Are Contactless Payment Methods Secure?

Friday, August 20, 2010

Robert Siciliano


“Contactless,” in this context, refers to the use of a wireless device. A payment is contactless when, instead of inserting your credit or debit card, you hold your card or keychain device within a few inches of the terminal, and your payment information is sent and processed wirelessly.

Contactless payments offer a faster and more convenient alternative to cash for small purchases at fast food restaurants, convenience stores, and transport terminals. They are also ideal for remote or unattended payment situations, such as vending machines, road tolls, or parking meters. So far, I haven’t seen a report of bad guys exploiting contactless payment systems.

Hackers, whether they’re black hat (bad guys) or white hat (security professionals), are always looking for vulnerabilities in technology. The bad guys’ intentions are to exploit these vulnerabilities for ill-gotten gain, and the security professionals’ are to make the technology more secure.

A white hat hacker demonstrated some of the vulnerabilities of early contactless technologies for Canada’s CBC News. However, these demonstrations took place in unrealistic settings, and the IT professional went to great lengths to concoct scenarios in which this payment processing method could lead to fraud. These scenarios encourage fear, uncertainty, and doubt, without providing any tangible testing value.

In response to the question of security in contactless technology, the Smart Card Alliance stated, “Contactless smart card technology includes strong security features optimized for applications involving payment and identities. Every day tens of millions of people around the world safely use contactless technology in their passports, identity cards and transit fare cards for secure, fast and convenient transactions.

Multiple layers of security protect these transactions, making them safe for consumers and merchants. Some of these features are in the contactless smart card chip and some are in the same networks that protect traditional credit and debit card transactions.”

A researcher can manipulate tests in a controlled environment and create a desired outcome that seems to establish vulnerability, but there’s a big difference between that type of demonstration and real world penetration testing.

To date, there is no such thing as 100% perfect security, and my guess is that there will never be. With that in mind, it is essential that the good guys continue to work towards that goal, impossible as it may be, and to expose flaws that they find, but they should do it responsibly.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses on CNBC.

shawn merdinger: It's well worth checking Chris Paget's excellent work in the area of long-distance RFID sniffing. He set a new world record at Defcon 18 at 217 feet. More at:

Anthonie Ruighaver: Contactless payment methods are an excellent example of how we are willing to exchange security for convenience. Using marketing statements from the Smart Card Alliance about security is not really relevant.
Lower security is, however, compensated for by the low expected loss for the payee if the system is compromised.
The lower security may be a bigger problem for the merchants, assuming they will not be compensated for fraud when organized crime does get in on this promising new market for them.
And academics are already showing/teaching how to compromise these systems.

Robert Siciliano: Anthonie, show me examples of "lower security". Show me real world breaches of a minimum of 100,000 contactless transactions that turned into money for the criminal. Show me. Don't show me controlled, manipulated laboratory hacks; show me real world hacks. Then I'll point to breaches involving 100 million raw credit card numbers that have cost the merchant/retailer/public millions.

Anthonie Ruighaver: Isn't that one of the problems with security? We have different definitions of security. Some measure security by the level of incidents. Others measure security by the level of controls to prevent incidents. Or, you can examine the level of residual risk. All are valid but limited ways of looking at security.

I just stated that there currently is less of a problem with contactless payment methods, as there is a lower expected loss per card, but that there will be a problem when contactless payments become as popular as credit cards and people start realizing all the different ways the system can be compromised.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
