A closer look at contactless card security

Over the course of the last few years, Irish banks and credit card companies have been busy issuing new high-tech credit and debit cards. A new feature of these cards is a technology which permits card holders to simply ‘tap’ their card to complete purchases of certain small value items. Stores must have a corresponding card reading technology to facilitate the new card features. The technology is popularly referred to as ‘contactless’ and is represented by a triangle of nested arcs, the universal symbol for wireless.

Contactless technology use on the increase
How safe are modern debit cards?

Recently, there has been a growing chorus of concern surrounding the security of these new high-tech cards. Press and broadcast coverage in the US and, to a lesser degree, the UK has highlighted what appear to be significant security flaws. News reports claim that the wireless feature of the cards makes it easy for criminals to remotely access card details, including the account number and other information needed in order to clone cards and make fraudulent purchases.

So what is this wireless feature and how does it work?

Contactless cards use a version of wireless technology called radio frequency identification or RFID. This permits cards to send a signal to card readers permitting payments to take place without the traditional swipe or PIN entry.

Having read all of the headlines on RFID risk and fraud, it appeared at first that these new cards introduced an open season for crooks and fraudsters, that just about anybody could go online, purchase a piece of card-reading technology and begin cloning consumer cards en masse from a distance.

The Montreal connection.

I worked with a Canadian team to test how this card reading and cloning would work. They have been working on securing a card reading device to demonstrate the functionality of actually reading a card, but in working with one of the technical team, it emerged that the maximum distance at which any RFID-enabled card could be read was 2 – 3 inches.

There are some indications that it may be possible to configure readers to scan RFID cards from a greater distance but that requires more powerful technology.

Where ID theft appears most elevated is in crowded situations, such as public transport as well as cultural and sporting events.

Some other data that became available from the research is as follows:

From CBC

The newest generation of RFID credit cards transmit an encrypted, one-time security code alongside the card number and expiry date to authenticate each transaction but it’s possible to circumvent that system by deploying what’s called a replay attack: A fraudster scans the RFID card dozens of times in a public place in a matter of seconds, without the cardholder knowing, and captures the security codes that the card transmits. A cloned card is then programmed to “replay” those codes at a store’s payment terminal.

The credit-card company would only catch on to the fraud when the real cardholder tried to make a subsequent contactless purchase with a security code that had already been used by the scammer.

Does it stack up to scrutiny? There are flaws on both sides of the argument:

  1. Why would a thief want to use your credit card only once?  Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to be used in the order they’re generated. If a payment processor detects multiple transactions with the same code or even codes being used to make transactions in the wrong order, it will disable the card. So a scammer can only use each stolen number once, and if the victim of a scam uses the card again before the thief has time to make a fraudulent purchase, all transactions on the card will be blocked. (Walt Augustynowicz of US-based Identity Stronghold demonstrated quite clearly that he could clone a credit card number and expiration date onto a hotel room card and he used it to make a purchase… but he made only one purchase with that card.)
  2. If all transactions on the card are subsequently blocked, it means the card has been compromised… and the rightful cardholder will need to get a new card. In the meantime they are going to have a tough time checking in or out of a hotel, or making any purchases without a valid credit card.
  3. Most merchants don’t bother to check the signature on the back of a card… allowing unlawful transactions to get through.
  4. It is also a matter of privacy and protecting every piece of your identity… would you feel comfortable if a stranger knew your credit card number and expiration date?

I have uncovered so many news reports on the RFID security or lack of it. The reports (and there are a lot of them) showing Walt Augustynowicz appear to be somewhat biased because he owns Identity Stronghold and sells smartcard shields. However, he makes a valid point that what you think is secure and hidden in your pocket really isn’t.

The bottom line:

Some people still aren’t aware that their new credit and debit cards may be at risk of a new type of identity theft. These cards are typically identified with the radio wave symbol printed on them.  This RFID technology has the potential to make paying for things easier and to shorten line-ups at stores, but it also creates an easy way for savvy thieves to steal credit card information along with the expiration date.

Credit card companies fail to appreciate the risk.

The official position of credit and debit card issuers is this: Even if a thief does manage to steal your card number, there’s not much risk that they can do anything with it.  That’s because RFID smart cards transmit an encrypted, one-time security code alongside the card number and expiration date to authenticate each transaction.  However, some hackers say it’s easy to circumvent that system by deploying what’s called a “replay attack”: A fraudster simply scans the RFID card dozens of times in a public place in a matter of seconds, capturing the security codes that the card transmits. A cloned card is then programmed to “replay” those codes at a store’s payment terminal. The credit card company will only catch on to the fraud when the real cardholder tries to make a subsequent purchase with a security code that has already been used by the scammer.
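The issuer-side rule described above (each code is valid once and only in the order generated, and a reused or out-of-order code blocks the card) can be modelled as follows. This is an added example, not code from the original article or from any card issuer; the HMAC-derived code, the key and the IssuerAccount class are assumptions, and real contactless cards use their own cryptogram scheme.

```python
import hashlib
import hmac

CARD_KEY = b"constructed-demo-key"  # constructed; stands in for the per-card secret


def one_time_code(key: bytes, counter: int) -> str:
    """Assumed model of the per-tap code: 3 digits from HMAC-SHA256(key, counter)."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class IssuerAccount:
    """Issuer-side state for one card (hypothetical class, not a real processor API)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0   # highest tap counter accepted so far
        self.blocked = False

    def authorize(self, counter: int, code: str) -> str:
        if self.blocked:
            return "DECLINED_CARD_BLOCKED"
        if not hmac.compare_digest(one_time_code(self.key, counter), code):
            return "DECLINED_BAD_CODE"
        if counter <= self.last_counter:
            # Same code seen twice, or an older code arriving after a newer one.
            self.blocked = True
            return "BLOCKED_REUSED_OR_OUT_OF_ORDER"
        self.last_counter = counter
        return "APPROVED"


def reused_code_scenario() -> list:
    """A code is presented twice; the issuer cannot tell which presentation was genuine."""
    issuer = IssuerAccount(CARD_KEY)
    code1 = one_time_code(CARD_KEY, 1)
    return [
        issuer.authorize(1, code1),                       # first presentation
        issuer.authorize(1, code1),                       # same code again
        issuer.authorize(2, one_time_code(CARD_KEY, 2)),  # later genuine tap
    ]


def out_of_order_scenario() -> list:
    """Code 3 is accepted, then the older code 2 arrives."""
    issuer = IssuerAccount(CARD_KEY)
    return [issuer.authorize(n, one_time_code(CARD_KEY, n)) for n in (3, 2)]


if __name__ == "__main__":
    print(reused_code_scenario())
    print(out_of_order_scenario())
```

The first presentation of any fresh code is approved regardless of who presents it; detection happens only on the second sighting, after which the genuine cardholder is locked out as well.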

Regrettably, there are so many savvy thieves out there honing their skills in credit and debit card fraud and now RFID technology is just one more tool for them to exploit.  Electronic pick pocketing has been demonstrated quite well in various news reports.  At a minimum, these reports corroborate the vulnerability of RFID technology and how it allows thieves to steal private information from anyone in a crowd without even touching the victim’s wallet or purse.

There’s confusion at the banks!

Here is what happened at three of the top five banks in Canada during our research:

One bank’s customer service representative told the researcher not to worry about their (RFID-enabled) debit card, saying it can’t be scanned by a thief, because the antenna hasn’t been activated yet (the card had been activated some months earlier). The representative and their supervisor either did not know about RFID technology, or they intentionally provided a false statement about the chip’s capabilities. Here’s why: The chip’s antenna does not have to be activated. It is passive and it is always ready to give up its number and expiration date to any friendly or unfriendly RFID reader.

In a second test, the researcher specifically asked a customer service representative at another bank for a protective sleeve to prevent their credit card from being scanned by a thief.  The bank representative happily gave them not one, but two envelopes printed with “Bank Card Protector” and some cautionary text about protecting the card’s magnetic stripe.  Unfortunately there was no aluminium alloy (or any other metal) in the protective envelope to prevent RFID scanning.  It appeared that the bank staff member was not aware of RFID technology.

The third test during the investigation took the researcher by complete surprise!  They actually had the RFID-blocking envelopes with the aluminium alloy embedded. The employee had no knowledge of their RFID-blocking capability. They knew only that they are to be given to clients who ask for a protective sleeve for their credit or debit cards.

The bottom line:

It appears from reading through all of the various data and the reaction from the third Canadian bank that some risk does exist with RFID-enabled cards. Consumers who are concerned about that risk can protect themselves by simply wrapping their card in tin foil or asking if their bank offers a smart card protection shield, one that is manufactured with RFID-blocking metal foil.
