Contactless payments – researcher intercepts card data from a metre away

library
crime | hacking | security

Your mission, should you choose to accept it, is to intercept contactless payment data at distances of up to 90cm using a backpack, shopping trolley, and a small antenna.

Mission: Impossible?

Apparently not, according to a paper published by the Institute of Engineering and Technology on Tuesday.

University of Surrey researcher, Thomas P Diakos, created an inexpensive receiver, small enough to fit into a backpack, using the above items along with other off-the-shelf electronics. Using this equipment he was able to eavesdrop on cards at distances of 20 – 90 centimetres, maintaining good reception at up to 45cm – despite the fact that one of the main security features of contactless cards is a requirement not to transfer payment data in excess of 10cm from a reader.

Lead academic supervisor Dr Johann Briffa said:

The results we found have an impact on how much we can rely on physical proximity as a security feature. The intended short range of the channel is no defence against a determined eavesdropper.

Contactless payments, utilising Near Field Communication (NFC) technology, are becoming increasingly popular in many parts of the world.

They allow consumers to make low-value purchases (up to £20 in the UK, for example) merely by holding their card near to a reader.

By eliminating the need for a PIN number to be entered, such a payment method allows for extremely quick purchases, something that those with hectic lifestyles undoubtedly appreciate.

There are, however, some security concerns about contactless payments, with ‘skimming‘ being an obvious mode of attack.

In April a survey showed that 45% of the respondents were either totally against the introduction of NFC or, at the least, unsure about using it as a payment method.

Of those who did not want the technology to be introduced, 59% cited security concerns. Such results may have been influenced by a Channel 4 report in March which showed a standard mobile phone could be easily adapted to acquire a limited data set by simply coming into close proximity with a bank card.

Even with this small amount of data – the cardholder’s name, the long card number and expiry date – a criminal could still make fraudulent purchases from some companies, though a UK Cards Association spokesman did tell Naked Security that:

There are already additional layers of security in place to prevent the use of a card number and expiry date, such as PIN and the card security code (the three-digit number found on the back of cards), which cannot be harvested electronically. The vast majority of online retailers require the card security code, along with the cardholder’s address, and all have robust security checks in place to protect both their business and their customers from fraud.

Fraud related to contactless card payments appears to be small in comparison to their non-contact counterparts though. The UK Cards Association said that at the end of 2012 the levels of fraud on contactless cards were negligible at just £13,700. This compares with non-contactless losses of £55m.

The association also highlighted how cardholders are protected should the worst happen:

In the case of any fraud using a contactless card, consumers are protected against loss – they will not be liable for any fraudulent use.

The trade association for the card payments industry in the UK also played down the University of Surrey’s findings, saying that:

Instances of fraud on contactless cards are extremely rare. Although the sort of contactless card reader built by the University of Surrey might be able to interrogate a card, any data obtained would be limited to the card number and expiry date that can be seen on the front of the card. A fraudster would find it very difficult to make a fraudulent transaction using this information – and it certainly could not be used to make a cloned card.

Meanwhile, those at the University of Surrey are set to continue their work, saying that future experiments will look into how ‘wave-and-go’ cards can be cracked and how the uncovered data could be used by criminals.