Contactless payments security drama; a storm online?
Don’t say we didn’t predict this a few weeks ago, but once more the UK media has been awash with a story concerning the state of security of contactless cards. Brought to everyone’s notice by the UK’s Daily Mirror is research that was conducted by consumer-watchdog group, Which?, that showed the card numbers and expiration dates of contactless cards can be captured through the use of a simple scanner, opening the door for millions of users to be exposed to fraud.
According to The Daily Mirror, a report of the test results stated that while the name of the cardholder and the security code were not captured during the transmission, cybercriminals are still provided with enough information to make purchases from a mainstream website. “By touching volunteers’ cards to our card reader we got enough details to go on an Internet spending spree,” the report claimed. The group’s tests proved a handheld device placed near a “tap and pay” card could easily pick up the sensitive data. Six different debit cards and four credit cards were tested and all of them showed signs of the security flaw. The stolen information was then used to successfully purchase items online.
Luckily, cooler heads are prevailing (it’s not like we haven’t seen this hysteria before), with the UK Cards Association stepping up to dismiss the findings and informing The Guardian newspaper that the methods shown were not a new discovery. “Instances of fraud on contactless cards are in fact extremely rare, with losses of less than a penny for every £100 spent on contactless – far lower even than overall card fraud,” Richard Koch, head of policy at the UK Cards Association, explained to The Guardian. He added that, in the majority of cases, a retailer requires more information, such as the security code and the cardholder’s address, to even begin processing a transaction.
Naturally, many in the contactless payments industry are a little exasperated by this type of scaremongering with most comments out there being summarised by one anonymous commentator saying, “Nothing new here but the real story should be why are there online stores still out there not mandating CV2 and checking AVS?”. Very true indeed.
While we are talking about about security in the card industry, Mastercard also put out an interesting video last week looking at their super-secret Digisec Lab, housed somewhere in the heart of rural England. This is a confidential facility that works with the payment industry – including government security agencies and academics – to research, develop, test, and importantly, break, the latest in payment security innovation to ensure payments are protected in both the physical and digital worlds. All very ‘backroom boffins-type thing’, but interesting nonetheless. A good countenance to the Which? story.
A more positive report out from Lloyds Bank Cardnet last week went as far as demonstrating how merchants taking contactless payments would invariably find themselves with more business. The new research claims that usage of contactless cards has trebled with just under half of consumers (47 per cent) expecting or preferring businesses to offer contactless payment for low-value transactions of less than £20.
Despite its relatively recent introduction, over a tenth (12 per cent) of consumers state that not enough retailers offer contactless and just under a tenth (9 per cent) suggest that the current £20 spending limit is too low. However, all is not lost for those businesses that do not hold payment terminals, as four out of ten consumers (40 per cent), say that they would still continue to shop in businesses that do not offer contactless card payment facilities.
Of those that own a contactless card, when asked what they liked most about contactless payments, a quarter (25 per cent) of respondents stated speed of transaction and a near identical number (24 per cent) said ease of transaction. The least favored element of contactless payments is security, with over a third (37 per cent) stating this as their main dislike.
So, get ready for more opportunities for contactless payments out there. Even if not everyone is happy about this new development. The online satirical website, ‘The Daily Mash’, have put out an article* claiming that “Retail staff have complained that contactless payment means they no longer get to stare intensely at customers while their card goes through”. The piece goes on to say;
‘Nikki Hollis, who works in a garage, said, “The only good bit about this job was messing with people’s heads in that seemingly endless few seconds between PIN entry and PIN acceptance. They would look at me, I would look at them, they would look at the floor. Sometimes they would say something about the weather, which I would ignore. Then they start to shuffle uneasily, at that moment they want nothing more in the world than to take their Ginster’s product and flee into the night. About a third of the time I would pretend something was wrong with the machine, just to make them do it again. The rest of this job is shit, but for those few seconds I was a minor god.” A CBI spokesman said, “Soon your debit card will be a miniature drone which flies out of the window at night and makes aspirational purchases of Japanese denim and French horns. Look at your own payment history. Are you honestly saying we couldn’t spend it better?”’
Until next time,
Steve Atkins
Contactless Intelligence
* This section is a joke. Please don’t write to me about how wrong this part is. Please.
![]()
