IT Security Expert

Thursday, 11 October 2007

Contactless Cards: Convenience before Security?

I was on national radio on Monday lunchtime, taking part in a debate on cashless societies; specifically I was giving my (the security) perspective on the new contactless debit/credit cards, which will be rolled out within the UK early next year. My points were as follows:

Since the introduction of Chip & PIN in the UK a couple of years ago, there has been a significant reduction in credit card fraud at the high street till (cash register); even the latest figures for the last six months show credit card fraud at the cash register is down by 11%, despite an overall rise in UK card fraud of 26%, which underlines the growing problem with card fraud. The trends show the bad guys are increasingly stealing UK card details to either use online, or to use them in countries where PIN numbers are not required to process transactions, i.e. using the magnetic strip on the back of the card instead of the chip, which I'll get on to later in this rather lengthy post.

The reason why Chip and PIN is successful is that in principle it uses a two-factor authentication system: one factor is the card, which is something you have, and the second factor is the PIN number, which is something you know, and you need both to authorise the transaction. However, to use the new contactless cards all you need to do is "wave" the card about 5 centimetres from the contactless (RF) card reader and you're done, which is a single-factor system, as all you need is the card in your possession, so if a bad guy gets hold of your wallet... It's also worth stating that the contactless RF functionality will go onto existing bank and credit cards, rather than a special blank "cash only" card. Visa said it will ask for the PIN number after every £50 spent or so, and the contactless function can only be used for transactions under £10, which may rise in the future. In my opinion this is putting convenience ahead of security. During the debate I cited the following example: I "punished" my kids by taking them through a fast food drive-thru over the weekend, and at the pay window a Chip and PIN reader was handed to me (cabled, not wireless); within 12 seconds (yes, I timed it) I had pushed in my card, entered my PIN, been approved, removed my card, and handed back the Chip and PIN terminal, this for a transaction of less than £4, so retailers do have the technology to provide quick two-factor authentication for small transactions with the regular system. I do understand the convenience of speed with the so-called "wave and pay" system, but my argument as a consumer is that I should at least be given the choice to always use my PIN with every RF transaction, especially if RF becomes mandatory on future cards.
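To make the risk argument above concrete, here is an added example (not code from the post, nor Visa's actual authorisation rules) that models the quoted limits as an issuer-side policy: contactless only for transactions under £10, a PIN demanded once roughly £50 has been spent since the last PIN entry, plus the hypothetical "always require my PIN" cardholder preference the post asks for. It also quantifies how much a lost card can spend without any PIN under each setting.

```python
from dataclasses import dataclass
from typing import Tuple

# Limits quoted in the post, held in pence to avoid floating-point money.
CONTACTLESS_MAX_PENCE = 1000      # contactless only for amounts under £10
PIN_RESET_THRESHOLD_PENCE = 5000  # PIN demanded after about £50 of contactless spend


@dataclass
class CardState:
    # Contactless spend accumulated since the last successful PIN verification.
    spent_since_pin: int = 0
    # Hypothetical cardholder preference (assumption): always insist on the PIN.
    always_require_pin: bool = False


def authorise(card: CardState, amount_pence: int, pin_ok: bool) -> Tuple[str, bool]:
    """Decide how one transaction is authorised.

    Returns (outcome, pin_required). pin_ok reports whether the terminal
    verified the PIN, i.e. whether the second factor was actually presented.
    """
    needs_pin = (
        card.always_require_pin
        or amount_pence >= CONTACTLESS_MAX_PENCE
        or card.spent_since_pin + amount_pence >= PIN_RESET_THRESHOLD_PENCE
    )
    if not needs_pin:
        card.spent_since_pin += amount_pence  # single-factor path: count it
        return "approved-contactless", False
    if pin_ok:
        card.spent_since_pin = 0  # two factors seen: counter resets
        return "approved-pin", True
    return "declined-no-pin", True


def max_spend_without_pin(card: CardState) -> int:
    """Exposure from a lost or stolen card: total a holder who does NOT know
    the PIN can spend by repeating the largest contactless amount allowed."""
    total = 0
    while True:
        outcome, _ = authorise(card, CONTACTLESS_MAX_PENCE - 1, pin_ok=False)
        if outcome != "approved-contactless":
            return total
        total += CONTACTLESS_MAX_PENCE - 1
```

With the defaults the policy caps no-PIN exposure at £49.95 per stolen card; with the "always PIN" preference set the exposure is £0, which is the trade-off the post is arguing about.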

I brought up the topic of RF skimming, in that for around £100 to £150 I could build my own RF reading device which could activate the passive RF chip within a contactless card and read it when in range. I know it's encrypted and so not much sense can be made of what can be read, which Visa provided assurances over during the debate; however, the UK passport agency said the same thing about the RF system within UK passports, only for a security professional to break the encryption system, accessing details from a passport without even opening the envelope it was in. Here lies another of my concerns: it's fairly common knowledge that a lot of credit card fraud and card theft starts within the postal system in the UK, and the fact is I could use my custom RF reader as a contactless card detector, a kind of credit card metal detector if you like, which would tell me which envelopes had cards in them. I only hope they wrap the cards in tin foil or something similar to shield the RF when issuing them by post.

Following on from the RF encryption, which by all accounts is better than the UK passport's, I followed up by asking when credit card issuers will get rid of the magnetic strip on the back of cards, as most of the information on the magnetic strip isn't encrypted and allows easy card cloning and skimming by the bad guys. There was no real answer on that apart from it being needed for international purposes; again, I would prefer the option of not having a magnetic strip on the back of my card, since nearly all of my card transactions are made with a chip reader.

If only I could customise my own credit/debit card, which I'd be happy to pay a premium for: for a start I would have my picture "etched" onto the card (three-factor authentication possibilities!) and no magnetic strip. But the trouble is always the same with good security: it comes down to a decision of Risk vs Cost, which is ultimately made by the credit card folks, who take the biggest hit on paying for credit card fraud; however, they pass that on to us within card interest rates. Just to make that clear, if you are a victim of fraud through the contactless card system you will get your money back, according to the guy from Visa Europe; however, there is always a hassle factor and a stress factor to consider for the card consumer, so perhaps as consumers we really should expect better security.

Other interesting points were raised: there are retailers who won't accept card payments under £10 or will add a surcharge, so I doubt contactless cards are going to take off with them, which was kind of the selling point, that you could walk into your local newsagent and use a contactless card instead of money; however, most newsagents don't currently take cards due to the transaction costs imposed by card issuers. And what if I had, let's say, a MasterCard contactless card and a Visa contactless card in my wallet and I wave my wallet at the RF reader: will it work, and how do I know which card I paid with?

Another topic that was discussed was payment by mobile phone. Again it came down to whether it was a two-factor authentication system, i.e. if the user had to enter a password or PIN I had no problem; however, if it meant you only needed the phone, then it turns the phone into an instant cash item, which could be really worrying for the younger sections of society, which is where most mobile phone theft (muggings) occurs. I have blogged and even podcasted about poor mobile phone security in the past, which could be another attack vector to consider with such payment systems.

Make no mistake, I'm a fan of a cashless society, although I think it is still many years away. I like new technology, and I do know nothing can ever be 100% secure; I just don't want to see basic security corners cut and backward steps taken, as I think society in general has a long way to go in getting to grips with information security.
