Are Contactless Payments Really Secure?

berberine writes to tell us Ars Technica has a closer look at whether the RFID technology behind many of the up and coming "contactless payment systems" is robust enough to prevent account fraud and the theft of personal information. "Concerns over the security of contactless systems were heightened last week by a Federal Reserve decision that will allow for even more casual, low-cost purchases to be made across the country. In recent years, credit card companies have waived their signature requirements for so-called "small ticket" items in order to get a slice of the action. Visa, for instance, doesn't require your signature for purchases at or below $25."

Re:yeah yeah

[UbuntuDupe]

Okay, whatever manipulation of the monetary system the Federal Reserve does, individual member banks aren't actually allowed to print money at will. They banks still have to pay interest on the borrowed money. I hope you were joking about that.

Anyway ... do contact-full transactions really add any security? I always hear "omg if someone steals ur card their sig will b diff so they know its not urs lol!" But really -- it doesn't prevent the transaction itself, since the cashier ignores the signature entirely. And it requires that I use an actual, unique signature (instead of just scribbling) when I really want to authroize the purchase -- which the CC company doesn't actually require you to do. So I can just scribble for all my signatures and if I want to dispute the charges at the Dog and Duck Pub, they don't have any real proof because my signature there is the same as elsewhere.

No, but they're secure enough

[tbo]

It's obvious that contactless payments are vulnerable to at least one type of attack--a real-time relay. This usually would require two "attackers" working in tandem. The first carries a modified "contactless reader" in his pocket, and stands near somebody who is carrying a contactless card (perhaps on a bus or another crowded place where it won't be too obvious. The second attacker carries a device that can act as a contactless card "repeater", with a real-time data link to the first attacker's "reader". The second attacker walks up to the reader in a store, and waves his repeater at it (perhaps hidden in his wallet, in the same hand as a dummy card so as not to arouse suspicion). The store's reader sends a signal, which is picked up by the second attacker's repeater, transmitted to the first attacker's modified reader, then broadcast to the victim's card. It responds appropriately, and its response is relayed back to the reader in the store. It's not necessary to break any encryption to do this, and there's no real way to prevent such attacks except perhaps very tight timing tolerances.

I thought about all this when the bank sent me a contactless VISA, and I initially considered refusing the card. Then I realized that the bank will take the hit on any losses, and has presumably done the math to determine that the increase in risk of fraud is acceptable, at least for small purchases. In other words, it's secure enough.

Main problem with RFID

[vlad_petric]

The existing, time-"proven" cryptographic methods are too expensive, from a power standpoint, to implement on cheap RFID systems. (between secure and cheap, cheap seems to always win). So manufacturers use proprietary hacks to allegedly achieve the same type of operations (e.g., authentication via challenge/response). However, these hacks are nothing more than security via obscurity.

Re:yeah yeah

[ushering05401]

As of 1 1/2 years ago this is how fraudulent charges were handled.

If there is a disputed charge of any amount the credit agency sends a notice to the seller. The seller MUST provide signature evidence related to the transaction within a period of several days or the charge is automatically reversed (charge-back).

If the signatory proof is produced, but the signature does not match the one on file then depending on the amount one of two things will happen: the credit lender will request video footage and or supporting documents related to the sale, or the credit lender will eat the charge and the seller does not get charged-back.

In the event of a suspicious pattern of claims of fraudulent activity the credit lender reserves the right to investigate the card holder to the extent that they may request video or other documentary evidence related to purchases made by the card holder at any location that accepts the credit card as tender. It is up to the legal department of the seller whether to comply, but my experience is that they always do. All major retailers with which I am familiar have procedures set up for handling charge-back notifications in-store, without legal department approval providing the request for documents falls withing a predefined range of appropriate disclosure (usually does not include video which is a separate approval process).

Always sign your slips with a distinct signature, never try to screw with your card provider. These guys are serious and have entire departments dedicated to identifying patterns of fraud... you are not excluded even if your fraud pattern is only going to include small amounts.

Regards.

I should also mention...

[ushering05401]

Bad form to reply to my own post, but it occurs to me that this topic might get some people thnking about how to game the system.

For any youngsters out there getting ideas... card companies also work closely with major retailers to identify a reverse type of fraud.

One case I saw related to a woman who generated false receipts for small dollar amounts (box store multimedia retailer) and returned product that had been stolen for the purpose of reducing her credit card bills with the refunded amounts.

She was allowed to continue this activity for over a year after we were notified so that she would exceed a particular dollar amount at which time she was prosecuted and convicted at a higher level than would have been possible if she had been busted immediately.

Once again... these guys are serious. Always have refunded amounts put on the card with which you made the purchase or accept store credit instead (though one or two instances won't matter much any sort of pattern over time will). It really isn't worth getting a flag put on your account. You may never know of an investigation that takes place, but you may have a higher risk level associated with your account that can change balance increases or future offers.

Bad Assumptions

[mpapet]

Then I realized that the bank will take the hit on any losses

No. You and I absorb the costs of fraud because the retailer pays a penalty and loses the income from the fraudulent activity. The retailer raises the price of her goods and services to cover these costs.

You and I also pay the costs for rewards card programs and contactless cards. Nowhere in the process does the bank assume any liability.