Contactless payments: are we sacrificing security for convenience?
Danny Palmer investigates whether contactless card payments could see us handing our details to cyber criminals, all for the sake of buying a coffee a little quicker
It has been eight years since Chip and PIN was rolled out as a payment method in UK stores, a move which stopped us all having to sign for a newspaper and chocolate bar. It also made debit cards more secure against fraud attempts, forcing criminals to look at other nefarious methods to make a quick buck.
Now a new method of payment is on the scene: contactless payment. Using a card or smartphone with near-field communication (NFC) technology, users can pay by swiping the card or phone across a reader, similarly to the Oyster Card system on the London Underground.
According to Mark Austin, director of contactless for Visa Europe, consumers have shown an “enthusiastic response” to the technology.
“Contactless transactions increased fourfold in the year to September 2013, with more than £460m spent in the UK on Visa contactless cards, up from £100m in the previous year,” he said. “We now have more than 33 million contactless Visa cards in the UK, with almost 300,000 acceptance points around the country.”
Payments can be made without the need to enter a PIN, speeding up the process of making purchases. But if your phone or card is stolen, what’s to stop the thief using it for their own newspapers and snacks?
“Contactless is an unproven technology. Some think it’s completely safe; I remain to be convinced,” Mark Surguy, partner and fraud expert at law firm Eversheds LLP, told Computing. “The proof of the pudding is in the eating, and I won’t be rushing to be a user.”
But opinion is divided, even within Eversheds itself. Tim Buckingham, partner in the firm’s financial services dispute resolution team, is much more assured about the safety of contactless.
“The banks have spent far too much time investing in contactless to allow it to be a victim of fraud, which will damage its reputation,” he said.
Contactless payments: are we sacrificing security for convenience?
Danny Palmer investigates whether contactless card payments could see us handing our details to cyber criminals, all for the sake of buying a coffee a little quicker
Buckingham argued that the £20 spending cap on contactless payments makes it safe, as cyber criminals won’t bother trying to steal such a relatively small sum when there are easier and more lucrative opportunities around.
“If someone steals your Oyster Card, so what? You’ve lost £20 which doesn’t really matter too much,” he said, before referring to a reported practice of thieves scanning for details to steal on public transport.
“What can they buy? £10 here, £10 there in circumstances where the bank is always going to refund the consumer anyway. Fraudsters are not remotely interested. It’s a rubbish crook who sits on the Tube and steals £10 from you, frankly. The good crooks are sitting on
a laptop somewhere.
“That’s what the crooks want. They want all this data they can use as a currency to create clone cards or do something else with it. They’re not remotely interested in just stealing an individual’s data,” he added.
However, if the payment device does fall into the wrong hands, Visa’s Austin says there are checks and balances that will prevent exploitation by thieves.
“The requirement for periodic PIN confirmation means there’s only a certain number of times a card could be used by someone other than the cardholder, and only for transactions up to the contactless limit,” he said.
“Any payments made during that time are covered under Visa’s usual cardholder protection scheme, providing the cardholder takes reasonable precautions to protect their card and lets their bank know as soon as they realise it’s gone.”
Austin added that for Visa, “security is at the heart of everything we do and every service that we offer”, and the firm takes protecting its customers from theft very seriously.
“We take a multi-layered approach to security, regardless of where a transaction takes place,” he said.
“For contactless payments, there are specific processes in place to ensure customer security at all times, as well as the same consumer protections that apply to any Visa card.”