The Clear And Present Danger With NFC Payments

As you said it yourself, it's not the technology (e.g. Contactless), it's the implementation (protocol, UI, SE integration) that presents a danger. Those who don't get it (many big boys are in that category), would pay a heavy price (monetary and loss of trust) for the "post factum" education...

Ketharaman,

It is interesting that while technically possible to skim RFID contactless cards, in the 15 years of the successful operation of the Octopus card system in Hong Kong, there has not been a single recorded instance of the fraud you mention that represents a 'clear and present danger'.

I'd be more worried about the current fraud with mag-stripe that is readily recorded and in the billions, compared with a technology that while it could theoretically be compromised, is labelled by the industry as 'fraud-proof'.

I don't think using the library RFID example has any redeemable merit when RFID contactless technologies used specifically in payments scenarios in UK, HKG, Singapore transport systems have been successfully deployed for over a decade without any of the fraud instances or dangers you have identified.

Sorry - I just think that this is not a reasonable argument. The tech is well proven, and this is counter-productive. In the case of Octopus 15 years and $12.8m of daily transactions conducted securely over contactless technology with zero fraud instances is a pretty tough record to poke holes in.

BK

"In the case of Octopus 15 years and $12.8m of daily transactions conducted securely over contactless technology with zero fraud instances is a pretty tough record to poke holes in."

None of the existing payment technologies have zero fraud. Octopus had several holes when launched, but their team did a great job addressing the problems. Any existing exploits are not tangible. 

The danger - real or perceived or theoretical - comes from potential systemic/platform risk. For example, if someone finds a commercially-viable way to exploit known RFID weaknesses, "zero day" attack could be very damaging. We saw this happening recently with ultra-secure banking systems, on a tangible scale, on several occasions. Add to this equation "supply chain"/"human factor" threat - e.g. pre-loading mobile phones with malware at the production stage. Very few people can comprehend the scale and far-reaching potential of yet unknown or little understood vulnerabilities.

The problem with mobile is simple: any exploit would work on a platform level, not individual phone level. Good comparison: Pay TV systems (e.g. SKY box) use MUCH higher security than banking cards - if a card is compromised, the risk is contained within one account only. If Pay TV algo is cracked, the whole user base can start using service for free...

@AlexP: TY for your comments.

@BrettK: TY for your comments. I'm in agreement with whatever you've said about the safety track record of Octopus card since I've experienced the same with Oyster card. However, this only speaks for the "Probability of Occurrence of Fraud". Risk is also a function of the "Impact of Occurrence of Fraud". Here, as I've said, it doesn't matter if I get slapped with one extra book in my library card. Similarly, with any closed loop transit card, I'm likely to lose a few GBP / HK$ / SG$. So, in both examples, the impact of fraud is negligible. Whereas, in the case of mobile wallets using NFC, it's open-loop, it's a credit or debit card, not a prepaid card like Oyster / Octopus, there's virtually no limit on how large a tab another person in the vicinity can charge to my credit / debit card. So, the impact of fraud is extremely high. Therefore, the overall risk of NFC payment is quite high even if the probability of fraud might be low. Makes me wonder if this is the reason why NFC mobile wallets are still struggling to enter the mainstream despite Octopus and other contactless transit cards having been around for 10+ years.

I do think it is important to point out that NFC and RFID are two different technologies, and failure points on RFID have little to do with NFC security issues.

BK

@BK

Not quite - http://en.wikipedia.org/wiki/Near_field_communication

I've suspended some comments. No more 'we've got this great product' type entries, please. 

Traffic at a retailer is not expected to be as huge as in a transit system so let us be fair that most tap and go payments will be protected by the consumer with a pin which is not the primary consideration when RFID is implemented today in a retail/transport context

Also, the reading range of RFID is far more than an NFC chip and hence riskier. Not sure if the two are comparable in the same context 

Either way I dont think this is a big reason for poor adoption of contactless

@SalilR: TY for your comments. As I'd pointed out in my earlier comment, even granting that the probability of fraud is low, the impact of fraud with general-purpose NFC payments is very high, therefore the risk is far higher than with contactless transit cards, which hold hardly 10-20 GBP. It's interesting that you bring up the topic of traffic volumes. The very fact that contactless cards are used in places that have high traffic - let's ignore (say) South Quay DLR station at (say) 11 PM for the moment - and are constantly under human surveillance actually makes it very difficult for scamsters to skim them, especially when the pickings are hardly 10-20 GBP. It was only after a bit of furore that Google Wallet introduced a PIN, but that was only to start the app, and different from the PIN for individual Chip-and-PIN cards stored inside it. Not sure if GW and the other NFC-based mobile-wallets require PIN for authorizing individual tap-and-go transactions. At least, I haven't seen such a step in any of GW's demo videos.

So... what you experienced is RFID at 2 feet.. NOT CONTACTLESS PAYMENTS!! Get your facts right about payments before making wild and inaccurate claims in other blog posts. 

