5 myths about contactless payments
By Daniel Workman
Fear. That's the emotion viewers often experience after watching media demonstrations, such as this one by CBC News, that show how easily criminals can electronically pickpocket unsuspecting cardholders.
Many Canadians are not well-versed in contactless payment technology, intensifying that fear. "A few consumers are not happy that banks no longer offer a credit card without a radio-frequency chip," says Financial Consumer Agency of Canada representative Julie Hauser. "Others are concerned about the safety and security of contactless technology."
Separating the myths from the facts may help reduce the fear about contactless payment technology.
|How contactless card transactions work|
It's a complicated process, but we'll break it down for you. See how contactless payments work.
RFID versus NFC
Some concerns may arise from perplexing terminology. Even experts confuse the terms Radio Frequency Identification (RFID) and Near Field Communication (NFC). Both refer to the transfer of information from a card or device to a reader via radio-frequency technology.
United Kingdom-based security consultant Adam Laurie explains that RFID usually describes low-frequency 'dumb' (one-way communication) applications such as door entry systems. Another U.K. expert, hardware engineer and software developer Bill Ray, says RFID has no security and a super-powerful reader can reach an RFID tag from a mile or more away.
In contrast, Visa payWave, MasterCard PayPass and American Express ExpressPay adhere to NFC, a wireless radio communications standard that contactless credit cards use for very short-range transactions.
Catherine Johnston, president and CEO of the Advanced Card Technology Association of Canada, agrees that NFC is completely different from RFID technology. "RFID is a technology that is meant to say ‘Hi, here I am -- look at me!' whereas NFC and contactless technology is designed to say, ‘I'm not talking to you until I know you're someone I should talk to.'"
Laurie acknowledges that, despite the contrasts between the two technologies, RFID has become synonymous with NFC as an accepted industry term. The misnomer brings us to our first misconception.
Myth No. 1: Electronic thieves can steal card data
from a distance
NFC credit cards must tap or almost touch the processing terminal. "As the term 'Near Field Communication' [implies], the field for signal transmission is very narrow, up to a maximum of 4 centimeters with very few exceptions," says Anthony Palermo, director of business development at the Academia RFID Centre of Excellence.
Systems consultant Joe Mante notes that anything is possible, but says the cost of developing a portable NFC reader powerful enough to remotely intercept card data is prohibitively expensive at this time.
Myth No. 2: Contactless cards continuously emit radio
A contactless card only becomes active after receiving a ‘wake-up signal' from a reader on the same frequency as the card. The chip inside a contactless card has no battery, so it can't do anything on its own. Ray explains the powered reader must first supply electro-magnetic energy to the contactless card, a triggering action that then establishes a radio connection between the card and the reader.
Having to lug around a battery-powered reader also constrains the time available for an electronic pickpocket to scan potential victims' wallets or purses.
Myth No. 3: Contactless cards are easily duplicated
Another type of technology, the EMV chip, has made it much harder to duplicate any kind of credit card in Canada. EMV, which stands for Europay, MasterCard and Visa -- the companies that back the standard -- was first introduced to Canadians in 2007. The so-called chip and PIN cards are now in mass circulation and provide fraud protection features superior to magnetic stripe cards.
Magnetic stripe cards can be easily duplicated in part because they send unencrypted data back to a reader. According to Laurie, this can result in counterfeit card purchases. "Data from the magnetic stripe can be captured, encoded on a magnetic stripe and then ‘replayed' to another terminal, which will honour the transaction," he says.
Johnston, who has worked in the card transactions area since 1989, agrees. "The reason a chip makes so much sense is that the chip itself enforces rules and is part of the security tools, which a magnetic stripe is not capable of doing," says Johnston.
Canadian chip and PIN cards are also more secure for electronic transactions conducted over an NFC connection. Ray says contactless payments involve a challenge/response mechanism that is effectively impossible to duplicate.
Myth No. 4: Contactless cards are vulnerable to
Contactless smart cards are not impervious to electronic attacks. Placing a portable reader within centimeters of a victim's wallet might enable a hacker to intercept the card number and expiry date, concedes Palermo. However, the amount of usable cardholder information that can be electronically snagged is limited.
An identity thief would not be able to capture the cardholder's name, PIN, or the security code fraudsters would need for most online purchases.
Simply by snapping a photo of the credit card instead, a criminal could capture the card number, expiry date and often the cardholder's name.
Myth No. 5: Electronic pickpocketing involves
Asked about the magnitude of financial damages electronic pickpocketing causes in Canada, Johnston says "there aren't huge losses."
"Somebody does something in a very controlled environment, and then reports that they've broken the security of a card chip," she says, referring to media demonstrations. "Then we investigate the claim and conclude that's not true."
"In fact, there are no reports of this type of criminal fraud taking place," Visa Canada spokeswoman Carla Hindman wrote in an email. "Criminals typically focus on high-value fraud that can easily be converted to cash."
Based on information from their respective websites, the transaction limit for a MasterCard PayPass and Visa payWave is $50. American Express's online FAQ section lists a $25 cap for ExpressWay transactions without a signature. These low transaction amounts make it harder for criminals to score quick money via contactless card crimes.
"Major credit card companies provide consumers with protection against fraud through their no-liability public commitment policies," advises Hauser on the issue of consumer protection.
"These commitments apply to traditional and contactless credit card transactions and ensure that consumers are not held liable for losses resulting from unauthorized transactions."
Published: May 24, 2013