12

Visa payWave and MasterCard PayPass have similar descriptions - the card is equipped with an antenna that it uses to talk to the terminal. For small purchases (something like less than $50) the transaction is authorized by bringing the card close (something like no more than two inches) to the terminal.

Now what if my card is in my pocket and someone gets close to me in a crowd with a fraudulent device behaving like a terminal? What if I lose my card and someone picks it up and uses it for many small purchases? How is the fact that the card being close to the terminal is the only requirement for the transaction, and that no other participation of the card bearer is required to authorize a transaction, addressed?

sharptooth

5 Answers

5

They're not. Basically, other than the data being transmitted using the RFID chip, the protection is exactly the same as the one you have on your magnetic stripe: NONE.

But, you tagged this as "chip-card". Don't confuse them: a chip-card is something different. Chip-cards are used in Europe and in many other places where privacy and security are of concern for people. This type of card is very safe and is protected very well. The chip on the card is actually a smart-card processor, which transmits encrypted data that can only be used with a PIN that you type in separately. Stealing the card or copying the data on the chip, even if possible, doesn't provide anything usable to the thief, just as stealing your ATM card without knowing its PIN makes it totally useless. In many places in Europe, they won't accept the American cards with only a magnetic stripe.

But, many cards provide zero-liability protection, and you can always dispute fraudulent charges. So, let the retailers suffer the damages of the insecure American banking system, and maybe they'll push the banks to adopt the European chip-card system.

littleadv
5

From a technical POV, there are two main versions of contactless payment cards; for MasterCard there is PayPass M/Chip and PayPass MagStripe. I believe the MagStripe version may just be used in the US, where there are fewer chip cards, while M/Chip is used on cards which have EMV chips. (ref)

I believe the current versions of PayPass M/Chip do perform crypto on the chip and produce dynamic hashes, meaning the transactions cannot be replayed. This value is called CVC3 and can be static or computed dynamically depending on your issuer. (ref) I think dynamic is more common now, but I'm no expert. Naturally, only dynamically generated CVC3 values can't be replayed.

I've heard plenty of people ask the question about someone in a crowd with a PayPass terminal. I can't believe any merchant would allow this to happen - because MasterCard and VISA, and probably their bank, would be very, very upset and would shut the merchant down quickly. As the fraud is being performed by a merchant, not a customer, I think it would be found and stopped quickly. Maybe I'm naive, but it seems this would be a terrible method of committing fraud.

From a banking point of view, in Australia at least, provided you report your card as lost or stolen, your liability is limited to some nominal amount (I am not a lawyer - consult your bank). The transaction amounts here are limited to $100. I assume banks / MasterCard / VISA have run the numbers and still feel the possibility of more transactions and associated transaction fees, outweighs the risks.

Additionally, we're also now seeing small-value VISA transactions not require a PIN or signature - so this kind of issue now exists for non-PayPass transactions.

Regardless of all this, I'm pretty sure VISA and MasterCard will at some point mandate the inclusion of PayPass/payWave in newly issued cards.

dkam
2

Don't mix security with RFID. A contact chip-card is NOT more or less secure than a contactless one. You have to think of it as the transport layer, which is not secure in any way. The security is elsewhere: protocol, crypto, keys, etc.

bmussard
1

EMV contactless cards (which by now should include almost all newly issued cards) use an offline transaction counter to increase security. This counter is maintained inside the card and incremented every time a contactless transaction is confirmed by the card.

At least some issuers use that counter to limit the number of contactless transactions before the card has to be used for a contact transaction, which would usually require cardholder verification by PIN entry or signature.

This limits the risk to the number of allowed contactless transactions times the maximum amount per transaction.

lxgr
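A constructed model of the two issuer-side controls the answers above describe: dkam's point that only a dynamically computed CVC3 resists replay, and lxgr's offline contactless counter that forces a contact-with-PIN transaction after a fixed number of taps. This is added example code, not anything from the original page or from MasterCard/Visa; the HMAC-based cvc3(), the 5-tap limit and the $100 per-tap cap are assumptions standing in for the real EMV cryptogram and issuer parameters.

```python
import hmac
import hashlib

def cvc3(key: bytes, atc: int, amount_cents: int, dynamic: bool) -> str:
    """Constructed stand-in for CVC3 (assumption, not the real EMV algorithm): a static
    card returns the same value every tap; a dynamic card MACs counter and amount."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(4, "big") if dynamic else b"static"
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]

class ContactlessCard:
    """Card side: an application transaction counter (ATC) plus a cryptogram per tap."""
    def __init__(self, key: bytes, dynamic: bool):
        self.key, self.dynamic, self.atc = key, dynamic, 0

    def tap(self, amount_cents: int) -> dict:
        self.atc += 1  # incremented on every contactless transaction the card confirms
        return {"atc": self.atc, "amount": amount_cents,
                "cvc3": cvc3(self.key, self.atc, amount_cents, self.dynamic)}

class Issuer:
    """Issuer side: cryptogram check, replay check on the ATC, and the offline
    contactless counter that forces a contact-with-PIN transaction after N taps."""
    def __init__(self, key: bytes, dynamic: bool, max_contactless: int = 5,
                 per_tap_limit: int = 10000):  # 10000 cents = the $100 cap dkam mentions
        self.key, self.dynamic = key, dynamic
        self.max_contactless, self.per_tap_limit = max_contactless, per_tap_limit
        self.last_atc, self.contactless_since_pin = 0, 0

    def max_exposure_cents(self) -> int:
        return self.max_contactless * self.per_tap_limit  # lxgr's bound on the loss

    def authorize(self, tx: dict) -> str:
        if tx["amount"] > self.per_tap_limit:
            return "DECLINE_OVER_LIMIT"
        expected = cvc3(self.key, tx["atc"], tx["amount"], self.dynamic)
        if not hmac.compare_digest(expected, tx["cvc3"]):
            return "DECLINE_BAD_CRYPTOGRAM"
        if tx["atc"] <= self.last_atc:  # a re-sent capture carries a stale counter
            return "DECLINE_REPLAY"
        if self.contactless_since_pin >= self.max_contactless:
            return "DECLINE_PIN_REQUIRED"  # card must go into a reader and verify PIN
        self.last_atc, self.contactless_since_pin = tx["atc"], self.contactless_since_pin + 1
        return "APPROVED"

    def contact_transaction_with_pin(self) -> None:
        self.contactless_since_pin = 0  # PIN verified: the offline counter resets

def forge_next(captured: dict) -> dict:
    """Test helper: re-send a captured tap with the counter bumped; only a static cvc3 still verifies."""
    return {**captured, "atc": captured["atc"] + 1}
```

With a static CVC3 the bumped-counter copy is accepted, while the dynamic card's cryptogram fails to verify; either way the offline counter caps the loss at max_contactless times the per-tap limit.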
-1

I believe contact does have one way in which it is inherently more secure. The card has to go inside the reader. What if a thief could take money out of your wallet simply by running his hand near your pocket? Without proper PDOL implementation it seems this could be possible.

NDawg