Yes, Contactless Payments Are Safe

A so-called "expert" from security company McAfee says contactless payments are a threat to consumer financial information. Here's why he's wrong.
Published: June 16, 2008

Reuters ran an article a few weeks ago entitled “Mobile phone payments ‘pose huge fraud risk’.” The story quoted Greg Day, an analyst at security specialist McAfee, as saying near-field communications (NFC) used for phone payments represent an opportunity for sophisticated criminals to steal a lot of money.

Day doesn’t point to any significant flaw in the technology, but is quoted as saying, “The mobile space is fraudsters’ biggest opportunity for the future, largely because many people still see their phone as a communication device, rather than something that they have to keep secure.”

In fact, a group of hackers at a conference recently claimed they can break into NFC phones. Even if that’s true, however, it doesn’t mean NFC phones “pose the greatest future threat to the security of consumers’ financial details.”

Day says thieves could steal small amounts of money often to reap huge sums. But the industry is already responding to potential fraudulent transactions. One protection is the Card Verification Value code (CVV, also known as CVC). Each credit-card number is associated with a three- or four-digit code, located on the back of the physical card. It’s static on all mag-strip cards, but it’s dynamic on an NFC phone. So if a legitimate NFC phone is used, a new CVV is assigned. If a bogus phone is then used, it will have the wrong CVV and the transaction won’t go through.
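
The check described above, as an added example that is not from the article or from any card network: a simplified model in which the phone derives a three-digit code from a per-card secret and a transaction counter, and the issuer rejects a code that is stale or does not match. The HMAC-SHA256 derivation, the `Issuer` class and every name and value here are assumptions for illustration; the article does not describe the real algorithm.

```python
import hashlib
import hmac

def dynamic_cvv(card_key: bytes, pan: str, counter: int) -> str:
    """Three-digit code bound to one transaction counter value (simplified model)."""
    digest = hmac.new(card_key, f"{pan}|{counter}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

class Issuer:
    """Hypothetical issuer-side check: the code must match and the counter must advance."""

    def __init__(self):
        self.cards = {}  # pan -> {"key": bytes, "last": highest counter accepted}

    def enroll(self, pan: str, key: bytes) -> None:
        self.cards[pan] = {"key": key, "last": 0}

    def authorize(self, pan: str, counter: int, cvv: str) -> str:
        card = self.cards.get(pan)
        if card is None:
            return "declined: unknown card"
        if counter <= card["last"]:
            return "declined: counter already used"
        if not hmac.compare_digest(dynamic_cvv(card["key"], pan, counter), cvv):
            return "declined: wrong CVV"
        card["last"] = counter
        return "approved"

# Constructed sample data, not real card details.
PAN = "4000000000000002"
KEY = b"constructed-demo-key"

def demo() -> dict:
    issuer = Issuer()
    issuer.enroll(PAN, KEY)
    first = dynamic_cvv(KEY, PAN, 1)  # genuine phone, transaction 1
    results = {"genuine_1": issuer.authorize(PAN, 1, first)}
    # A clone that captured transaction 1 presents the same data again.
    results["replay"] = issuer.authorize(PAN, 1, first)
    # The clone advances the counter but has no key, so it reuses the stale code.
    results["clone_next"] = issuer.authorize(PAN, 2, first)
    # The genuine phone still works for its next transaction.
    results["genuine_2"] = issuer.authorize(PAN, 2, dynamic_cvv(KEY, PAN, 2))
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In this model a three-digit code can still be guessed one time in a thousand, so the counter check and the issuer-side fraud monitoring the article mentions later carry part of the protection.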

The NFC industry is also working on an Over the Air (OTA) method of transferring data to a mobile device for personalization and security applets. Currently, if a hacker finds a way to break into the secure sector of an NFC chip, you’d have to replace the NFC chip. With OTA, if there is a breach, you could just send out a security patch to the phone and dynamically fix the security issue.

Another option being discussed is a digital receipt. Here’s how it would work: If someone somehow were to clone your NFC phone’s payment capability and purchase a handbag or pack of cigarettes, you would receive a text message on your phone—a receipt, stating the item, time of purchase, price and retailer. You could then immediately call your credit card company and inform them of the problem.

Compare that to a mag-strip card. You would pay your dinner bill with a credit card, and the waiter would clone your card. The waiter’s friends would use the card to make several purchases during the next three weeks, and you wouldn’t learn about the fraudulent charges until you got your monthly statement.

Here are two other things to remember. Credit-card companies have software that analyzes transactions in an effort to detect fraud. When unusual activity occurs, a block is put on the card until the cardholder can be contacted. The same is true of phones used to make credit-card payments.

What’s more, credit-card companies often protect consumers from fraudulent use of their cards. When a fake transaction occurs, it is voided and the merchant is often the party that takes the hit. So security experts can try to scare people, but the truth is, consumers don’t appear to have much to be concerned about at this point.