comments 2

Relax dear-citizen your contactless card is relatively safe—ish

As Malaysia slowly (but surely) migrates to Chip and Pin, some banks have taken the opportunity to issue not just new Pin-enabled cards, but contactless-enabled ones as well.

To be clear, Banks are only mandated to issue new Pin cards (replacing the signature cards you had before), but are taking the opportunity to also embed contactless capabilities into them as well. After all they’re already issuing new cards to every (single!) card holder, might as well get them on the contactless bandwagon while they’re at it.

The reason for being so gung-ho about contactless is purely economical. Research suggest that the easier payment methods become, the more money people are willing to spend. People with credit cards spend more than people with just cash, and 0% interest schemes have been a godsend to retailers. Contactless payments, which don’t involve cumbersome Pins or signatures, are clearly the next evolutionary step, with one research paper suggesting they increase customer spending by nearly 10%.

Banks make money from small percentages per transactions, the more transactions at higher amounts, the more money they stand to make. So if an extra dollar worth of electronics in a contactless card increases revenue by 10%–why not?!

Pins are for security, Contactless is for convenience

But while PINs are a security feature, contactless is all about convenience. And conveniences trade-off security, so it stands to reason that contactless cards are less secure than regular ‘contact’ ones.

The question is whether that trade-off is worth the increase in convenience. After all, nothing is absolutely secure, and in today’s criminally infested internet, keeping your money under the mattress is safer than keeping it in a bank–but nobody does it because the mattress would be too inconvenient.

So what convenience are you getting with a contactless cards?

For one thing, no more waiting for a receipt printout to sign on, or bending down to an inconveniently placed pinpad to type in your PIN. Plus, for someone with gigantic fingers like me, I jump on the opportunity to avoid having to fidget with pinpads that must have been designed for dwarf children after they’ve been struck by the ray gun from Honey I shrunk the kids.

But that’s about it–the only convenience contactless cards provide is that you can do contactless payments–up to a specified amount.

The question now is what security trade offs are you making for this remarkable feature?

The security considerations

Well contactless cards are by nature — contactless!

While regular ol’ contact cards need to be physically inserted into a terminal to be read, contactless cards can be read ‘over the air’. I’ve seen people tap their entire wallets at the readers to make payments,  which means anyone can build a reader capable of extracting information from your card, while it’s in your wallet or bag.

The electronics to build such a reader is remarkably cheap and simple to build, after all, the specifications for something as pervasive as credit cards aren’t exactly state secrets. Just watch this video to see how easy it is to do–this one even does it with a rooted android phone.

And what data do criminals get from these readers? Your name, credit card number and card expiry date, a remarkable amount of data for very little effort.

So the cards are easily read, even while still in your wallet or bag. The bigger question though is what can they do with the data?

The answer is not much. (meh!)

How Credit Cards protect themselves

Credit card transactions are divided into two broad categories, card not present (CNP) and card present (CP) transactions.

Card Present (CP) transactions are the general in-store purchases you make with your credit card present. In these cases, the credit card terminal uses cryptography to authenticate the card, in other words the terminal has ways of making sure the card is genuine. And the general consensus is that any Chip card (whether it’s a PIN or Signature one) is un-cloneable.

The method used to protect the secret-key on these cards is comparable to the method used to secure iPhones. So rest-assured that just having name, credit card number and expiry date is insufficient to clone a credit card. You need the card’s secret-key, and that’s going to take more than a rooted android phone to extract.(a lot more!)

In other words, while criminals may be able to read your contactless card while its still comfortably in your pocket, they’ll be unable to clone it.

But what about those transactions that don’t require a card at all? What about the card not present (CNP) transactions?

CNP transactions generally refer to online transactions where the physical card isn’t present. The cardholder (or a criminal impersonator) is merely entering numbers into a web browser. I could call my wife today, give her the relevant details of my card, and get her to book me a flight to Bora-Bora, and no one would know whether she had the card or not–but the transaction would be approved.

To combat fraud for CNP transactions, cardholders are forced to enter their CVV2 number to authenticate a transaction. The CVV2 number is the 3 (or 4) digit number printed at the back of your card (or front if you’re using American Express). CVV2 is not stored electronically on the card, only printed on the back, since it’s designed for humans to read and enter manually into web browsers. Because it’s not electronically stored, it can’t be electronically read.

Which means the data read by a malicious drive-by contactless card reader isn’t sufficient to perform either offline or online transactions.

Phew!

Bank Negara’s official statement, which was released on facebook (because it’s 2016, and official statements from central banks now go on Facebook) stated long-windedly that:

• Contactless cards have an embedded chip…renders a contactless card almost impossible to be cloned or counterfeited; and

• Malaysia has adopted a stronger authentication method…To authenticate an online card transaction, cardholders are required to enter a transaction authorisation code (TAC) that is sent to their mobile phones or security device. In the event the card details are misused to conduct a transaction at an overseas merchant’s website that has not implemented a stronger authentication method, Malaysian cardholders are protected by the liability shift rules introduced by the international card networks which require the overseas merchant to bear the liability of any fraudulent transaction

The last line of the quote simply says that if someone stole your card details and shopped at sites that don’t implement two-factor, such as Amazon, or subscribed to porn websites, the merchants would foot the bill and not you. Which means that there is a policy solution to this as well–not just technologically. This sort of liability shift is how banks incentivize parties to upgrade their infrastructure.

