The Never-Ending Dance Of Contactless Security

Written by Evan Schuman
February 2nd, 2012

For quite a few years now, the contactless payment world has been locked in an endless loop of demonstration and rebuttal over contactless security. The cycle starts with bank assurances that the data transmitted wirelessly couldn't possibly be enough for a thief to complete a transaction. Next comes a public demo in which a security researcher wirelessly grabs that data and completes a transaction. That is followed by industry refutations that the system demoed was either out of date or that some part of the test was unrealistic.

Interestingly enough, there's truth on both sides. But the dance of demo-and-explanation never seems to slow. The latest entry surfaced in Forbes, and it's an impressive demo. Then again, so were the earlier demos it follows.

As executive director of the Smart Card Alliance, Randy Vanderhoof is often called upon to defend contactless payment security. He makes two key points about demos of this kind. First, he questions the way the demo was set up. In the Forbes example, his concern is that the person doing the demo set himself up as the retailer, using Square, and then chose unrealistically weak verification options. (More on that in a moment.)

His second concern is his big-picture argument: If these cards truly have these types of security holes, why haven't the card brands and the chains seen a wave of contactless fraud attempts? It's a very legitimate question.

One possible counter is whether such fraud would necessarily be recognized as contactless fraud. Given that these cards are also routinely used as old-fashioned magstripe cards, isn't it possible that the associated fraud would not be recognized as contactless-related?

Vanderhoof correctly pointed out that fraud-tracking should be able to make those distinctions. And therein lies the problem. It's a should. Those systems should be able to identify whether a fraud is contactless in origin, but only if someone is looking for it. Without getting paranoid and cynical and suggesting that the card brands have a strong incentive to look the other way, it's fair to say that no one at Visa or MasterCard has much incentive to go looking for that trend, either.
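To make the "should" concrete, here is an added example (not the article's, and not any card network's actual reporting code) of what "looking for it" means in practice. It parses a small authorization log and counts disputed transactions two ways: by a coarse card-present/card-not-present split, and by the terminal entry mode actually recorded on each authorization. The log lines are constructed, and the entry-mode codes are assumed to follow the common ISO 8583 field 22 convention (02/90 magstripe swipe, 05 contact chip, 07 contactless chip, 91 contactless magstripe, 01 keyed); the coarse bucketing is likewise an assumption of the example.

```python
"""Added example: fraud reporting keyed on POS entry mode.

Not from the article or any card network's systems. The log is constructed
and the field-22 codes are an assumption based on common ISO 8583 usage.
"""
from collections import Counter

# Assumed ISO 8583 field-22 entry-mode prefixes -> human-readable channel.
ENTRY_MODE = {
    "01": "keyed",
    "02": "magstripe",
    "05": "contact-chip",
    "07": "contactless",
    "90": "magstripe",
    "91": "contactless",
}

# Illustrative coarse bucketing: the view a report produces when nobody asks
# about entry mode. Contactless vanishes inside "card-present".
COARSE = {
    "keyed": "card-not-present",
    "magstripe": "card-present",
    "contact-chip": "card-present",
    "contactless": "card-present",
}

# Constructed sample authorization log (not real data). de22 = POS entry mode,
# disputed=1 marks a transaction later charged back as fraud.
SAMPLE_LOG = """\
mti=0100 pan=****4242 de22=071 amount=1299 merchant=coffee-1 disputed=1
mti=0100 pan=****4242 de22=901 amount=4500 merchant=fuel-7 disputed=0
mti=0100 pan=****1111 de22=911 amount=2200 merchant=kiosk-3 disputed=1
mti=0100 pan=****2222 de22=901 amount=9999 merchant=fuel-7 disputed=1
mti=0100 pan=****3333 de22=051 amount=1500 merchant=grocer-2 disputed=0
mti=0100 pan=****4444 de22=012 amount=50000 merchant=web-9 disputed=1
mti=0100 pan=****5555 de22=071 amount=800 merchant=coffee-1 disputed=1
"""


def parse_log(text):
    """Turn key=value lines into dicts; skip malformed lines rather than crash."""
    records = []
    for line in text.splitlines():
        fields = {}
        for token in line.split():
            if "=" not in token:
                break
            key, value = token.split("=", 1)
            fields[key] = value
        if {"de22", "disputed"} <= fields.keys():
            records.append(fields)
    return records


def channel(rec):
    """First two digits of field 22 give the entry mode; the third is PIN capability."""
    return ENTRY_MODE.get(rec["de22"][:2], "unknown")


def disputed_by_coarse_bucket(records):
    """The report nobody drills into: contactless is folded into card-present."""
    counts = Counter()
    for rec in records:
        if rec["disputed"] == "1":
            counts[COARSE.get(channel(rec), "unknown")] += 1
    return dict(counts)


def disputed_by_entry_mode(records):
    """The report that can answer 'how was this fraudulent transaction entered?'."""
    counts = Counter()
    for rec in records:
        if rec["disputed"] == "1":
            counts[channel(rec)] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("coarse:       ", disputed_by_coarse_bucket(recs))
    print("by entry mode:", disputed_by_entry_mode(recs))
```

On the constructed log, the coarse view reports four card-present disputes and one card-not-present; the entry-mode view reports three contactless, one magstripe and one keyed. The same data supports either report; only the second one can surface a contactless trend. One caveat the article's own argument raises: the entry mode of the fraudulent transaction says how the thief cashed out, not where the data was stolen. Data read wirelessly and written onto a plain magstripe clone would show up as a swipe, so even the finer report is a floor, not a ceiling, on contactless-related fraud.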

(Note: Vanderhoof also questioned the credibility of a vendor that sells wallet protectors finding that contactless signals are a security risk. It's true that almost everyone involved in these discussions has a strong financial incentive to say what they're saying, so conflicts of interest are rampant. That said, Vanderhoof's point is legitimate: this conflict is a little more blatant than most.)

The should problem also bears on the demo's unrealistically weak security settings. Said Vanderhoof: "He created a merchant account for himself and he set the rules for how to handle transactions. And he chose to not verify CVV. In the real world, merchants don't do that."

Weak security settings should never be used by major retail chains. But that doesn't mean they aren't, as L.L. Bean reminded us all last year.

Contactless payments have been slow to take off in the U.S., and for some very good reasons, although there are small signs that this may be turning around.

The moves by Visa and MasterCard to bring EMV to the U.S. this year will likely breathe more life into contactless. As usage increases, those frauds will either start to materialize or they won't. But one thing is certain: The dance of claims and counter-claims will be with us for years.


3 Comments

  1. ed Says:

    Contactless should require multi-factor authentication for financial transactions. However, multi-factor authentication will nullify the main benefit of contactless transactions which is speed. Is there really an improvement between a mag swipe and contactless tap if multi-factor authentication is required?

  2. contaftless okay Says:

    Nothing is 100% secure. Merchants have all been hit by dodgy checks, stolen credit cards, counterfeit bills etc. If as a merchant you wish to forego the basic security checks of any transaction, that is your own lookout. Contactless card transactions are verified online; if there is fraud the bank will take the liability. This does not happen with checks, bills. Oh, and contactless is faster than any other form of payment and you do not have to check the takings at the end of the day: so faster service and a bit more secure.

  3. MC Says:

    To contaftless. Not completely true that the bank will take the hit for a fraudulent contactless transaction. When paying at the fuel pump with contactless, you will have a defined pre-auth limit which is set by the issuer and obtain an online auth number. Even with the issuer providing real-time auth, should the customer dispute the transaction, the liability and burden of proof still lies with the retailer in most circumstances. To the issuer they claim this is a "card not present" transaction if completed out of sight of the store attendant. Add to that the fact that a gas station forecourt allows the hiding of the necessary fraudulent-transaction-supporting equipment inside a vehicle, and it creates the anonymous environment that fraudsters prefer to operate under.

