June 20, 2005

How Safe Are the New Contactless Payment Systems?

By Evan Schuman, Ziff Davis Internet

As the retail industry starts to embrace contactless payment in a big way—led by $41 billion retailer 7-Eleven and Chase, the nation's largest issuer of credit cards—arguments are renewing about just how safe and fraud-proof these cards will be.

One key argument is how easily the card's data could be read by a thief, who could then presumably use the information to either steal the customer's identity or create a bogus duplicate of the card to make fraudulent purchases. The ambitious bandit might even try both.

Security issues are a crucial concern surrounding credit cards, with several recent, highly publicized break-ins making consumers nervous.

The most recent report came on Friday, when MasterCard International reported that a security breach of credit card payment data had exposed about 40 million cards of all brands to potential fraud in what one analyst said was the biggest privacy breach ever.

Contactless advocates have argued that current contactless readers can only "see" the RF chip when it's two inches away, making unauthorized scanning for customer data quite difficult.

That two-inch argument was touted recently by 7-Eleven CIO Keith Morrow, who pointed to it as a key anti-fraud fact.

That distance varies sharply, though, depending on the equipment used to do the testing.

Shell Canada, for example, performed some of its contactless testing using the high-powered antennae that it believed thieves would use, said Mike Cooper, the $2.4 billion Canadian petroleum giant's adviser for network development engineering.

The kind of low-frequency tags popular in the United States "we could read at a distance of 10 meters," which is about 33 feet, Cooper said.

He contrasted those with the high-frequency tags used by Shell Canada, which he said could be read—with that same high-powered antennae—from about 26 inches away.

The high-frequency tags "can be read from a shorter distance, so it's more difficult to snoop," Cooper said.

Chase officials disagree with the distance issue, but referred questions to Visa, one of its contactless card partners.

But Chase officials did say that the distance argument is irrelevant for their cards and customers because of several security measures—including 128-bit and triple DES encryption—that would make any improperly captured data useless.

"Even if you could skim it, with every transaction, the [authorization] code changes and that code is needed for an authorization," said David Chamberlin, first vice president for external communications at Chase Card Services.

Chase's contactless card rollout has already started in Georgia and Colorado and is expected to be in the hands of about 2 million cardholders by the end of the summer, Chamberlin said.

Although he wouldn't discuss the total projected contactless installed base numbers for next year, he said that Chase plans on shipping the cards to about "five or six more markets by the end of the first quarter" of next year and that the typical market will include about 1 million cardholders. That would suggest that Chase will have about 8 million cards in circulation by the end of March 2006, out of its current 94 million card members.

When factoring in moves by American Express and other credit card companies who have made similar commitments to contactless, the market for contactless could become substantial earlier than had been predicted.

Chase will issue contactless cards to any current cardholder who requests them, Chamberlin said, but Chase's rollout preference is to not move into markets until a sufficient number of retailers have been outfitted with the necessary equipment.

It would be pointless and potentially self-destructive to give lots of customers contactless cards if there are no—or very few—retailers where they can be used, he said. It would be akin to issuing ATM cards in an area where there are no ATMs.

Chamberlin points to several security factors, including Chase's "zero liability policy," which protects consumers but not necessarily the retailers.

The new contactless cards do have changeable authorization codes, but those are nothing new and not particular to contactless cards, said Patrick Gauthier, senior vice president for emerging products development at Visa.

It's called the dynamic CVC (card verification value), and it assigns every transaction a unique code that is based on data about that card and data referencing that particular purchase. Gauthier would not say if it also references the time and/or date of the purchase.

He said that the newer cards can use more sophisticated algorithms and crunch more data on their own. "When you have a chip [on the card], you can perform a computation for every single transaction," he said.

The security concept is similar to the popular one-time password-issuing devices, where the identification code changes every few seconds, making a stolen code useless unless—in theory—it's used instantly.

A thief that scanned the card would not be able to use it to make payments, but they would be able to capture the credit card number, Gauthier said. "What does that buy you? The card number is a little bit like your street address. It's not the key to get into your house," he said, adding that the key would be similar to the cryptographic values attached to the transaction.

Even a Web purchase will require other information about the cardholder as well as the card itself, such as the non-imprinted verification number on the card. That's why Visa and others are trying to be so strict about retailers not retaining those verification numbers in their databases.

As for the Shell position that, when properly tested, the RF low-frequency cards used by Visa can be read from as far away as 10 meters, Gauthier said such statements need to be evaluated with caution.

"Be careful to not thrust all RF technologies into the same bucket," he said. "Certain types of chips and tags you can read from a greater distance."

Visa's testing included high-powered antennae and much more, Gauthier said. "We have used specialized security labs in Europe to ascertain the vulnerabilities. This was not [tested] with a little thingy that you can hide in your pocket."

"As far as the physics are concerned, the theoretical limit [for a read] is about 1 meter. But that's a little bit like saying that the theoretical maximum speed for a vehicle is the speed of light. It doesn't mean that anyone has figured out how to do it."

But Shell's research wasn't theoretical. Shell said this was what they discovered during lab testing. Visa's Elvira Swanson commented that there is not enough known about what Shell's testing intercepted. She asked whether it was just communication noise between the card and the reader that was intercepted or was it something more useful? Did it grab credit card data? she asked.

Visa is also deploying other security techniques, many of which are not new, such as neural networks that look for fraudulent purchase patterns.

Contactless cards have also been touted as offering better security in the sense that they are much more difficult to clone than a traditional magstripe card.

But initially all contactless credit cards will still also be magstripe, which means they can still be cloned just as easily, albeit with inoperable contactless capabilities.