So … the Payment Monkey has been quiet again. It’s not because there is nothing to write about, it’s because the Payment Monkey has to spend several hours a day riding in a big red car, and then has to spend more hours studying for a maths degree, which he is doing for fun. Tonight he is having a few hours off, and happened upon an article in Cards International; it was a free article, and after reading it, it was clear to the Payment Monkey that things that are given to you for free are generally worth every penny that you invest in them. You can read it for yourselves here.
Apparently, contactless cards are ‘highly susceptible’ to ‘e-pickpocketing’, and what’s more, the guys at Visa know this but are keeping very quiet. It seems that the public is being kept in the dark, as always, and unsuspecting cardholders are at risk from ‘surreptitious interrogation’, or so says a company specialising in the manufacture of RFID shielding contactless smartcard holders.
The article, short as it is, makes a number of points about the ease of data capture, all of which are true. However, the conclusion that the “stakes are as high as your credit limit” cannot be derived from the preceding truths.
Are we surprised that contactless cards can be read in passing? No, not really – they are designed to do just that. Are we surprised that they will give up their payment data easily? No, not really – they are designed to do just that. Are we surprised that the crims can use the skimmed data to generate counterfeit cards? Well yes, we are actually, even in the payments third world that is the US.
All transactions in the US are authorised online, and contactless transactions are secured using a dynamic Card Security Code (CSC), which can only be authenticated by the issuer host. The dynamic nature of the CSC means that data collected by the e-pickpocket will not be authorised if replayed in front of a Point of Sale device, and a magstripe card built from the skimmed data won’t work either, though I have to admit that there is an outside chance of lining up the numbers, as the CSC is only three digits long. However, in the developed world, EMV security means that this outside chance actually becomes a non-starter.
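To show why a replayed skim fails, here is an added example (not from the article or any card scheme) of a deliberately simplified dynamic CSC model: the card derives a three-digit code from its transaction counter under a key only the issuer host shares, and the issuer rejects any counter it has already authorised. The derivation, the PAN and the key are constructed for the demo and do not reflect any real scheme's algorithm.

```python
import hashlib
import hmac

# Simplified model, not any scheme's real derivation: the card MACs its PAN
# and transaction counter (ATC) under a card-unique key and truncates the
# result to the three digits carried in the CSC field.
def dynamic_csc(card_key: bytes, pan: str, atc: int) -> str:
    msg = f"{pan}:{atc:05d}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class Card:
    """Contactless card: every read, legitimate or not, uses a fresh counter."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0

    def read(self) -> tuple:
        self.atc += 1
        return (self.pan, self.atc, dynamic_csc(self.key, self.pan, self.atc))


class Issuer:
    """Issuer host: the only party holding the card key, hence the only one
    able to authenticate the CSC; it also tracks the highest counter seen."""
    def __init__(self):
        self.cards = {}  # pan -> [key, highest ATC authorised so far]

    def enrol(self, pan: str, key: bytes) -> None:
        self.cards[pan] = [key, 0]

    def authorise(self, pan: str, atc: int, csc: str) -> str:
        if pan not in self.cards:
            return "DECLINE unknown card"
        key, last_atc = self.cards[pan]
        if atc <= last_atc:
            return "DECLINE counter already used"   # replay of old data
        if not hmac.compare_digest(csc, dynamic_csc(key, pan, atc)):
            return "DECLINE bad CSC"                # altered or forged data
        self.cards[pan][1] = atc
        return "APPROVE"


def demo() -> list:
    """Constructed scenario: a read in passing, then the cardholder's own
    purchase, then an attempt to replay the passively read data."""
    issuer = Issuer()
    card = Card("4000000000000002", b"constructed-demo-key")  # constructed
    issuer.enrol(card.pan, card.key)
    skimmed = card.read()                 # e-pickpocket reads the card
    purchase = card.read()                # cardholder taps at a shop
    return [issuer.authorise(*purchase),  # APPROVE
            issuer.authorise(*skimmed)]   # DECLINE counter already used
```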
The fact that the crim can read the cards and extract the data easily does not mean that the data can be used, and it can’t. The guys from the “Credit Card companies” are absolutely right – but then the guys from the credit card companies are not selling card safety-sleeves to gullible cardholders.
The easiest way to prevent the crims reading your contactless card is already available, and usually at no extra cost. It is an inevitable consequence of progress, and it is already being implemented by the card issuers. The fact is that whilst the first card you receive might be readable, once you have been issued with a second card, providing you keep them together, the crims will have as much difficulty reading them as they would have if you spent loads of money wrapping them in an expensive cow-skin Faraday cage. This is clearly evident if you have ever tried to use a contactless card without first taking it out of your wallet, if your wallet contains more than one contactless card. The best way to secure a contactless card, short of frying it in the microwave, is to keep it next to another contactless card.