Over the past several years, contactless payments have been slowly but surely entering the mainstream financial world. With mobile payments readily accepted at most retailers, eMarketer researchers are forecasting a 32% growth in the total number of mobile payment users in 2017 to 50.8 million. Contactless transactions allow us to easily purchase items without having to swipe-and-sign or key in pesky PIN numbers into point-of-sale machines. But with digital conveniences come financial threat. Here is everything you need to know before you make the switch to contactless payments.
Contactless payments — the basics
Before we delve into the threats associated with contactless transactions, it is important to note the fundamental technologies that make these payments possible.
Most commonly used, Radio Frequency Identification (RFID) uses radio wave transmission between a tag and a reader to exchange information, such as between the chip on your credit card and the chip reader at a store. Many Visa, MasterCard, and American Express credit and debit cards come with the RFID chips built in, and allow the owner to make a limited number of small transactions without keying in a PIN number.
Similarly, Near Field Communication (NFC) is a short-range wireless connectivity standard that uses magnetic field induction to enable communication between two devices in a close range, such as a smartphone and point-of-sale terminal. NFC is primarily used for smartphone-based payment systems, such as Apple Pay, which allows you to pay with a wave of your iPhone or Apple Watch. Smartphone-based transactions are secured by the smartphone itself, meaning that to buy something, you must first authenticate the device with your fingerprint.
In each scenario, a point-of-sale terminal will read the respective short-range signal and assess certain information that allows it to process a transaction.
But of course, contactless payments can be the target of numerous security threats. Here, we break down the top three security threats to contactless payments: stolen cards, cloned cards, and leaked card data.
Threats to contactless payments
Stolen cards. Stolen cards are of serious concern for owners of contactless credit and debit cards. Due to the convenient nature of contactless transactions, when a card is stolen, it becomes possible for the thief to purchase things from the victim’s account without their passcode as there is no requirement for a PIN number for smaller transactions.
Stolen cards are less problematic for the various smartphone-based payment systems, because while someone could just as easily steal your phone, it is much harder to steal your fingerprint or PIN code to surpass the lock screen.
Purchases made post-cancellation. Contactless cardholders who cancel their cards after they have been lost or stolen are at a heightened risk of fraud, more so than traditional card users. The security issue stems from the fact that stores don’t immediately confirm transactions with your bank when a payment is made via card, meaning that canceled cards can still work for months after cancellation. While some banks proactively prevent accounts from being abused by this type of fraud, the issue is exacerbated for contactless cards because you do not need to enter a PIN each time you use them.
Leaked or skimmed data. While smartphone-based payments are less vulnerable to this sort of attack, the wireless signals that make contactless payments possible are at risk of being “skimmed” for data. When you make a purchase via RFID or NFC signals, you transmit a limited amount of information found on the front of your card — namely, the expiration date and card number. While the three- to four-digit card verification value (CVV) is not provided, it is possible for savvy thieves to algorithmically determine it. With all of that information, there is no stopping a thief from going on a shopping spree.
However, there is good news for smartphone-based users of Apple Pay: The RFID payment system does not transmit the customer’s credit card details to the point-of-sale kiosk, but rather replaces the information with a unique “Dynamic Security Code.” Any data that is intercepted and decoded is ultimately worthless to an attacker once the transaction is complete.
So should you use contactless payments?
While the threats to contactless payments are real, there are some robust security protections against the majority of attacks, including issuer spending and frequency limits on contactless transactions. Your bank may also provide credit monitoring in the event of fraudulent use.
Contactless payments offer users the cutting-edge convenience of new financial technology. As with any technology, security flaws can pose a threat to users who are not aware of the associated dangers. Despite the threats, contactless payments can be a viable and secure payment option for responsible users.
Learn more about Electronic Products Magazine