Contactless cards: keep an eye on the threat just a hand’s width away

Contactless cards (often called NFC, for Near Field Communication) were first used for electronic ticketing in Finland in the early 1990s. The technology has since been adopted by the banking system, which is why contactless cards are becoming a more common presence in people’s wallets. So it seems that they are the newest and greatest in security. But are they?

During a small experiment, researchers managed to pick up all the needed payment details from more than 10 centimeters away, a much greater distance than the usual limit. What does this mean? Watch where you put your card and your wallet, beware of people carrying card readers around in public places, and don’t fully trust the RFID Card Protector foil.

It happens right on your watch

A demonstration was made using an NFC (Near Field Communication) device, which was hidden in front of a real Chip & Pin payment terminal. To get even more useful information, the researchers used a hidden camera to pick up the number off the back of the card.

This combination captured data just before the cards could be inserted into the terminal, giving the researchers a lot of interesting data without messing up the legitimate transactions.

The most important thing is that all this technology is very cheap and easy to get. For example, the equipment in this demonstration cost only £60: a £50 off-the-shelf reader and a £10 USB camera.

Although this threat is a proven fact – and other researchers have been able to pick up the card signals up to 80 cm away – authorities aren’t panicking. So far, the losses are very small compared to the total amount of money involved in contactless card transactions.

The specialist’s solution for more secure contactless cards

Still, to avoid such situations, there is a solution that can be implemented in the near future. Contactless cards are passive in their design, so they can be read by any reader that comes within the usual 10-centimeter range in which they function. Since this can also happen without the knowledge of the cardholder, one solution could be the implementation of active cards, which communicate with a reader only if the owner chooses this action.

Cards can be activated by putting pressure anywhere on the card – a feature possible whilst the card is still inside a wallet – maintaining the convenience and speed of contactless payments.
A piezoelectric material would be used to activate the card, removing the requirement for a battery and lowering costs. A simple switch would isolate the contactless chip from the antenna whilst the card is inactive and connect the chip to the antenna only when the cardholder specifically activates the card.

If this works, the phrase “hold onto your wallet” could have a very different meaning.
