UK Security Spotlight: Are Cybercriminals Targeting Contactless Cards?
According to Visa Europe, the contactless card revolution that began 10 years ago has firmly taken hold in Europe. UK consumers in particular have taken to contactless transactions — more commonly referred to as “tap and pay” or “pay and go” in the US — with the UK leading the market in these types of payments, ahead of Poland, France, Spain, and Finland. Across the UK, 66% of consumers have made a purchase with a contactless card since the technology was introduced in 2007, with Londoners leading the charge; Visa indicated that 78% of London residents have used a contactless credit or debit card (12 percentage points above the national average) and that 16% of all bank-owned tap-and-pay terminals are located in London.
Investopedia and other outlets bill contactless transactions as “a secure method for consumers to purchase products or services”...but how secure is the payment method in actuality? Consumer watchdog Which? is one organization that has some doubts. They said their testing of 12 leading credit and debit cards “revealed significant security flaws” and that 69% of individuals they surveyed are “concerned about their contactless card being stolen and used to make purchases.”
How Secure Are Contactless Security Measures?
Proponents of the technology point to security safeguards that have been put in place for card-based tap-and-pay transactions, including the following:
- There is a limit to the amount that can be charged to a contactless card during a single purchase (£30 in the UK as of 2015, an increase from the £10 limit set in 2007).
- Cards can only be used for a few consecutive transactions before the customer has to confirm a purchase with a PIN.
- Banks promise to refund consumers for any fraudulent purchases made with their card.
Which? says its research showed that these safeguards are not consistently applied, however. In an exercise it monitored, Which? asked volunteers to keep making purchases of between £20 and £30 until they were asked for a PIN, with the goal of replicating what could happen if a thief got hold of a contactless card. In multiple instances, volunteers completed 10 consecutive tap-and-go transactions on their cards, spending more than £200 in just three hours. To add insult to injury, the group said other research “has found card fraud cases where refunds were delayed – or wrongly refused.” And the Independent has reported that “contactless cards may continue to work even after they have been cancelled” because of a security loophole, which means consumers need to stay vigilant even after closing an account and reporting fraudulent activity to their bank.
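The safeguards above are counters and thresholds that the issuer is supposed to enforce between PIN verifications. The following is an added illustration, not code from the page, from Which? or from any card scheme: a simplified issuer-side model in which a tap is refused (and a PIN demanded) when it exceeds the single-transaction ceiling, when too many taps have occurred since the last PIN, or when too much has been spent since the last PIN. The £30 ceiling is from the page; the five-tap and £100 cumulative thresholds, the tap amounts, and the "lax" policy are assumptions chosen to replay the Which? exercise. Real cards implement this with EMV risk-management parameters set by the issuer, whose values this page does not give.

```python
from dataclasses import dataclass

# All amounts are in pence so the arithmetic stays exact.
POUND = 100


@dataclass
class ContactlessPolicy:
    """Issuer-side rules for tap-and-pay without a PIN (values are assumptions except the £30 ceiling)."""
    single_limit: int = 30 * POUND        # UK single-tap ceiling as of 2015 (from the page)
    max_consecutive: int = 5              # PIN forced after this many taps since the last PIN (assumed)
    cumulative_limit: int = 100 * POUND   # PIN forced once no-PIN spend would pass this (assumed)


@dataclass
class CardState:
    """Counters the issuer keeps per card between PIN verifications."""
    consecutive: int = 0
    cumulative: int = 0


def authorise(policy: ContactlessPolicy, state: CardState,
              amount: int, pin_entered: bool = False) -> str:
    """Decide one transaction: 'approve', 'pin_required' or 'decline'."""
    if amount <= 0:
        return "decline"
    if pin_entered:
        # A successful PIN verification resets the no-PIN counters.
        state.consecutive = 0
        state.cumulative = 0
        return "approve"
    if amount > policy.single_limit:
        return "pin_required"            # over the tap ceiling: chip-and-PIN only
    if state.consecutive >= policy.max_consecutive:
        return "pin_required"            # too many taps since the last PIN
    if state.cumulative + amount > policy.cumulative_limit:
        return "pin_required"            # too much spent since the last PIN
    state.consecutive += 1
    state.cumulative += amount
    return "approve"


def replay_without_pin(policy: ContactlessPolicy, amounts: list) -> tuple:
    """Replay a stolen card's taps; the thief cannot answer a PIN prompt, so stop there.

    Returns (list of approved amounts, reason the replay stopped).
    """
    state = CardState()
    approved = []
    for amount in amounts:
        decision = authorise(policy, state, amount)
        if decision != "approve":
            return approved, decision
        approved.append(amount)
    return approved, "exhausted"


# Constructed sequence of ten taps between £20 and £30, mirroring the Which? exercise.
WHICH_TAPS = [2500, 2999, 2100, 2800, 2650, 2200, 2999, 2400, 2700, 2300]

ENFORCED = ContactlessPolicy()
# A policy whose counters are never reached: the behaviour Which? effectively observed.
LAX = ContactlessPolicy(max_consecutive=10**9, cumulative_limit=10**9)

if __name__ == "__main__":
    for name, policy in (("enforced", ENFORCED), ("lax", LAX)):
        approved, stop = replay_without_pin(policy, WHICH_TAPS)
        print(f"{name}: {len(approved)} taps approved, "
              f"£{sum(approved) / POUND:.2f} spent, stopped by: {stop}")
```

Under the enforced policy the replay stops at the fourth tap because the cumulative ceiling would be crossed, after £75.99; under the lax policy all ten taps go through for £256.48, which is the outcome the Which? volunteers saw. The point for a practitioner is that the single-tap ceiling alone bounds only one purchase; it is the counters that bound a thief's total, and they protect nothing if the issuer never resets or enforces them.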
Are Cybercriminals Getting in on the Act?
Obviously, the somewhat loose nature of pay-and-go transactions — which don’t require a PIN, signature, or any other type of authentication — makes physical theft of contactless credit and debit cards more lucrative for criminals. And contactless fraud is on the rise: nearly £7M was lost in 2016, more than double the 2015 figure.
Still, you may be thinking that, in the grand scheme, £7M is not that much. And you’d be right. Contactless fraud represented just over 1% of overall card fraud in the UK in 2016. But gains are gains — and cybercriminals are bound to follow the money trail, particularly as more and more consumers opt for the convenience of pay-and-go transactions. Paymentsense, a European merchant service provider, recently reported that 48% of shoppers want the ability to customize the single-transaction limit on their cards, and the top reason stated was because they believe the £30 ceiling is too low. (Note that, in some cases, device-based contactless transactions — like those made through Apple Pay or Android Pay — already support higher limits.)
Right now, cybercriminals need proximity to commit contactless card fraud. That means getting their hands on your credit or debit card, or getting close enough to you to read it with a near-field communication (NFC) reader, often loosely called a radio frequency identification (RFID) scanner. Though the Independent article indicated that “digital pickpocketing” is an unlikely turn of events, the Mirror had something else to say. Regardless, it doesn’t hurt to switch to an RFID-blocking wallet and to keep your contactless card within sight (if not within your own hands) at all times.
The simple reality is that cash is no longer king; according to the British Retail Consortium, card payments exceeded cash payments in 2016 for the first time. And retailers are even likely to lose business if they don’t offer a card option; recent Paymentsense research revealed that nearly half (45%) of UK shoppers — and 54% of Londoners — will leave a small business or independent outlet if they cannot pay with a credit or debit card, and 25% of those say they are unlikely to ever return.

While the numbers show that cybercriminals may not be focusing on contactless fraud now, they are likely to follow the money in the future. As this technology continues to become more widely adopted, look for the industrious to develop their own tools to fatten their wallets by exploiting terminals, banks, and unsuspecting consumers.