Still a touchy subject it seems

[Phil James] The safety of contactless payments continues to attract considerable attention. The casual reader can be forgiven for believing that the technology and payment scheme has not been thought-through and security loop-holes remain to be “discovered”. Actually, one loop-hole is well-known and I’ll make another attempt to explain just what is going on here.

The usual reposte from the payments industry is that cardholders have nothing to fear from the technology even if the merchant and the transaction acquirer (who collects and makes the electronic payment) don’t follow the rules which protect the payments exactly. An explanation of this starts to get a bit complicated almost immediately and most casual readers are probably wary of long explanations about “liability”. So what is happening and has the industry simply overlooked the “holes” because it has been convenient to do so?

Reading Contactless Cards

The cards have been designed to be read using a contactless technology and that much of the data transferred over the air between the card and reader is in clear and not encrypted. This is deliberate and not a mistake. It would be quite difficult to encrypt the interface to the reader (you can do this for a proprietary or local system such as Oyster – but we need a system that will allow any card to work in any terminal anywhere in the world).

The industry claims that the cards must be very close to readers before they can be read. This is true. The reason is because the technology uses magnetic fields to power the card and communicate data, so it’s like a transformer and is not a radio device. This technology is infeasible for communication at long distances, with experts recognising that a custom built reader could stretch the range to 20cm but with difficulty. I have been part of a team which built a rig capable of powering a card at a metre, but the device was extremely large and created very large fields which rendered electronic equipment unusable for several metres around. Any cards getting too near the coils could be destroyed. (And communicating didn’t work). The equipment was extremely hazardous!

So if you want to connect to someone’s card, you need to get very close indeed. But you could, of course.

However, you can eavesdrop on a coupling between a card and a contactless reader. A card and reader in good contact will induce an electric field around the reader (sorry about the physics) and it is the signalling on that we can detect at distance. In other words, you can’t interact with a card yourself at a distance but you can snoop on a conversation between a card and reader. We concluded (in 2007) that distances of metres can be accommodated by a properly built and tuned eavesdropping coil. Recent reports have shown a simple device which can eavesdrop some 60cm from the card and reader. Engineers claim to prove risks of contactless bank cards – Telegraph

Anyway, it doesn’t matter if you interrogate a card close up or eavesdrop at a distance, you’ll see similar data.

The Data we can see

This has been covered in each response to the news stories. Along with a lot of transaction-specific data there are the Primary Account Number (PAN) and Expiry Date. There is an interesting data field which looks like the coding on the magnetic stripe but has a cryptographic value which is coded differently to the actual magnetic stripe. So this can’t be used to code a counterfeit magnetic stripe card unless the Issuer is careless with their checking. For the cynics out there we can be pretty sure this is one area that really is checked when the transaction gets to the Issuer. For any Issuers out there who don’t do this you shouldn’t be in business.

There is no other data which could identify the cardholder personally. Some cards used to include the cardholder name in the contactless data but this is being removed.

So, as has been said before, we are talking about the collection of the PAN and Expiry Date. This is also the data that hackers are keen to retrieve from online systems and web-sites. Why should that matter?

Liability

The payments industry wants and needs to support commerce. There are few rules that state “you cannot do that!” They usually say “on your head be it!” So the Issuers through their schemes (Visa, Mastercard etc) state rules that determine who will pay if the transaction turns bad. This is not the same as preventing bad transactions in the first place.

In the press articles challenging the security of contactless payments you may have seen “an industry spokesman” stating the cardholders have nothing to worry about because the rules protect the cardholder from liability if the merchant or his acquirer does not provide the necessary security information. Bear with me as I explain what this really means.

What the payments industry expects is that transactions in a “card present” environment (e.g. shop) are submitted with PAN, Expiry Date and transaction related data including a cryptogram generated by the chip card. The cryptogram is generated from important details in the transaction (including the amount) and cannot feasibly be predicted outside the card chip and the Issuer security processor. Both contact (Chip & PIN) and contactless cards generate the cryptograms. The cryptograms act as proof that the card was involved in the transaction.

In a “card not present” CNP environment (e.g. internet) the chip cannot be used directly. Some banks have supplied cardholders with devices that can generate cryptographic codes either with a Chip & PIN card or as a stand-alone device. However, transactions using such devices are usually restricted to bank account operations. Today, the only feasible method of performing CNP transactions outside banking is to supply the PAN, Expiry Date and a special code printed on the back of the card (often referred to as the “Security Code”) which is not encoded anywhere else on the card. Using the Security Code shows you have (or had) access to the card.

