The ease with which criminals can steal contactless card information to make fraudulent purchases highlights the need for two-factor authentication (2FA), say security experts.
Researchers at consumer rights organisation Which? revealed that users of contactless debit and credit cards could be unwittingly opening their bank account up to fraudsters.
The researchers were able to use inexpensive, widely available card scanners bought from a mainstream website to read key personal details from 10 different debit and credit cards.
They were then able to use the stolen data to place online orders for goods costing up to £3,000 without the card’s security code and using a false name and address.
In response, the UK Cards Association said this was not a new discovery and instances of contactless fraud remain extremely low.
But the findings by Which? show the risks of relying on single-factor authentication, said Laurance Dine, managing principal of investigative response at Verizon.
“While contactless offers a quick and easy payment system, it also opens up risk to consumers and banks in the event of fraud; potentially damaging customer relationships in the process,” he said.
According to Dine, all payments should have 2FA, such as biometrics to authenticate individuals into systems, applications and data securely.
“Since everyone has a unique biological identity, let’s apply that single biological identity to cyberspace to establish trust,” he said.
Dine said fingerprint biometrics usually afford the easiest user interface. Users simply place a finger on a reader and authentication takes place, much like the recently launched Apple Pay system.
However, Sameet Gupte, global head of banking and financial services at Virtusa, believes contactless fraud should encourage banks and retailers to embrace tokenisation.
“Tokenisation ensures all the card details of the transaction are replaced with token numbers. It also means companies don’t need to store sensitive payment data on their networks where it can be stolen,” he said.
According to Gupte, tokenisation gives extra comfort to customers that their details are secure.
“Although the threat of fraudsters and hackers is not completely eliminated, it is exponentially reduced. We see this being adopted more aggressively as tokenisation is more secure than generic contactless payments, in the same way Chip and PIN is more secure than paying by cheque,” he said.
Security checks needed
Ross Brewer, vice-president and managing director for international markets at LogRhythm, said although the Which? finding may not be a new discovery, it does raise urgent questions.
“If banks are aware of the problem, why has it not been solved? The fact that the card details are not masked is a concern and banks should have found a way to ensure the data is not so freely available to thieves,” he said.
Potentially more worrying, said Brewer, is the fact that the researchers were able to buy goods online without needing the registered address of the cardholder, or the CCV security code.
“Correctly supplying this information should be the very minimum required for a transaction to go through successfully,” he said.
According to Brewer, it has never been more important for banks to have robust security checks in place, considering the growing popularity of contactless payments and the fact that the contactless payment limit is set to rise to £30 in September 2015.
“It is therefore more likely that criminals will begin to target cards rather than the old-style Chip and PIN for a quick and easy payday. Banks need to be extra vigilant and flag abnormal payments – such as multiple transactions in a short space of time or payments being made from unusual locations – immediately, to protect their customers’ accounts,” he said.
Brewer said retailers should only allow online transactions when all the information entered has been checked and verified, allowing them to block the use of false details.
“All organisations need to be constantly monitoring their networks for unusual activity. As technology makes our lives quicker and easier, it also does the same for criminals.
“To combat the threat, businesses must have the ability to monitor activity, correlate that information and analyse it for unusual patterns – all automatically,” he said.
Taking an intelligent approach to security is the only mechanism that will provide the visibility required to identify fraudulent activity in minutes and protect users from theft, said Brewer.
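The kind of automated check Brewer describes, flagging several payments on one card in a short window and payments from a location that does not match the cardholder's usual one, can be sketched as a small rule engine. This is an added illustration, not code from LogRhythm, Which? or any bank; the transactions, the ten-minute window, the three-payment limit and the per-card home cities are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions (not real data): card id, ISO timestamp, amount in GBP, city
SAMPLE_TXNS = [
    ("card-A", "2015-08-01T09:00:00", 4.50, "London"),
    ("card-A", "2015-08-01T09:02:00", 12.00, "London"),
    ("card-A", "2015-08-01T09:03:30", 28.00, "London"),
    ("card-A", "2015-08-01T09:04:10", 29.50, "London"),   # fourth payment inside 10 minutes
    ("card-A", "2015-08-01T18:30:00", 15.00, "London"),   # hours later, window has reset
    ("card-B", "2015-08-01T10:00:00", 20.00, "Manchester"),
    ("card-B", "2015-08-01T10:20:00", 25.00, "Lisbon"),   # far from the card's usual city
    ("card-C", "2015-08-01T11:00:00", 9.99, "Leeds"),
]

VELOCITY_WINDOW = timedelta(minutes=10)  # assumed sliding window
VELOCITY_LIMIT = 3                       # more than this many payments in the window is flagged
# Assumed cardholder profile: the city each card is normally used in
HOME_CITIES = {"card-A": "London", "card-B": "Manchester", "card-C": "Leeds"}


def flag_abnormal(txns, home=HOME_CITIES, window=VELOCITY_WINDOW, limit=VELOCITY_LIMIT):
    """Return (card, reason, timestamp) alerts for velocity and unusual-location anomalies."""
    alerts = []
    by_card = defaultdict(list)
    for card, ts, amount, city in txns:
        by_card[card].append((datetime.fromisoformat(ts), amount, city))

    for card, events in by_card.items():
        events.sort()          # correlate per card in time order
        recent = []            # timestamps of payments still inside the sliding window
        for when, amount, city in events:
            recent = [t for t in recent if when - t <= window]
            recent.append(when)
            if len(recent) > limit:
                alerts.append((card, "velocity", when.isoformat()))
            usual = home.get(card)
            if usual and city != usual:
                alerts.append((card, f"unusual location: {city}", when.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in flag_abnormal(SAMPLE_TXNS):
        print(alert)
```

In a real deployment the thresholds would be tuned per issuer and the location rule would compare against a learned history rather than a single home city, but the structure, per-card correlation over a time window, is the same.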
“Which? has highlighted the problem and now it is up to organisations to fix it so consumers can use the technology without concern,” he concluded.