
I've heard claims that contactless cards and NFC is no less secure than chip and PIN as indicated below.

According to Barclays:

All our new Contactless debit cards include the latest advanced security features required by the payment card industry. Payments are processed through the same secure Visa technology as your Chip and PIN transactions.

If they are just as secure as chip and PIN, what's to stop someone creating a portable card reader that charges the max amount allowed (£15 in the UK) then just walking around with it, perhaps in a packed out train?

Nick Stauner
  • Well, you can purchase an RFID reader for under 40 dollars online http://www.sparkfun.com/products/8628 – crasic Jun 06 '11 at 03:49

2 Answers


As you point out, Contactless Payment cards have a relatively low maximum transaction limit. [US$25 in the US and under £15 in the UK]

While they are known to be breakable [Ref] that puts an upper limit on a single case of fraud.

Where there are multiple, systemic frauds (as described in your example), the pattern is detectable, [Further reading], in which case the bank can reverse all transactions performed by that merchant (and perhaps start criminal proceedings).

Banks are in a position to require high levels of authentication for their merchants, require a merchant to leave a deposit, or delay the outgoing payments to ensure that they can take remedial action.

It is important to remember that payment systems do not need to be perfect to be profitable; they need only be better than the existing alternatives - neither cheques nor cash, for example, are risk-free.

In summary: These systems are known to be insecure, but the banks can use measures to protect against rampant fraud.

Oddthinking
  • Thanks for the explanation, particularly re. being able to reverse a merchant's transactions. That's the kind of thing I was looking for. Thanks for all the extra links too. – George Duckett Jun 03 '11 at 06:49
  • The first sentence may be in need of an update. According to the linked Wikipedia page, there is no limit in the US anymore, and the limit is currently 30 GBP in the UK. The page even suggests that there isn't even a requirement for a PIN or signature beyond a certain threshold. – Schmuddi Jul 14 '18 at 12:24
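The detection step the answer above relies on (a merchant's pattern of many max-value taps from many different cards being visible to the acquiring bank, and all of that merchant's transactions then being reversed), written out as an added example. This is not code from the original post or from any bank; the transaction log, merchant ids, window length and card-count threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The UK contactless limit quoted in the question; everything below it is constructed sample data.
CONTACTLESS_LIMIT_GBP = 15.00

# Constructed authorisation log: (txn_id, merchant_id, card_token, time, amount_gbp).
SAMPLE_TXNS = [
    ("t1", "M-COFFEE", "card-01", datetime(2011, 6, 3, 8, 1), 2.40),
    ("t2", "M-COFFEE", "card-02", datetime(2011, 6, 3, 8, 9), 15.00),
    ("t3", "M-COFFEE", "card-03", datetime(2011, 6, 3, 9, 30), 3.10),
    # a reader carried through a crowded train: many distinct cards, all at the limit, within minutes
    ("t4", "M-ROGUE", "card-10", datetime(2011, 6, 3, 8, 15), 15.00),
    ("t5", "M-ROGUE", "card-11", datetime(2011, 6, 3, 8, 16), 15.00),
    ("t6", "M-ROGUE", "card-12", datetime(2011, 6, 3, 8, 16), 15.00),
    ("t7", "M-ROGUE", "card-13", datetime(2011, 6, 3, 8, 18), 15.00),
    ("t8", "M-ROGUE", "card-14", datetime(2011, 6, 3, 8, 19), 15.00),
    ("t9", "M-ROGUE", "card-15", datetime(2011, 6, 3, 8, 21), 15.00),
]


def flag_merchants(txns, limit=CONTACTLESS_LIMIT_GBP, window=timedelta(minutes=10), min_cards=5):
    """Return the merchant ids whose log shows at least `min_cards` distinct cards
    charged the contactless limit inside any span no longer than `window`.
    Threshold and window are assumed values, not an industry rule."""
    by_merchant = defaultdict(list)
    for _txn_id, merchant, card, when, amount in txns:
        if amount >= limit:  # only max-value taps belong to this pattern
            by_merchant[merchant].append((when, card))
    flagged = set()
    for merchant, taps in by_merchant.items():
        taps.sort()  # chronological; sliding window over the sorted taps
        start = 0
        for end in range(len(taps)):
            while taps[end][0] - taps[start][0] > window:
                start += 1
            cards_in_window = {card for _, card in taps[start:end + 1]}
            if len(cards_in_window) >= min_cards:
                flagged.add(merchant)
                break
    return flagged


def transactions_to_reverse(txns, flagged):
    """Every transaction by a flagged merchant, which is what the answer says the bank reverses."""
    return [txn_id for txn_id, merchant, *_ in txns if merchant in flagged]
```

A real issuer or acquirer would feed this from its authorisation stream and tune the threshold against legitimate high-volume merchants (a station kiosk also sees many cards in a few minutes, but at varied amounts).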

what's to stop someone creating a portable card reader that charges the max amount allowed (£15 in the UK) then just walking around with it, perhaps in a packed out train?

Charging a contactless card is a lot more than just walking around with a card reader. It's not as if you put the card reader close to someone's pocket, £15 is transferred into your own pocket and no one notices it. It's not even like using stolen card data for payments.

Having a card reader is not enough (and there's no need to create it by oneself, card readers can be easily and legally bought or rented).

To charge a card, one has to be a client of a payment service provider (PSP), a company which transfers money from a buyer's bank account to the seller's bank account. The card reader is registered in the PSP's system with a unique ID, and every transaction can be easily traced back to the owner. So even if someone managed to charge a couple of cards while huddling around, they'd be found very quickly.

And some more considerations:

  • it is not so easy to charge a card in a crowd - the maximal distance between a contactless card and the reader should be no greater than ca. 5 centimeters, and
  • the charging won't work at all if there is more than one contactless card in the pocket.
Common Guy
  • What is wrong with this answer? It sounds quite reasonable to me. Why the downvote? – RedSonja Jul 17 '18 at 10:49
  • Please [provide some references](http://meta.skeptics.stackexchange.com/q/5) to support your claims: that you can't make a reader that works more than 5cm away, that you can't read when there is more than one card in your pocket, that it is traceable, etc. – Oddthinking Jul 17 '18 at 11:09
  • You also forget to mention that the range at which the cards can be interacted with by the payment terminal is extremely short, measured in millimeters. Merely having the card in your wallet in your trouser pocket or purse is enough to block it. – jwenting Jul 17 '18 at 14:11
  • @jwenting That is mentioned in the answer already ("ca. 5 centimeters"). However, that limit may not be reliable; see for instance [this study from 2013](http://digital-library.theiet.org/content/journals/10.1049/joe.2013.0087). Since the card is passive, the strength of the signal is to some extent controlled by the attacker. – IMSoP Jul 18 '18 at 13:11