Contactless payments using cards and mobile devices now drive a significant share of global commerce. But security flaws in contactless technology are leaving the doors wide open to fraudsters, claim two London-based researchers.
In the UK, one in five payments is now made by contactless cards or mobile devices, with the share of contactless due to rise to 40 percent of all payments by 2028.
In China, the world leader in digital payment technology, around half of in-person spending already takes place using mobile digital wallets.
According to the banking industry, contactless fraud is a relatively small problem, and it’s one that’s getting smaller.
“Fraud using the contactless technology on payment cards and devices remains low, with £19.5 million of losses during 2018, compared to spending of £69 billion over the same period,” UK Finance, a bank-funded lobby group, said in a publication released earlier this year.
Payments giant Visa also downplays the significance of the issue, saying that its own contactless fraud rate in Europe declined by 40 percent from 2017 to 2018, even while the volume of contactless payments rose sharply.
UK Finance cites the additional security measures contained in a new European Union directive as another reason not to worry about contactless fraud.
“Bank systems are detecting fraudulent spending more quickly, combined with the £30 limit on individual contactless transactions,” UK Finance says.
“From September 2019, new rules (the EU’s second Payment Services Directive) will require a PIN once a customer’s total contactless payments exceed a cumulative value of roughly £130 (€150) or when five payments have been made,” UK Finance says.
But two security researchers, speaking at the Black Hat Europe 2019 conference in London on December 4, painted a much darker picture of contactless payment risks.
According to Leigh-Anne Galloway and Tim Yunusov of Positive Technologies, the main technical standard for contactless card or mobile device payments is inherently flawed. This standard, called EMV, was developed jointly by Europay, Mastercard and Visa.
First, said Galloway and Yunusov, it is possible to bypass the cardholder verification limits for contactless payment cards, such as the £30 payment limit in the UK.
The attack, which involves changing the information exchanged—in the form of a digital token or ‘cryptogram’—between the contactless device and the card reader, also works against mobile wallets, and even if the cell phones are locked, they said.
“We tested three different versions of Visa’s cryptograms, twelve Visa cards issued by banks from around the world and only two banks blocked our attempts to make payments for between £31 and £100,” said Yunusov.
Second, said the security researchers, it’s possible to reuse the information exchanged between the contactless payment device and the payment terminal so as to make multiple payments for the same amount.
“We reused the same cryptogram twelve times to make payments of the same amount from the same bank,” said Yunusov.
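The two weaknesses described above (a cardholder-verification limit that the terminal-side data can be altered to bypass, and a cryptogram that can be replayed for repeat payments) are both things an issuer can refuse at authorization time, and the PSD2 counters quoted earlier (roughly £130 or five payments before a PIN is required) sit naturally in the same place. The following is an added illustration, not code from the researchers, Visa or any bank: it models the cryptogram as an opaque string and assumes the issuer can see whether the cardholder was verified for each transaction.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Limits quoted in the article; amounts are in pence to avoid float error.
NO_CVM_LIMIT = 30_00        # £30 per-transaction contactless limit (UK)
PSD2_CUMULATIVE = 130_00    # roughly £130 (€150) cumulative without a PIN
PSD2_MAX_COUNT = 5          # or five contactless payments, whichever comes first

@dataclass
class CardState:
    seen_cryptograms: set = field(default_factory=set)
    cumulative_pence: int = 0
    count_since_cvm: int = 0

class IssuerAuthorizer:
    """Hypothetical issuer-side checks; cryptograms are treated as opaque tokens."""
    def __init__(self):
        self.cards = defaultdict(CardState)

    def authorize(self, pan, amount_pence, cryptogram, cardholder_verified):
        s = self.cards[pan]
        # Replay: a cryptogram already accepted for this card is never honoured again.
        if cryptogram in s.seen_cryptograms:
            return "DECLINE_REPLAY"
        if not cardholder_verified:
            # Enforce the no-CVM limit at the issuer, not only at the terminal.
            if amount_pence > NO_CVM_LIMIT:
                return "DECLINE_CVM_REQUIRED"
            # PSD2 counters: require a PIN after about £130 or five payments.
            if (s.count_since_cvm >= PSD2_MAX_COUNT
                    or s.cumulative_pence + amount_pence > PSD2_CUMULATIVE):
                return "DECLINE_CVM_REQUIRED"
        s.seen_cryptograms.add(cryptogram)
        if cardholder_verified:
            s.cumulative_pence, s.count_since_cvm = 0, 0
        else:
            s.cumulative_pence += amount_pence
            s.count_since_cvm += 1
        return "APPROVED"

def run_demo():
    """Constructed transaction stream: replay, over-limit tap, then the PSD2 counter."""
    auth = IssuerAuthorizer()
    stream = [  # (amount in pence, cryptogram, cardholder verified?) -- constructed
        (25_00, "crypto-001", False), (25_00, "crypto-001", False),  # tap, then replay
        (45_00, "crypto-002", False),                                # £45 with no PIN
        (25_00, "crypto-003", False), (25_00, "crypto-004", False),  # cumulative £50, £75
        (25_00, "crypto-005", False), (25_00, "crypto-006", False),  # £100, £125 (5th tap)
        (10_00, "crypto-007", False), (10_00, "crypto-007", True),   # 6th refused; PIN ok
    ]
    return [auth.authorize("CARD-A", a, c, v) for a, c, v in stream]
```

A declined transaction is deliberately not recorded as seen, so the same cryptogram presented again with a PIN (the last entry) is still accepted and resets the counters.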
Digital wallets on mobile phones and tablets, which are increasingly popular, present another type of security vulnerability, said the researchers.
“For small transactions [under the £30 contactless limit] an Android device simply needs to have an active screen. This makes it possible to carry out electronic theft from a victim’s wallet as long as near field communication is active on the device and the screen is active,” said Galloway and Yunusov.
“The screen can be activated by any number of methods. These methods can include requesting Bluetooth pairing, calling the phone, or pressing the volume keys,” they said.
What about the extra security steps brought in by Europe’s second Payment Services Directive (‘PSD2’), which in theory reduce the scope for criminals to exploit contactless technology?
“Pretend to be a phone. Mobile wallets are out of scope for strong customer authentication,” said Yunusov.
“Performing attacks is much easier with a consumer device like a mobile or tablet than with a contactless card,” added Galloway.
Unfortunately, the payments industry is reacting with complacency to the evidence of new security vulnerabilities, say the researchers.
This appears to be driven partly by the knowledge that consumers can reclaim their own money from banks if they are the inadvertent victims of contactless fraud, and are therefore unlikely to panic en masse.
But there is little reason for such a response, said Leigh-Anne Galloway.
“We believe that contactless is less secure than Chip and PIN payment. Contactless fraud is a real thing in 2019, even if it’s hard to understand the specifics. Visa and Google have both said they won’t be releasing a fix for the vulnerabilities we’ve described.”
And there’s a cultural problem that distinguishes financial technology from the rest of the tech business, where firms rely on the input of hackers to identify and address problems, the researchers argue.
“The payments industry has a vastly different approach to the rest of industry when it comes to fixing vulnerabilities,” said Galloway.
“It’s a monopoly and because there’s no competition they don’t feel the need to change. Visa’s approach is to use a risk-based model, based on their own data. They believe that fraud is reducing and they don’t feel the need to do anything about it.”