The MYTH of getting robbed from your pocket via Contactless Payments

While browsing social media, I found a video about contactless fraud. In it, the presenter warns people to protect their wallets after he initiates a contactless transaction with another person who carried his wallet inside his back pocket (you can see the video here).

Of course, a video like this can generate reactions that range from fear to skepticism.

In order to parse through potential impacts to the payments ecosystem, let’s take a deeper dive into what is actually possible with contactless technologies.

Yes, you can be “robbed”

The technology name itself is a hint: “Contactless.” This means your card does not need to touch (be inserted into) the card reader/terminal to perform financial transactions. According to ISO specifications (ISO 14443) and market use, the card reader should be capable of reading the card (leveraging technical capabilities such as frequency, antenna electromagnetic power and size) from a distance of 2 inches. Practically speaking, you would not notice if a transaction has happened while you are just standing there.

Some cards are not configured to prompt the user for a PIN or even a signature; this means the transaction can be approved by the issuer (your bank) without problems for the “thief”.

The chip in EMV-enabled cards, with the help of an antenna, embedded between two PVC layers, that makes the contactless transaction possible, is not secure enough to prevent potential fraudsters from initiating a transaction with your wallet from a contactless reader.

But…

Burglars are quite crafty. Rules and measures must be tightened in order to prevent their schemes from succeeding.

  1. The cards mentioned above are, normally, MSD (Magnetic Stripe Data) cards, which means the chip is no more secure than a dynamic Card Verification Value (CVV/CVC). That value is, by the way, linked to the Primary Account Number (PAN), the Expiration Date and the Service Code, along with a bitmap that helps prove that the calculation and position of that dynamic number are correct. Those cards are non-EMV, although they do have a chip.
  2. EMV cards have several ways to force the cardholder to identify themselves to the terminal. The Cardholder Verification Method (CVM) is the parameter that tells the terminal to prompt for a PIN or a Signature, even before the transaction is sent to the issuer host for approval. Cards can also have “No CVM” as a valid method, but there are implications to the merchant for doing this.
  3. The merchant can configure their terminals to approve all transactions with No CVM, but when the cardholder sees the charge made to the card and asks the issuer for an explanation, and the bank investigates, the merchant will retain all liability. Merchants must be registered as valid with an acquirer inside a network, and must achieve certification from the payment brands/schemes, in order to receive electronic payments.
  4. Finally, in practice, it’s a stretch that cardholders would fail to notice somebody with a contactless terminal approaching their pockets. Of course, it might be someone with a mobile phone trying to get the card’s data, but there are more restrictions for that…

Solutions for mitigating the risk

  1. The “Easy” solution: Don’t carry your wallet in your back pocket. It is always easier to “attack” when the victim is not looking. If you keep your wallet in your purse, keep it close to your armpit, and not on the exterior side of the bag/purse. Remember: the electromagnetic field produced by commercial card readers gives a range of up to 2 inches.
  2. The “Technological” solution: There are some infomercials on TV advertising some kind of “anti-electromagnetic” sleeve. You might use one of those if you still do not completely trust your card’s security.
  3. The “EMV” solution: In the U.S., the issuers have almost completed the EMV migration. Slowly, non-EMV Contactless cards are being removed so that transactions will be more secure. For high-value transactions (over the merchant floor-limit and the No CVM limit), the reader will prompt for a PIN or Signature.
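
The CVM behaviour described in the two lists above, as an added example that is not from the original article: a small Python evaluator for the EMV CVM List (tag 8E in the EMV specification), the card data in which the issuer encodes rules such as “No CVM only under amount X, otherwise PIN or Signature”. The two card profiles and the terminal capability set are constructed, amounts are in minor currency units, and processing is simplified: a supported method counts as performed, and the reader-side No CVM limit is not modelled.

```python
import struct

# Method codes (low 6 bits of rule byte 1) from the EMV CVM List encoding;
# only the subset this example needs.
METHODS = {0x01: "Plaintext PIN (offline)", 0x02: "Enciphered PIN (online)",
           0x04: "Enciphered PIN (offline)", 0x1E: "Signature",
           0x1F: "No CVM required"}

def parse_cvm_list(data: bytes):
    """Return (amount_x, amount_y, [(method, continue_on_fail, condition)])."""
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("CVM List must be 8 amount bytes plus 2-byte rules")
    x, y = struct.unpack(">II", data[:8])
    rules = [(data[i] & 0x3F, bool(data[i] & 0x40), data[i + 1])
             for i in range(8, len(data), 2)]
    return x, y, rules

def condition_met(cond, amount, x, y, supported, method):
    """Evaluate rule byte 2 (condition code) for this transaction."""
    if cond == 0x00: return True                 # always
    if cond == 0x03: return method in supported  # if terminal supports the CVM
    if cond == 0x06: return amount < x           # under X
    if cond == 0x07: return amount > x           # over X
    if cond == 0x08: return amount < y           # under Y
    if cond == 0x09: return amount > y           # over Y
    return False  # conditions not modelled here are treated as not met

def select_cvm(data, amount, supported):
    """Walk the rules in card order and return the method the terminal applies."""
    x, y, rules = parse_cvm_list(data)
    for method, cont, cond in rules:
        if not condition_met(cond, amount, x, y, supported, method):
            continue
        if method in supported:
            return METHODS.get(method, f"unknown 0x{method:02X}")
        if not cont:  # bit 7 clear: do not fall through to the next rule
            break
    return "CVM failed"

# Constructed profiles. WEAK: No CVM, always. HARDENED: No CVM only under
# X = 5000, then online PIN or Signature if the terminal supports them.
WEAK = bytes.fromhex("00000000" "00000000" "1F00")
HARDENED = bytes.fromhex("00001388" "00000000" "1F06" "4203" "1E03")
TERMINAL = {0x02, 0x1E, 0x1F}  # constructed terminal capabilities

if __name__ == "__main__":
    for name, profile in (("weak", WEAK), ("hardened", HARDENED)):
        for amount in (2000, 20000):
            print(name, amount, select_cvm(profile, amount, TERMINAL))
```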

Should you be scared?

We don’t believe so. The chances of these schemes actualizing are really low nowadays, and they will become less and less feasible with time.

It is more probable that your magnetic stripe data gets copied at a merchant who is not EMV-ready than it is that your card gets approved via furtive contactless transactions. To successfully pull off this scheme, the following conditions need to be met:

  1. Cardholder is distracted and carrying a card in their back pocket or some location at which they don’t notice a fraudster approaching
  2. Cardholder has a contactless, non-EMV (or No CVM only) card in their wallet
  3. Cardholder carries only one card, as the reader can’t make a transaction when there is more than one

The change to new technologies is always frightening, and this is a MAJOR change… But if we remember that a similar transition occurred when we moved from just copying the card’s embossed data with those mechanical machines and carbon-copy vouchers to utilizing the magnetic stripe, and then to EMV, it reminds us that we should embrace these sorts of changes that accelerate the payment process.

For questions about contactless technology, its implementation and implications, please contact Victor at vmadera@wcapra.com.