Contactless card transactions are becoming increasingly popular in the United States, Europe and Asia. In the United Kingdom alone there are some 34.5 million cards in issue with contactless functionality, according to the UK Cards Association.
With contactless payments, no signatures or PINs are required for authorization. This makes transactions under approximately $35 quick, occurring in less than a second. According to the system’s advocates, it not only spurs spending but also improves customer service.
However, there is growing concern about the security risks, and apparently it is justified.
Researchers from the Department of Computing and the Center for Communications Systems Research, both at the UK’s University of Surrey, published a paper detailing an eavesdropping attack on contactless payment transactions that employ Near-Field Communications (NFC) systems. Big players in electronic payments such as Capital One, VISA, MasterCard and Google have already adopted NFC, and there is a growing push to use NFC chips for point-of-sale transactions.
In the paper, published in the Journal of Engineering last month and available in the IET Digital Library, the researchers found that, despite the belief that a distance limitation of about 5cm, or just under 2”, provided protection, this was not the case. They documented that they could reliably eavesdrop on all transactions at 40cm, or around 15”, with successful results at up to 90cm, or 35.4 inches.
The research was conducted using readily available off-the-shelf hardware, with the most expensive component costing about 1500 British pounds. The researchers posit that cheaper equipment could be custom-built by attackers and hidden in backpacks or other innocuous places, making attacks easier to carry out.