Contactless Credit Cards Pose Fraud Risk

by John Stevenson on December 2, 2010

Contactless credit cards do not require swiping, inserting, or handling by a store employee. Thanks to their construction, which includes a radio frequency identification (RFID) chip, contactless cards can be scanned through the air and make for a swifter payment process than traditional cards or cash.

Contactless cards, which are also known as ‘proximity cards’, appeared in Canada in 2006, with MasterCard introducing its PayPass line. At present, 90 percent of the MasterCards in the country have an RFID chip, which enables them to be used as contactless cards. Moreover, all MasterCards are expected to have the chip by the end of the year. Visa’s own contactless brand, payWave, is less widespread, although ‘several millions’ of the 31 million Visa cards currently in use are RFID-enabled. The good news is that most Visa cards issued in the country, including those by Scotiabank and the Canadian Imperial Bank of Commerce, are not equipped with RFID (CBC News).

While these cards may shorten the time spent standing in queues and boost retail stores’ turnover, they are far from the perfect payment instruments that credit card institutions claim them to be. Contactless cards have one huge disadvantage: they are rather vulnerable to attacks by hackers and can easily be misused to the financial detriment of their holders.

A recent article, published on the CBC News website, revealed that with the proper equipment (an RFID reader and the appropriate software), crucial information could be extracted from a contactless card without the knowledge and authorization of the card holder. By simply drawing the card near an RFID reader, available online for as little as $10, it was possible to obtain the number and expiry date of the credit card. Cyber-security expert Pablos Holman shares that these cards are quite easy to read: ‘Now you can get a generic RFID reader and use open-source programs available on the web and read cards.’

And with the first-generation contactless cards, which are still widely used in Canada, the RFID reader could also retrieve the card holder’s name and address – priceless information for transactions over the Internet.

Worse still, it is not necessary for the RFID reader to be in close proximity or even touch the card. RFID ‘gate antennas’, two electronic readers connected and mounted on a doorway, can be freely purchased and installed to boost the readers’ working range. Thus, it will be possible to obtain card information from anyone passing through a door where such an antenna has been mounted.

As a result of this inability to protect card holder data, contactless cards are exposed to several types of information theft and misuse:

– The data obtained by an RFID reader from first-generation contactless cards can be programmed onto a magnetic-stripe card, which can then be used for purchases in many retail stores all over the country.

– While they are being delivered by mail, contactless cards can be scanned by scammers because credit card companies do not use magnetic-shield envelopes to protect the cards.

– A company can install RFID antennas at the workplace entrances to read its employees’ card information and compile data about their spending habits, savings, etc. Needless to say, this practice is unethical.

So far, contactless cards have had a limited spending capacity of not more than $50 a day, which has precluded the occurrence of any large-scale scams. However, if the popularity of these cards continues to rise, this limit will inevitably be pushed higher, and card holders will be in real danger of losing substantial amounts of their hard-earned money.
