Giving evidence to the London assembly transport committee about TfL’s plans to introduce contactless payment to London’s transport network, he answered yes when asked by a member of the committee whether the system was “100% safe” against “invisible pick pocketing”.[From Transport for London says new contactless tickets will be ‘100% safe’ | Guardian Government Computing | Guardian Professional]
Will (Will Judge, TfL's head of future ticketing, quoted below) is, naturally, correct. If I sneak a bogus reader onto the Underground and surreptitiously hold it against people's pockets to read the card data inside, I have not pulled off much of a crime: the card is designed to work at a range of a few centimetres, so I have to put the reader right up against your wallet. If I want to read your card from the other side of the carriage, I need an antenna the size of a wagon wheel pumping out so much power that the coins in commuters' pockets would be sparking.
And even if I can read the card in your pocket, I can't use the data to make counterfeit cards. The only thing I could do with it is put spurious transactions through a merchant account at a bank, and a merchant account is registered, traceable and can be frozen, so I can't "pickpocket" anything in the sense of taking something of value. Yet it seems to me that the electronic pickpocketing "meme" is unstoppable.
An ongoing effort by credit card companies to issue 1 billion radio frequency identification chip-enabled contactless cards by 2016 will dramatically increase the public’s susceptibility to identity and financial theft from electronic pickpocketing, Identity Stronghold announced today.[From ‘Electronic Pickpocketing’ Threat Worsened by Credit Card Industry Plan to Issue 1 Billion Contactless Payment Cards, According to Identity Stronghold – pymnts.com]
Now, I have to say, in all honesty, that I know of no report from a reputable source of any incident of electronic pickpocketing ever having taken place anywhere in the world. Not one. I have never seen an unauthorised charge on any of my contactless cards and if I did see one I would simply call my issuer and have it wiped.
The real question, of course, is security: If a special little reader can take and use your credit card data from your phone, how is Google going to ensure this only happens when you want it to happen?[From Google’s Mobile Payment Platform to Launch, Report Says ( – Consumer Electronics )]
This is a misunderstanding of the difference between magnetic stripe cards and chip cards (contactless or otherwise). We wrote an Android app that used a Square reader to read the magnetic stripe data from a credit card, decode it and then send it on. But the problem there is not Square or Android or Twitter but the magnetic stripe itself: it is static data, and every terminal receives exactly the same bits. If you read a magnetic stripe, you have all the data you need to make a magnetic stripe transaction. If you read a contactless card, you do not have all the information you need to make a contactless card transaction.
Contactless cards and phones (the ones with NFC interfaces, like the Google phone referred to above) don't send the data necessary to construct a bogus magnetic stripe (the track-2 equivalent data a chip does send carries a card verification value different from the one on the physical stripe, so a stripe written from it fails the issuer's check), and you can't use the data that they do send to make a bogus NFC application, because the secret keys needed to create the secure messages are never transmitted: they stay inside the secure element (SE), just as they stay inside the chip on a chip and PIN card. What the terminal receives is a cryptogram that the chip computes over the details of that one transaction, including the amount, a number the terminal chose and the card's own transaction counter, so a recording of it is no use for any other transaction. The strength of the electronic pickpocketing meme therefore does not come from the technology, nor can it come from experience.
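To make the stripe/chip distinction concrete, here is an added illustration; it is my own code, not code from the original post or from any card scheme, and it is not EMV as specified. It models a static stripe that any skimmer can replay beside a chip that answers each terminal with a cryptogram bound to that transaction's amount, the terminal's unpredictable number and the card's counter. HMAC-SHA256 stands in for the EMV application cryptogram MAC, the card and issuer share one key directly (no session-key derivation), and the card number and track data are constructed samples, all of which are simplifying assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# ---- Magnetic stripe: static data, so reading it is the same as cloning it ----

# Constructed sample track-2 data (PAN=expiry+service code+discretionary); not a real card.
ISSUED_TRACKS = {"4111111111111111=25121011234567890"}

def stripe_skim(track2: str) -> str:
    """A skimmer reads exactly the bytes every terminal will later send."""
    return track2

def stripe_authorise(track2: str) -> bool:
    """Issuer-side check for a stripe transaction. Nothing in the track data is
    specific to this transaction, so a copy is indistinguishable from the card."""
    return track2 in ISSUED_TRACKS

# ---- Chip / contactless: per-transaction cryptogram, key never leaves the card ----

def _ac_input(pan: str, amount: int, un: bytes, atc: int) -> bytes:
    # Fields the cryptogram is bound to (a simplified selection of what EMV uses).
    return pan.encode() + amount.to_bytes(8, "big") + un + atc.to_bytes(2, "big")

@dataclass
class Card:
    pan: str
    key: bytes        # held in the chip / secure element; never sent
    atc: int = 0      # application transaction counter

    def generate_ac(self, amount: int, un: bytes) -> dict:
        """Answer a terminal's GENERATE AC: bind this amount, the terminal's
        unpredictable number and a fresh counter value under the card key.
        HMAC-SHA256 stands in for the EMV MAC (assumption, simplified)."""
        self.atc += 1
        mac = hmac.new(self.key, _ac_input(self.pan, amount, un, self.atc), hashlib.sha256).digest()[:8]
        # Everything that crosses the air interface: no key in here.
        return {"pan": self.pan, "atc": self.atc, "cryptogram": mac}

@dataclass
class Issuer:
    keys: dict                                    # pan -> issuer's copy of the card key
    last_atc: dict = field(default_factory=dict)  # highest counter seen per card

    def authorise(self, amount: int, un: bytes, resp: dict) -> bool:
        key = self.keys.get(resp["pan"])
        if key is None:
            return False
        if resp["atc"] <= self.last_atc.get(resp["pan"], 0):
            return False  # counter already used: a replay
        expected = hmac.new(key, _ac_input(resp["pan"], amount, un, resp["atc"]), hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, resp["cryptogram"]):
            return False  # cryptogram is for a different amount / terminal number
        self.last_atc[resp["pan"]] = resp["atc"]
        return True

class SkimmedChip:
    """What an 'electronic pickpocket' holds after reading a contactless card:
    the static fields plus one recorded response. No key, so it can only replay."""
    def __init__(self, recorded: dict):
        self.recorded = recorded

    def generate_ac(self, amount: int, un: bytes) -> dict:
        return self.recorded

def terminal_transaction(card, issuer: Issuer, amount: int, wiretap: Optional[List] = None) -> bool:
    """One contactless purchase; the terminal picks the unpredictable number itself."""
    un = secrets.token_bytes(4)
    resp = card.generate_ac(amount, un)
    if wiretap is not None:
        wiretap.append((amount, un, resp))  # an eavesdropper next to the reader
    return issuer.authorise(amount, un, resp)

def demo_stripe() -> bool:
    """Stripe: a skimmed copy authorises exactly like the card."""
    return stripe_authorise(stripe_skim(next(iter(ISSUED_TRACKS))))

def demo_chip() -> Tuple[bool, bool, bool, bool]:
    """Chip: the genuine purchase succeeds and the three replay variants fail."""
    key = secrets.token_bytes(16)
    card = Card(pan="4111111111111111", key=key)
    issuer = Issuer(keys={card.pan: key})
    tap: List = []
    genuine = terminal_transaction(card, issuer, 250, wiretap=tap)
    amount, un, resp = tap[0]
    clone = SkimmedChip(resp)
    at_other_terminal = terminal_transaction(clone, issuer, amount)  # stale counter; MAC would not match the new UN either
    same_un_again = issuer.authorise(amount, un, resp)               # attacker's own terminal reuses the UN: counter stale
    other_amount = issuer.authorise(5, un, resp)                     # captured cryptogram presented for a different amount
    return genuine, at_other_terminal, same_un_again, other_amount

if __name__ == "__main__":
    print("stripe clone accepted:", demo_stripe())
    print("chip: genuine, replay at other terminal, replay same UN, altered amount:", demo_chip())
```

The one thing the recording is good for is the exact transaction it was recorded from, at the exact amount and with the exact terminal number, and only if the issuer has not already seen that counter value; that is why real terminals generate the unpredictable number themselves and issuers track the counter.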
As I've said before, there must be something about contactless, about wireless interaction in general, that provokes irrational concerns.
Among those that are not yet ready to use contactless, security appears to be the dominant consideration. Which means, of course, that whatever we might think about the actual security situation, we must get better at communicating it.[From Digital Money: Contactless update]
I'm at a loss as to what to do, though. If I were the UK banks, I might try to persuade the BBC to get a contactless card story into EastEnders, as that seems to be the standard public education channel these days. Otherwise the stories will just keep coming.
At least once a year, the contactless payments industry, indeed all of us, has to put up with someone spreading fear about contactless cards and the ability of someone to scan the card of a passerby with a portable contactless reader. Yes, it’s true. It can be done. But who cares? The risk is beyond minuscule.[From PaymentsJournal – Non-Existent Monsters in Your Wallet, Reporting Finds]
If the London Assembly were being really forward looking, they would have asked Will what terrific new services TfL will be able to deliver once customers begin using the coming generation of NFC phones instead of contactless cards. This is only just around the corner now.
“Until we see implementations of NFC that allows us to get repeatable transaction times within 500 milliseconds, this is going to be a concern for us,” Will Judge, Transport for London head of future ticketing, told NFC Times.[From Transport for London Calls for Faster NFC SIMs | NFC Times – Near Field Communication and all contactless technology.]
He also said, at the Transport Card Forum in London in December, that some "very clever people down in Guildford" are going to make this happen. Modesty forbids me from providing a link to these transaction heroes; suffice it to say that I fully expect the targets for TfL's Future Ticketing Project (FTP) to be met.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
I think Walt Ausgustinowich would take exception to the comment “Now, I have to say, in all honesty, that I know of no report from a reputable source of any incident of electronic pickpocketing ever having taken place anywhere in the world.”
However, I am completely on the same page as you, David. E-pickpocketing, wedge and man-in-the-middle attacks are just sensationalist headlines to bash the banks with.
I say we move to NFC asap with a £25 limit and higher transactions with online passcode validation.
Off my soapbox now.
I have seen many dramatic ‘news’ segments about electronic pickpocketing here in North America, and they all have a similar starting point. Strangely enough, news media seem drawn to the demonstration made by a so-called expert, who also happens to sell sleeves to protect against that evil! This guy sure is getting more than his 15 minutes of fame! I fully agree with you, Dave. My question is: how can we, as industry experts, teach the media to ask the tough questions, or to defer to experts that will have a counter point of view?
Rene… for me, all the US needs to do is adopt EMV and then choose DDA as opposed to SDA.
Sure, this will push the fraudsters to another channel and not eliminate fraud, but in Europe we saw this migrate to Card Not Present and non-EMV markets. We are still trying to manage the former, with most banks looking to move away from VBV and SecureCode etc. and now considering a bespoke secure method for CNP internet transactions.