[Dave Birch] There’s a new press regulation environment in Britain. The government has just passed a new law to stop newspapers from saying bad things. I heard about it on the radio. I didn’t quite catch all of the story, but I think in essence newspapers have to have stories approved by Hugh Grant or someone similar before publication. About time too! The excesses of the British journalist need to be addressed and the full power of the law must be applied to irresponsible reporting that scandalises, misleads and obfuscates. Exhibit A:

The banking industry […] insists: “The technology is extremely robust, has been thoroughly tested and is working as expected. Payments can only take place where the card is placed within 5cm (2 inches) of the terminal”. This was apparently disproved in the University of Surrey’s research,

[From Engineers claim to prove risks of ‘contactless’ bank cards – Telegraph]

This is, like anything else you read in the papers concerning a subject you have even the vaguest understanding of, wrong. The journalist clearly didn’t read the paper or pay any attention to what was actually said by the researchers. They did not say, claim, imply, hint or suggest that you can do a payment from more than a couple of inches away. They did not “apparently” or indeed actually disprove any such thing. What they said was that you can eavesdrop on a transaction from more than the 8cm read/write range for NFC devices. This is one example of the fun reporting of a recently-published academic paper on NFC security that has kept our PR people busy for a day or two…

Contactless cards can be hacked with off-the shelf technology

[From Contactless cards can be hacked with off-the shelf technology – E & T Magazine]

Really E&T Magazine? Hacked? No such thing. This paper, published by researchers from the University of Surrey, showed that it is possible to eavesdrop on NFC communications from a couple of feet away under certain circumstances. They built a rig for doing this from easily-obtainable bits and pieces.

Inconspicuous equipment including a shopping trolley, a backpack and a small antenna were used to intercept synthesised payments card data.

[From BBC News – Contactless payment data can be picked up at a distance]

Putting to one side the issue of whether a shopping trolley might genuinely be considered “inconspicuous” or not, it’s a story where the media got the wrong end of the stick big time. I urge you to go and read the paper for yourself:

Eavesdropping near-field contactless payments: a quantitative analysis

[From IET Digital Library: Eavesdropping near-field contactless payments: a quantitative analysis]

If you read to the end of this paper, you will see…

This work was funded by EPSRC and Consult Hyperion.

So what is the background to all of this? Well, several years ago Consult Hyperion was commissioned by UK Cards to run detailed experiments on contactless security and we were able to establish that it was possible to eavesdrop on contactless transactions under laboratory conditions. Naturally, since we are seen as being industry thought-leaders in the field of secure electronic transactions, it was important to us to understand all aspects of this issue so that we could give our clients accurate advice. We do a lot of risk analysis work for organisations developing new transactional systems and the integrity of our recommendations depends on an understanding of the details of the vulnerabilities: What is the cost to an attacker? What is their likelihood of detection?

We decided to explore the area further by funding PhD research at the University of Surrey to get some new perspectives on the subject and I have to say that it has been wonderful to witness the ingenuity that the researchers brought to the topic! If you read the paper, you will see that they were able to design kit that means you could in theory stand within a couple of feet of someone at a supermarket checkout and listen in on the communications between their contactless bank card and the supermarket terminal. This is because the cards and the terminals work using the EMV (“chip and PIN”) standard that does not encrypt the data between the card and the terminal. Now, this does not mean that the payment system is compromised! The data that you might be able to obtain in this way (the card number and the expiry date) is printed on the front of the card anyway – if you’re that close to someone you might as well just read it as scan it – and because of the way that EMV works, you can’t use this data to create a clone card. Just as when we did the original risk analysis on contactless in 2007, the conclusion is that contactless bank cards are fit for purpose.

Summary: we thought that this kind of eavesdropping is not a practical attack on contactless bank cards and the research appears to have confirmed that. Boring, but the truth, and very reassuring to our clients in that space.

There is another point to be made, though, which actually is important. Remember that the research was not specifically about payments but about contactless transactions in general. It stands as a general and timely reminder to the designers of NFC-based systems to carry out proper risk analysis and not to rely on the short range of NFC communications to preserve privacy/confidentiality.

We’re very proud to have been able to support this research. Our clients depend on us exploring the frontiers of knowledge in these areas so that they can be utterly confident in our advice and we will continue to research the field to their benefit. Open discussion of threats, vulnerabilities and countermeasures is the way that the industry works to keep payments safe.

These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.

1 comment

  1. Why not encode a different account number on the chip vs. the one embossed on the front of the card? Any intercepted data (whether eavesdropped or from any other means) could not be used for CNP transactions (since the issuer would always decline this account number unless accompanied by a valid cryptogram). The last 4 digits of the account number could be the same (so that the truncated number on the receipt would still match the embossed card). What am I missing?

    [Dave Birch] Indeed Amex used to do this and as part of their tokenisation strategies it could even make sense for the schemes to switch to four PANs (one on the card for CNP, one via contact interface for POS, one via contact interface for ATM and one via contactless interface).
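
The per-channel PAN idea raised in the comment and reply above, sketched as an issuer-side authorisation check. This is an added example, not code from the post, Consult Hyperion or any card scheme: the PANs, key and function names are constructed, and a truncated HMAC stands in for the real EMV cryptogram.

```python
import hashlib
import hmac

def new_account():
    """Constructed sample account: one PAN per channel, same last four digits."""
    return {
        "card_key": b"constructed-demo-key",   # hypothetical per-card secret
        "pans": {
            "4000001111110042": "cnp",          # embossed on the card
            "4000002222220042": "contact_pos",
            "4000003333330042": "contact_atm",
            "4000004444440042": "contactless",
        },
        "last_atc": 0,                          # highest transaction counter seen
    }

def make_cryptogram(card_key, pan, atc, amount, nonce):
    """Stand-in for the chip's cryptogram: HMAC-SHA256 truncated to 8 bytes."""
    msg = f"{pan}|{atc}|{amount}|{nonce}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

def authorise(account, pan, channel, amount, atc=None, nonce=None, cryptogram=None):
    """Issuer-side decision; returns (approved, reason)."""
    bound = account["pans"].get(pan)
    if bound is None:
        return False, "unknown PAN"
    if bound != channel:
        return False, f"PAN is bound to {bound}, not {channel}"
    if channel == "cnp":
        return True, "embossed PAN on CNP channel"  # CVV2 etc. out of scope here
    if cryptogram is None or atc is None or nonce is None:
        return False, "chip PAN without cryptogram"
    if atc <= account["last_atc"]:
        return False, "stale transaction counter"
    expected = make_cryptogram(account["card_key"], pan, atc, amount, nonce)
    if not hmac.compare_digest(expected, cryptogram):
        return False, "bad cryptogram"
    account["last_atc"] = atc
    return True, "cryptogram verified"

def demo():
    acct = new_account()
    tap_pan = "4000004444440042"
    cg = make_cryptogram(acct["card_key"], tap_pan, 1, 1250, "a1b2c3d4")
    return [
        authorise(acct, tap_pan, "contactless", 1250, 1, "a1b2c3d4", cg),  # genuine tap
        authorise(acct, tap_pan, "cnp", 1250),              # overheard PAN tried online
        authorise(acct, tap_pan, "contactless", 1250, 1, "a1b2c3d4", cg),  # same message again
        authorise(acct, "4000001111110042", "cnp", 1250),   # embossed PAN online
    ]
```

The contactless PAN is only ever approved with a fresh, valid cryptogram, so the number and expiry date an eavesdropper overhears are declined on the CNP channel, while the shared last four digits keep the receipt consistent with the embossed card.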
