The Never-Ending Dance Of Contactless Security
Written by Evan Schuman

For quite a few years now, the contactless payment world has been caught in an endless loop of claim and rebuttal over security. The game starts with bank assurances that the data transmitted wirelessly couldn't possibly be enough for a thief to complete a transaction. Next comes a public demo in which a security researcher wirelessly grabs the data and completes a transaction. That is followed by industry refutations that the system demoed was out-of-date or that some part of the test was unrealistic.
Interestingly enough, there's truth on both sides. But the dance of demo-and-explanation never seems to slow. The latest entry surfaced in Forbes, and it's an impressive demo. Then again, so were several earlier ones.
As executive director of the Smart Card Alliance, Randy Vanderhoof is often called upon to defend contactless payment security. He has two key points about demos of this kind. First, he questions the way the demo was set up. In the Forbes example, his concern is that the person doing the demo set himself up as the retailer, using Square, and then chose unrealistically weak verification settings. (More on that in a moment.)
His second concern is his big-picture argument: If these cards truly have these types of security holes, why haven’t card brands and chains seen tons of contactless fraud attempts? It’s a very legitimate question to ask.
One possible counter is whether such fraud would necessarily be recognized as contactless fraud. These cards also carry a magstripe and are routinely swiped, so if data harvested over the air were replayed in a swipe-style transaction, the resulting fraud would look to the issuer like ordinary magstripe fraud. Isn't it possible that the associated frauds simply aren't being recognized as contactless-related?
Vanderhoof correctly pointed out that fraud-tracking should be able to make those distinctions. And therein lies the problem. It’s a should. Those systems should be able to identify whether the fraud is contactless in origin, but only if someone is looking for it. Without getting paranoid and cynical and suggesting that brands have a strong incentive to close an eye and go out of their way to not find such a trend, it’s certainly fair to say that no one with Visa or MasterCard has much of an incentive to find that trend, either.
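To make the "should" concrete, here is an added example (not from the article or from any card brand's systems) of the two views an issuer could take of the same authorization records. Every record is constructed; the channel codes follow the two-digit POS entry mode values commonly used in ISO 8583 field 22 (07 contactless chip, 91 contactless in magstripe mode, 90/02 swipe, 05 contact chip), which is an assumption you should check against your own network's specification. The per-channel view is what a fraud dashboard shows by default; the per-card view asks whether the disputed swipes belong to cards that were only ever tapped.

```python
"""Attribute disputed transactions to the channel they arrived on.

Added example with constructed data; not taken from the article.
"""
from collections import Counter, defaultdict

# Two-digit read-method prefix of ISO 8583 DE22 (POS entry mode).
# Assumed mapping: confirm against your acquirer/network spec.
ENTRY_MODE = {
    "01": "manual",
    "02": "swipe",              # magstripe, partial track
    "05": "chip",               # contact EMV
    "07": "contactless-emv",    # contactless EMV mode
    "90": "swipe",              # magstripe, full track read
    "91": "contactless-msd",    # contactless card in magstripe mode
}

# Constructed sample: tokenized PANs, ISO timestamps, DE22 value, dispute flag.
SAMPLE = [
    {"pan": "tok-A", "ts": "2012-01-02T10:00", "pos_entry_mode": "071", "disputed": False},
    {"pan": "tok-A", "ts": "2012-01-03T12:00", "pos_entry_mode": "071", "disputed": False},
    {"pan": "tok-A", "ts": "2012-01-09T09:30", "pos_entry_mode": "901", "disputed": True},
    {"pan": "tok-B", "ts": "2012-01-04T08:00", "pos_entry_mode": "901", "disputed": False},
    {"pan": "tok-B", "ts": "2012-01-10T19:00", "pos_entry_mode": "901", "disputed": True},
    {"pan": "tok-C", "ts": "2012-01-05T11:00", "pos_entry_mode": "051", "disputed": False},
    {"pan": "tok-C", "ts": "2012-01-06T11:00", "pos_entry_mode": "911", "disputed": False},
    {"pan": "tok-D", "ts": "2012-01-07T15:00", "pos_entry_mode": "911", "disputed": False},
    {"pan": "tok-D", "ts": "2012-01-12T22:00", "pos_entry_mode": "021", "disputed": True},
]


def channel(pos_entry_mode):
    """Map a DE22 value to a human-readable read channel."""
    return ENTRY_MODE.get(pos_entry_mode[:2], "unknown")


def fraud_rate_by_channel(records):
    """The default dashboard view: (disputed, total) per channel of the
    fraudulent transaction itself. Contactless shows zero fraud here even
    when the card data was harvested contactlessly."""
    total, disputed = Counter(), Counter()
    for r in records:
        ch = channel(r["pos_entry_mode"])
        total[ch] += 1
        if r["disputed"]:
            disputed[ch] += 1
    return {ch: (disputed[ch], total[ch]) for ch in total}


def swipe_after_contactless(records):
    """The view you only get if someone looks: cards whose every genuine
    use was contactless but that then suffered a disputed swipe. That is
    the pattern a contactless harvest replayed on a cloned magstripe would
    leave, so these disputes should be counted against contactless."""
    by_pan = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_pan[r["pan"]].append(r)
    flagged = []
    for pan, txs in by_pan.items():
        genuine = [channel(t["pos_entry_mode"]) for t in txs if not t["disputed"]]
        bad = [channel(t["pos_entry_mode"]) for t in txs if t["disputed"]]
        if genuine and all(c.startswith("contactless") for c in genuine) and "swipe" in bad:
            flagged.append(pan)
    return flagged


if __name__ == "__main__":
    print(fraud_rate_by_channel(SAMPLE))
    print("disputed swipes on tap-only cards:", swipe_after_contactless(SAMPLE))
```

On the constructed data the per-channel view reports all three disputes as swipe fraud and none as contactless, while the per-card view attributes two of the three to cards that had never been swiped legitimately. Whether real issuers run the second query is exactly the "should" the article is worried about.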
(Note: Vanderhoof raised a question about the credibility of a vendor—who is trying to hawk wallet protectors—finding that contactless signals are security risks. It’s true that almost everyone involved in these discussions has a strong financial incentive to say what they’re saying, so conflict of interest is rampant. That said, Vanderhoof’s point here is quite legitimate. This conflict seems a little more blatant than most.)
The same "should" applies to the unrealistically weak security settings the demonstrator used. Said Vanderhoof: “He created a merchant account for himself and he set the rules for how to handle transactions. And he chose to not verify CVV. In the real world, merchants don’t do that.”
Weak security settings should never be used by major retail chains. But that doesn’t mean that they’re not, as L.L. Bean reminded us all last year.
Contactless payments have been slow to take off in the U.S.—and for some very good reasons—although there are small signs it might be turning around.
The moves from Visa and MasterCard to bring EMV to the U.S. this year will likely breathe even more life into contactless. As the usage increases, those frauds will either start to materialize or they won’t. But one thing is certain: The dance of claims and counter-claims will be with us for years.
February 3rd, 2012 at 12:51 pm
Contactless should require multi-factor authentication for financial transactions. However, multi-factor authentication will nullify the main benefit of contactless transactions which is speed. Is there really an improvement between a mag swipe and contactless tap if multi-factor authentication is required?
February 13th, 2012 at 6:31 am
Nothing is 100% secure. Merchants have all been hit by dodgy checks, stolen credit cards, counterfeit bills etc. If as a merchant you wish to forego the basic security checks of any transaction, that is your own look out. Contactless card transactions are verified online; if there is fraud the bank will take the liability. This does not happen with checks, bills. Oh and contactless is faster than any other form of payment and you do not have to check the takings at the end of the day: so faster service and a bit more secure.
February 16th, 2012 at 3:22 pm
To contactless. Not completely true that the bank will take the hit for a fraudulent contactless transaction. When paying at the fuel pump with contactless, you will have a defined pre-auth limit which is set by the issuer and obtain an online auth number. Even with the issuer providing real time auth, should the customer dispute the transaction, the liability and burden of proof still lies with the retailer in most circumstances. To the issuer they claim this is a “card not present” transaction if completed out of sight of the store attendant. Add that to the fact that a gas station forecourt allows the hiding of the necessary fraudulent transaction supporting equipment inside a vehicle, it creates the anonymous environment that fraudsters prefer to operate under.