Forget the Tinfoil
Are contactless credit cards safe from electronic pickpockets, or should consumers shield them from rogue readers?
By Bryan Ochalla
Late last year, mainstream media outlets across the country alerted their audiences to what they considered to be an imminent threat on consumers’ purses and wallets.
According to the reports, millions of consumers are and will continue to be at risk of falling victim to so-called electronic pickpockets as long as they carry--and fail to adequately shield or protect--“contactless” credit cards like the ones offered by American Express (expresspay), Discover (Zip), MasterCard (PayPass), and Visa (payWave).
How, exactly, are consumers at risk? According to the single source that was included in most, if not all, of the media stories, thieves carrying off-the-shelf RFID scanners can easily steal credit card information. That media source was the owner of a company selling foil sleeves that are supposed to protect consumers from such attacks.
Had reporters interviewed, or at least requested information from, say, any of the major card brands, their stories would have been quite a bit less alarming. The same would have been true if they had included any experts from the payments industry.
“I really think this is about a company that wants to promote its protection technology by creating an air of fear among consumers,” says Randy Vanderhoof, executive director of the Princeton Junction, New Jersey-based Smart Card Alliance. “People who understand the payments industry know there’s nothing to this story. The average guy on the street, though, who sees this kind of story is going to think he’s at risk, and that’s unfortunate.”
But It Could Happen
It is possible that thieves wielding RFID scanners could steal some data from unsuspecting consumers’ contactless credit cards, but they wouldn’t be able to do much, if anything, with it, says Vanderhoof. “Technically, there’s nothing to prevent the account number and expiration date that’s stored on a contactless chip to be read by one of these rogue reader devices.” That said, you need more than an account number and an expiration date to steal someone’s credit card information and use it.
“The threat of electronic pickpocketing is small today because much of the relevant data--such as PIN and CVV--is not communicated via the RFID,” agrees Julie McNelley, a senior analyst at the Aite Group in Boston. So if electronic pickpockets really are roaming crowded airports and malls and using modified RFID scanners to steal information from consumers’ con- tactless credit cards, “they’re probably not getting enough information to be useful.”
Still, others aren’t so sure. The act of stealing data from a contactless credit card is “quite easy,” says Rob Havelt, director of penetration testing at Chicago-based Trustwave, a provider of on-demand data security and payment card industry compliance management solutions. “We’ve actually built devices about the size of an iPhone that you can use from about a foot away to read data off the chip.”
You don’t need much experience to create such a device, he adds. “All you have to do is obtain the parts. After that, you can plug it into an iPhone or iPad, open up the [iPhone’s or iPad’s] notepad, and get to work. I would find it hard to believe this isn’t happening on a normal basis because it’s just so easy.”
Such an approach doesn’t allow an electronic pickpocket to acquire all of the information needed to complete all transactions, but it does let them get enough data to complete some transactions, he says.“How many places really require you to give them the CVV in order to use your card?”
No Losses Identified
It’s hard to say whether or not the kind of electronic pickpocketing highlighted in the news reports late last year is actually happening.
“There are no losses that can be directly tied to this technology,” according to McNelley.
“We checked with the brands, we checked with the issuers, we checked with the Identity Theft Resource Center, we even contacted the U.S. Secret Service, which is responsible for consumer fraud,” says Vanderhoof. “All of them said that they have heard no complaints or they have had no reports of this type of fraud happening to anyone. So, if it has happened, or if it is happening out there, no one is aware of it.”
Of course, catching an electronic pickpocket in the act likely is the only way to track this kind of fraud. “Today, points of compromise via typical skimming devices or data breaches can be traced back to a common point of purchase at a merchant, or a common point of compromise such as a payment processor,” says McNelley. “There would be no such trail in the case of electronic pickpocketing, as there is no purchase event that triggers the compromise.”
Vanderhoof feels fairly certain that “the thieves who would actually profit from stealing credit card information aren’t using this approach.” Those who are “really intent on getting this information are probably doing other things like swiping information off the mag stripe or stealing physical cards--where there are no protections to prevent that type of fraud. The protections that are on the [contactless card] chip, and are related to how the chip is used, are sufficient to prevent this type of fraud from happening.”
Leapfrogging EMV to NFC
Exploring alternate payment methods sounds like a good idea to McNelley, especially since, she says, “from a contactless card perspective, consumer and merchant adoption has been so slow that I don’t think that it is worth spending a lot of cycles.”
In McNelley’s opinion, the lack of consumer and especially merchant interest in current contactless credit card technology likely stems from the fact that: 1) it requires capital expenditures on the part of merchants, and 2) there’s no real incentive for consumers to change their behavior--the current swipe methodology is something we are very comfortable with, and contactless provides no material benefits from a consumer perspective.
“There is a lot of speculation over whether payment card security will evolve in the U.S. market since we are one of the last major markets to be on mag stripe,” she adds. “It is possible that we will leapfrog EMV entirely and go to NFC. Similar to contactless, adoption of NFC will depend on the incentive for merchants to upgrade POS technology and the creation of appropriate incentives for consumers to change their behavior at POS.”
What advice does Havelt have for con- tactless card issuers? “That’s a very tough question because the answer to it involves looking at this whole, giant system that we’ve built for credit card transactions in this country and basically telling [the card brands and issuers],‘You’re doing it wrong. Rebuild it from the ground up.’ Maybe, though, it’s time to explore alternate methods, like chip and PIN, which will more adequately protect someone’s card information."
(Transaction Trends, Jun. 2011)
URL: View Published Article
Back to Articles