I was recently issued with a contactless payment card by my bank, and I’ll be frank: I’ve been dubious about the security of such cards, or indeed any Near Field Communication (NFC) systems. As I have been working with a client in London, the security of my payment card came to the fore, as Transport for London have started offering the option to pay on the Tube (our local underground system) using such a card instead of their proprietary Oyster card.
I like the Oyster card: it’s quick and simple, and I only have to wave the card over the card reader for it to register and debit the payment. The difference between an Oyster card and my debit card, however, is that the Oyster card can only be used to pay for transport in London, and I can go online and check all of my transactions, which are in turn taken from my credit card. In short, the use of the card is limited and I can easily stop its use by removing the payment method.
With the contactless payment card, however, payment can be anonymous and there is no easy way to track your payment online. It wasn’t too long before TfL had managed to take a payment from my debit card rather than my Oyster card. TfL actually recommend keeping the cards separate so that payment isn’t taken from the wrong card, but doesn’t that defeat the point of these cards being easy and simple to use?
Your money is safe, isn’t it?
The banks all state that they will refund any money that has been fraudulently taken, and that you must enter a PIN every so often to validate that you still have possession of the card. I have never used my debit card for contactless payment, other than that one inadvertent (and in my view therefore fraudulent) debit by TfL, which means that there is huge potential for the card to be debited without my permission and without any checks taking place. The suggestion that only small sums can be taken (a maximum of £20 per transaction) is also ludicrous: that is not an insignificant sum, and it can build up over a day if someone steals the card from you, or, as can be seen below, simply reads your card.
In addition, if money has been taken fraudulently, you must then contact the bank and complete a form before you get your money back. In the case of TfL, I complained and there was an immediate response, but it still took an hour of my time to chase it up once I had realised what had happened and a couple of days before the refund came through.
By this point I had had enough, and if the danger of unintentionally paying for something yourself isn’t enough, consider this: there are free apps available for mobile phones which can read your card. It doesn’t take someone too long to create an app which will allow them to read your card through your coat pocket on a crowded Tube train, then play it back over NFC to start taking sums of money out of your account anonymously.
Don’t believe me? Read on…
Disabling your card
There are ways to disable your contactless payment card, and whilst the banks dissuade you from doing so, it’s fairly easy, if you know how to do it. The NFC system connects the chip on your card to an antenna: a loop of fine wire that runs round the edge of the card. The card has no battery; the reader’s low-power radio field both powers the chip through that loop and carries the data, which is what allows a reader to query the card and take a debit without a PIN. The solution, therefore, is to use a scalpel to cut a thin line about 5mm into the card, severing the loop. The difficulty is choosing where to cut.
As you can see, I had several attempts to cut the wires, but in the end, at least for a NatWest card, the solution was the cut closest to the chip:
If you can scan it, so can anyone else…
How do I know that it worked? As I mentioned earlier, it was very easy to find a card reader app for my phone, so after first checking that it could read the card by holding it over the phone before I had severed the wires, I repeated the cut-and-scan until the card could no longer be read. The app in question, in case you want to check what data can easily be read from your debit card, is the Android EMV Paycard Reader.
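What such an app actually gets back from the card is worth seeing in detail. The following is an added example, not the EMV Paycard Reader’s code: a BER-TLV decoder (the encoding EMV cards use for every response) run over two responses of the kind a reader receives when it selects the payment environment and reads the first record of the application. Both byte strings are constructed for illustration, with a standard test PAN, and are not captured from a real card; the tag names are those defined in the EMV specification.

```python
"""Decode the BER-TLV data an EMV contactless card returns to any reader in range.

Added example, not the reader app's code.  PPSE_RESPONSE and RECORD_RESPONSE are
constructed to look like a SELECT PPSE reply and a READ RECORD reply; they are not
captured from a real card (4111 1111 1111 1111 is a standard test PAN).
"""
from typing import List, Optional, Tuple

TLV = Tuple[str, bytes, list]  # (tag as upper-case hex, raw value, parsed children)

# Constructed SELECT "2PAY.SYS.DDF01" reply: FCI template listing one Visa AID.
PPSE_RESPONSE = bytes.fromhex(
    "6F2F"                                  # 6F  FCI template
    "840E325041592E5359532E4444463031"      # 84  DF name "2PAY.SYS.DDF01"
    "A51D"                                  # A5  FCI proprietary template
    "BF0C1A"                                # BF0C FCI issuer discretionary data
    "6118"                                  # 61  application template
    "4F07A0000000031010"                    # 4F  AID (Visa credit/debit)
    "500A56495341204445424954"              # 50  label "VISA DEBIT"
    "870101"                                # 87  priority indicator
)

# Constructed READ RECORD reply: the record that carries the card's own details.
RECORD_RESPONSE = bytes.fromhex(
    "703B"                                  # 70  record template
    "5A084111111111111111"                  # 5A  PAN
    "5F2403171130"                          # 5F24 expiry YYMMDD
    "57134111111111111111D171120100000000000000"  # 57 track 2 equivalent data
    "5F200F43415244484F4C4445522F54455354"  # 5F20 name "CARDHOLDER/TEST"
    "5F340101"                              # 5F34 PAN sequence number
)


def parse_tlv(data: bytes) -> List[TLV]:
    """Parse BER-TLV (EMV Book 3, Annex B) into a list of (tag, value, children)."""
    out: List[TLV] = []
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # padding between data objects
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:             # multi-byte tag: continue while bit 8 set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        if i >= len(data):
            raise ValueError(f"missing length for tag {tag}")
        length = data[i]
        i += 1
        if length & 0x80:                    # long form: 0x8N then N length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        i += length
        children = parse_tlv(value) if first & 0x20 else []   # bit 6: constructed
        out.append((tag, value, children))
    return out


def find(tlvs: List[TLV], tag: str) -> Optional[bytes]:
    """Depth-first search for the first occurrence of a tag."""
    for t, value, children in tlvs:
        if t == tag:
            return value
        hit = find(children, tag)
        if hit is not None:
            return hit
    return None


def decode_track2(value: bytes) -> dict:
    """Track 2 equivalent: PAN, 'D' separator, YYMM expiry, service code, F padding."""
    digits = value.hex().upper().rstrip("F")
    pan, rest = digits.split("D")
    return {"pan": pan, "expiry_yymm": rest[:4], "service_code": rest[4:7]}


def mask_pan(pan: str) -> str:
    """Keep BIN and last four digits, as a receipt would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def summarise(ppse_rsp: bytes, record_rsp: bytes) -> dict:
    """Everything a reader learns from one SELECT and one READ RECORD, with no PIN."""
    ppse, rec = parse_tlv(ppse_rsp), parse_tlv(record_rsp)
    track2 = decode_track2(find(rec, "57"))
    return {
        "aid": find(ppse, "4F").hex().upper(),
        "label": find(ppse, "50").decode("ascii"),
        "pan": find(rec, "5A").hex().upper().rstrip("F"),
        "track2_pan": track2["pan"],
        "expiry": find(rec, "5F24").hex(),          # YYMMDD
        "expiry_yymm": track2["expiry_yymm"],
        "service_code": track2["service_code"],
        "name": find(rec, "5F20").decode("ascii").strip(),
    }


if __name__ == "__main__":
    info = summarise(PPSE_RESPONSE, RECORD_RESPONSE)
    info["pan"] = mask_pan(info["pan"])
    info["track2_pan"] = mask_pan(info["track2_pan"])
    for key, val in info.items():
        print(f"{key:14} {val}")
```

Run as-is it prints the application label, the (masked) card number, the expiry date and the cardholder name; swap in bytes captured with a reader library such as pyscard and the same decoder applies. Note what is and is not in the exchange: the PAN and expiry are handed over in clear to anyone who powers the antenna, but the three-digit code printed on the back of the card is not part of the chip data.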
In the case of my bank, I asked them explicitly to send me a card without the NFC functionality, and I strongly recommend that you do too. The card pictured above is now in tiny shreds somewhere in a landfill. Unfortunately I also know that some UK banks, and certainly banks in other countries, do not offer this facility, so the only solution is the one above.
I’m sure many will say that contactless payment cards are quick and convenient, but between typing in a PIN and the exponential risk (and hassle) of fraudulent or inadvertent debits from your bank, I’ll choose the current method of entering my PIN any day.
Researchers at Newcastle University have recently uncovered a related flaw in contactless payment cards. By using a mobile phone as an EPoS (Electronic Point of Sale) terminal, scammers can take huge sums in a foreign currency from a contactless payment card in one transaction, without the PIN, because the transaction limit is only enforced for transactions in the card’s home currency.
Admittedly, it is likely that the Falcon fraud prevention system used by most major banks would flag such huge transactions and block them, but the premise that your payment card can be scanned using a hand-held device and then used to rapidly drain your bank account is a viable one.
Source: BBC News, https://www.bbc.co.uk/news/uk-england-tyne-29862080