Once the U.S. overcomes its security issues with contactless payments and assures the public of the safety of using them, this technology will explode.
But what are these stories about (and what do they mean)? A typical example is this story about cards transmitting cardholders' names and numbers in the clear, illustrated with a picture of a card that doesn't. But look at the heart of that story. According to a study by researchers at the University of Massachusetts and at security companies RSA and Innealta, many contactless cards will transmit your name, the credit card's number, and its expiration date (but not the CVV) unencrypted to anyone nearby with an RFID scanner. This is true, but I'd put a different spin on it: researchers have discovered that these cards comply with their specifications and do exactly what they are supposed to do.
Now, of course it makes no real sense for the cards to transmit the cardholder's name. That's true. But it also makes no sense for standard chip & PIN cards to transmit the cardholder's name either. It's just legacy thinking, another example of the transition to a new technology that is merely, in its first generation, used to simulate the old technology. In fact, as my colleague Tony Pickup has previously recommended, there's also no reason why the chip & PIN cards should deliver the same number over different channels. Why does, for example, my debit card give up the same PAN to a POS terminal as to an ATM? All this means is that PANs stolen from POS terminals can be used to make bogus ATM transactions. Let's start designing fraud out; we're all agreed on that.
But back to the impending security catastrophe that the journalists are warning us about. It’s what these stories mean that continues to bother me. They suggest that card issuers will put cards into the market that will increase their risk. If this were true, what would be the explanation? That card issuers are dumb? That banks don’t have any security experts? That suppliers are misleading banks? I’m really keen to know.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.