
Researchers uncover major flaw in contactless payments

Researchers at the UK’s University of Sussex have discovered how to hack into contactless payment cards, which rely on near-field communication (NFC). The process, known as skimming, was carried out with off-the-shelf equipment bought from a hardware store.

They published their findings in a technical paper which is a bit complex, but boiling it down, they built a near-field inductive loop antenna for transmission. They also used the same antenna and a modified shopping trolley for receiving information. Apparently it could work up to a distance of 100cm. The financial services industry says contactless payments cannot be eavesdropped beyond 5cm. The image gives you an idea of how rudimentary the equipment was, and clearly a hacker is not going to wheel one of these into a store and park it up next to a payment point. However, that’s not the point: the researchers wanted to assess the security of near-field communications.

NFC is going to become commonplace – despite the risks

Unsurprisingly, the financial services industry bristled at the findings and at the researchers’ conclusion that near-field communications had serious implications for consumers. Many players have invested heavily. Visa, Mastercard and Google have already developed platforms for contactless payments, banks are heavily promoting them and mobile manufacturers are equipping handsets with NFC technology. In short, contactless transactions ranging from access control to ticketing and financial payments are becoming increasingly popular in Europe, Asia and the United States. Apparently a spokesman for the UK Card Association said the data obtained would only consist of the card number and expiry date. The PIN number and card security code cannot be harvested.

NFC flaws already exposed

That may be the case, but the industry has also been adamant that eavesdropping over this range wasn’t previously possible. There is also the threat of relay attacks, which essentially activate someone’s card from a distance and then transmit the card information to a legitimate reader to complete a transaction. NFC payments have been dogged by errors. Shoppers at Marks and Spencer had money removed from their accounts without their permission. The cards were only supposed to work at a short distance from the reader, but a couple of customers said payments were taken when their cards were in their purses and not close to the reader. Barclays VISA contactless payment cards were also exposed to risk when it was discovered that data from the cards could be stolen by special readers in mobile phones.

Growing need for identity theft protection

Despite the teething errors, NFC is clearly here to stay. The benefits for business are just too great to ignore: lower costs, faster processing and reduced staff headcounts, to name but a few. As a result, NFC is going to become increasingly pervasive and we’ll find ourselves using the technology by default. However, as the University of Sussex researchers have shown, NFC is not as secure as sometimes claimed. If anything, this emphasises the need for good identity theft protection, so that if our details are stolen, we know about it and can take appropriate action.

Written by Steve Bell

Steve has a background in IT and business journalism and has written extensively for both the UK national and trade press including The Guardian, Independent-on-Sunday, The Times, The Register, MicroScope and Computer Weekly. He's also worked for most of the world's largest IT companies producing content. He has a particular focus on IT security and has produced several magazines in this area.
