Criminals could 'easily' eavesdrop on contactless payments
Contactless payment data could be captured by criminals up to 40cm away, according to a new study.
Using equipment built from 'off-the-shelf electronics' and a data acquisition (DAQ) card, engineers from the University of Surrey found they could reliably grab data from Near Field Communications (NFC) payment methods at distances far beyond their supposed 4cm range.
They even showed how criminals could use their equipment surreptitiously, concealing it in a rucksack and a shopping trolley.
"The results we found have an impact on how much we can rely on physical proximity as a security feature", said Dr Johann Briffa from the University's computing department.
"The intended short range of the channel is no defence against a determined eavesdropper."
A very subtle supermarket trolley from the study. Source: The Engineering Journal
125 NFC transactions are made every minute in the UK and one in four UK Visa cards now has contactless technology, according to Visa statistics from earlier this year.
Yet the technology has failed to take off in the way that many hoped it would and continues to be plagued by security concerns.
What can they steal?
The question for this latest piece of research, however, is whether data obtained in this way could be used for fraudulent purposes.
The UK Cards Association says it can't, and that instances of fraud on contactless cards 'are extremely rare'.
Nevertheless, this isn't the first time the security of the contactless system has been questioned.
In May, customers at Marks and Spencer reported that money had been taken from cards in their wallets and purses by the chain's payment terminals.
Though, officially, the cards need to be within 4cm of the contactless terminal to process a payment, cards up to a foot away have been debited without the customer's knowledge.
One cardholder told the BBC's Moneybox programme that a payment was taken from a contactless-enabled card in her purse, which was nearly 40cm from the terminal.
More fraud risks
Contactless cardholders can currently use NFC to pay for purchases up to £20.
Thanks to their promotion by banks, there are now more than 23 million contactless cards in circulation in Britain alone.
The research from the team at Surrey, however, suggests that much needs to be done to minimise the possibility of payments going wrong.
As well as eavesdropping, Dr Briffa warned that contactless cards might also be vulnerable to skimming attacks and relay attacks, where the victim's card is activated from a distance and the information is transmitted to a legitimate reader to complete a transaction.
In 2012, Financial Fraud Action UK reported that the losses due to contactless card fraud amounted to £13,700.
While the figures are relatively small in the world of fraud, they are likely to increase as criminals adapt to the new technology.
More bad news for NFC
Responding to this week's research, Richard Koch, the head of policy at UK Cards, admitted that the contactless system needs improving.
"We're very much in the initial stages of the roll out of contactless," he said. "We're monitoring very closely the issues that are presented."
That's surprising because NFC has been rolled out in the UK much more slowly than elsewhere and, some might argue, it has been the lack of a coordinated approach that has allowed consumer fear of the technology to fester and stopped providers coming up with effective anti-fraud methods.
In Poland - and hat tip to The Finanser for pointing this out - NFC was rolled out nationally and in one year, 2011, had easily overtaken UK usage.
As we reported earlier this year, the slow rollout has also allowed mobile payment apps to jump into the space NFC might have occupied for consumers.
Incidentally, though mobile payments of all kinds have stalled a little, mobile payments online neatly solve the contactless security issue: there's no near field for criminals to latch on to.