intended short range of the channel is no defence against a determined eavesdropper."

A UK Cards Association spokesman replies: "Instances of fraud on contactless cards are extremely rare. Although the sort of contactless card reader built by the University of Surrey might be able to interrogate a card, any data obtained would be limited to the card number and expiry date that can be seen on the front of the card. A fraudster would find it very difficult to make a fraudulent transaction using this information - and it certainly could not be used to make a cloned card."

Comments: (5)

A Finextra member, 31 October, 2013, 12:47

So a signal was picked up within 45 cm, or roughly 18 inches.

That is closer than a shoulder surfer would be.

I think if someone were that close to me and the POS, at checkout, I'd say something.

New technologies lead to new discoveries about them.

That should not lead to conclusions the technologies are flawed, but rather we all need to be responsible in using them.

A Finextra member, 31 October, 2013, 14:12

The far bigger threat to these low payments is the EU proposed interchange fee cap regulation that would limit debit card interchange to exactly 0,2%. A GBP 2 payment would give the card issuer a revenue of 0,4 pence to cover the cost for clearing processing, scheme fees and internal processing. The credit card issuer will receive the higher sum of 0,6 pence to also cover credit risk and grace period cost in addition to the costs for debit transactions. No need to worry about security risks - if this regulation goes live, these services will cease as unprofitable.

A Finextra member, 31 October, 2013, 17:20

You are so, so, so right about the proposed PSD 2 and the potential interchange cap. Which is not only for debit but potentially credit as well.

Card systems cost money to operate. Interchange income to Issuers is vital to keep the eco-system healthy and growing.

For those that follow this, the Durbin Amendment in the US took an estimated USD $22 billion in revenue out of play for US banks. No industry can simply accept that type of loss.

So, what a surprise, the US banks have implemented other banking fees on consumers.

A Finextra member, 01 November, 2013, 09:22

Back to the original subject of NFC vulnerability ...

The relatively long range of NFC interceptability (up to 80 centimeters) should not be taken lightly. While one may ask someone at the checkout counter to keep more distance, that won't work in a bus or subway during rush hours. A suitable trojan on your smartphone could look out for some particular WLAN connection (easily generated via tethering from a thief's smartphone) and then automatically generate payments to the high-tech pickpocket standing next to you in that jam-packed public transport and having some NFC gear in his jacket.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 01 November, 2013, 11:06

This totally resonates with my personal experience where my contactless card details were sniffed from 2-3 feet away.

The Clear And Present Danger With NFC Payments

On the one hand, with contact cards, fraudsters hack into supposedly secure databases, obtain card information, clone cards and steal money. On the other hand, with contactless cards, fraudsters are saved the trouble of the first two steps by being able to sniff card information from a couple of feet away, but UK Card Association would still have us believe that fraudsters can't do anything with that info.