Of course, the security of this fixed code in CNP is inferior to the changing cryptogram we get with card present. In an effort to increase security sometimes internet transactions are referred to something called “3D Secure” where cardholders are asked to enter various characters from a password. The positions of the requested characters changes and is not predictable. This helps prevent the fraudulent collection of passwords from a computer. Most security experts describe 3D Secure as “better than nothing”.

Provided the merchants follow these simple rules for making payments, the Issuer accepts the liability for the transaction (and hence the cardholder). So do merchants do this?

Merchant experience

Card present transactions use chip technology and provide the necessary data for Issuers and cardholders to be liable for the transaction outcome. The vast majority of cardholders have little difficulty with the Chip & PIN procedure.

The experience of internet merchants shows that each additional step following a decision to pay requiring further data entry leads to incomplete purchases and a significant loss of business. By registering a card you can avoid some steps. The internet merchants are not allowed to record the Secure Code values, so entering this is an extra step. Furthermore, 3D Secure can lose significant business (it is not hard to find many gripes online). I.e. additional security measures requiring effort from the cardholder leads to a loss of business. Therefore, a business case can be made for using only the registered PAN and Expiry Date for payment, building your own fraud-prevention systems and accepting the liability for transactions which prove fraudulent. This is what the internet giant Amazon does, for example.

The overwhelming majority of transactions are instigated by people who have every intention of paying. It may be argued that far more business can be achieved by simplifying the means to make a payment than is lost through the few who exploit the systems weaknesses. If it costs more to prevent all fraud, why not just pay for some of the fraud? Industry figures for fraud show CNP-based card fraud accounted for over 60% of the total (UK Cards fraud figures ) and the trend has been upward over the last 10 years, unlike other card frauds. This is what can make the PAN and Expiry Date valuable.

Impact on Cardholders

Issuers accept card payments with PAN and Expiry date on CNP transactions. If there is no Security Code, then the liability stays with the merchant. In practice this means that if the cardholder denies the transaction (repudiates) then the transaction is charged-back and the merchant may suffer the loss.

Clearly this procedure requires cardholders to check their statements. Checking statements is best practice and should be undertaken to ensure the transaction record is correct (looking for accidental, missing or duplicate payments – which should be rare). However, in effect, cardholders are also being asked to check against fraudulent transactions because the payment system may not adequately prevent them.

Impact on society

Some years ago after outlining how chip & PIN works to the Serious Organised Crime Agency (a Home Office NGO) I asked them about the idea of regarding fraud as a “cost of doing business”. The response was unequivocal in that ALL fraud is unacceptable. This is because many frauds are conducted by “Organised Crime” (whatever that means) and the proceeds invested in other criminal activities. There is serious social cost of accepting fraud and all measures must be adopted to minimise its occurrence within payment systems. If achieving that means regulation, then so-be-it. That was their opinion.

 A further analysis of the implications of fraud is contained here There's more to fraud than lost money .

It is also worth noting that a globally-based organisation which gains from the idea of some fraud as a cost of doing business may pay little or no tax in the country of operation. So the full costs to society of treating fraud in this way may not be paid by those responsible for those costs.

So what about contactless?

In summary, what is happening is that card details are being read using the contactless interface and used to fund an online purchase. This is easy to demonstrate and where no fraud is intended you would expect the purchase to work. It does. The question is, are the fraud-prevention measures of the online merchants sufficient to stop real fraud in this situation?

Obscuring or removing the contactless interface changes nothing. The PAN and Expiry Date are visible on the front of the card, although it may be argued that the cardholder is in a better position to protect this. Removing contactless cards will not make internet transactions any more secure, so at best would be a removal of one channel (not a particularly fruitful channel at that) for collecting PAN and Expiry Date. Some Issuers use a PAN which is contactless-specific.

There are many technical solutions to this problem. The difficulty with most is that we have to deal with an enormous global machine which uses accounts at its heart. The solutions evolved to date have effectively supplemented an account-based payment engine with security processes (authentication) but retain the basic account operation. As long as payment channels exist which bypass or provide potentially lower security then there is the potential for a “cross-channel” attack. The irony here is that the superior technology is in the spotlight for criticism.

The press articles around contactless are noise obscuring the real issue. Indeed, contactless transactions are much more secure than any other non-chip based transaction.

It’s also worth reading John Elliott’s excellent piece on this topic here A Touchy Subject