How Safe Are the New Contactless Payment Systems?

Written by Evan Schuman
June 20th, 2005

As the retail industry starts to embrace contactless payment in a big way?led by $41 billion retailer 7-Eleven and Chase, the nation’s largest issuer of credit cards?arguments are renewing about just how safe and fraud-proof these cards will be.

One key argument is how easily the card’s data could be read by a thief, who could then presumably use the information to either steal the customer’s identity or create a bogus duplicate of the card to make fraudulent purchases. The ambitious bandit might even try both.

Security issues are a crucial concern surrounding credit cards, with several recent, highly publicized break-ins making consumers nervous.

The most recent report came on Friday, when MasterCard International reported that a security breach of credit card payment data had exposed about 40 million cards of all brands to potential fraud in what one analyst said was the biggest privacy breach ever.

Contactless advocates have argued that current contactless readers can only “see” the RF chip when it’s two inches away, making unauthorized scanning for customer data quite difficult.

That two-inch argument was touted recently by 7-Eleven CIO Keith Morrow, who pointed to it as a key anti-fraud fact.

That distance varies sharply, though, depending on the equipment used to do the testing.

Shell Canada, for example, performed some of its contactless testing using the high-powered antennae that it believed thieves would use, said Mike Cooper, the $2.4 billion Canadian petroleum giant’s adviser for network development engineering.

The kind of low-frequency tags popular in the United States “we could read at a distance of 10 meters,” which is about 33 feet, Cooper said.

He contrasted those with the high-frequency tags used by Shell Canada, which he said could be read?with that same high-powered antennae?from about 26 inches away.

The high-frequency tags “can be read from a shorter distance, so it’s more difficult to snoop,” Cooper said.

Chase officials disagree with the distance issue, but referred questions to Visa, one of its contactless card partners.

But Chase officials did say that the distance argument is irrelevant for their cards and customers because of several security measures?including 128-bit and triple DES encryption?that would make any improperly captured data useless.

“Even if you could skim it, with every transaction, the [authorization] code changes and that code is needed for an authorization,” said David Chamberlin, first vice president for external communications at Chase Card Services.

Chase’s contactless card rollout has already started in Georgia and Colorado and is expected to be in the hands of about 2 million cardholders by the end of the summer, Chamberlin said.

Although he wouldn’t discuss the total projected contactless installed base numbers for next year, he said that Chase plans on shipping the cards to about “five or six more markets by the end of the first quarter” of next year and that the typical market will include about 1 million cardholders. That would suggest that Chase will have about 8 million cards in circulation by the end of March 2006, out of its current 94 million card members.

When factoring in moves by American Express and other credit card companies who have made similar commitments to contactless, the market for contactless could become substantial earlier than had been predicted.

Chase will issue contactless cards to any current cardholder who requests them, Chamberlin said, but Chase’s rollout preference is to not move into markets until a sufficient number of retailers have been outfitted with the necessary equipment.

It would be pointless and potentially self-destructive to give lots of customers contactless cards if there are no?or very few?retailers where they can be used, he said. It would be akin to issuing ATM cards in an area where there are no ATMs.

Chamberlin points to several security factors, including Chase’s “zero liability policy,” which protects consumers but not necessarily the retailers.

The new contactless cards do have changeable authorization codes, but those are nothing new and not particular to contactless cards, said Patrick Gauthier, senior vice president for emerging products development at Visa.

It’s called the dynamic CVC (card verification value), and it assigns every transaction a unique code that is based on data about that card and data referencing that particular purchase. Gauthier would not say if it also references the time and/or date of the purchase.

He said that the newer cards can use more sophisticated algorithms and crunch more data on their own. “When you have a chip [on the card], you can perform a computation for every single transaction,” he said.

The security concept is similar to the popular one-time password-issuing devices, where the identification code changes every few seconds, making a stolen code useless unless?in theory?it’s used instantly.

A thief that scanned the card would not be able to use it to make payments, but they would be able to capture the credit card number, Gauthier said. “What does that buy you? The card number is a little bit like your street address. It’s not the key to get into your house,” he said, adding that the key would be similar to the cryptographic values attached to the transaction.

Even a Web purchase will require other information about the cardholder as well as the card itself, such as the non-imprinted verification number on the card. That’s why Visa and others are trying to be so strict about retailers not retaining those verification numbers in their databases.

As for the Shell position that, when properly tested, the RF low-frequency cards used by Visa can be read from as far away as 10 meters, Gauthier said such statements need to be evaluated with caution.

“Be careful to not thrust all RF technologies into the same bucket,” he said. “Certain types of chips and tags you can read from a greater distance.”

Visa’s testing included high-powered antennae and much more, Gauthier said. “We have used specialized security labs in Europe to ascertain the vulnerabilities. This was not [tested] with a little thingy that you can hide in your pocket.”

“As far as the physics are concerned, the theoretical limit [for a read] is about 1 meter. But that’s a little bit like saying that the theoretical maximum speed for a vehicle is the speed of light. It doesn’t mean that anyone has figured out how to do it.”

But Shell’s research wasn’t theoretical. Shell said this was what they discovered during lab testing. Visa’s Elvira Swanson commented that there is not enough known about what Shell’s testing intercepted. She asked whether it was just communication noise between the card and the reader that was intercepted or was it something more useful? Did it grab credit card data? she asked.

Visa is also deploying other security techniques, many of which are not new, such as neural networks that look for fraudulent purchase patterns.

Contactless cards have also been touted as offering better security in the sense that they are much more difficult to clone than a traditional magstripe card.

But initially all contactless credit cards will still also be magstripe, which means they can still be cloned just as easily, albeit with inoperable contactless capabilities.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.