The name "cash 2.0" is glued to contactless payment cards more and more strongly. On the one hand, there are grounds for such a term, as small cash payments are more often replaced by the delivery of a smart card or mobile phone with an RFID chip to the reader window in a transport turnstile, vending machine or a cashier’s store terminal. But on the other hand, such a substitution of concepts is not entirely correct, since the most important properties of cash — anonymity and non-traceability of payments — are not provided for in the now widely implemented contactless payment systems. For the so-called "cash 2.0", on closer inspection, does not differ in principle from ordinary credit or debit cards that are tightly tied to specific people and their bank accounts.
From a commercial point of view, there is no need to link payment smart cards to its owner. But from the point of view of security, according to many independent experts, contactless payment cards based on RFID chips not only carry a heavy legacy of badly protected magnetic stripe credit cards, but also generate a lot of new problems. However, the card payment industry, vigorously promoting a new technology, strongly disagrees with such views and tries to convince people of the opposite - that the contactless system is safer than the traditional one. So who is right in this dispute?
Face and wrong side
Launched in 2003 as a pilot project in a couple of southern US cities, the new technology of contactless RFID-based bank cards has now become a reality in many countries in Asia, Europe, and both Americas. If the purchase is relatively small (usually up to $ 25), then all payment transactions are reduced to bringing the RFID card to the “window” of the reader device at the trading terminal that replaces the cash register. Externally, the procedure resembles the payment of travel on public transport using similarly arranged tickets, but contactless credit cards are a universal means of payment, applicable at any points equipped with appropriate terminals.
The main purpose of the new technology is to introduce cashless payments where, for one reason or another, they prefer to pay in cash: in cinemas, pharmacies, fast-food restaurants and similar places - in other words, everywhere where queues are often lined up. However, the queue can be quickly liquidated by refusing credit cards and the accompanying check-signing procedure. As evidenced by experience, payment for new contactless credit cards turns out to be even faster than payment in cash, if only because the cashier does not have to bother with the change.
Although in our country or, oddly enough, in the United States themselves, new contactless cards are still a wonder, the total number of issued cards is already measured in tens of millions. The largest cashless payment networks and their partner banks that issue new cards give them different names - Visa Contactless, MasterCard PayPass, etc. - but they all work on the basis of the unified ISO 14443 standard for contactless smart cards. According to the industrial group Smart Card Alliance, from 2005 to 2007, more than 20 million credit and debit cards with radio frequency communications were issued. Only one Visa for the summer of this year has released more than seven million. According to the testimony of this company, the pace of implementation of contactless cards is the highest among all payment technologies introduced in the last fifty years.
Automated fraud detection systems that support card payments and other banking transactions, by special algorithms, verify the authenticity of the transaction and give an alarm signal in case of suspicious signs. Rules for identifying fraud may vary significantly from different banks or retailers, and details about them, as a rule, are not disclosed.
But all this is only one - the front, so to speak - the side of the new technology. Looking the same "from the inside", you can see something else. As for the success figures, it can be considered differently. For example, the milestone of 40 million cards (twice the current one) was previously planned by the industry to reach by the end of 2006. Due to the unpopularity of the term RFID, repeatedly compromised by human rights defenders' attacks on this “spy” technology, in the context of new payment cards, they now carefully avoid using this letter combination, most often resorting to innocent RF cards, that is, simply “radio frequency cards”. Finally, in order to achieve high rates of introduction of the new technology, banks first combined the RFID chip and the traditional magnetic stripe in the case of one payment card, and then claimed the right not to warn customers that there was also an RFID chip in their new credit card. Accordingly, a special logo-icon has become optional, which, generally speaking, is used to label information transmitting RFID devices. Such actions can be considered a gift from banks to a client ("Surprise! Surprise!") - but it can be interpreted as a deliberate deception of consumers.
Representatives of the banking and card payments industry explain their actions by finding the best ways to combine new technologies with traditional ones, which are gradually becoming obsolete. Therefore, for the sake of uniformity and preservation of the payment processing infrastructure already deployed around the world, all information required for financial transactions about the credit card and its owner is broadcast from the memory of the RFID chip in virtually the same format as it is written on the magnetic stripe of the card. This is where the essence of the problems with contactless payments lies.
Combining the two systems in one device raises legitimate questions about the security of a new technology, both in comparison with traditional “contact” cards based on magnetic stripe, and in relation to already known attacks and abuses applied specifically to RFID.
As for the companies that issue contactless credit cards, they cite a number of arguments indicating a higher security of the new technology in comparison with the traditional one. First, they say, with contactless payments, the owner no longer needs to let go of the card and hand it over to the seller (waiter, clerk, etc.), which significantly reduces the risk of inconspicuous copying and compromise of the card. Secondly, readers in trading terminals work with cards only a few centimeters away, which prevents information transmitted by radio from being intercepted by intruders. Finally, a decent cryptography and digital "watermarks" are built into the RFID chips, which protect each transaction and prevent it from being intercepted, recorded, and played back somewhere else, in order to fraudulently mimic the purchase payment.
