Contactless payments limit exposure to the coronavirus and therefore are the safest payment methods at the moment. But do they also protect you from fraudsters?
Experts argue that contactless cards, especially if connected to Apple Pay or Google Pay, are quite safe. But some say that there are ways to hack anything.
At the Black Hat Asia 2020 summit, Leigh-Anne Galloway from the Cyber R&D Lab shared statistics on how contactless payments have affected fraud. And the numbers are a bit confusing.
VISA statistics show that while the use of contactless cards has increased rapidly, VISA’s contactless fraud rates in Europe have decreased by 40% between 2017 and 2018.
Meanwhile, Action Fraud, a police body in the UK, indicates that fraud cases almost doubled between 2017 and 2018.
“They state that the average loss associated with contactless fraud in the UK was 650 pounds, and one particular case they investigated resulted in a loss of 400,000 pounds,” the expert said, raising the question of whether contactless payments are a technological advancement.
While there might be some flaws in this type of payment, experts we talked to agree that contactless payments are the safest choice at the moment.
Made for convenience
“As COVID-19 introduced fears about hygienic payments transactions, consumers and retailers are increasingly preferring contactless payments because the consumer doesn’t have to insert or hand over their card during checkout, and they don’t have to touch the payment terminal, all the while having the same security of all EMV chip cards,” Randy Vanderhoof, director of the U.S. Payments Forum and executive director of the Secure Technology Alliance, told CyberNews.
According to him, contactless payments use the same technology that makes chip cards secure and can be secured with other preventative measures such as online authorization, risk management, and real-time fraud detection systems.
Contactless payment methods are definitely more secure than magnetic stripe cards.
“The security of contactless payment technology isn’t vastly different from an EMV chip card that you insert. The main benefit here is that contactless is faster and more convenient. However, when it comes to magnetic stripe cards, contactless payments and chip cards are absolutely more secure,” Ryan Ahern, head of retail solutions & support for Ingenico Group North America, told CyberNews.
Busting two popular myths
Harman Singh, director of cybersecurity services provider Cyphere, explained that contactless cards do not work like old magnetic stripes. EMV cards contain a chip that secures the cardholder's data and encrypts its communication with the Point of Sale (POS) terminal.
According to him, there are a lot of myths around contactless cards, with short-distance skimming and repeated purchases from a stolen card being the most popular ones.
Harman Singh told CyberNews that it is possible to skim a card, but you need a special device for that - a POS terminal that can communicate with the card.
“Someone using a bank's provided POS is easy to trace, and banks have extra measures in place to block such suspicious transactions automatically,” Harman Singh said.
People are also worried about repeated purchases with stolen or lost cards. Contactless payments are limited to a certain amount, and low-value transactions do not require a PIN. Therefore, some users are afraid that threat actors can just repeat these transactions countless times.
“Banks have limitations in place. For example, only a limited number of contactless transactions can be made. Further, tech-savvy banks even provide freezing card facilities straight from internet banking applications on your phone,” he said.
Tokenization of a card
Credit industry specialist Mason Miranda claims that contactless cards can be much safer than magnetic stripe cards because it’s more difficult to steal their information with physical methods, like skimmers.
“There has been a lot of talk around RFID skimmers, which are specifically for contactless cards. However, many experts believe that most thieves would consider this a waste of time because it’s easier to go on the internet and buy people’s credit cards rather than put in the amount of work it takes to use these types of skimmers,” he told CyberNews.
Contactless cards are still subject to physical theft. So Mason Miranda recommends putting your credit card in a mobile wallet, which also uses contactless technology and is even safer.
Many mobile wallets, such as Apple Pay and Google Pay, use tokenization to help protect user credit card information.
“Tokenization is simply when a second number is created to shield the original card number. Often these are one-use numbers, but some can be used multiple times. The great thing about tokenization is that if a thief was to get that number, he couldn’t do much with it because it’s not linked to your credit or debit card,” he explained.
Many contactless card issuers offer virtual credit card numbers designed for online purchases. Virtual card numbers are different from your physical card number, and they’re often limited to single-use, though many feature customizable expiration dates, too.
“On top of the contactless nature of a digital-only credit card, virtual cards can enhance safety when shopping online by preventing thieves from stealing a credit card number that’s always linked to your account,” he explained.
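The tokenization and virtual card number ideas described above can be modelled in a few lines. This is an added example, not code from any wallet or card issuer: the `TokenVault` class, its method names and the card number are constructed for illustration, and real wallets add further protections that the article does not describe.

```python
import secrets

class TokenVault:
    """Simplified issuer-side vault: only it can map a token back to a card number."""

    def __init__(self):
        self._tokens = {}  # token -> {"pan", "uses_left", "expires_at"}

    def issue(self, pan, now, max_uses=1, ttl_seconds=300):
        # The token is random digits, so it has no mathematical link to the card
        # number. `now` (seconds) is passed in explicitly to keep the demo repeatable.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._tokens:
                break
        self._tokens[token] = {"pan": pan, "uses_left": max_uses,
                               "expires_at": now + ttl_seconds}
        return token

    def authorize(self, token, now):
        """Return (approved, reason) for a payment attempt made with a token."""
        entry = self._tokens.get(token)
        if entry is None:
            return False, "unknown token"
        if now >= entry["expires_at"]:
            return False, "expired"
        if entry["uses_left"] <= 0:
            return False, "already used"
        entry["uses_left"] -= 1
        return True, "approved"

def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real account
    one_time = vault.issue(pan, now=1000)              # single-use token
    first = vault.authorize(one_time, now=1010)        # legitimate purchase
    replay = vault.authorize(one_time, now=1020)       # same token captured and reused
    virtual = vault.issue(pan, now=1000, max_uses=3, ttl_seconds=60)
    late = vault.authorize(virtual, now=2000)          # multi-use number past its expiry
    return one_time, first, replay, late

if __name__ == "__main__":
    print(demo())
```

The merchant and anyone who intercepts the exchange only ever see the token; the second attempt with the same single-use token and the attempt after expiry are both declined.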
“There are ways to hack anything”
“Beyond mitigating the risk of COVID-19 infection, contactless payments may also help with improved data-safety and data-security aspects of the business,” Bilal Soylu, founder of Xcoobee, told CyberNews.
According to him, the most common ways to implement contactless payments today are either based on near field communication (NFC) or QR-based models. The NFC-based payment systems that are popular in the US and Europe require hardware for both payer and payee, mostly in the form of an RFID chip for the payer and RFID terminal for the payee.
In most NFC processes only a card token, not the actual card information, is exchanged, and that makes the NFC process safer than magnetic swipes.
“However, security researchers have found that the cardholder's name, credit card number, and expiration date may be transmitted by contactless payment cards without encryption. They were able to use information leaked from a contactless credit card to make a purchase online, without opening the envelope in which the card was sent,” he explained.
What about QR technology?
Xcoobee advocates for QR payments that are more popular in Asia at the moment, as they might reduce the risk of data loss by separating the payment request from the actual payment process.
“The payer never sees any of the payee data nor runs processing or hosts it directly on any of the company devices,” claimed Bilal Soylu.
QR is indeed gaining in popularity but, just like magnetic stripe or chip-based payments, it can be vulnerable to account takeovers, fake accounts, and also fake QR codes.
“However, there is a lot of hope for QR code contactless payments. The technology to verify payment through this channel in real-time is already available. Solutions leveraging behavioral biometrics are able to verify a buyer’s and seller’s account using both real-time and historical location behavior to protect against fraudulent transactions with extremely high accuracy. In this way, both merchants and consumers can have the best of both worlds for health safety and security,” André Ferraz, CEO of location behavioral biometrics company Incognia, told CyberNews.