How Safe Are Contactless Cards?

The world is starting to become more convenience-driven as we approach new frontiers in technological development for consumers. This trend has been more pronounced ever since banks started issuing contactless debit cards in 2008. Fast forward to the year 2014, and some banks are even shoving these cards at people without giving them the chance to keep their old chip-only cards. This quasi-forced shift in technology has had many people worried. When worries start manifesting, it’s time for MTE to respond!

The new contactless system for cards actually isn’t new. On high-value items in shops, you’ll sometimes find stickers that, when you peel them off, reveal a wire running in a square-shaped spiral. You’ve likely seen one. Here’s an image of the rear side:

[Image: rear side of an RFID sticker]

This sticker is used for theft detection. Its mechanism is very simple. The wires you see are a radio frequency identification (RFID) antenna that sends a very weak radio signal. Two or more RFID “gates” stand at the store’s exit (shown below). When they query the item you’re carrying, they read its radio signal to identify whether it’s been purchased or stolen, and sound an alarm when something is wrong.

[Image: RFID gates at a store exit]

Contactless cards operate using the same concept, except they’re not detecting theft. They’re broadcasting data to a reader, which processes the payment using the financial credentials that the card offered. The signal, however, is so weak that the card must be within five centimeters (roughly 2 inches) of the reader to communicate.

If you’re broadcasting your financial information, isn’t that insecure? Many people worry about the fact that their cards now have RFID antennas that can be communicated with at any moment. The potential for theft is a bit problematic if that’s all the information you have.

Banks are aware of the risks they are putting their customers through, and have decided to roll out their contactless systems with a couple of measures in place. The first measure is one you’ve already read about earlier in the article, which involves making the card send a signal weak enough that it requires very close proximity with a reader to make a payment. This means that no other device farther than five centimeters (again, two inches) away from the card can actually understand what information the card is sending.

The second measure involves limiting the card’s technology to make only small-ticket payments. In the UK, contactless cards can’t make purchases larger than 20 British pounds (GBP). In the US, it depends on the card issuer, but it’s generally limited to $50. Each country has a limit according to the average wealth of the citizen. Romania, for example, limits these purchases to roughly $20-25 per item (100 RON).

Limiting the payment amount reduces what the bank loses when it has to cover liabilities caused by undue purchases (such as those made during a theft or a clerical error).

With all of the banks pushing towards a contactless model, are the safeguards they placed enough?


Although it is in the interest of both the bank and the consumer to keep payments secure, there are still many reasons to think that the banks issuing contactless cards may have jumped the gun with their decision. The introduction of this technology may bring in risks that outweigh the convenience these cards provide in the first place. Among them:

  • A thief may still use a reader of his own to effect micro-payments of random amounts under the card issuer’s limit. All the thief has to do is bump into his victim, and he has suddenly stolen a small amount of money from that person. Women carrying purses and men carrying messenger bags are the most likely targets, since the location of the card is more obvious.
  • Lazier (but more intelligent) thieves can put readers in locations that people lean on most often, favoring the side that a purse is typically carried on. For example, a thief may put an innocuous box containing a card reader near a support column in an airport and pull “fees” from the card that feed directly to the thief’s account.
  • A much more ambitious thief can record whatever information your card sent to duplicate it. At a later point in time, perhaps weeks later, that thief can create a cloned version of your card with your own RFID signal. I don’t think I need to tell you what kind of problems you’ll be having if this happens.

Aside from intentional theft, there’s also the possibility of accidental theft. For example, if you put your card close to a reader with the intention of making a chip-based payment (the old-fashioned kind), you may end up doing the transaction twice. If you have multiple cards in a wallet and decide to lazily put your wallet in front of a reader, the wrong card can be read or more than one card will be charged.

There’s one surefire way to protect your contactless card: Get an RFID-blocking wallet. There are many out there, but some of them might be phony. Be sure to check reviews and see if people have tested it, then test it yourself. Put your contactless card inside your wallet and hold it close to a reader. If the reader makes a transaction, the wallet is not authentic.

You either get an RFID-blocking wallet or you watch every step you take to make sure you don’t come across some reader that might steal your money.

Contactless cards are relatively safe (for the moment). However, I wouldn’t turn off the alarm just yet. There are many concerns that haven’t been addressed, some that weren’t even mentioned here. If you feel like you have something to share about this new technology, feel free to leave a comment below!