The security of contactless payment card technology has been called into question by a new study into NFC devices published by professional engineering body
A team of researchers from the University of Surrey's Department of Computing successfully received a contactless transmission from distances of 45-80cm using inconspicuous equipment, highlighting security concerns over personal data.
The study outlines how the research team used portable, inexpensive and easily concealable equipment including a pocket-sized cylindrical antenna, a backpack and a shopping trolley, none of which would raise suspicion if used in a supermarket queue or in a crowded place. Using this equipment, the team showed how reliably eavesdropping could be carried out at various distances, with good reception possible even at 45cm when the minimum magnetic field strength required by the standard is in use.
Proximity vulnerability implications
The study said that the implications of its findings are significant for consumers. "The results we found have an impact on how much we can rely on physical proximity as a 'security feature' of NFC devices," said lead academic supervisor of the research, Dr Johann Briffa. "Designers of applications using NFC need to consider privacy because the intended short range of the channel is no defence against a determined eavesdropper."
Eleanor Gendle, IET managing editor at The Journal of Engineering, said: "With banks routinely issuing contactless payment cards to customers, there is a need to raise awareness of the potential security threats. It will be interesting to see further research in this area and ascertain the implications for users of contactless technology with regards to theft, fraud and liability."
A UK Cards Association spokesman, however, told Retail Technology that instances of fraud on contactless cards are extremely rare. "Although the sort of contactless card reader built by the University of Surrey might be able to interrogate a card, any data obtained would be limited to the card number and expiry date that can be seen on the front of the card. A fraudster would find it very difficult to make a fraudulent transaction using this information - and it certainly could not be used to make a cloned card."
The trade body also pointed to additional layers of security already in place to prevent the use of a card number and expiry date, such as PIN and CVV code (the three-digit number found on the back of cards), which cannot be harvested electronically. "The vast majority of online retailers require the card security code, along with the cardholder's address, and all have robust security checks in place to protect both their business and their customers from fraud," he said. "Banks and retailers also use a range of sophisticated fraud prevention tools, such as intelligent fraud detection software, to combat card fraud.
"In the case of any fraud using a contactless card, consumers are protected against loss - they will not be liable for any fraudulent use. At the end of 2012, annual figures showed that levels of card fraud have declined 36% since their peak in 2008. Levels of fraud on contactless cards were negligible at just £13,700, compared with non-contactless losses of £55m, clearly demonstrating that it is a safe payment system in which consumers can have confidence."
The study was carried out by Thomas P. Diakos, a PhD student in the University of Surrey's Department of Computing, and funded by the Engineering and Physical Sciences Research Council (EPSRC) and IT consultancy Consult Hyperion. Dr Johann A. Briffa and Dr Stephan Wesemeyer from the Department of Computing, and Dr Tim W. C. Brown from the Centre for Communication Systems Research made up the study's supervisory team.