Contactless payment cards use near field communication (NFC) to make small payments automatically, without the card being physically read or a PIN being entered: bringing card and reader into proximity is sufficient. One of the main security features is that communication between card and reader should not be possible at a distance of more than 10 cm.
But Thomas Diakos, Johann Briffa, Tim Brown, and Stephan Wesemeyer have demonstrated in a new paper that they can intercept the communications at a distance varying between 20 cm and 90 cm from the card. "Reliable eavesdropping", says the paper, "was possible up to 40 cm. This is still a distance an attacker could easily find himself from his victim without raising any suspicion. For example, this could be the case in a crowded underground station or at the checkout queue of a supermarket."
For the moment, this appears to be academic research. "The results we found have an impact on how much we can rely on physical proximity as a security feature", said lead academic supervisor Dr Johann Briffa. "The intended short range of the channel is no defence against a determined eavesdropper." What can be done with that data is another matter.
"Although the sort of contactless card reader built by the University of Surrey might be able to interrogate a card", a spokesman for the UK Cards Association told the BBC, "any data obtained would be limited to the card number and expiry date that can be seen on the front of the card." That data would not normally be enough to commit a future card-not-present fraud, where the merchant would normally also require the security code from the back of the card. The security code is not transmitted during contactless transactions.
Neira Jones, a specialist in financial security and a partner at Accourt, agrees with the UK Cards Association. "If we accept the fundamental premise that 'with enough effort, anything can be hacked'", she told Infosecurity, "it all comes down to return on investment for the criminals. How long would it take criminals to harvest enough data to be able to make it financially viable for them? Some card data each time someone makes a payment? How long do they have to be there? How long can they bypass physical security measures? And finally, when they get the limited info they have captured, what can they do with it?"
Jones suspects that there are easier, more efficient attacks providing greater return for the criminals: "We have seen in the recent Santander and Barclays hacks that social engineering enabled the installation of KVMs at cashier positions – this is much more cost-effective for criminals than trying to capture some info sporadically and then trying to monetize it.
"I’m very much with UK Cards on that one", she added. But, "having said that, each time such things get highlighted, it demonstrates the technical prowess of the researchers but it also encourages organizations to tighten their practices and processes, which is no bad thing…"
"Future work", conclude the researchers, "involves experimenting with actual mobile phones and contactless cards instead of synthetic data and examining the information that could be eavesdropped and its potential towards a privacy attack on the victim." NFC, phones and personal privacy may in the future prove a more attractive attack vector for criminals than contactless cards on their own.