Rippleshot Blog

Contactless Cards Pose Fraud Risk

Posted by Zach Walker on 26, Jan, 16

As the payments ecosystem continues to evolve and improve through new innovation, consumers are looking for easier, faster and more convenient methods to conduct transactions. 

We’ve seen an increase in the number of mobile payment platforms available to mobile phone users, opening an entirely new avenue for consumers to transact with. At the same time, this increases the chance of being involved in fraudulent activity stemming from a data compromise.

One of these innovative payment methods involves credit and debit cards that can complete transactions without swiping or inserting the card into a point of sale (POS) device. These “contactless” cards increase the speed and ease with which consumers can make purchases, but there are concerns surrounding the security of this technology.

The Technology

Contactless smart chip technology involves a microcontroller that utilizes radio-frequency identification (RFID) to communicate with an RF reader by using data stored on the embedded chip. This technology can be embedded in a payment card, as well as in a mobile phone, to provide consumers with yet another way to conduct transactions. Contactless technology has several applications, such as inventory management or travel, but we are going to focus on the capabilities of contactless payments.

Contactless payments involve ordinary payment transactions that do not require physical contact between the customer’s payment device and the POS terminal. The contactless card or device must be in close proximity, usually a few inches or less, for the payment account information to be communicated via radio frequency. The benefits of contactless payments can be seen for consumers, merchants and the financial institutions that sit in-between.

Consumers are provided with a payment alternative that increases the convenience of conducting transactions, while also removing the need to carry cash for everyday purchases. Financial institutions can expect to see an increase in transaction volume for the very same reason, and have the backing of the major payment card brands. Finally, merchants will be able to provide their customers with a smoother transaction process, while also reducing the average time each consumer spends in line to check out. And consumers seem to be responding positively to this piece of technology. Nearly one in every ten purchases involving a credit or debit card in the U.K. last year used a contactless payment card, and the number of contactless transactions also increased after the transaction limit was increased from £20 to £30.

What Is Happening With Contactless Cards Abroad And At Home? 

The latest figures coming from the U.K. indicate that there are security concerns involving contactless payments. The U.K. Cards Association has seen that fraud connected to contactless payment cards has doubled since the spring of last year, with estimates reaching as high as £185,000 for October. The consumer research group Which? conducted a study to test the security of contactless cards. Which? researchers tested four credit and six debit cards to see if it was possible to access sensitive payment information without stealing the physical card.

The study found that a fraudster would be able to accomplish just that with the help of a card reader and software to decode the stolen data, which can be found for free online. Which? was able to obtain the card number and expiration date from all ten cards, even accessing limited information involving the last ten transactions on the stolen cards. Using a false name and address, the researchers were also able to purchase two items, including a £3,000 TV from a popular e-commerce site. Because this fraudulent transaction took place online, the £30 transaction limit is rendered useless.

When looking across the pond from the United Kingdom, the United States began integrating this payment technology in 2005 and has experienced growth in both user adoption and the capabilities of this technology. Some of the largest financial institutions now issue millions of contactless payment cards annually, and more retailers are installing contactless readers at their brick-and-mortar locations. Currently in the United States, contactless payments are supported by American Express’ ExpressPay, Discover’s Zip, Mastercard’s PayPass and Visa Contactless.

While there have not been any recent studies conducted on fraud in connection with contactless cards for cardholders in the United States, the security risks are still present. In 2012 at the ShmooCon hacker conference in Washington, D.C., a hacker showed how easily the sensitive information stored on contactless payment cards could be accessed. Security researcher Kristin Paget was able to steal RFID-enabled payment card data with an RFID card reader found on eBay, and then was able to encode the stolen data with a card-magnetizing machine that costs roughly $300. Paget was able to do all of this while on stage in front of a crowd of hackers and security researchers.

With two-thirds of Americans hesitant to trust retailers with their payment information, click here to see what it could take to restore consumers' confidence in the payments ecosystem.


Topics: Industry News, Fraud