Are Contactless Payment Cards Tickets to Wholesale Fraud?
Modernizing Authentication — What It Takes to Transform Secure Access
With today's magnetic-stripe credit cards, you at least know who you have given your card to.
To use your account, thieves must get their hands on your card; or, if they gain access to online records, they have to get not only your credit-card number, but also its expiration date (and more recently, the authorization code on the card back).
However, the new "contactless" payment systems present new opportunities for fraudulent activity that are far less obvious than with mag-stripe cards.
A thief need not have possession of a victim's contactless card in order to capture all the relevant information. He or she only has to intercept the data during the wireless connection between the card and a point-of-sale system.
The thief doesn't even need to decrypt the contents. It's enough to extract the encrypted data and use that in a transaction.
And to read the encrypted data, one only needs to get in reasonably close proximity to the victim. Contactless radio signals are very short range, but can be picked up from three to six feet. A thief can simply "walk by" the victim.
Proximity or "contactless" cards are used exclusively in physical locations which, not coincidentally, is where the majority of credit-card fraud occurs.
Worse, the majority of fraud is perpetrated by employees; by insiders, whose access to cards and ingenuity in misappropriating data are a deadly combination.
Small mag-stripe readers are easily "palmed," for example, so the employee can simultaneously process a legitimate credit-card payment on a POS system and store the card's data for illicit use later on.
This method is simple and reasonably covert with just a little sleight-of-hand practice.
Credit-card fraud has never been a difficult crime to commit at the point of payment.
So how can the "contactless payment card" be compromised? Not quite as easily as a mag-stripe.
As advocates point out, contactless-card data is protected with 128-bit triple-DES encryption.
But these new technology cards present some new opportunities that didn't exist before.
For example, take a full-service restaurant where the bill is presented to the customer at the table. What if the waiter has a mini "contactless" reader in his pocket?
Such a device could read a card anywhere in reasonably close proximity; it need not even be from someone at the particular table that he is cashing out.
Next Page: Waiter on a mission?