New-age pickpockets: Tap-and-pay spoofing possible, but limited

Tap-and-pay technology may be convenient, but there's a chance it's not entirely secure. A mobile app called JackLess was created with the intention of allowing you to scan your card credentials into a mobile device so you could pay with your phone. However, according to one senior computer security expert, criminals can use JackLess to scan strangers' cards and then make contactless purchases with their details.

"On the Skytrain during the afternoon rush hour, we're certainly close enough to each other that I wouldn't notice if somebody tapped my wallet," says Chester Wisniewski, a Vancouver-based senior security adviser for security firm Sophos.

But before you panic, know there are limits to such a crime's effectiveness, and there are some steps you can take to protect your card.


The fraud will only go so far
Tap-and-pay cards use near field communication (NFC) technology, which is sometimes called the grandchild of Radio Frequency Identification (RFID) technology. RFID is the umbrella term for communications that use radio signals to identify objects. Other kinds of RFID, such as the tag in a Nexus Pass, work at a much greater distance than NFC, which must be within a few centimetres of the terminal to work.

"A criminal can't sit with a parabolic dish in a van and just read everyone's credit cards as they drive by," says Wisniewski. "If I want to use my card at a tap-and-pay terminal, I almost have to be touching the reader for it to go through and a criminal would need to do the same thing if they wanted to copy the tap-and-pay data from your card."

Additionally, JackLess can't pick up the three-digit Card Verification Value (CVV) code located on the back of your card, which a thief would need for most online purchases. Each card has three CVV components: the 3-digit number on the back, one in the magnetic stripe and one inside the NFC chip. Though a criminal using JackLess could get the CVV code from the NFC chip, it would only be good for one transaction.

"That third CVV component changes every time you use your card's tap-and-pay capability," says Wisniewski. "What that means is, if a criminal were to copy your card's contactless payment information, at best they're only going to be able to use it for one fraudulent transaction because the next time you tap the card, that CVV number will change and render the criminal's information useless."

So not only does a thief have to get close to you to scan your card, but they also have to beat you to the store to use it. Plus, liability for fraudulent purchases with tap-and-pay does not usually fall on consumers, so even if you happen to be unlucky enough for all the factors to come together and fall victim to fraud, you won't be on the hook. And you won't be too much out of pocket in the meantime, as contactless transactions have limits, usually $50-$100, Wisniewski says.

In addition to a transaction limit, Interac Flash sets a limit on how many contactless payments can actually be made per day, and once that limit is reached, you (or a fraudster) won't be able to make any more purchases without entering your PIN.
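To make the "good for one transaction" point concrete, here is a toy issuer-side model added as an illustration; it is not code from the article, Sophos or any card network. The per-tap code is derived from a simple counter with an HMAC, the $100 tap limit and the five-taps-per-day figure are assumed values, and the card number is a constructed test number.

```python
# Toy model (added illustration) of why a skimmed contactless copy is good for
# at most one purchase: every tap advances a counter, the per-tap code depends on
# that counter, and the issuer refuses anything older than the last tap it saw.
# Simplification/assumption: real EMV cards use an application transaction
# counter plus a cryptogram, not the bare HMAC shown here.
import hmac, hashlib
from dataclasses import dataclass, field

KEY = b"issuer-demo-key"   # constructed demo key, not a real issuer key
TAP_LIMIT = 100            # assumed per-transaction contactless limit ($)
DAILY_TAP_LIMIT = 5        # assumed contactless taps per day before a PIN is required

def dynamic_cvv(card_number: str, counter: int) -> str:
    """Per-tap code: derived from the tap counter, so it changes on every tap."""
    mac = hmac.new(KEY, f"{card_number}:{counter}".encode(), hashlib.sha256)
    return mac.hexdigest()[:6]

@dataclass
class Card:
    number: str
    counter: int = 0
    def tap(self) -> dict:
        """What any reader (a terminal or a nearby phone) gets from the card."""
        self.counter += 1
        return {"number": self.number, "counter": self.counter,
                "cvv": dynamic_cvv(self.number, self.counter)}

@dataclass
class Issuer:
    last_counter: dict = field(default_factory=dict)
    taps_today: dict = field(default_factory=dict)
    def authorize(self, data: dict, amount: int, pin_entered: bool = False) -> str:
        n = data["number"]
        if data["cvv"] != dynamic_cvv(n, data["counter"]):
            return "declined: bad code"
        if data["counter"] <= self.last_counter.get(n, 0):
            return "declined: stale data (replay)"   # the card has tapped since
        if amount > TAP_LIMIT and not pin_entered:
            return "declined: over contactless limit"
        if self.taps_today.get(n, 0) >= DAILY_TAP_LIMIT and not pin_entered:
            return "declined: PIN required"
        self.last_counter[n] = data["counter"]
        self.taps_today[n] = self.taps_today.get(n, 0) + 1
        return "approved"

def skim_scenario(owner_taps_first: bool) -> list:
    """A copied tap used twice, with or without the owner tapping in between."""
    card, issuer = Card("4111111111111111"), Issuer()   # constructed test number
    copied = card.tap()                                  # copy read by a nearby device
    results = []
    if owner_taps_first:
        results.append(issuer.authorize(card.tap(), 20))  # owner pays at a store
    results.append(issuer.authorize(copied, 20))          # copy used once
    results.append(issuer.authorize(copied, 20))          # copy used again
    return results
```

Running `skim_scenario(False)` shows the copy working exactly once, and `skim_scenario(True)` shows it rejected outright because the owner's next tap moved the counter past it.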

RFID shields
However, if tap-and-pay theft remains a concern, there's a simple way to defend yourself: RFID shields, which protect your NFC cards.

You can buy RFID shields such as the as-seen-on-TV Identity Stronghold Secure Sleeve, or you can pick one up at almost any store. These sleeves actually work, but Wisniewski says you don't need to spend $20 to protect your cards. "It's just a fine mesh of wire built into them that blocks the radio signals and if you're cheap you can line your wallet with aluminum foil and it works just as well," he says.

Still, Wisniewski doesn't believe this kind of fraud is a big enough problem to invest in such a shield. He says that no RFID shield will protect against the more sophisticated tap-and-pay crimes that the RCMP says are on the rise. "If you're paranoid about this kind of thing then, yeah, an RFID shield does work, but today the crime is more around [physically] stolen cards, and I suspect we're going to see more tampering with PIN pads as time goes on, so that multiple tap-and-pay card credentials can be captured," he says.

If you really believe that contactless payment capability creates more of a liability than a convenience, you can simply ask your bank to issue you a card without an NFC chip.



Published November 20, 2015
