Smartphones raise non-contact card fraud risk
A Melbourne-based programmer claims to have cloned the secure content of tap-and-go payment cards by copying that information and loading it into a specially written smartphone application. He then used the phone to make payments in Woolworths supermarkets.

Peter Fillmore, principal consultant at Payment Security Consulting, told Banking Day yesterday that he now believed contactless cards, coupled with host card emulation (HCE, now available on a range of smartphones), were lowering the bar for potential fraudsters. His claims were first revealed in The Register.

While Fillmore cloned only his own cards, he said his experiment had shown that in theory it would be possible for criminal gangs to scan card data and use it to make fraudulent purchases. Fillmore said that, in the past, credit card cloning had required sophisticated technology, but that HCE meant this was no longer the case. He said most retailers would be hard-pressed to discern the difference between a legitimate payment made using a smartphone and a fraudulent one.

Visa and MasterCard, the card schemes behind the two major contactless payment card brands, were asked for a response to Fillmore's allegations.

Visa said that there had been no reports of fraud perpetrated by reading its payWave cards, and noted that in any case the potential for using data read from a card was limited. According to a company spokesperson, each Visa payWave card has its own unique security "key" and only approved terminals have the appropriate key to accept payment from that card.
This was an example of the many layers of security protecting Visa payWave transactions, Visa said.

"Contactless cards, and by extension, mobile phone payments that use the same technology, are as secure as traditional chip cards and meet all the same standards for security," the spokesperson said.

"Visa payWave cards have no power sources to transmit data and can only work when a card or Visa payWave-enabled phone is within four centimetres of a secure, certified reader.

"When a transaction is entered by the sales person, the card reader 'powers up' the card, which then transmits an encrypted code that is unique to a particular transaction. This code changes every time the card is used. This is known as dynamic card authentication."

Fillmore, however, claimed that only a limited number of encrypted codes were used, making it relatively easy for hackers to breach the security.

Visa maintained that there had been no reports of fraud perpetrated by reading Visa payWave cards. "In fact, our data shows there has been no increase in the rate of fraud as a result of the introduction of contactless payments technology and card fraud in Australia remains at low levels," the spokesperson said.

Earlier this year Visa's senior director of risk services, Ian McKindley, said that if card-not-present fraud was taken out of the equation, card fraud in Australia cost around four cents in the $100. Contactless card fraud was lower again, coming in at around two cents in the $100, he said.

MasterCard did not respond to Banking Day's inquiries by our production deadline.
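The disagreement above is really about what a per-transaction code protects against. The following is an added illustration, not part of the Banking Day article and not Fillmore's or Visa's code: a deliberately simplified model of "dynamic card authentication", in which the card MACs the transaction counter, amount and a terminal-supplied nonce under a key the reader never sees. It is not the real EMV cryptogram construction (which uses 3DES/AES session keys over a defined data set); the key, amounts, nonce values and function names are all constructed for the example. It shows why copying a card's readable data does not let a clone produce valid codes and why a straight replay fails, and then why Fillmore's point matters: if the nonce space is small, an attacker with brief NFC access can harvest a code for every possible nonce and "pre-play" them from a phone at a real terminal.

```python
# Added example, not from the article. Toy model of per-transaction card
# cryptograms and of the pre-play attack that a small nonce space allows.
# Real EMV uses 3DES/AES session keys over a defined data set, not HMAC-SHA256
# over a pipe-joined string; everything below is constructed for illustration.
import hashlib
import hmac


def cryptogram(key: bytes, atc: int, amount: int, un: int) -> bytes:
    """Per-transaction code: a MAC over the application transaction counter
    (ATC), the amount and the terminal's unpredictable number (UN).
    Only a holder of `key` can produce it."""
    msg = f"{atc}|{amount}|{un}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """A genuine card: holds the secret key and a monotonic counter."""
    def __init__(self, key: bytes):
        self.key = key
        self.atc = 0

    def tap(self, amount: int, un: int) -> tuple[int, bytes]:
        self.atc += 1
        return self.atc, cryptogram(self.key, self.atc, amount, un)


class Issuer:
    """Issuer host: shares the card key, rejects bad MACs and reused counters."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0

    def authorise(self, amount: int, un: int, atc: int, code: bytes) -> bool:
        if atc <= self.last_atc:          # straight replay of an earlier tap
            return False
        if not hmac.compare_digest(code, cryptogram(self.key, atc, amount, un)):
            return False                  # wrong key (static clone) or altered data
        self.last_atc = atc
        return True


KEY = b"issuer-card-key-constructed"     # constructed sample key, not a real one


def genuine_tap_accepted() -> bool:
    card, issuer = Card(KEY), Issuer(KEY)
    atc, code = card.tap(amount=1250, un=0x1A2B)
    return issuer.authorise(1250, 0x1A2B, atc, code)


def static_clone_rejected() -> bool:
    """Copying everything readable over NFC does not copy the key, so a clone
    that merely replays static data has to invent one; its code fails."""
    clone, issuer = Card(b"attacker-has-no-key"), Issuer(KEY)
    atc, code = clone.tap(amount=1250, un=0x1A2B)
    return not issuer.authorise(1250, 0x1A2B, atc, code)


def replay_rejected() -> bool:
    """Replaying a captured genuine tap fails on the counter check."""
    card, issuer = Card(KEY), Issuer(KEY)
    atc, code = card.tap(amount=1250, un=0x1A2B)
    issuer.authorise(1250, 0x1A2B, atc, code)
    return not issuer.authorise(1250, 0x1A2B, atc, code)


def preplay_succeeds(un_bits: int, terminal_un: int, budget: int = 4096) -> bool:
    """Pre-play: with brief NFC access, harvest one code per possible UN for a
    chosen amount (the harvesting reader never contacts the issuer, so the
    issuer's counter does not move), then answer the real terminal from the
    table. This only works if the UN space can be covered within `budget` taps.
    A stricter issuer could also flag the ATC gap the harvest leaves behind."""
    card, issuer = Card(KEY), Issuer(KEY)
    amount = 9999
    table = {}
    for un in range(min(2 ** un_bits, budget)):
        table[un] = card.tap(amount, un)
    if terminal_un not in table:          # terminal picked a nonce we never saw
        return False
    atc, code = table[terminal_un]
    return issuer.authorise(amount, terminal_un, atc, code)
```

With a 4-bit nonce the table covers every value the terminal can choose and the pre-played code is accepted; with a 32-bit nonce the same harvesting budget covers a negligible fraction of the space and the attack fails. The lesson is the one both sides of the article are circling: the cryptogram defeats static cloning and replay, but its value depends on the entropy of the per-transaction inputs and on the issuer checking the counter.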