The Never-Ending Dance Of Contactless Security
Written by Evan Schuman
For quite a few years now, the contactless payment world has been caught in an endless loop of defend-and-repel games over contactless security. The game starts with bank assurances that the data being transmitted wirelessly couldn’t possibly be enough for a thief to perform a transaction. Next comes a public demo of a security researcher wirelessly grabbing data and completing a transaction. This is followed by industry refutations that the system demoed was either out-of-date or that some part of the test was unrealistic.
Interestingly enough, there’s truth on both sides. But the dance of demo-and-explanation seems to never slow. The latest entry surfaced in Forbes, and it’s an impressive demo. Then again, so was this one and this one and definitely this one.
As executive director of the Smart Card Alliance, Randy Vanderhoof is often called upon to defend contactless payment security. He has two key points about these types of demos showing various contactless security holes. First, he questions the way the demo was set up. In the Forbes example, his concern is that the person doing the demo set himself up as the retailer—using Square—and then used unrealistically low security verification options. (More on that in a moment.)
His second concern is his big-picture argument: If these cards truly have these types of security holes, why haven’t card brands and chains seen tons of contactless fraud attempts? It’s a very legitimate question to ask.
One possible counter is whether such fraud would be necessarily recognized as contactless fraud. Given that these cards are also used routinely as old-fashioned magstripe cards, isn’t it possible that the associated frauds might not be recognized as being contactless-related?
Vanderhoof correctly pointed out that fraud-tracking should be able to make those distinctions. And therein lies the problem. It’s a should. Those systems should be able to identify whether the fraud is contactless in origin, but only if someone is looking for it. Without getting paranoid and cynical and suggesting that brands have a strong incentive to close an eye and go out of their way to not find such a trend, it’s certainly fair to say that no one with Visa or MasterCard has much of an incentive to find that trend, either.
(Note: Vanderhoof raised a question about the credibility of a vendor—who is trying to hawk wallet protectors—finding that contactless signals are security risks. It’s true that almost everyone involved in these discussions has a strong financial incentive to say what they’re saying, so conflict of interest is rampant. That said, Vanderhoof’s point here is quite legitimate. This conflict seems a little more blatant than most.)
The “should” issue also plays a role in the unrealistically low security settings chosen by the demo-er. Said Vanderhoof: “He created a merchant account for himself and he set the rules for how to handle transactions. And he chose to not verify CVV. In the real world, merchants don’t do that.”
Weak security settings should never be used by major retail chains. But that doesn’t mean that they’re not, as L.L. Bean reminded us all last year.
The moves from Visa and MasterCard to bring EMV to the U.S. this year will likely breathe even more life into contactless. As the usage increases, those frauds will either start to materialize or they won’t. But one thing is certain: The dance of claims and counter-claims will be with us for years.