The Inconvenient Truth about Contactless Payments (RFID / NFC)
RFID (Radio-Frequency Identification) and NFC (Near-Field Communication) use electromagnetic fields to automatically identify and read tags attached to objects. The tags contain electronically stored information. Passive tags, such as payment cards, access cards, ID cards and passports, are powered by the RFID / NFC reader. Active tags, such as E-Tags, mobile phones and some motor vehicle remotes, have a local power source (such as a battery) and may operate hundreds of meters from the RFID / NFC reader. Unlike a barcode, the tag does not need to be within the reader’s line of sight, so it can be embedded in the tracked object.
RFID / NFC, as a method for contactless payments has become increasingly popular globally with a recent, rapid increase in South Africa specifically. This capability has allowed consumers to make “tap-and-go” payments without needing to hand over the card, and in some cases, without needing to provide a pin code.
To better understand the associated risks, I took to the streets to explore how my South African issued bank card behaved, both locally and abroad:
- Use Case 1 – Using the RFID / NFC enabled card as a payment method
- Use Case 2 – Using a (RFID / NFC capable) smart watch or phone, with the card enrolled as a payment method
To give a further example of how tap-and-go is being adopted overseas, see this vehicle which uses an RFID card to unlock the vehicle and drive it, an initiative by GoGet in Australia:
Before I talk about the observations, I want to briefly unpack the anatomy of card security for context:
- Magstripe – Although a supposed legacy form of reading card data, this was “replaced” by chip & pin for improved security following a rise in card related fraud, such as skimming. This was owing to the ease of reading the magstripe, which stored the Card Number (PAN), Expiry Date, Service Code, CVV1 (this CVV is different from the one located on the back of your card – CVV2) and Check Digit on Track 2.
- Chip & Pin – EMV cards are smart cards (also called chip cards, integrated circuit cards, or IC cards) that store their data on integrated circuit chips, in addition to magnetic stripes (for backward compatibility). This was the answer to further securing the card, providing an “unreadable” chip on the card to store the aforementioned information. Furthermore, (following the EMV specification) there are 2 types of PIN parameters possible with EMV:
a. Offline PIN: stored on the chip card and verified by the card itself. The PIN is encoded on the secure element of the chip, which allows faster transaction times and potentially offline transactions, as the terminal does not need to “contact” the bank for PIN verification.
b. Online PIN: not stored on the chip card; it is verified by the issuer of the card.
A chip-card may support “a”, “b” or both. If it supports both, the PIN is usually the same, but this is not a requirement. For more about card parameters – See ‘Service Codes’ below.
- Floor Limits – This is the amount of money above which the card transaction MUST be authorized – The limit can vary from merchant to merchant. In most cases, this capability is available to any merchants to allow for faster processing times. For example, places that may draw large queues, such as a fast-food drive-through, tollgate or cinema. As you can imagine, there is opportunity for fraud and therefore, between the issuer (bank) and the merchant, they must specify a limit to which they accept the risk – Often between R1 and R1000. You may notice this taking effect, when as you finish entering your pin, the transaction authorizes instantly – without dialing up.
- Service Codes – These are often a series of 3 numbers stored on the card that tell the card “how-to-behave”. For example:
- Expiry Dates – Interestingly, as mentioned in the first point ‘Magstripe’, the expiry dates of a card are stored on the card itself and can be modified by a card skimmer on the Track 2 data.
- Check Digits – Check digits, or the Longitudinal Redundancy Check (LRC), is a single validity character calculated from the other data on the track. Most reader devices do not return this value to the presentation layer when the card is swiped; they use it only to verify the input internally. Also, because this is a form of data integrity rather than data security, it follows the international standard ISO 1155, whose algorithm for calculating the check character is publicly available.
- Fallback Transactions – A fallback transaction normally occurs when a chip card, presented at a chip terminal, cannot be read due to a technical issue with the chip which results in the technology “falling back” to a magnetic stripe transaction. In some situations, a fraudster may create a counterfeit card with an intentionally damaged chip in order to invoke this scenario. Alternatively, they can purposefully damage the chip, cover it with clear tape or insert the card backwards. For this reason, fallback transactions are deemed risky by the payments industry and it is the issuer (bank) that holds liability on fallback transactions.
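To make the Track 2 layout from the ‘Magstripe’ point and the LRC from the ‘Check Digits’ point concrete, here is an added example of my own; it is not code from the article or from any card scheme. It parses a constructed Track 2 record, recomputes the ISO 1155 LRC (an XOR over every character, sentinels included) and also validates the PAN’s own Luhn check digit, which is a separate check from the LRC. The sample record, the field offsets and the meaning assigned to the first service code digit are assumptions, stated again in the comments.

```python
# Added example, not code from the article: parse a Track 2 record and
# verify its Longitudinal Redundancy Check (LRC) as ISO 1155 defines it:
# the XOR of every character's 4-bit value from the start sentinel ';'
# through the end sentinel '?'. The field layout (PAN, expiry, service
# code, discretionary data) is the one the article describes for Track 2.

# Constructed sample record (not a real card): a well-known test PAN,
# expiry Dec 2025 (YYMM), service code 101, made-up discretionary data.
SAMPLE_TRACK2_BODY = ";4111111111111111=2512101123456789?"


def compute_lrc(track_body: str) -> str:
    """XOR the low nibble of every Track 2 character, sentinels included.

    Track 2 uses a 16-symbol alphabet ('0'-'9', ':', ';', '<', '=', '>',
    '?') occupying ASCII 0x30-0x3F, so the low nibble of each character is
    the 4-bit value actually recorded on the stripe.
    """
    lrc = 0
    for ch in track_body:
        if not 0x30 <= ord(ch) <= 0x3F:
            raise ValueError(f"{ch!r} is not in the Track 2 alphabet")
        lrc ^= ord(ch) & 0x0F
    return chr(0x30 | lrc)


def append_lrc(track_body: str) -> str:
    """Return the record as it would be encoded: body followed by its LRC."""
    return track_body + compute_lrc(track_body)


def verify_lrc(track: str) -> bool:
    """True if the trailing LRC character matches the rest of the record."""
    if len(track) < 2:
        return False
    return compute_lrc(track[:-1]) == track[-1]


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 check digit on the PAN itself (separate from the LRC)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a Track 2 record into its fields; integrity checks come first."""
    if not verify_lrc(track):
        raise ValueError("LRC mismatch: record is damaged or was altered")
    body = track[:-1]
    if not (body.startswith(";") and body.endswith("?")):
        raise ValueError("missing start or end sentinel")
    pan, sep, rest = body[1:-1].partition("=")
    if sep != "=" or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("PAN must be 12-19 digits followed by '='")
    if not luhn_valid(pan):
        raise ValueError("PAN fails its Luhn check digit")
    return {
        "pan": pan,
        "expiry_yymm": rest[:4],
        "service_code": rest[4:7],
        # Assumed convention (ISO/IEC 7813): a first service-code digit of
        # 2 or 6 tells the terminal an EMV chip is present and preferred.
        "chip_present": rest[4:5] in ("2", "6"),
        "discretionary": rest[7:],
    }


if __name__ == "__main__":
    record = append_lrc(SAMPLE_TRACK2_BODY)
    print(record, parse_track2(record))
```

Because the LRC is a plain XOR with no key, it only catches accidental corruption: anyone who can rewrite the track can recompute it, which is exactly why the article classes it as data integrity rather than data security.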
You can read this article from 2016 where I demonstrate the above concerns, here.
So, just before I jump back into RFID / NFC contactless payments, I think it is worth noting the following, extremely concerning, observations:
- Magstripe, as a form of identifying a payment card, is known to be flawed;
- For this reason, EMV introduced the chip & pin capability;
- In addition, the magstripe remained on the card, with the same data (albeit with 1 service code digit changed) for backward compatibility:
  - In case the chip is damaged
  - In case the terminal does not support chip & pin.
Therefore, it would be safe to say that chip & pin, in its current implementation, is fundamentally flawed. For as long as the magstripe is still on the card, encoded with payment data, card skimming and card fraud remain just as possible as without chip & pin.
So what have the issuers (banks) actually done to try and reduce the risk? The answer, as it appears to me, is to:
- Further maximize the use of limits. This would be in effort to reduce the amount (value) of the fraud before it is identified and stopped rather than remove the magstripe entirely, for the reasons stated above; and
- Introduce 2FA where possible, such as the 3D Secure functionality, Dynamic Passcode Authentication (DPA), and OTP for online, Card Not Present (CNP) transactions.
However, in credit of the issuers (banks), it would also be necessary to note that there are standards based on ISO/IEC 7816 for contact cards, and standards based on ISO/IEC 14443 for contactless cards that may possibly also act as a restraint to not “do what they like”.
EMV originally stood for “Europay, Mastercard, and Visa”, the three companies that created the standards. The standards are now managed by EMVCo, a consortium of financial companies. The most widely known chips of the EMV standard are:
- VIS – Visa
- Mastercard chip – Mastercard
- AEIPS – American Express
- UICS – China Union Pay
- J Smart – JCB
- D-PAS – Discover/Diners Club International.
- Rupay – NPCI
- Verve
So what’s wrong with RFID / NFC enabled contactless payments?
The answer is quite simple – It is fundamentally no different to the other forms of card identification – Other than its convenience. This being said, it seems to have a higher risk tolerance (for now) which I can only assume is due to its new-ish adoption.
Following the research, it appears some card issuers (banks):
- Restrict the number of contactless transactions that can be made before the PIN is requested, to minimize fraud;
- Force a cash limit for each contactless transaction which differs slightly between issuers;
At the same time, issuers (banks) are supposed to limit the number of contactless payments each day to protect users if their card is stolen. If a certain number of contactless payments is exceeded, usually three, a PIN is requested or the card may even be blocked.
However, some issuers (banks) have been known to allow as many contactless payments as the customer wishes to make.
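The two issuer-side controls just described (a per-transaction cash limit above which a PIN is required, and a cap on consecutive no-PIN taps after which a PIN is demanded or the card is blocked) can be modelled in a few lines. The block below is an added example of my own, not code from the article or from any bank: the limit values, the card identifier and the sequence of taps are all assumptions, and the decision strings are made-up labels.

```python
# Added example, not code from the article or from any issuer: a toy
# issuer-side rule for contactless ("tap-and-go") authorization that
# models the two controls the article describes, a per-transaction cash
# limit above which a PIN is required, and a cap on consecutive no-PIN
# taps after which a PIN is demanded and, if taps continue without one,
# the card is blocked. All limit values below are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

APPROVED = "APPROVED"
PIN_REQUIRED = "PIN_REQUIRED"
BLOCKED = "DECLINED_BLOCKED"


@dataclass
class ContactlessPolicy:
    per_txn_limit: int = 500          # assumed: rands, no PIN needed at or below
    max_consecutive_no_pin: int = 3   # assumed: taps allowed before a PIN is demanded
    block_after_refusals: int = 2     # assumed: ignored PIN demands before blocking


@dataclass
class CardState:
    consecutive_no_pin: int = 0
    pin_refusals: int = 0
    blocked: bool = False


class IssuerHost:
    """Keeps per-card velocity state and decides each contactless request."""

    def __init__(self, policy: Optional[ContactlessPolicy] = None):
        self.policy = policy or ContactlessPolicy()
        self.cards: Dict[str, CardState] = {}

    def authorize(self, pan: str, amount: int, pin_verified: bool) -> str:
        st = self.cards.setdefault(pan, CardState())
        p = self.policy
        if st.blocked:
            return BLOCKED
        if pin_verified:
            # A successful PIN shows the cardholder is present; reset counters.
            st.consecutive_no_pin = 0
            st.pin_refusals = 0
            return APPROVED
        over_limit = amount > p.per_txn_limit
        too_many_taps = st.consecutive_no_pin >= p.max_consecutive_no_pin
        if over_limit or too_many_taps:
            st.pin_refusals += 1
            if st.pin_refusals > p.block_after_refusals:
                st.blocked = True        # repeated no-PIN attempts: stop the card
                return BLOCKED
            return PIN_REQUIRED
        st.consecutive_no_pin += 1
        return APPROVED


# Constructed sequence of taps on one card: (amount in rands, pin_verified).
SAMPLE_TAPS: List[Tuple[int, bool]] = [
    (100, False), (150, False), (90, False),      # three taps within limits
    (120, False),                                 # fourth tap: PIN demanded
    (120, True),                                  # PIN entered: approved, reset
    (1500, False), (1500, False), (1500, False),  # over limit, PIN ignored
    (50, False),                                  # card is now blocked
]


def run_contactless_sample() -> List[str]:
    host = IssuerHost()
    return [host.authorize("card-A", amt, pin) for amt, pin in SAMPLE_TAPS]


if __name__ == "__main__":
    for tap, decision in zip(SAMPLE_TAPS, run_contactless_sample()):
        print(tap, "->", decision)
```

The point of keeping the counters on the issuer host rather than on the terminal is that a stolen card presented at many different merchants is still seen as one stream of taps; an issuer that does not keep such state is the case the article describes as allowing as many contactless payments as the customer wishes.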
So let’s not kid ourselves, contactless card fraud is on the rise; in the first half of 2018, thieves stole more than £8 million from contactless fraud.
In conclusion, although the risks are reportedly low:
- It is possible to be defrauded on your RFID / NFC enabled contactless card. See ‘Are Contactless Cards Cloneable’ for more information.
- It is possible for fraudsters to skim details off your contactless card, for instance, by standing behind you in a queue. (The distance from which you can be skimmed varies with the power of the reader. Some researchers say that, because the NFC technology in contactless cards uses 13.56 MHz radio and only transmits digital data within a very short range (typically 5 cm or less), no communication should be possible beyond that range.) However, the University of Surrey Journal of Engineering said a team managed to “successfully receive contactless transmission from distances of 18 to 31 inches”.
- Your card can be targeted with an NFC enabled terminal even when it’s in your wallet or purse:
A fraudster could potentially purchase a device like these seen on Takealot:
That said, contactless card fraud (from publicly available data) does not appear to be common. However, I would err on the side of caution when South African banks say:
“This technology protects our customers against card related-fraud, such as card skimming, as they no longer have to insert their card into the point of sale device” – Raj Makanjee, Chief Executive for FNB Retail.
“Some sensational reports show that contactless cards can be remotely read by someone close to you, but upon testing it has shown that the data that can be retrieved is not sufficient to be used in fraudulent transactions – the chip cryptograms are just too strong” – Tshipi Alexander, Head of Consumer Issuing at Absa Card.
Versus that of global research:
“It seems that the banks are taking a very complacent attitude when it comes to stopping the easy to target contactless payment fraud. They casually reassure consumers that they are 100% covered for any stolen money and they will return any lost cash to their accounts.”
Upon reading the publicly accessible data on an NFC banking card compliant with EMV, the following data could be seen:
- Card Number – Full card number as displayed on the front of the card
- Expiry Date – Full expiry date as displayed on the front of the card
- Card Type – ie. Mastercard, VISA, etc.
- Card Issuer – VISA, Gemalto, Cryptomate, ACS, etc.
- Service Codes – See ‘Service Codes’ above
- AID – Application Identifier. Each AID indicates a specific card scheme product that is supported, such as Visa, MasterCard and Maestro
- Transaction Counter – The Application Transaction Counter (ATC) makes each cryptogram (ARQC) unique and provides tracking values for the host verification services, allowing replayed transactions and cloned cards to be identified. See ‘Explaining Unpredictable Numbers (UNs)’ for how this has been circumvented. The best the card issuer can do to prevent re-use of old transactions is to reject transactions with an ATC value lower than the highest ATC value it has observed in a transaction.
- PIN Tries Left – The number of invalid PINs that can still be entered before the card locks.
- Transactions! – A list of the last transactions completed on the card, even transactions that were not contactless. This includes amount, transaction type and terminal country.
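The ATC check described under ‘Transaction Counter’ above is simple enough to show in full. The following is an added example of my own, not code from the article or from any issuer: an issuer host keeps the highest ATC it has accepted for each card and rejects anything that is not above it. The card identifiers, ATC values and amounts are constructed, and the reason labels are made-up names.

```python
# Added example, not code from the article or from any issuer: the
# host-side Application Transaction Counter (ATC) check the article
# describes. The card increments its ATC on every transaction, so the
# issuer keeps the highest ATC it has accepted per card and refuses any
# transaction whose ATC is not above it. A repeated value points to a
# replayed cryptogram; a lower value to a clone that keeps its own copy
# of the counter and has fallen behind the genuine card. Data below is
# constructed.
from typing import Dict, List, NamedTuple, Tuple


class Txn(NamedTuple):
    pan: str      # card identifier (placeholder values below)
    atc: int      # Application Transaction Counter reported by the card
    amount: int   # rands, only carried along for the log


class AtcMonitor:
    def __init__(self) -> None:
        self.high_water: Dict[str, int] = {}   # pan -> highest ATC accepted

    def check(self, txn: Txn) -> Tuple[str, str]:
        """Return (decision, reason); updates the high-water mark on accept."""
        last = self.high_water.get(txn.pan)
        if last is not None and txn.atc <= last:
            reason = "replayed_atc" if txn.atc == last else "atc_behind_genuine_card"
            return ("REJECT", reason)
        self.high_water[txn.pan] = txn.atc
        return ("ACCEPT", "")


# Constructed transaction stream for two cards.
SAMPLE_TXNS: List[Txn] = [
    Txn("card-A", 5, 100),
    Txn("card-A", 6, 40),
    Txn("card-A", 7, 25),
    Txn("card-A", 7, 25),    # same ATC again: replay of the previous cryptogram
    Txn("card-A", 8, 60),
    Txn("card-A", 3, 500),   # counter went backwards: a second (cloned) card
    Txn("card-B", 1, 10),    # different card, its own counter starts fresh
]


def run_atc_sample() -> List[Tuple[str, str]]:
    monitor = AtcMonitor()
    return [monitor.check(t) for t in SAMPLE_TXNS]


if __name__ == "__main__":
    for t, (decision, reason) in zip(SAMPLE_TXNS, run_atc_sample()):
        print(t, decision, reason)
```

Note the limitation the article hints at: the monotonic check only catches the copy that is behind. If a clone has run ahead of the genuine card, it is the genuine card’s next transaction that gets rejected, so the check signals that something is wrong without saying which card is the clone; the cryptogram itself, which the article notes the ATC makes unique, is what ties a given ATC to a given card.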
Given the above, I think it is safe to say that the belief that more data can be read off the magstripe than off the contactless card is in fact false.
Although it is highly likely, that if you were to fall victim to this kind of fraud, the issuer (bank) would refund the money you lost, there is also a lot that cannot be simply “refunded”, such as:
- Your personal information – In some cases, your Name, Surname or Transaction History, depending on what information the issuer decides to store on the card.
- Your time – Anyone who has had to report card fraud to a bank knows that these things don’t happen overnight: it is an administrative process to capture and process the claim and have the funds reflect back in your account.
- Your cashflow – Even though issuers (banks) have set varying per-transaction limits (below which no PIN is required), you can still lose hundreds (if not thousands) of rands, and this may have a negative impact on your cashflow while you navigate the fraud process.
How to minimize the chances of contactless card fraud
- Contrary to being told you don’t need to worry – Be Aware, Be Alert.
- Don’t hand over your card to anyone, for instance, in a restaurant. If your card is taken out of your sight someone could skim the card, which copies the data.
- Contactless users aren’t always offered a receipt so if you want to keep track of spending and make sure you aren’t being overcharged, ask for one.
- Contactless users may also be inclined to tap their card without visually inspecting the amount – be sure to verify the value of your payments.
- You should check your statements as regularly as possible to look for unusual transactions, including on lost or stolen cards as these can still be used after being cancelled. Especially considering that some amounts may be below your notification threshold/value.
- Banks issue contactless cards by default today. However, you may not be obliged to take one. If you’d rather have a traditional chip and PIN card, try asking for one instead.
- Use tinfoil to line your wallet etc. This will block radio-frequency identification signals to and from the card.
- If your card is lost or stolen, act fast. Contact the necessary companies to cancel your cards immediately.
- Some banks and card companies allow you to ‘turn off’ your card when you are not using it through their apps – Hopefully this becomes a standard feature in future.
Considering RFID / NFC as a technology has many more uses than purely for payments, such as, but not limited to:
- Smart Identification Cards (South African ID Cards)
- Passports
- Access Cards (For office buildings, parking, secure areas, etc)
- Smart Keys (Keyless Entry Vehicles)
- Public Services (Gautrain, Buses, etc)
CyberSec (Pty) Ltd has an RFID / NFC blocking card accessory. Just place it near any of your RFID / NFC enabled items to protect your information and reduce the likelihood of falling victim to RFID / NFC fraud.
Just grab one of our business cards to start protecting your RFID / NFC financial & personal information!