[Dave Birch] With contactless payment systems continuing to expand, I see another report from the U.S. concerning fears that the wireless technology behind those systems is not secure enough for widespread adoption, despite assurances from Visa, MasterCard, and other major players. Aneace pointed to a similar discussion in May, except that that time it was retailers who were saying that

Once the U.S. overcomes its security issues with contactless payments and assures the public of the safety of using them, this technology will explode.

But what are these stories about (and what do they mean)? A typical example is this story about cards transmitting cardholders' names and numbers in the clear, which is illustrated with a picture of a card that doesn't. But look at the heart of that story. According to a study by researchers at the University of Massachusetts and at the security companies RSA and Innealta, many contactless cards will transmit your name, the card's number, and its expiration date (but not the CVV) unencrypted to anyone nearby with an RFID reader. This is true, but I'd put a different spin on it: researchers have discovered that these cards comply with their specifications and do exactly what they are supposed to do.
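To make concrete what "transmits in the clear" means at the protocol level, here is an added example that is not part of the original post or of the cited study. A contactless EMV card answers a READ RECORD command with a BER-TLV record; the decoder below walks such a record and pulls out the fields the post lists. The tag numbers (5A for the PAN, 5F20 for the cardholder name, 5F24 for the expiry, 57 for Track 2 equivalent data, 70 for the record template) are the standard EMV ones; the sample record itself, including the test PAN, the name and the dates, is constructed for this example and does not come from any real card.

```python
"""BER-TLV decoder for an EMV READ RECORD response (added example).

SAMPLE_RECORD is CONSTRUCTED: a well-known test PAN, a made-up name and
expiry. Only the tag numbers are real EMV tags; no values are from a card.
"""
from typing import Dict, List, Tuple


def parse_tlv(data: bytes) -> List[Tuple[str, bytes]]:
    """Decode BER-TLV as used by EMV: multi-byte tags, short and long
    length forms, and recursion into constructed (template) tags."""
    out: List[Tuple[str, bytes]] = []
    i = 0
    while i < len(data):
        start = i
        first = data[i]
        i += 1
        # Low 5 bits all set => further tag bytes follow while bit 8 is set
        if first & 0x1F == 0x1F:
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        # Length: short form below 0x80, otherwise low 7 bits count length bytes
        length = data[i]
        i += 1
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:          # constructed tag (e.g. 70): descend into it
            out.extend(parse_tlv(value))
        else:
            out.append((tag, value))
    return out


def decode_track2(t2: bytes) -> Dict[str, str]:
    """Split Track 2 equivalent data: PAN 'D' YYMM service-code discretionary,
    BCD-packed and padded with F to a whole byte."""
    digits = t2.hex().upper().rstrip("F")
    pan, _, rest = digits.partition("D")
    return {"pan": pan, "expiry": rest[:4],
            "service_code": rest[4:7], "discretionary": rest[7:]}


def cleartext_card_data(record: bytes) -> Dict[str, object]:
    """Everything a reader with no keys at all can lift from this record."""
    fields = {tag: value for tag, value in parse_tlv(record)}
    info: Dict[str, object] = {}
    if "5A" in fields:
        info["pan"] = fields["5A"].hex().upper().rstrip("F")
    if "5F24" in fields:
        info["expiry"] = fields["5F24"].hex()          # YYMMDD
    if "5F20" in fields:
        info["name"] = fields["5F20"].decode("ascii").strip()
    if "57" in fields:
        info["track2"] = decode_track2(fields["57"])
    return info


def _tlv(tag_hex: str, value: bytes) -> bytes:
    """Encode one short-form TLV (used only to build the constructed sample)."""
    assert len(value) < 0x80
    return bytes.fromhex(tag_hex) + bytes([len(value)]) + value


# Constructed sample: a 70 template holding PAN, expiry, name and Track 2.
# The discretionary field is zeros; no tag in this record carries a CVV2.
SAMPLE_RECORD = _tlv("70",
    _tlv("5A", bytes.fromhex("4111111111111111"))
    + _tlv("5F24", bytes.fromhex("121231"))
    + _tlv("5F20", b"DOE/JOHN   ")
    + _tlv("57", bytes.fromhex("4111111111111111D12122010000000F")))


if __name__ == "__main__":
    print(cleartext_card_data(SAMPLE_RECORD))
```

Running it prints the PAN, expiry, name and parsed Track 2 from the sample record without any cryptographic operation, which is the point the study makes: the static identifying data is readable by any ISO 14443 reader in range, while the card's transaction-time cryptogram, which is what the issuer actually relies on, is not among the static fields.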


Now, of course it makes no real sense for the cards to transmit the cardholder's name. That's true. But it makes no sense for standard chip & PIN cards to transmit the cardholder's name either. It's just legacy thinking, another example of a new technology that, in its first generation, is merely used to simulate the old one. In fact, as my colleague Tony Pickup has previously recommended, there's also no reason why chip & PIN cards should deliver the same number over different channels. Why does, for example, my debit card give up the same PAN to a POS terminal as to an ATM? The consequence is that card data captured at a compromised POS terminal can be reused to make bogus ATM transactions; a channel-specific PAN would confine the damage to the channel where the leak occurred. Let's start designing fraud out; we're all agreed on that.

But back to the impending security catastrophe that the journalists are warning us about. It’s what these stories mean that continues to bother me. They suggest that card issuers will put cards into the market that will increase their risk. If this were true, what would be the explanation? That card issuers are dumb? That banks don’t have any security experts? That suppliers are misleading banks? I’m really keen to know.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.

4 comments

  1. Do the people who design these systems live under a rock?
    Why is it that the "old" Internet technology we use has to encrypt the user's card details at all times (for PCI compliance) but the idiots designing the shiny new card scanners still transmit this data in the clear?
    It's simply not good enough, and if the journalists create enough of a stink to make them fix it quickly before contactless payments get much bigger then that's good for everyone.
    Simon
    Mi-Pay Ltd

  2. Dave,
    Every time a new channel or payment method rolls out, the Chicken Littles demand attention. Yet we so often forget that new customer interaction methods are, quite literally, a two-way street. Mobile devices (which use contactless as the proverbial rails) naturally have security risks that demand attention, but they offer unique security benefits as well, namely the ability to enable the end user to detect or even approve or reject transactions. Research data shows that new interactive technology has powerful security advantages, but its value is limited by security professionals' willingness to build on its strengths. Until we evolve our thinking about security beyond today's exclusive back-office fear-mongering mindset, the criminals will have the upper hand.

  3. At least in the US, the main goal of the credit card firms in all of this is to increase the volume of transactions. They have successfully dumped all of the liability and risk onto the merchants (with a bit on the consumer). This is why they have been pushing debit cards so hard (and successfully) – more transactions, but even less risk and liability for the card provider (in the US, debit cards do not have any of the long established protections of credit cards at this time).
    If you have no liability, you have no security problem… since the card issuers have no liability, they don’t care about real security – only increasing their fees and profits:
    Contactless makes transactions easier and faster. That is what matters. They will put in just enough security to get the system accepted in the market. Of course the other benefit is that they will make money on selling a whole new set of infrastructure products to vendors (with a nice licensing fee to the card companies, no doubt). The greed of the card companies was why SET died.

  4. And then people are surprised that credit card numbers are offered in India in bulk quantity. Let's get us some RFID readers and collect numbers.
