Is contactless actually as safe as they claim?

A big question on everyone’s mind, and one that I get asked almost weekly, is “how safe is contactless?”. Many people are rightly skeptical when it comes to new technology, especially after listening to one of my talks. With many banks now shipping contactless cards by default, and many shops now requesting that you pay using contactless, it’s a worthy consumer concern that should be addressed.

There is no *evidence* that contactless fraud exists

If you pick up the phone right now and speak to your bank, this is what they’ll tell you. And they’re right, there is no evidence that contactless fraud exists… but that doesn’t mean to say it doesn’t happen. The problem is that the way most theoretical contactless-based methods of fraud are carried out means it’s almost impossible to quantify. For example, the banks categorise “contactless fraud” as being able to take money from a target’s card directly via contactless – and many consumers think this is the biggest, and only, threat.

You might have heard in the news, or seen the pictures on social media, claiming that fraudsters are charging contactless cards of commuters whilst travelling on public transport. There’s only one thing wrong with this – using a chip & pin machine to actively charge cards leaves a lot of paperwork behind. Having applied for one of these machines, I can tell you that the process of getting one is long and arduous. You need to link it with a bank account, provide proof of address, explain your business model, provide bank statements, give turnover figures – all of which fraudsters obviously won’t do.

If they were to use a Chip & PIN machine to charge targets via contactless, it’d be a ridiculously stupid way of doing things. But that doesn’t stop contactless based fraud from potentially happening.

What kind of contactless fraud can actually happen then?

By using pretty simple technology, I can read data on contactless cards without charging you a penny. While I might not choose to charge a card, that doesn’t stop me from being able to collect and store:

  • The bank name
  • Card type
  • Long card number
  • Expiry date
  • Customer name
  • Transaction history (for all transactions on that card)

Armed with this data, it’s pretty trivial to create a cloned card and attempt to use it in a shop or at an ATM. Alternatively, fraudsters can just collect a mountain of these card numbers, package them up, and sell them to the highest bidder.

While there’s “no evidence of contactless fraud” and there’s no way to tell if a cloned card came from reading a card via contactless, it doesn’t stop it from being possible (I’d argue it’s already happening).

Going old fashioned

Of course, scanning the card to save the details in order to make a cloned card later isn’t the only trick fraudsters have in their playbook. By pickpocketing or stealing the physical card itself, they can make a few small purchases using contactless without verification. Luckily this is limited just now to £30 per transaction and a maximum of 3–4 transactions per day. Unfortunately, no amount of technology will fix this particular problem.

I’ve had mixed reports too from people about the length of time a card remains “active” when used via contactless. Some have claimed their card kept being used months later by fraudsters after they had it stolen, while some reported it stopped immediately.

While reports vary, it’s safe to say that you should contact your bank immediately if you ever lose your card. Just in case.
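To make the limits described above concrete, here is an added example (mine, not the post’s or any bank’s actual authorisation logic) that models the issuer-side rules which cap what a stolen card can do over contactless: a £30 ceiling per unverified tap, a small daily count of unverified taps (I assume 3, the lower end of the post’s 3–4), and a hot-list that declines everything once the cardholder has reported the card lost. The names `Issuer`, `CardState` and `authorise` are my own, and the scenario data is constructed.

```python
"""Added example: a simplified model of issuer-side contactless limits.
Figures follow the post (£30 per tap, a few unverified taps per day);
the structure and names are assumptions, not any bank's real rules."""

from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

NO_CVM_LIMIT_PENCE = 30_00   # £30 cap for a tap with no PIN/signature (CVM)
NO_CVM_PER_DAY = 3           # assumed daily allowance of unverified taps


@dataclass
class CardState:
    pan_last4: str
    reported_lost: bool = False
    no_cvm_count: int = 0            # unverified taps so far today
    no_cvm_day: Optional[date] = None


@dataclass
class Authorisation:
    approved: bool
    reason: str


class Issuer:
    def __init__(self) -> None:
        self.cards: dict[str, CardState] = {}

    def report_lost(self, card_id: str) -> None:
        """Cardholder phones the bank: every later tap is declined."""
        self.cards[card_id].reported_lost = True

    def authorise(self, card_id: str, amount_pence: int,
                  verified: bool, when: datetime) -> Authorisation:
        card = self.cards[card_id]
        if card.reported_lost:
            return Authorisation(False, "card reported lost/stolen")
        if verified:  # PIN entered: normal limits apply, not modelled here
            return Authorisation(True, "PIN verified")
        if amount_pence > NO_CVM_LIMIT_PENCE:
            return Authorisation(False, "over no-CVM limit, PIN required")
        today = when.date()
        if card.no_cvm_day != today:  # daily counter resets at midnight
            card.no_cvm_day = today
            card.no_cvm_count = 0
        if card.no_cvm_count >= NO_CVM_PER_DAY:
            return Authorisation(False, "daily no-CVM count exceeded, PIN required")
        card.no_cvm_count += 1
        return Authorisation(True, "approved without verification")


def worst_case_daily_exposure_pence() -> int:
    """Most a thief can spend in a day before the card is reported."""
    return NO_CVM_PER_DAY * NO_CVM_LIMIT_PENCE


def stolen_card_scenario() -> list:
    """Constructed scenario: thief taps repeatedly, then the owner reports it."""
    issuer = Issuer()
    issuer.cards["card-1"] = CardState(pan_last4="1111")
    t = datetime(2024, 1, 1, 9, 0)
    results = []
    for _ in range(4):  # four £30 taps: the fourth hits the daily count
        results.append(issuer.authorise("card-1", 30_00, False, t).approved)
    results.append(issuer.authorise("card-1", 45_00, False, t).approved)  # over £30
    issuer.report_lost("card-1")
    results.append(issuer.authorise("card-1", 5_00, False, t).approved)   # hot-listed
    return results


if __name__ == "__main__":
    print(stolen_card_scenario())
    print(f"worst case per day: £{worst_case_daily_exposure_pence() / 100:.2f}")
```

The point the scenario makes is the one the post makes: the caps bound the loss per day, but only the “reported lost” state stops it outright, which is why the call to the bank matters more than any gadget.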

What about Apple Pay or Android Pay?

I was very skeptical about Apple Pay in the beginning as I’m really not a fan of contactless, but I have to say, Apple (and Android) have done something pretty good. I was forced to use it just over a year ago having left my wallet in the studio and nipped out to get coffee. I’d previously added my bank card to my phone for testing purposes and wasn’t particularly happy about using it (after being so negative towards it in the beginning) but, with the extra security features, I have to say I’m a big fan.

The way it works is pretty simple – your phone has a “one time” card number it sends to the machine. This number is only transmitted when you put your phone over a Chip & PIN machine that has contactless and is awaiting a card. Combining this with the requirement to enter a passcode or use your thumb and the fact your card numbers are obfuscated on the screen means that there’s little chance anything can happen. Believe me, I’ve tried. If you don’t believe me, grab the receipt and have a look at the “card number”: it’ll be totally different to the long card number on your physical bank card.
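The following is an added example (mine, not Apple’s or Google’s real protocol and not code from the post) showing the principle behind that different number on the receipt: the phone holds a stand-in token for the real card number (PAN) plus a key, and every tap produces a fresh cryptogram over the token, amount and a counter. The merchant and the receipt only ever see the token, a captured cryptogram cannot be replayed, and a tampered amount fails verification. `TokenService`, `Phone`, `make_cryptogram` and all key and card values are constructed for the example.

```python
"""Added example: a simplified payment-tokenisation model. Not the actual
Apple Pay / Android Pay protocol; all names, keys and numbers are constructed."""

import hashlib
import hmac
import secrets


def make_cryptogram(key: bytes, token: str, amount_pence: int, counter: int) -> str:
    """Per-transaction MAC binding token, amount and a monotonic counter."""
    msg = f"{token}|{amount_pence}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenService:
    """Issuer-side vault: the only place the token maps back to the real PAN."""

    def __init__(self) -> None:
        self._vault: dict = {}  # token -> {"pan", "key", "last_counter"}

    def provision(self, pan: str):
        """Enrol a card: issue a token (constructed 4999... prefix) and a key."""
        token = "4999" + "".join(secrets.choice("0123456789") for _ in range(12))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_counter": 0}
        return token, key

    def verify(self, token: str, amount_pence: int, counter: int, cryptogram: str):
        entry = self._vault.get(token)
        if entry is None:
            return False, "unknown token"
        if counter <= entry["last_counter"]:
            return False, "replayed or stale counter"
        expected = make_cryptogram(entry["key"], token, amount_pence, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        entry["last_counter"] = counter  # accept each counter value once
        return True, "approved"

    def pan_for(self, token: str) -> str:
        return self._vault[token]["pan"]


class Phone:
    """Wallet side: knows the token and key, never presents the PAN."""

    def __init__(self, token: str, key: bytes) -> None:
        self.token, self.key, self.counter = token, key, 0

    def tap(self, amount_pence: int) -> dict:
        self.counter += 1
        return {"token": self.token, "amount_pence": amount_pence,
                "counter": self.counter,
                "cryptogram": make_cryptogram(self.key, self.token,
                                              amount_pence, self.counter)}


def receipt_line(tap: dict) -> str:
    """What the merchant can print: the token's last four, not the PAN's."""
    return f"CARD **** **** **** {tap['token'][-4:]}  £{tap['amount_pence'] / 100:.2f}"


def demo() -> dict:
    pan = "4111111111111111"  # constructed test PAN
    service = TokenService()
    token, key = service.provision(pan)
    phone = Phone(token, key)
    tap1 = phone.tap(2_50)
    first, _ = service.verify(**tap1)
    replay, _ = service.verify(**tap1)  # captured and presented again
    tap2 = phone.tap(2_50)
    tampered = dict(tap2, amount_pence=25_00)  # terminal inflates the amount
    tampered_ok, _ = service.verify(**tampered)
    return {"first_tap": first, "replay": replay, "tampered": tampered_ok,
            "token": token, "receipt": receipt_line(tap1),
            "pan_at_issuer": service.pan_for(token)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Compare this with a physical contactless card, whose long card number is the same on every tap: here a recorded tap yields a token that is useless without the key and a counter that the issuer will never accept twice.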

I’ve seen these card defender things, what are they and are they any good?

If you’ve never seen them, these are little wallets that you can slip your card into if you’re worried about it being read without your permission. I’m a fan of any technology, or product, that helps safeguard consumers… except I’m still quite on the fence about them. Having been shown them multiple times now, I have no doubt that they work (and I tested a number of them) but I can’t help but think that someone’s commercially capitalising on fear.

While I’ve listed a few ways that contactless can be used for nefarious purposes, it seems a little cumbersome to have a shield over every card. Many of us carry more than one card, and the cost of, say, £2 per defender can quickly mount up – especially when just a sheet of tinfoil in your wallet would do the job.

It’s also a question of accessibility. It’s incredibly difficult to slide your card in and out of these little wallets (they effectively function as micro-faraday cages) every time you need to use it. Not to mention the added risk of the plastic wallet itself eventually being imprinted with the raised digits of the card it stored.

Still, if you have them and are worried about your data being read via contactless – there’s no harm in using them. But don’t exactly rush out and buy them.

So what’s the verdict?

The actual technology behind contactless is pretty secure — and what I mean by this is how it interfaces with the Chip and PIN machines when making a transaction… That’s not to say though that the Chip and PIN machine itself isn’t dodgy, that someone hasn’t “bumped” into you on the train and scanned your wallet, or that someone’s off having a £30-a-time mini-shopping spree with your stolen card.

What it boils down to is whether you feel comfortable with a radio in your wallet broadcasting your card details to the world. Whether the risks outweigh the benefits. What matters to me though is that consumers know and understand these risks. The banks, corporations, and many private individuals are great at marketing contactless as the best thing to happen since debit card payments — but they often leave out the potential risks, which to me is sacrificing security for convenience and lulls people into a false sense of security.

As for what I do, I take the lead of my friend (and a bloody excellent pickpocket, showman, and all round nice guy) Mr. James Freedman, with a little bit of Scott “magic” thrown in. First, sign up for Apple/Android Pay and register all your cards. Then take a craft knife, and score just above the signature strip on the right hand side — this disables many contactless chips, as it effectively breaks the circuit. Your card will still work in an ATM, swiping & signing, or in a Chip & Pin machine fine… it just won’t be able to be read via contactless. This means that if I want the convenience of contactless — I need to use my phone. As most of us are glued to our phones 24/7, you probably have it in your hand at the tills anyway.

If you want to use contactless, that’s absolutely fine. I’m expecting a large number of people to respond — much like my article on TPS, or Facebook like and share “competitions” — telling me I’m wrong, or that they’ve used contactless since day one and never had an issue, and that’s absolutely fine.

Like I said before — it’s all about consent.