All that they say about the protection of contactless cards of their manufacturers, of course, true. That's just not the whole truth. For if it became possible not to let go of the card, then why not allow such a safe and reliable technology to pay for any purchases, and not just small things up to $ 25? And if the readers allegedly work only at a distance of a few centimeters, then how to deal with experiments demonstrating that the reception distance does not depend on low-power readers of the terminal, but on the quality of the reader’s antenna from an attacker capable of shooting the same signal from a distance of fifteen meters and more. Finally, if you deal with cryptography that protects transactions, then everything is not quite the way the industry is trying to present it.
It should be emphasized that it is not yet possible to reliably and in detail find out how information protection in bank RFID chips of cards for contactless payments is arranged. For this is a great commercial secret that the industry does not intend to disclose. To date, there is only one independent study of this technology from the point of view of security, jointly conducted by scientists at the University of Massachusetts in Amherst and the staff of RSA Security. Since reverse engineering of devices is interpreted by US law as a crime, the researchers confined themselves to an external study of the response of contactless cards to reader signals, analyzing about two dozen different RFID cards issued in 2006 by Visa, MasterCard and American Express. Four main types of broadcast data about the credit card and its owner were identified, and none of them used encryption. As for the cryptographic data protection declared by the manufacturers, it was used, apparently, only to ensure the uniqueness of each transaction.
Citizens, do not let down your guard!
Newly issued bank credit and debit cards, along with a magnetic stripe, can have an RFID chip for contactless payments. Security experts recommend when asking for new cards to immediately ask the banks whether they have a radio frequency chip. If there is a chip, although the client did not order it, then there is every reason to demand replacing the card with a traditional one.
Perhaps, someone will consider that there is no misfortune in such an approach, since openly issued information about the details of a credit card is not confidential and is available to anyone who sees the card. However, the owner of a traditional credit card usually decides for whom and where to show it; in the case of RFID, information from the chip can be taken in secret and secretly from the owner. And this opens up opportunities for a variety of abuses. Researchers, in particular, showed that on the basis of secretly read data it is possible to make a workable clone of an ordinary credit card, that is, to record this information on the magnetic stripe of another card. By the first and last names you can determine the address of the owner, and in combination with the well-known credit card details, this is enough to make purchases in many online stores (which is also demonstrated in practice). Finally, a light and secretive radio access to a credit card makes possible a more sophisticated man-in-the-middle attack — when the device next to the victim imitates the trading terminal's behavior, while it itself transmits the information received from the card to another device that repeats card responses near the real terminal. With such an organization of theft, attackers do not need to open the cryptography, you just need to organize the retransmission of the payment protocol.
A report on this work was published at the turn of 2006–07. It is reliably known that in the payment card industry, the results were carefully studied, but the conclusions were very specific. According to Visa Vice President Brian Triplet (Brian Triplett), the company's experts came to the conclusion that, in fact, the cards provided the "right level" of security for all participants in the payment system: consumers, banks and merchants. And the results of the CUSP report were regarded as “unrealistic,” because, according to industry experts, it is almost impossible to intercept a signal from an RFID card outside the laboratory. In addition, the first generation of contactless cards were investigated, and the new generation of credit cards with chips hides the name of the owner with a special mask (does not encrypt, we emphasize, only masks). Finally, there is an insurmountable barrier in front of the rogues from other security tools (including the so-called CVC, that is, card verification codes that are generated dynamically for each payment) and advanced automated fraud detection systems.
Perhaps the only admission of misses by the card industry was that, in accordance with the recommendations of the report, RFID-cards were sent by mail in a shielding wrapper. According to Kevin Fu, an associate professor at the University of Massachusetts and one of the main participants in the research team, over the past year, the card payment industry has eliminated some of the biggest holes in card protection. Nevertheless, in their new incarnation, most contactless cards continue to broadcast information about the cardholder in an unencrypted form. And the most alarming, according to Fu, is that, as a rule, clients of banks are not aware of this, and independent researchers do not receive any information from the industry for analyzing the persistence of the system.
Thus, the only “security guarantee” is only persistent but unsubstantiated assurances from companies implementing the technology. Experience shows that blindly believing such promises is at least naive.
There are always alternatives
No one, being in his right mind, would deny the convenience and advantages of payment systems based on contactless electronic cards. Moreover, all these amenities can be provided so that neither the person nor the cardholder's bank account is put at risk. This is done very simply - it is necessary that payment cards with an RFID chip are impersonal and "recharged" by the owners themselves for the amount that suits them.
It is on these principles that the most popular Octopus card payment system in Hong Kong is built, which appeared as early as the 1990s in the form of single travel cards and gradually grew into a universal means of payment for small purchases. Now, according to rough estimates, there are more than 14 million Octopus cards in circulation, which is twice the population of Hong Kong. Such cards are used by 95% of local residents aged 16 to 65 years, performing 10 million transactions a total of 4 billion dollars a year every day. The loss or theft of such a digital wallet for a cardholder is equivalent to the loss of an ordinary wallet, which does not entail threats of identity theft or bank account compromise.
In addition to contactless payment cards, Hong Kong-based Octopus Cards Limited sells wrist or pocket watches and mobile phones, which, along with their core functions, serve as anonymous payment devices.
For commerce, of course, technology is profitable, allowing you to quickly pay a single card any small purchase or service. True, the state and corporations with impersonal payment cards lose the tempting opportunity to trace and record the routes a person travels, what the press reads, what drugs he buys, etc. However, this opportunity returns again if you link contactless payments to a bank credit card. Yes, it is not safe for the cardholder. But how convenient for all those who watch.