
Hacking Contactless Payment Cards

June 11, 2007 12:00 PM ET

Computerworld - Contactless payment cards, which use embedded radio frequency identification technology to complete credit and debit transactions wirelessly, may offer more security than the traditional magnetic stripe card, but they're not impervious to attack.

That's not to say that strong countermeasures aren't available in cards issued by the major credit card brands. The key security elements in use today include methods of validating the card and reader, triple DES encryption of message data, and issuance of a dynamic card verification value (DCVV) that securely validates each transaction with a unique code.

Consider what happens when a transaction request is submitted for a MasterCard account using the card association's PayPass-branded contactless card technology. Before the wireless transaction is initiated, the contactless card interrogates the terminal to ensure that it's a valid device. Then MasterCard International's network identifies and validates the card based on information residing in the card's on-board chip, and validates the reader involved in the transaction as well.

The MasterCard network also keeps a tally of the total number of transactions processed by the customer's contactless card to date and can compare that against similar data stored on the card's chip.

"If someone steals your number and puts it on a magnetic stripe [card], the bank knows right away it's a mismatch," says Art Cransley, executive vice president and group executive in the advanced payments customer group at MasterCard.

Even if a fraudulent card could fool the network into thinking it was a valid card, the transaction request won't be approved unless the contactless card returns the correct DCVV code. That number is generated based on transaction information, the transaction counter and a random number, and it must match the number MasterCard calculates on its end, Cransley says. That number, and other data associated with the transaction, is then encrypted using a triple DES key that's unique to the customer's card before it is sent. "No one can type into a transaction and change it. No one can steal the information and create a PayPass card," he says. Other card brands use similar technologies, Cransley says.
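The following simulation is an added example, not code from the article or from MasterCard, and it models the two checks described above: a per-card transaction counter the issuer compares against its own tally, and a dynamic verification value derived from the transaction data, the counter and an unpredictable number under a key only the genuine card and the issuer hold. The MAC is HMAC-SHA256 rather than the triple DES construction the article mentions, the message layout, the three-digit truncation and the `Card`/`Issuer` classes are all assumptions made for illustration, and the PAN and key are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

DCVV_DIGITS = 3  # assumption: length of the short decimal code returned by the card


def derive_dcvv(card_key: bytes, amount: int, currency: str, atc: int, unpredictable_number: int) -> str:
    """Derive a short verification code from transaction data, the card's
    transaction counter (atc) and the terminal's unpredictable number.
    Assumption: HMAC-SHA256 stands in for the issuer's 3DES-based MAC."""
    msg = f"{amount}|{currency}|{atc}|{unpredictable_number}".encode()
    tag = hmac.new(card_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(tag[:4], "big") % 10 ** DCVV_DIGITS).zfill(DCVV_DIGITS)


@dataclass
class Card:
    """A genuine contactless card: holds the card-unique key and a counter."""
    pan: str
    key: bytes
    atc: int = 0

    def authorize(self, amount: int, currency: str, unpredictable_number: int) -> dict:
        self.atc += 1  # counter advances on every transaction
        return {
            "pan": self.pan, "amount": amount, "currency": currency,
            "atc": self.atc, "un": unpredictable_number,
            "dcvv": derive_dcvv(self.key, amount, currency, self.atc, unpredictable_number),
        }


@dataclass
class Issuer:
    """The issuer's host: knows every card's key and the highest counter seen."""
    keys: dict
    last_atc: dict = field(default_factory=dict)

    def verify(self, req: dict) -> str:
        key = self.keys.get(req["pan"])
        if key is None:
            return "DECLINE:unknown_card"
        # Counter check: a replayed or stale message reuses an old counter value.
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return "DECLINE:counter_replay"
        # DCVV check: recompute with the issuer's copy of the key and compare.
        expected = derive_dcvv(key, req["amount"], req["currency"], req["atc"], req["un"])
        if not hmac.compare_digest(expected, req["dcvv"]):
            return "DECLINE:dcvv_mismatch"
        self.last_atc[req["pan"]] = req["atc"]
        return "APPROVE"


def demo() -> dict:
    """Run three constructed scenarios and return the issuer's verdict for each."""
    pan = "CONSTRUCTED-PAN-0001"          # constructed sample account number
    key = bytes.fromhex("0123456789abcdef" * 2)  # constructed sample card key
    card = Card(pan, key)
    issuer = Issuer(keys={pan: key})

    # 1. Genuine card, fresh counter, correct code.
    req = card.authorize(amount=1250, currency="USD", unpredictable_number=0x5EED)
    legitimate = issuer.verify(req)

    # 2. The same message presented again: counter has already been consumed.
    replay = issuer.verify(dict(req))

    # 3. Static data copied from a card (PAN, amount, a plausible next counter)
    #    but without the card-unique key, so the code cannot be derived.
    forged = dict(req, atc=req["atc"] + 1)
    forged["dcvv"] = derive_dcvv(b"not-the-card-key", 1250, "USD", forged["atc"], 0x5EED)
    clone_without_key = issuer.verify(forged)

    return {"legitimate": legitimate, "replay": replay, "clone_without_key": clone_without_key}


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The counter check is what makes a copied transaction worthless on its own, and the key-dependent code is what makes copied static data worthless; the two checks are independent, so the issuer evaluates the counter first and only then spends the MAC computation.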

That approach makes skimming -- placing a reader next to a contactless card to pull the information off of it and create a duplicate -- very difficult. Even if a rogue reader could trick the contactless payment card into thinking it was a valid device, there's not a lot that the eavesdropper can do with that information, says Ken Warren, smart card business manager at Cryptography Research, a San Francisco IP licensing company focused on information security.
