New hi-tech contactless payment systems may be far less secure than has been believed, a team of University of Surrrey researchers has warned. Banks and cellphone makers offer “contactless” payment where a cellphone or card is tapped on a receiver to pay – but a team has proved this exchange can be “sniffed”.
Using equipment described as “ordinary and inexpensive”, the team were able to intercept data over distances of more than a foot – which could put personal data at risk.
The “receiver” was small enough to carry in a backpack or shopping trolley, and, “Would not raise suspicion in a crowded store,” the researchers say.
Speaking to We Live Security, Dr Johann Briffa, Computing Lecturer, says, “Designers of applications using NFC need to consider privacy because the intended short range of the channel is no defence against a determined eavesdropper.
“The results we found have an impact on how much we can rely on physical proximity as a ‘security feature’ of NFC devices.”
Phones such as Samsung’s Galaxy S4 ship with Near Field Communication chips built in – and many companies hope to use these for payment systems. “Contactless” payment cards issued by banks are also vulnerable, the researchers warned.
Both systems rely on extremely short-range radio transmissions – but being able to snoop on them from further away might put personal data at risk. It is not unknown for cybercriminals to construct specialized devcies for information theft – in Russia, a PIN terminal has been offered for sale on cybercrime forums, which broadcasts victims’ card details instantly via SMS.
As the number of devices with NFC chips has grown, more banks have added apps to allow payment via the chips, according to CNET.
The rate of adoption of contactless cards varies widely by country, but almost 40 million are in circulation in Britain, according to the The Telegraph. Users pay by tapping plastic against a reader. Various companies hope to add such functionality to NFC phones.
From the outset, though, the Telegraph claims, the technology has been “dogged” by fears of electronic eavesdropping.
“What we have tested is the reception of a synthetic transmission; reception requires an antenna, receiver circuitry, and a PC with data acquisition card. The distance at which reception is possible depends on the transmitting power,” says Dr Briffa.
Briffa says the clarity of the signal, “depends on various factors, including the transmitting power and any interference. Under lab conditions, we have achieved low error rates as far as 45cm at minimum power levels specified by the standard.”
Eleanor Gendle, IET Managing Editor at The Journal of Engineering, where the research were published, said: “With banks routinely issuing contactless payment cards to customers, there is a need to raise awareness of the potential security threats. It will be interesting to see further research in this area and ascertain the implications for users of contactless technology with regards to theft, fraud and liability.”
Author Rob Waugh, We Live Security