Oh, and by the way, SMS two factor has already been deprecated by NIST–so probably wise not to start your press statement with words like “stronger authentication method” only to be follow that up by “TAC that is sent to their mobile phones”. So far the best solution I’ve seen for CVV2 codes was this one, where the code changes every hour. A slightly more problematic solution is a separate dongle, but those are cumbersome.

As a side note, since Visa uses a short 3-digit CVV2 code, researchers have found a way to brute-force guess the code by simply trying every possibly combination across multiple websites. A distributed brute-force attack, which only require that the criminals know your card number and expiry date–the two very things they can read from your contactless card with ease.

By comparison, Mastercard blocks brute-force attacks, while American Express uses a 4-digit CVV2 code (that’s 10 times harder than 3-digits to brute-force).

However, it’s easier to buy card numbers and expiry dates from shady characters online ($5-$10 a piece) than it is to read them off contactless cards in public. Just how long could you walk around a busy city with a card-reader in your pocket, before someone eventually finds out?! So .

Contactless can be more secure?

As a final thought, is there is some security advantage to using contactless cards. (yes, I know I said all conveniences traded off security, but hear me out)

Since contactless cards are meant to be tapped, they usually never leave the cardholders hands–which means there’s less of a possibility of someone stealing your card info by taking a photo, or even just memorizing the numbers while you’re not looking. And as we discussed, the all important CVV2 is printed, and if no one can see it (because the card is in your hands), no one can steal it.

To be sure, contactless cards aren’t perfect, but they’re just the natural evolution of payments–so get with the program. You’re more likely to lose your card details, because some dumb-ass merchant decided it was a good idea to to write down your credit number and CVV2 details in their Point-of-Sale … and that same dumb-ass merchant gets hacked. Even in Singapore, I’ve had merchant insist on writing down my card details in their POS–a definitive no-no when it comes to securing your card details.

And most of the other attack vectors that contactless cards pose, are equally likely for regular ‘contact’ cards as well.

Here’s wishing Malaysia a successful Chip and Pin migration, and Merry Christmas everyone.

Conclusion

Overall, contactless cards offer a little convenience for just a slight security trade-off. I wouldn’t turn a card down just because it wasn’t contactless, they’re still pretty good.

Just make sure you don’t get debit cards (whose liability is unlimited on your part), and choose a good PIN, and always cover the pinpad with your hands when you’re typing in your PIN.

Other than that, I for one, welcome our new contactless overlords!

TL;DR

Researchers in the UK have managed to successfully ‘impersonate’  a card before, even giving a demonstration online. While this is true, the difference is that the UK uses Offline Pins, while Malaysia will implement (hopefully!) Online Pins, and in the published paper (which many members of the press choose to ignore), they specifically mention:

we have tested cards from Switzerland and Germany whose CVM lists specify either chip and signature or online PIN, at least while used abroad. The attack described here is not applicable to them. However, because UK point-of-sale terminals do not support online PIN, a stolen card of such a type could easily be used in the UK, by forging the cardholder’s signature.

Offline Pins are stored on the cards themselves, and are verified by the card–as you can imagine this isn’t a great solution. A pin enabled card is still better than a signature one, but because the Pin is verified by the card, if you can successfully compromise the connection between the card and the terminal you can beat the protocol. This isn’t ‘cloning’ the card, because you still need the original card, and some electronics, but it’s awfully close. With a stolen card, you’d be able to perform some Card Present transactions and net yourself some serious bounty–again this isn’t something a sustainable criminal enterprise would do, spending money in physical locations is a definite no-no.

The UK was one of the first countries to implement Chip and Pin, and hence the choice for offline pin. Modern implementations of chip and pin usually use Online Pins, and this means that the Pin is verified by the banks online systems (and not the card). Impersonating an online Pin card is far harder to do (at least to my mind!)

Finally, because the usage of Pin depends on the card and terminal–chances are that when you go to foreign country, you’ll still be asked for signature. That’s because these countries haven’t implemented online PIN yet, and their terminals can only do offline pins, so both the terminal and card ‘fallback’ to use signature–the only verification method both terminal and card agree on.

Further reading

  1. My initial post on Chip and Pin ( a real dummies version)
  2. Youtube video of professor Ross Anderson explaining the fundamentals of Chip and Pin
  3. BNM just completely screwing up the explanation to Sin Chew (from TheStar)
  4. A Computerphile video from Ross Anderson (the guy is brilliant)
  5. Official Bank Negara Statement on Contactless cards
  6. Statement from ABM (Associations of Banks Malaysia) on roughly the same topic, with exactly the same wording :).
  7. CNN article for a credit card where the code changes every hour

2 Comments

  1. Chok Sien Hiew

    What are the measures that can stop a fraudulent merchant from going around with a card reader to read and perform transactions with contactless cards without the cardholder realising it, in a crowded bus for example? To perform a contactless transaction, the card just needs to be near the reader right? What is stopping such a fraudster is simply that many customers will deny transactions and the fraudster will be easily caught?

    • Anonymous

      Yup. Contactless transactions are suppose to be ‘frictionless’ so no verification is required.

      But remember in order for fraudsters to do this, they need a legitimate terminal, and that requires a bank account etc etc. So it’s actually very hard to acquire anonymously, and usually leaves a long paper trail. In the end, it’s unlikely to happen because the fraud leaves such a large paper trail, and usually results with the fraudster going to jail.

      In order to fly under the radar, fraudsters can at most use this for 1% of their transactions–which isn’t a lot, considering that contactless transactions are also of lower value.

#YourComment