Are Contactless Payment Cards Tickets to Wholesale Fraud?

By Jeff Chasney  |  Posted 08-18-2005 Print Email
Opinion: Contactless systems that let customers wave a keyfob or credit-card over a reader to make a purchase are convenient, but the capacity for fraud, especially from insiders, is mind-boggling, according to Jeff Chasney, CIO of CKE Restaurants.
Do you know who has been contacting your "contactless payment card," or those of your customers? You may not.

With today's magnetic-stripe credit cards, you at least know who you have given your card to.

To use your account, thieves must get their hands on your card; or, if they gain access to online records, they have to get not only your credit-card number, but also its expiration date (and more recently, the authorization code on the card back).

However, the new "contactless" payment systems present new opportunities for fraudulent activity that are far less obvious than with mag-stripe cards.

A thief need not have possession of a victim's contactless card in order to capture all the relevant information. He or she only has to intercept the data during the wireless connection between the card and a point-of-sale system.

The thief doesn't even need to decrypt the contents. It's enough to extract the encrypted data and use that in a transaction.

And to read the encrypted data, one only needs to get in reasonably close proximity to the victim. Contactless radio signals are very short range, but can be picked up from three to six feet. A thief can simply "walk by" the victim.

Proximity or "contactless" cards are used exclusively in physical locations which, not coincidentally, is where the majority of credit-card fraud occurs.

Worse, the majority of fraud is perpetrated by employees; by insiders, whose access to cards and ingenuity in misappropriating data are a deadly combination.

How Safe Are the New Contactless Payment Systems? Click here to read more.

Small mag-stripe readers are easily "palmed," for example, so the employee can simultaneously process a legitimate credit-card payment on a POS system and store the card's data for illicit use later on.

This method is simple and reasonably covert with just a little sleight-of-hand practice.

Credit-card fraud has never been a difficult crime to commit at the point of payment.

So how can the "contactless payment card" be compromised? Not quite as easily as a mag-stripe.

As advocates point out, contactless-card data is protected with 128-bit triple-DES encryption.

7-Eleven's CIO: Contactless Payment Is Here Click here to read more.

But these new technology cards present some new opportunities that didn't exist before.

For example, take a full-service restaurant where the bill is presented to the customer at the table. What if the waiter has a mini "contactless" reader in his pocket?

Such a device could read a card anywhere in reasonably close proximity; it need not even be from someone at the particular table that he is cashing out.

Next Page: Waiter on a mission?



 

Submit a Comment

Loading Comments...
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date