@Anon:

NFC and contactless are based on RFID communication standards, as @AlexanderP had pointed out above:

http://en.wikipedia.org/wiki/Near_field_communication

In fact, in another Finextra post on which I'd commented, the author wrote: "Contactless cards... work by using Radio Frequency Identification (RFID) technology".

Maybe if you'd read the previous comments to this blog post and the other post, you'd have reconsidered your comment. Not sure where you read my wild and inaccurate claim.

You comment here https://www.finextra.com/blogs/fullblog.aspx?blogid=7794 - "I wouldn't rush to rule out technology as the cause of double-dipping at Marks & Spencer. I've experienced this at two feet" which given the nature of the blog implies that you have used a contactless card from 2 feet. Anyone who has ever used Contactless cards in the UK market knows this is utter rubbish, hence my remark.

For many reasons I have to post this anonymously but I do work in payments and have worked with retailers, issuers, schemes and device manufactuerers on their contactless deployments in case you feel I am just making this up

@Anon:

Since I've outed my location, I guess I invite comments like "Anyone who has ever used Contactless cards in the UK market knows this is utter rubbish". But, since posting anonymously is never my cup of tea, I have to respond to such comments: I've used both closed- and open-loop contactless cards in UK back in 2007-2008, the former at a Starbucks cafe inside the premises of a Top 5 UK Bank and the latter at a Krispy-Kreme store, both in Canary Wharf. (I did say here that "I was a very early adopter of contactless cards"). 

With that out of the way, my point is not about how people use contactless cards - even without using contactless cards in UK, I don't expect anyone to claim that they'll wave a contactless card from two feet away to make a payment. The crux of my blog post and comment is  how contactless cards could get used unwittingly in the system. For example, I've reached the till. I've two contactless cards A and B. I wish to use Card A to make the payment, take it out of my wallet and hand it over at the POS. All this while, Card B is still inside my wallet, which is two feet away from the POS. Based on my experience with RFID technology, I'll not be surprised if Card B is inadvertently charged despite being two feet away. I'll also not be shocked if, in addition, Card A is also charged as intended. Hence, double-dipping. This is the clear and present danger with this technology. This is how I see the average man on the street perceiving it. It hardly matters how much counterevidence is produced by the payments specialist to say that this can never happen.  

A very interesting and also a bit emotional discussion here.

I for one would strongly prefer not to become subject to any payments transactions without a conscious and deliberate action performed by myself to indicate that I'm in full agreement with that payment - also if it is just amounting to a few Euro's, Pounds or Dollars or even fractions thereof.

A payments transaction that involves sliding a chip card into a slot meets that criteria. A payments transaction based on smartphones and wireless technology does not, as in conjunction with a suitable trojan and related equipment nearby it is possible to initiate fraudulent payments - without the victim becoming aware about it. 

@GerhardS: 

TY for your comment. 

In Finextra and elsewhere, I've relentlessly advocated a frictionless payment regime. Some others have gone further and proposed that payments should even be invisible. However, in all my work on payments with banks and consumers, the predominant finding that emerges resonates with your opinion: While they don't want to jump a dozen hoops to make a payment, most people do want to know when, why and how much they're paying. Let alone invisible payments, people don't even want frictionless payments. I'm slowly but steadily coming around to the view that the "less friction" message will drive greater mainstream adoption of ePayments than the "frictionless" one. Just as I'd previously learned that "less paper" works far better than "paperless" in promoting eBills and eStatements. 

Talking about deliberate and conscious action while making payments, this is a very interesting topic that has been the source of a perpetual dilemma to me: 

Between website hosting, domain name, VoIP, and a few other services that I use, I need to make around 15 payments to various service providers each month. With each service provider, I've set up a recurring mandate in such a way that they debit my credit card - not bank - account with a fixed amount each month automatically. (In this, I'm excluding mobile phone, utility and other bills where the amount is variable and I've not authorized direct debit). This saves me the time and energy of having to make each  of the 180-odd CNP payments individually every year.

Since I've signed a recurring debit mandate, I've provided overall payment authorization deliberately and consciously. But, to the extent that each payment happens without my explicit consent - some of them when I'm literally asleep - is there a lack of deliberate and conscious action? 

@Ketharaman:  Wherever money is involved, the key question is about trust. As you have entitled several providers with the right to charge your credit card account, you did indicate that you trust them enough to enter at least a mid-term business relationship and thereby you did elevate that relationship beyond that very basic transactional level "exchange that good or service against an immediate payment, no further trust" - and you don't treat each other as strangers any more.

So you are no longer paying for single transactions, rather for an entity of goods or services obtained over a time period and linked to the common trust between both parties that neither of them will cheat. That's another quality, here you are no longer concerned that much about the proper handling of each and every business transaction.

So you actually don't need those technical crutches for securing single payments transactions that badly any more. Their role is now more or less reduced to a means for data capturing.