Contactless cards and the urban legend
Are you ready to bust three myths about contactless cards?
So let's jump right in.
#1 Can someone read my card from a distance?
The myth says:
Fraudsters would use long-range RFID readers to extract data from contactless cards from a distance and use that card data to access cardholders' accounts and steal money.
No, it is not possible to use long-range RFID readers to extract data from contactless cards.
The near field communication (NFC, compliant with the ISO/IEC 14443 standard) technology in contactless cards uses a 13.56 MHz radio frequency that only transmits digital data within a very short range.
Typically, the optimum distance is 4 centimeters or less. Beyond that, the signal weakens rapidly, and the range can never exceed 10 centimeters.
That's why you do not need a contactless card protection sleeve for security reasons.
But stay with us. There's more.
#2 What about short-range skimming then?
The myth says:
A fraudster equipped with an NFC reader would be able to access contactless cards in someone's pocket or bag in crowded public spaces such as the subway. By doing so, they would extract enough sensitive data to make a counterfeit card or make online purchases.
It is not possible to clone a contactless card using data collected by a hidden reader, such as a smartphone or any other NFC reader.
It is also impossible to collect enough data from the card to complete an online purchase. Only a genuine POS, provided by an acquiring bank, can communicate with the card – and a fraudster using a genuine POS would get caught by the acquiring bank and processing network.
#3 Repeated purchases if my card is stolen?
The myth says:
Because low-value contactless transactions can be made without requiring a PIN code, a thief could spend large amounts of money through many repeated small purchases.
No, even with a lost or stolen card, the total possible fraud amount would be small.
In many countries where low-value contactless transactions are authorized, the number of consecutive contactless transactions that can be made with a contactless EMV card is limited.
After a certain number of transactions, a reset with chip and PIN in contact mode is required, or the card will automatically stop functioning in contactless mode.
When a contactless card is reported lost or stolen, the issuing bank will cover the small amounts.
Did you know that all our contactless chip cards are EMV cards?
Contactless security revealed
Unlike older generations of banking cards with magnetic stripes, EMV cards use a smart microprocessor chip technology which:
- secures the cardholder's credentials
- performs cryptographic computation to protect its communication with the Point-of-Sale (POS) terminal and the processing network.
Since the chips are virtually impossible to tamper with or clone, EMV cards are infinitely less vulnerable to counterfeit fraud than magnetic stripe cards.
The EMV standard continuously evolves to include new security defense mechanisms, such as Dynamic Data Authentication (DDA).
DDA is based on public-key cryptography, typically RSA. Each EMV smart card contains a unique public and private key pair that is used during authentication.
When prompted by the terminal, the card uses one key to generate a valid cryptographic code sent back to the terminal.
This code is unique to that transaction and proves that the card is genuine. The terminal uses the second key to validate the code returned by the card.
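The challenge-response idea behind DDA, as an added example that is not from the original page or from any card vendor's code: a Python sketch using textbook RSA over SHA-256 with constructed toy keys, showing why a code captured from one transaction is rejected in the next. The function names, the 4-byte challenge and the signed data layout are assumptions for illustration; real EMV cards use certificate-backed keys and the signature format defined in the EMV specifications.

```python
import hashlib
import secrets

# Constructed toy key pair: two Mersenne primes give a trivially factorable
# modulus, acceptable for illustration only. Textbook RSA, no padding.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key, used by the terminal
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held by the card


def digest(challenge: bytes, amount_cents: int) -> int:
    """Hash the transaction-specific data that gets signed."""
    data = challenge + amount_cents.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def card_sign(challenge: bytes, amount_cents: int) -> int:
    """Card side: answer the terminal's challenge using the private key."""
    return pow(digest(challenge, amount_cents), D, N)


def terminal_verify(challenge: bytes, amount_cents: int, code: int) -> bool:
    """Terminal side: validate the returned code with the public key."""
    return pow(code, E, N) == digest(challenge, amount_cents)


def run_demo() -> dict:
    # Transaction 1: the terminal picks a fresh random challenge.
    c1 = secrets.token_bytes(4)
    code1 = card_sign(c1, 1250)
    # Transaction 2: a new challenge, so the old code no longer matches.
    c2 = secrets.token_bytes(4)
    while c2 == c1:
        c2 = secrets.token_bytes(4)
    return {
        "genuine": terminal_verify(c1, 1250, code1),
        "replayed": terminal_verify(c2, 1250, code1),
        "amount_changed": terminal_verify(c1, 9999, code1),
        "forged": terminal_verify(c2, 1250, secrets.randbelow(N)),
    }


if __name__ == "__main__":
    print(run_demo())
```

Only the first check passes: a replayed code, a code reused with a different amount, and a code produced without the private key are all rejected by the terminal.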
The card's microprocessor chip is powered wirelessly by proximity to the POS (up to 4 cm).
Only a genuine POS with a genuine acquirer bank account can proceed with an EMV transaction.
Why contactless pickpocketing is impossible
Scaremongering stories almost always follow new technology, and contactless is no exception.
Reassure yourself and your customers by getting the facts on common contactless myths – and how the technology works.