Contactless Cards: Wave of Things to Come or Passing Fad?
By Alan Nevels, ICBA Bancard
Can Radio Frequency Identification technology, or RFID, leave cardholders vulnerable to electronic pick pocketing, credit card theft and ultimately payment fraud? Yes, say two University of Massachusetts researchers, Tom Heydt-Benjamin and Kevin Fu, who recently demonstrated the ease with which thieves could intercept data from contactless credit cards.
Armed with an off-the-shelf receiver, the researchers were able to snag the card numbers, expiration and issue dates, and cardholder names of 20 test subjects without ever touching their credit cards. And while they weren’t able to lift the printed credit card validation number on the back of the card, not all online merchants require such information, note some industry experts.
The good news is that such hacks would have to be done from a very limited range – since the card itself must receive a signal from a device to initiate a payment. Multiple RFID-enabled cards in a single wallet would also make such theft more difficult. And it would be hard to mass produce cards based on the stolen information. For all of these reasons, Paul Kocher, president and chief scientist at Cryptography Research, labels the threat from such devices negligible.
The better question, Kocher suggests, is what would fraud rates look like compared with those associated with magnetic stripe technology? Any time a mag-stripe card is handed to a server or swiped at a gas pump, it is at risk of being copied with a simple USB reader and the information mass produced, he notes.
Compare that with chip-based cards and RFID information, which also contain cryptographic security keys that generate a unique mathematical function for every transaction, making it much more difficult for somebody who has recorded such information to resolve the keys, he explains. It’s also easier to trace because you know when the transaction occurred, says Kocher.
There are companies that produce sleeves that block radio transmissions, he says. “It doesn’t have a practical or rational” application, but may serve a “marketing purpose” to increase customers’ comfort with the technology, he reasons.
Kocher’s tolerant attitude about the possible threat may be supported in part by the difficulty in quantifying the risks. While there are “100 million credit cards now that have this contactless technology embedded into them,” according to Identity Stronghold, a company that makes RFID-blocking products, sources quoted for this story were not able to quantify how many, if any, criminal card frauds occurred using such devices.
Accounting for the Threat
And then there’s the “psychological fear” that issuers need to account for and arm against.
Timothy Daley, senior consultant with technology firm Cornerstone Advisors, and a victim of credit card theft via mag stripe, admits he’d be hesitant to open himself up to a new threat – real or theoretical – where his card wouldn’t even need to leave his possession to be compromised. In rural areas it may not be as much of a concern, he says, but on public transportation and in densely populated areas the crime could be conducted unnoticed, he reasons.
If issuers expect to roll out such technology, they need to have a communication strategy that adequately informs the public on the benefits and the risks of card use, he says.
People aren’t used to the idea of wireless communications between their card and an external device. So headlines about electronic pick pocketing will heighten concern, concurs Kocher.
Once the card is compromised, current back-end fraud prevention tools, like neural network technologies that help issuers detect an out-of-band transaction, will be challenged. Card manufacturers may be able to offer some physical card security features to help block RFID fraud. One company recently demonstrated at BAI a card that required the user to enter a four-digit PIN before the last four digits of the card appeared. And cards with account numbers that change upon each use are also being vetted.
Mobile devices present another challenge and a possible displacer of contactless cards. They run on the same technology, but have the ability to combine hardware and RFID security, making them an attractive alternative. Unlike with a contactless card, users can attach an address to a mobile device that can be verified. And if the phone is lost or stolen, users can call their financial institution and have it disconnected, Daley explains.
For now the decision to roll out – or not – the technology seems to be a big bank debate as they grapple with how to convince merchants to invest in the technology without having a critical mass of cards in market. Select trials with big box retailers in limited geographic areas may dictate the technology’s future. For now, small issuers can sit on the sidelines, devising their game plan should contactless cards prove the wave of the future.