Contactless Payment and RFID skimming – Security Before Ease


Tired of long queues at coffee shops, movie ticket counters or your favorite grocery stores? A payment feature called payWave by Visa, or payPass by MasterCard, aims to tackle just that. With this contactless technology, you simply hold your payWave-enabled Visa card (or payPass-enabled MasterCard) at a distance of no more than 4 cm from a reader at the sales counter, and your transaction is done in a matter of seconds. No more entering PINs or swiping your cards. And guess what, the card doesn’t leave your possession either! All this leads to a much easier and faster transaction, up to 3X faster.

How It Works

The payWave or payPass cards (and other such contactless cards) come with an embedded chip that sends the card data to the reader. The chip is based on RFID (Radio Frequency Identification) technology and has a radio antenna that sends out radio signals. RFID is basically a one-way communication wherein the reader gets the required information from the card but no information is sent back to the card from the reader. In the case of payWave or payPass cards, the RFID chip is a ‘passive’ one, i.e. it has no power of its own and therefore doesn’t emit any signal by itself. It gets its energy only when it comes within range of a nearby radio transmitter. Whenever an RFID-enabled card is used for shopping, the entire transaction details are encrypted and sent over the radio network. However, there is a catch. Though the information for that particular transaction is securely encrypted, it appears that the credit card number and the expiry date are not.

RFID Skimming

Since the card number and the card expiry date are not as securely transmitted, anybody with an RFID card reader can read the card without the owner knowing it and potentially extract information from it. This is popularly known as “RFID skimming” and can be used dangerously, as the video below demonstrates.

Apparently anybody can build an RFID card reader and steal information from anyone in close proximity, such as in a crowded bus or train, then use it to create a fake card and easily use that card at any regular outlet.

Preventing RFID Skimming

There is hardly anything you can do if your credit card information is stolen like this, even when the card is in your possession all the time. Unfortunately, there is no mechanism to keep your card deactivated for contactless transactions, activate it just before you intend to use it, and have it automatically deactivate again afterwards. The only possible solution is to keep your cards in ‘RFID safe wallets’, or maybe remove the RFID chips from the card itself (works, but not recommended).

Visa and MasterCard both boast of this mode of payment as being one of the most secure payment solutions available, and yet they limit the transaction amount to only $100 (anything over that requires the regular swipe and PIN, and works with the same card). They do have a zero-liability policy in place, which means fraudulent transactions, if reported, will be reimbursed fully. But one feels that’s not enough. And yet they have gone ahead and pushed these cards on consumers in countries like Australia, the United States, Canada, etc. without any option to opt out. Though the cards are not available in most Asian countries like India, it won’t be long before they are forced on customers in these countries too.

It’s only a matter of time, though, before sophisticated criminals who have proven adept at wide-scale debit-card fraud turn their attention to RFID credit cards. Maybe they are just waiting for wide-scale adoption of the same. Let us just hope Visa and MasterCard will have wised up by then and incorporated safety measures to counter them. What is in place now is simply not enough.
