MasterCard plays down risk of contactless clone fraud
MasterCard has invited Melbourne-based programmer Peter Fillmore, who this week claimed to have been able to clone secure content from his contactless payment cards onto a smartphone and use that to buy goods from Woolworths' supermarkets, to meet its security experts to discuss the concerns he has regarding the technology.

Fillmore this week claimed that contactless cards, coupled with host card emulation now available on a range of smartphones, were lowering the bar for potential fraudsters.

Both Visa and MasterCard deny there has been any evidence of fraud, or that their contactless payment cards are vulnerable.

MasterCard yesterday said that, while data can be read from near field communications applications which are at the heart of the contactless payment process, this could not be used to create a counterfeit card and was "typically not sufficient to perform an ecommerce transaction."

"On a technical level, we mandate the use of CVC3 in the chip (dynamically created security codes), which makes it nearly impossible to duplicate a card or 'replay' transactions - because a code that accompanies an authorisation request changes every time an authorisation request is made.

"This is a key point. For every transaction made with a PayPass card, there is a discreet (sic) authentication code that changes after each transaction. Without the proper code the transaction will not be authorised."

Fillmore, however, maintains that although the security standards recommended by the card companies set a high watermark, they are not always being adopted by the issuing banks. He tested the security on his own NAB-issued MasterCard and found that there were only 99 "unpredictable numbers" being generated as the unique codes to support authorisation requests.

NAB has yet to respond to a request for comment.

He says because there are far fewer unpredictable numbers being used than recommended by the card companies' security policies it would be feasible for a fraudster to configure a high power card reader that could be held close to a wallet or handbag to perform 100 transactions, each with an incremental unpredictable number. The information can then be uploaded to a smartphone app and used to complete what amounts to cloned transactions that would be hard for a retailer to identify as fraudulent.

MasterCard maintains that because static data (such as the cardholder's name which cannot be retrieved by electronic scanning) is also required to complete a transaction such a scam would fail. The card Fillmore claimed to have cloned onto a smartphone was his own, so he knew the name, card number and expiry date.

Both Visa and MasterCard are playing down the likelihood of widespread fraud given the security framework and sophisticated monitoring systems associated with contactless payment cards, and also stressed their zero liability policies as a further important consumer protection.
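The dispute above turns on two mechanisms: a dynamic authentication code that changes with every transaction, and the terminal's "unpredictable number" that the code is bound to. The toy model below, added here as an illustration and not code from MasterCard, Visa or Fillmore, shows the issuer-side checks that make a captured response useless when presented again. It assumes an HMAC-SHA256 stand-in for the real CVC3 computation, a constructed card key, and a terminal that draws its challenge from a 32-bit space; the real EMV algorithm, key derivation and message layout are not reproduced. The `Card`, `Issuer`, `dynamic_code` and `demo` names are inventions for this example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed card secret shared between the card and the issuer. In a real
# scheme this is a card-unique key derived by the issuer; the value here is
# an arbitrary constant chosen for the example.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def dynamic_code(key: bytes, atc: int, unpredictable_number: int,
                 amount_cents: int) -> str:
    """Stand-in for a CVC3-style dynamic code: a MAC over the card's
    transaction counter, the terminal's challenge and the amount.
    HMAC-SHA256 is an assumption for illustration, not the EMV algorithm."""
    msg = (atc.to_bytes(2, "big")
           + unpredictable_number.to_bytes(4, "big")
           + amount_cents.to_bytes(4, "big"))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


@dataclass
class Card:
    key: bytes
    atc: int = 0  # Application Transaction Counter: increments on every use

    def respond(self, unpredictable_number: int, amount_cents: int) -> tuple:
        """Answer a terminal challenge with (ATC, dynamic code)."""
        self.atc += 1
        return self.atc, dynamic_code(self.key, self.atc,
                                      unpredictable_number, amount_cents)


@dataclass
class Issuer:
    key: bytes
    last_atc: int = 0  # highest counter value accepted so far

    def authorise(self, atc: int, unpredictable_number: int,
                  amount_cents: int, code: str) -> bool:
        """Accept only a fresh counter value and a code that matches the
        challenge this terminal actually issued."""
        if atc <= self.last_atc:
            return False  # counter already consumed: replayed or out of order
        expected = dynamic_code(self.key, atc, unpredictable_number, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False  # code was computed for a different challenge/amount
        self.last_atc = atc
        return True


def terminal_challenge() -> int:
    # A terminal following the recommended practice draws its unpredictable
    # number from a wide space; a 32-bit value is assumed here.
    return secrets.randbits(32)


def demo() -> dict:
    """Run one genuine tap, two replay attempts and a second genuine tap."""
    card = Card(CARD_KEY)
    issuer = Issuer(CARD_KEY)
    results = {}

    # 1. Genuine tap: terminal challenges, card answers, issuer accepts.
    un1 = terminal_challenge()
    atc1, code1 = card.respond(un1, 1999)
    results["genuine"] = issuer.authorise(atc1, un1, 1999, code1)

    # 2. The same response presented again under a fresh challenge: rejected.
    un2 = terminal_challenge()
    results["replay_fresh_challenge"] = issuer.authorise(atc1, un2, 1999, code1)

    # 3. Presented again under the identical challenge: still rejected,
    #    because the counter value has already been consumed.
    results["replay_same_challenge"] = issuer.authorise(atc1, un1, 1999, code1)

    # 4. The next genuine tap still goes through.
    un3 = terminal_challenge()
    atc3, code3 = card.respond(un3, 450)
    results["next_genuine"] = issuer.authorise(atc3, un3, 450, code3)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authorised' if ok else 'declined'}")
```

The two checks in `Issuer.authorise` correspond to the two halves of the argument in the article: the counter check is what makes each transaction's code usable once, and the challenge binding is what makes a code recorded against one unpredictable number useless against another. The second check is only as strong as the challenge space; with the model's 32-bit challenge a recorded response has a negligible chance of matching a later one, which is the property Fillmore says is lost when an issuer's cards see only a handful of distinct values.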