Contactless payment security, concerns and considerations

As new research raises concerns that crooks could bypass the £30 limit on certain contactless cards, we take another look at whether the technology really is as safe as banks claim, and how you can keep yourself safe.

Contactless payment limit 'could be bypassed'

Criminals could be able to skip the £30 payment limit imposed on Visa contactless cards, a security firm has warned.

Positive Technologies claims that a Visa vulnerability allowed them to bypass the limit on cards with 'five major UK banks'.

The limit, which increased from £20 to £30 in 2015, was put in place to ease concerns that crooks would be able to steal huge sums from bank cards without any need for verification.

You can read more detail about how the hack works in the link above but, in short, it's a 'man in the middle attack': the researchers used a device to intercept communications between a payment terminal and the Visa contactless card being used, tricking the card into thinking that verification isn't needed while telling the terminal that verification has already been provided.
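To make that exchange concrete, here is an added illustration (not code from the article or from Positive Technologies) of the two mismatched messages and of an issuer-side consistency check that would catch them. The message fields, the key shared between card and issuer, and the £30 limit expressed as 3000 pence are modelling assumptions, not real Visa or EMV formats.

```python
"""Constructed model of the bypass described above plus an issuer-side check.
Field names, the limit and the key are illustrative assumptions, not EMV/Visa formats."""
import hmac
import hashlib

LIMIT_PENCE = 3000                   # the £30 limit quoted in the article
CARD_KEY = b"constructed-demo-key"   # stands in for a key shared by card and issuer


def _mac(amount_pence, cvm_performed):
    payload = f"{amount_pence}|{int(cvm_performed)}".encode()
    return hmac.new(CARD_KEY, payload, hashlib.sha256).hexdigest()

def card_respond(amount_pence, terminal_says_cvm_required):
    """Card: performs verification only if asked, then MACs what it actually did."""
    cvm_performed = terminal_says_cvm_required
    return {"amount": amount_pence, "cvm_performed": cvm_performed,
            "mac": _mac(amount_pence, cvm_performed)}

def terminal_authorise(amount_pence, card_reply, terminal_saw_verification):
    """Terminal: forwards the card reply plus its own, unauthenticated, claim."""
    return {"amount": amount_pence, "card": card_reply,
            "terminal_claims_verified": terminal_saw_verification}

def issuer_check(request):
    """Issuer: trust only the MAC'd card fields; decline when the terminal's claim
    of verification disagrees with what the card itself reports."""
    card = request["card"]
    if not hmac.compare_digest(_mac(card["amount"], card["cvm_performed"]), card["mac"]):
        return "decline: card data tampered"
    if card["amount"] != request["amount"]:
        return "decline: amount mismatch"
    if card["amount"] > LIMIT_PENCE and not card["cvm_performed"]:
        if request["terminal_claims_verified"]:
            return "decline: terminal reports verification the card never performed"
        return "decline: over limit without verification"
    return "approve"

def honest_flow(amount_pence):
    needs_cvm = amount_pence > LIMIT_PENCE
    reply = card_respond(amount_pence, needs_cvm)
    return issuer_check(terminal_authorise(amount_pence, reply, needs_cvm))

def tampered_flow(amount_pence):
    """The exchange described in the article: the card is told no verification is
    needed while the terminal is told it was provided; the MAC'd fields expose the gap."""
    reply = card_respond(amount_pence, terminal_says_cvm_required=False)
    return issuer_check(terminal_authorise(amount_pence, reply, True))
```

The check only works because the card's own view of the transaction is authenticated; a terminal-side flag alone can be rewritten by whatever sits between card and terminal.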

Visa told Forbes, which broke the story, that it would not be updating its systems as it wasn't a scalable fraud.

“One key limitation of this type of attack is that it requires a physically stolen card that has not yet been reported to the card issuer,” a Visa spokesperson told Forbes.

Tim Yunusov, head of banking security at Positive Technologies, commented on his firm's findings: "While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers."

It's worth stressing that there have as yet been no actual examples of criminals bypassing the limits; it's merely one firm warning about the possibility.

While this potentially raises the risk of having far bigger sums withdrawn from certain cards – especially as the contactless technology can on occasion keep working long after a card is reported stolen – it's worth noting that it's not quite as easy to steal cash from a contactless card as many would believe.

The rest of this article, which was first published last year, runs through some of the most common security concerns and myths that surround contactless payments to help you stay better informed.

It's VERY difficult to steal directly from a contactless card

Many banks and consumers assume that contactless fraud is where money is stolen from your contactless card directly.

It's a theory seemingly backed up on social media every few months with images (as below, from Tumblr) and warnings posted of supposed fraudsters carrying Chip & PIN machines, stealing from seemingly oblivious members of the public.

While this sounds, in principle, like a valid concern, it would be incredibly difficult for criminals to operate such a machine without being noticed almost immediately.

There are myths about how easily contactless card fraud can be carried out (Image: Tumblr)

Chip & PIN machines need to be registered with a payment vendor and linked to a bank account before they can be used to charge cards – like how you need to register your mobile phone’s SIM card with a network before you can make a call.

Since every transaction is monitored for fraudulent activity, and applying for such a device is a lengthy process with many safeguards to stop fraudulent uses, it’d be incredibly risky for any criminal to do this without drawing an incredible amount of attention to themselves.

Contactless “skimming” is a fraud risk

Contactless payment fraud image (Image: Shutterstock)

While there may be no hard evidence of contactless-based fraud, this doesn’t take into consideration whether card details are stolen via contactless for later use – better known as “skimming”.

Using widely available technology, or even a smartphone app, criminals can wirelessly read data from your contactless card without charging you a penny.

In most cases, the data includes the full 16-digit card number, the card type (Visa, MasterCard, or similar), the issuing bank, the expiry date, the card owner’s name, and in some cases (worryingly) a mini bank statement listing recent transactions.

With this data, it’s possible for criminals to create a cloned card with the original card details for use at older ATMs, shops, or even websites with poor security checks.

Alternatively, they could simply collect thousands of card details with the intention of selling them on to the highest bidder.

As there’s no financial transaction taking place, there’s no record of how many times it’s been read wirelessly, where it was read, by whom, and what their motive was.

Lost and stolen cards CAN still work months after cancelling

Contactless card fraud: hackers can use cancelled cards (Image: Shutterstock)

When contactless payments were first rolled out, concerns were raised about pickpockets and thieves being able to use a stolen card, without verification, to make high-value purchases.

Reporting a card lost or stolen, and immediately reporting any suspicious activity on your bank statement, should theoretically block that card from being used fraudulently.

However, there have been mixed reports from members of the public that their cards continued to work long after being reported as lost or stolen.

Banks have complex security measures in place to detect fraudulent contactless transactions, but consumers should keep an eye on their bank statements and flag transactions they don’t recognise immediately – even if the card has been cancelled.

You should also keep an eye on your credit report for suspicious transactions.

What about Apple Pay and Google Wallet?

Apple Pay and Google Wallet: how safe are they? (Image: Apple, Google, loveMONEY)

When contactless payments first made their debut on smartphones, concerns were raised about the security of card details being stored on, and transmitted from, a smartphone.

The initial fear was that instead of a malicious person reading card details wirelessly from a wallet – which tends to reside in a limited number of secluded places, such as a pocket or a bag – they could read them from a phone – an item we tend to carry more publicly.

Fears surrounding this potential threat quickly subsided, however, as the technology was showcased to only work in the specific context of paying for goods.

In the case of Apple Pay, for example, card details are only transmitted when the phone detects a Chip & PIN machine that is requesting payment; the transaction requires either a passcode or a thumbprint to complete; and the 16-digit card number transmitted is semi-randomised per transaction.

These features give contactless payments via a phone another level of security in cases where the phone is either stolen, or a receipt is dropped at the point-of-sale terminal displaying the full card number.

Having said that, the Positive Technologies research mentioned at the start highlighted how mobile wallets could be vulnerable where a Visa card has been added.

"Here, it is even possible to fraudulently charge up to £30 without unlocking the phone," the firm claimed.

Keep yourself safe from contactless fraud

Contactless payments offer a convenient way for consumers to pay for goods but, like most technology, come with a handful of security concerns that everyone should be aware of, without being scared of them.

With that in mind, here are some top tips to help keep yourself safe from contactless-based fraud:

  • RFID-blocking wallets, or a few sheets of thick tinfoil, will block any wireless signal from leaving your wallet without your knowledge;
  • Some banks offer non-contactless cards to their customers, but you have to ask. Contactless is very much the standard-issue these days;
  • Using systems like Apple Pay and Google Wallet gives an extra level of security when paying, and they don’t transmit your card details without your consent;
  • Report any cards that are lost or stolen immediately to your bank, and keep an eye on your bank statement for suspicious transactions.
