With the introduction of contactless cards into the financial sector came swift, convenient, and secure payments. However, like any useful innovation, the adoption of contactless payment has seen its fair share of controversy. Perhaps the most prominent of these disagreements is the varying views on the security measures incorporated into these cards.
There are growing concerns about whether contactless cards are 100% safe from the machinations of hackers and fraudsters. No device is 100% foolproof, yet it would help any cardholder to know that their personal and financial information is not readily available to those who would misuse it.
So, can fraudsters hack your contactless cards? To do justice to this question, we have to understand how the security measures in these cards work, assess the common concerns about these measures, and review reported cases of card hacks in the past. Let’s begin, shall we?
Security Measures in Contactless Cards
This section will not include security measures that are independent of the contactless technology and involve a combination of online fraud detection and risk-management policies. We will solely discuss the security system in the device’s technology.
Radio-Frequency Identification (RFID) technology with a limited range
Every contactless card contains a chip that emits radio waves. This transmission is necessary to conduct transactions with the card reader. It operates over a short range of an inch or two. This range limit ensures that users have to deliberately present their cards to the readers before information can be transferred.
Cryptographic technology for unique encryption
Each card uses a sort of authentication code known as a cryptogram to generate keys. These keys are used in the same way fingerprints are used in humans. They are unique and almost impossible to steal or replicate.
Ever-changing transaction data
The data used for every transaction with the device is also unique. Subsequent transactions have to use a completely different set of data. Intercepted data can’t be reused when performing other transactions. So even if fraudsters managed to get a hold of your transaction data, it would be utterly useless to them.
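The replay protection described in the two sections above, as an added example that is not part of the original article: the card computes a cryptogram over a transaction counter, the amount and a random number from the terminal, and the issuer refuses anything replayed or altered. HMAC-SHA256, the field sizes and the names `cryptogram`, `Issuer` and `demo` are assumptions chosen for illustration; real payment cards use algorithms defined by their card scheme.

```python
import hmac, hashlib, os

def cryptogram(card_key, atc, amount_cents, terminal_nonce):
    """Card side: MAC over this transaction's data (HMAC-SHA256 is a stand-in)."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + terminal_nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Issuer side: holds each card's key and the highest counter accepted so far."""
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, card_id, key):
        self.keys[card_id], self.last_atc[card_id] = key, 0

    def authorize(self, card_id, atc, amount_cents, terminal_nonce, presented):
        key = self.keys.get(card_id)
        if key is None:
            return "unknown card"
        expected = cryptogram(key, atc, amount_cents, terminal_nonce)
        if not hmac.compare_digest(expected, presented):
            return "bad cryptogram"      # data was altered or the key is wrong
        if atc <= self.last_atc[card_id]:
            return "replayed counter"    # valid MAC, but already used
        self.last_atc[card_id] = atc
        return "approved"

def demo():
    """Constructed sample: one genuine purchase, three reuse attempts, one new purchase."""
    issuer, key = Issuer(), os.urandom(16)
    issuer.enroll("card-1", key)
    nonce = os.urandom(4)
    captured = cryptogram(key, 1, 1250, nonce)   # what an eavesdropper would see
    fresh_nonce = os.urandom(4)
    return [
        issuer.authorize("card-1", 1, 1250, nonce, captured),    # genuine
        issuer.authorize("card-1", 1, 1250, nonce, captured),    # identical replay
        issuer.authorize("card-1", 2, 1250, nonce, captured),    # counter bumped
        issuer.authorize("card-1", 1, 99900, nonce, captured),   # amount changed
        issuer.authorize("card-1", 2, 800, fresh_nonce,
                         cryptogram(key, 2, 800, fresh_nonce)),  # next real purchase
    ]

if __name__ == "__main__":
    print(demo())
```

The captured cryptogram is accepted exactly once; every later use fails either the counter check or the MAC check, while the card's next genuine transaction still goes through.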
Personal information sharing limit
The names of cardholders remain inaccessible even when performing a transaction. This is according to best practices in the banking industry. Card transactions occur without the embedded chip using the cardholder’s name.
Common Concerns about Contactless Card Security
Below, we discuss the most common problems people foresee with this type of payment device.
Fraudsters may design/purchase their own card readers
Because these cards work based on radio wave technology, it seems only logical that a replica of the bank’s POS machine could extract data from them. The common belief is that a hacker with such a device, if it even exists, could steal your financial information and make fraudulent transactions on your behalf.
Card skimming and cloning risk
Skimming is a term used to define the use of an electronic device to read critical data from a card over an unauthorized wireless network. The hacker’s next step after this is to clone the card using the already stolen data. This way, they may successfully make fraudulent transactions over networks with weak security.
Surpassing the daily limit
The primary purpose of contactless cards is ease and speed, so most times, you don’t have to do more than swipe your card to make a transaction. Losing your card to theft or by accident is an obvious possibility. Hence, merchants imposed daily limits on their cards to ensure larger payments would require additional verification. Unfortunately, hackers may have found a way to intercept communication between payment networks and stolen cards so they can exceed this daily limit without authentication.
Reported Cases of Contactless Card Hacks
1. In 2019, the UK’s national cybercrime reporting center released data from the previous year, stating that the biggest contactless card fraud was worth $400,000. The stolen card was used multiple times after the culprit bypassed the limit.
2. Images occasionally surface on social media showing alleged fraudsters hacking into nearby contactless cards and making payments with POS machines. All these were done with the oblivious owners standing a few inches away from them. The images have been debunked based on the fact that a POS machine can’t transact without registering it to a payment merchant and linking it to an authorized bank account.
3. There are unconfirmed cases of cards that were reported lost or stolen being used to withdraw funds when they should already be blocked. These reports are, however, mixed and unclear.
Possibility of Contactless Card Hacks
Now, to answer the ultimate question, can fraudsters hack your contactless card? After considering the above information and other parameters, the following should serve to enlighten you on the possible vulnerabilities of contactless cards.
The range required for an illegal card reader to gain access to your information is so small that an attacker may find it hard to get close enough. Low-frequency wave cards that allow little or no interference are the most secure options.
The one-time keys that the chips generate to complete a transaction serve as extra layers of protection. Even if a hacker finds a way to intercept this information, it would be useless on any other transaction.
The various payment limits on contactless cards are a last resort, in case the first two measures fail, which is extremely unlikely. Although there have been reports of limits being exceeded, companies like Visa have come out to say such attacks are not feasible in real life.
With the level of resources and technology out in the world today, it seems unrealistic to expect a completely secure device. The contactless card, however, has so many layers of security that it would look like a stretch to assume fraudsters can find ways to bypass every one of them. Nevertheless, it has not been proven to be 100% secure.
To further protect your information, consider using an RFID wallet to block unwanted signals. Do not let anyone else know your PIN, keep your card hidden when not in use, and report any stolen or lost cards to the appropriate authorities.
About the Author: David Smith
David Smith is a cryptographer with 12 years of experience in both the public and private sectors. He is currently working on his second startup (currently in stealth mode) that will track and interpret the use of contactless payments in the Greater China region. His expertise includes system design and implementation with contact and contactless smart cards, smart card personalization, mobile payments, and general knowledge and experience with APAC market trends and consumer preferences.