Contactless payment data can be picked up at a distance
- 30 October 2013
Data transmitted during contactless payments can be picked up from almost half a metre, researchers have warned.
Inconspicuous equipment including a shopping trolley, a backpack and a small antenna was used to intercept synthesised payment card data.
The information was detected at more than four times the distance it should have been, according to researchers.
The UK Cards Association said that fraudsters would not be able to harvest enough details to be dangerous.
During a wave-and-go transaction, customers tap or hold a card near a reader to pay for purchases of up to £20, without entering a PIN code.
A key security feature of contactless cards is that they should not transmit payment information further than 10cm from a reader.
Thomas P Diakos, a researcher at the University of Surrey, built equipment that could reliably eavesdrop on synthesised payment data from a distance of 45cm.
"The results we found have an impact on how much we can rely on physical proximity as a security feature," said lead academic supervisor Dr Johann Briffa. "The intended short range of the channel is no defence against a determined eavesdropper."
At that distance, fraudsters could harvest information without arousing suspicion, the researchers said.
The team published details of their research in a paper in the Institution of Engineering and Technology's Journal of Engineering website on Tuesday.
Hide banking details
Mr Diakos used a pocket-sized cylindrical antenna, equipment in a backpack, and a shopping trolley to pick up data that had been fabricated to behave exactly like payment card information.
The test equipment was "compact and relatively inexpensive", Mr Briffa told the BBC.
"The test demonstrated that payments data can be received," he said. "What can be done with it is another question."
The research team has started to look at how wave-and-go card security mechanisms can be cracked and payment information revealed, he added.
Contactless card systems use different security features to hide banking details, including encryption, and authentication mechanisms to check whether details should be transmitted.
Fraud 'extremely rare'
Despite security measures, contactless card fraud in the UK last year resulted in losses, although relatively small, of £13,700, according to industry association Financial Fraud Action UK.
Trade body the UK Cards Association, which represents credit and debit card issuing organisations, said that the researchers would not have been able to harvest significant information using their equipment.
"Instances of fraud on contactless cards are extremely rare," said a UK Cards Association spokesman.
"Although the sort of contactless card reader built by the University of Surrey might be able to interrogate a card, any data obtained would be limited to the card number and expiry date that can be seen on the front of the card," the spokesman said.
Fraudsters harvesting card numbers and expiry dates would not be able to clone cards, and would find it difficult to make a fraudulent transaction, he added.