Thursday 11 October 2007

Contactless Cards: Convenience before Security?

I was on national Radio Monday lunch time, taking part in a debate on cashless societies; specifically I was giving my (the security) perspective on the new Contactless Debit/Credit Cards, which will be rolled out within the UK early next year. My points were as follows:

Since the introduction of Chip & Pin in the UK a couple of years ago, there has been a significant reduction in credit card fraud at the high street till (cash register). Even the latest figures for the last six months show credit card fraud at the cash register is down by 11%, despite an overall rise in UK card fraud of 26%, which underlines the growing problem with card fraud. The trends show the bad guys are increasingly stealing UK card details either to use online, or to use in countries where PIN numbers are not required to process transactions, i.e. using the magnetic strip on the back of the card instead of the chip, which I’ll get on to later in this rather lengthy post.

The reason why Chip and Pin is successful is that in principle it uses a two-factor authentication system: one factor is the card, which is something you have, and the second factor is the PIN number, which is something you know, and you need both to authorise the transaction. However, to use the new contactless cards all you need to do is “wave” the card about 5 centimetres from the contactless (RF) card reader and you’re done, which is a single-factor system, as all you need is the card in your possession, so if a bad guy gets hold of your wallet... It's also worth stating that the contactless RF functionality will go onto existing bank and credit cards, rather than a special blank “cash only” card. Visa said it will ask for the PIN number after every £50 spent or so, and the card can only be used for transactions under £10, which may rise in the future. In my opinion this is putting Convenience ahead of Security. During the debate I cited the following example: I “punished” my kids by taking them through a fast food drive thru over the weekend. At the pay window a chip and pin reader was handed to me (cabled, not wireless), and within 12 seconds (yes, I timed it) I had pushed in my card, entered my pin, been approved, removed my card, and handed back the chip and pin terminal, this for a transaction of less than £4. So retailers do have the technology to provide quick two-factor authentication for small transactions with the regular system. I do understand the convenience of speed with the so-called “wave and pay” system, but my argument as a consumer is that I should at least be given the choice to always use my pin with every RF transaction, especially if RF becomes mandatory on future cards.
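To make the exposure concrete, here is an added example (not from the original post, and not Visa's specification) that models the limits quoted above as a card-side counter and totals what someone holding the card without the PIN could get approved. The hard £50 cap, the `always_pin` opt-in and all names are assumptions of the sketch.

```python
from dataclasses import dataclass
from typing import Optional

# Limits quoted in the post, in pence. Treating "£50 or so" as a hard
# cumulative cap is an assumption of this sketch.
PER_TXN_LIMIT = 1000      # contactless only for transactions under £10
CUMULATIVE_LIMIT = 5000   # PIN requested after about £50 of PIN-less spend


@dataclass
class ContactlessCard:
    """Hypothetical card-side counter; not Visa's specification."""
    pin: str = "0000"            # constructed sample value
    always_pin: bool = False     # the opt-in the post asks for (assumed option)
    spent_since_pin: int = 0     # PIN-less pence approved since last PIN check

    def pay(self, amount: int, pin: Optional[str] = None) -> str:
        if pin is not None:
            # Two factors: the card (have) plus the PIN (know).
            if pin != self.pin:
                return "DECLINED"
            self.spent_since_pin = 0
            return "APPROVED_WITH_PIN"
        # Wave-and-pay: possession of the card is the only factor.
        if self.always_pin or amount >= PER_TXN_LIMIT:
            return "PIN_REQUIRED"
        if self.spent_since_pin + amount > CUMULATIVE_LIMIT:
            return "PIN_REQUIRED"
        self.spent_since_pin += amount
        return "APPROVED_NO_PIN"


def exposure_without_pin(card: ContactlessCard, purchases: list) -> int:
    """Pence that someone holding the card, but not the PIN, gets approved."""
    return sum(a for a in purchases if card.pay(a) == "APPROVED_NO_PIN")


if __name__ == "__main__":
    attempts = [999] * 10        # constructed: ten purchases of £9.99
    print(exposure_without_pin(ContactlessCard(), attempts))
    print(exposure_without_pin(ContactlessCard(always_pin=True), attempts))
```

Under these assumptions the per-card loss is bounded by the cumulative cap, and the always-PIN option reduces it to zero at the cost of the few seconds a PIN entry takes.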

I brought up the topic of RF skimming, in that for around £100 to £150 I could build my own RF reading device which could activate the passive RF chip within a contactless card and read it when in range. I know it’s encrypted and so not much sense can be made of what can be read, which Visa provided assurances over during the debate; however, the UK passport agency said the same thing about their RF system within UK passports, only for a security professional to break the encryption system, accessing details from a passport without even opening the envelope it was in. Here lies another of my concerns: it's fairly common knowledge that a lot of credit card fraud and card theft starts within the postal system in the UK, and the fact is I could use my custom RF reader as a contactless card detector, a kind of credit card metal detector if you like, which would tell me which envelopes had cards in. I only hope they wrap the cards in tin foil or something similar, to insulate the RF when issuing them by post.

Following on from the RF encryption, which by all accounts is better than the UK passport, I followed up by asking when credit card issuers will get rid of the magnetic strip on the back of cards, as most of the information on the magnetic strip isn’t encrypted and allows easy card cloning and skimming by the bad guys. There was no real answer on that, apart from it being needed for international purposes. Again, I would prefer the option of not having a magnetic strip on the back of the card, since nearly all of my transactions with cards are made with a chip reader.

If only I could customise my own credit/debit card, which I’d be happy to pay a premium for. For a start I would have my picture “etched” onto the card (three-factor authentication possibilities!) and no magnetic strip. But the trouble is always the same with good security: it comes down to a decision of Risk vs Cost, which is ultimately made by the credit card folks, who take the biggest hit on paying for credit card fraud; however, they pass that on to us within card interest rates. Just to make that clear, if you are a victim of fraud through the contactless card system, you will get your money back according to the guy from Visa Europe. However, there is always a hassle factor and stress factor to consider for the card consumer, so perhaps as consumers we really should expect better security.

Other interesting points were raised. There are retailers who won’t accept card payments under £10 or will add a surcharge, so I doubt contactless cards are going to take off with them, as that was kind of the selling point: that you could walk into your local newsagent and use a contactless card instead of money. However, most newsagents don’t currently take cards due to the transactional costs imposed by card issuers. And what if I had, let's say, a MasterCard contactless card and a Visa contactless card in my wallet and I wave my wallet at the RF reader: will it work, and how do I know which card I paid with?

Another topic that was discussed was payments by mobile phone. Again it came down to whether it was a two-factor authentication system, i.e. if the user had to enter a password or pin, I had no problem; however, if it meant you only needed a phone, then it turns the phone into an instant cash item, which could be really worrying for the younger sections of society, which is where most mobile phone theft (muggings) occurs. I have blogged and even podcasted about poor mobile phone security in the past, which could be another attack vector to consider with such payment systems.

Make no mistake, I’m a fan of a cashless society, although I think it is still many years away. I like new technology, and I do know nothing can ever be 100% secure; I just don’t want to see basic security corners cut and backward steps taken, as I think society in general has a long way to go in getting to grips with Information Security.

6 comments:

Andy Steingruebl said...

Dave,

Who bears the fraud risk in these transactions? It's Visa, but are the rules the same in the UK as in the US? Here, I'm only liable for the first $50 of fraud, and even there most banks waive that.

If Visa, the bank, and/or the merchant are the ones taking the financial fraud risk, then it's really their decision as to what type of authentication to apply, as long as the burden of proof is on the merchant rather than on the consumer.

Am I missing something in this analysis?

SecurityExpert said...

During the debate, there was a guy from Visa Europe, a guy representing merchants/retailers and me representing the consumer. The retailer rep and I were concerned about who would foot the cost of fraud via the contactless cards, i.e. up to £50. The Visa guy, in response to these concerns, clearly said that with Visa cards, Visa would be fully meeting any fraud costs. Whether that sticks in the long term (i.e. a bit of spin), I'm not 100% sure, as we didn't get time to explore it further; as contactless cards are currently in trial in the UK, this policy could be changed, let's hope not.

If the card company is going to meet the fraud cost, that's great; at the very least it should push them to increase the security should it turn into a fraud nightmare. The impression I got was that they were going to start with a max. spend of £10 per contactless transaction but would be increasing that amount.

Personally I don't really carry a lot of cash around; I either withdraw it as I need it or use the Chip & PIN terminals to make purchases at most places, even my local pub accepts Chip & PIN! So you'd be lucky to find more than £30 in my wallet. I'd rather not turn my debit and credit cards into cash values for thieves; even though I'd get my money back if they were stolen and used, it's still a major hassle and worry to deal with. But what I'm saying is Chip & PIN already works for small transactions, so is it really worth going backwards to a single-factor system for the sake of saving a few seconds at the checkout? Give me wave and pin pls!

Andy Steingruebl said...

I guess the question of whether it's worth it could be judged empirically based on transaction rates, etc....

Anonymous said...

It is a shame the credit card companies don't provide the Identity Stronghold Secure Sleeve(tm) with cards. It is a shielded card sleeve that blocks the RFID chip in the contactless card. In the million quantities Visa and Mastercard ship this would likely be around 10 cents a piece. You can buy them yourself online though for your own protection. In the US at www.idstronghold.com and in the UK at www.smartcardfocus.com under card holders.

They even have holders for the new biometric ePassport.

RFID Protect said...

ID Stronghold is an excellent American company, and one that we'd have absolutely no hesitation in recommending to others. You may also be interested to learn that here in the UK, RFID Protect is a British-based company that provides similar shielded wallets, passport sleeves and door-entry pass protection. RFID Protect is also unique in that it has partnership arrangements in place with UK law enforcement representatives; evidenced by its work with Bedfordshire Police Partnership Trust. To learn more visit: http://www.rfidprotect.co.uk

dissertation said...

Amazing post! Thanks.