It is a human reaction to question something that isn’t familiar. But of course when money gets involved, it’s not a bad idea to perk up one’s ears to the news.
A cautionary video has been making its rounds across social media, showcasing at least two applications that are available over Google Play that can, reportedly, glean information from the contactless function on credit or debit cards, and the information can “be extracted and emailed anywhere”.
Many concerns have been raised from the video. As of the time of writing, it has been viewed 4.5 million times and shared 7,400 times.
Some netizens even declare that instead of buying a card protector like the video entreats, it is prudent to just disable PayWave altogether. They’ve been saying this since even before the video made its rounds on social media, but this is definitely fuel to their fire.
In light of all of this uncertainty we decided to take a closer look into the claims made in the video to parse exactly what the risks are, and how much of it could potentially impact your wallet.
TL;DR, the risk as of now is not worth throwing a big fuss over, but it’s not zero.
What Is The Information Shared?
As was confirmed by Bank Negara AND NFC.com—the people responsible for handling the contactless system—the information that can be wirelessly gleaned from a scan of the card is as below:
“The following information can be read from the card that is also printed on the front side of the card:
- Credit card Number
- First name, Last name
- Expiration Date
- Transaction Counter
- Service Number”
None of this these include important information that a fraudster needs in order to make purchases, such as the three-digit number printed at the back of your card, or the unique authentication code that is manually generated for each transaction for the Chip n Pay system.
We even took a closer look at the apps used in the video to be sure. The first application used in the video can be installed from Google Play here. The Credit Card Reader NFC records all of the above information, but with a detailed tab to record the transaction history, and a log of that same information.
Even by the developers’ own admission, “In some new EMV cards, holder name and the transaction history have been removed by issuer to protect privacy.”
In fact, during our own experiments, we found that Maybank has blocked transaction information from showing on the app.
Meanwhile the second, scarier looking app used is called the Smart Card Toolkit. The app, by their own admission, records publicly shared information that is already available on the card, which is listed above. It just presents the information in blocks of code. For someone who cannot read the information, it seems entirely possible that some of that info involves something risky.
Neither of these apps are able to access some key information needed to make illicit purchases under your name.
As covered by SoyaCincau, any attempt to use the information gleaned through online shopping is easily put to a halt by the existing TAC system that has been enforced in Malaysia since before the contactless payment days. In this regard, Malaysia’s implementation of security was actually ahead of the UK in a similar age.
The Sh*tstorm Has Already Happened—In Other Countries
Malaysia is far from the first country to be rolling out the contactless method, and we will not be the last. This means that we are able to look at other countries’ journey though contactless payments as precedent to what will happen in Malaysia. By 2014, Australia has been declared a “hooked on tap and go payments” nation, and there are at least 10 other countries that are riding the contactless wave.
And judging from their reactions to contactless in the past, ours is just par for the course. If you come back to this article in the year 2020 when contactless is almost as ubiquitous as Facebook, I just want to say, I called it.
It seems that most countries also go through this phase of uncertainty about the safety of the contactless system.
In 2014, ASB New Zealand produced this post called ‘Mythbusting – Contactless cards explained‘, and one of the points that they addressed was titled: “I’ve heard that someone can scan my pocket and get my credit card details, is this true?”
Sound familiar?
(By the way, the answer by ASB is no. But you can scroll down to see some users’ counter-arguments against their statement for your own argument’s sake.)
And Barclays UK made their own contactless statements to say that yes, the risk exists but it is a small risk.
And back on Malaysian shores, Bank Negara released their own statement, debunking the concerns raised.
The Actual Security Flaws In Contactless Payments
But to address the elephant in the room, while the video’s touted security flaw proves to be false, there are actual risks to using your contactless card.
The first and obvious security flaw involves cashiers or friends and family who have access to your card—people who are able to see the 3-digit CVV code at the back of your card.
But if they are already able to get that close to your card, there is no reason for them to use a smartphone app when just reading or snapping a picture on a camera provides the same insight. This security flaw has existed even before the banks rolled out contactless services on cards.
For an actual, contactless-related security flaw: if there are card scanners around to pick up information during cashier transactions, the one-time authentication code would be transmitted over the air and can be picked up on the transmitters.
This would require more sophisticated equipment than just a freemium app on your Android, and also negates the protection you would get from any card protector or aluminium foil.
Forbes states that “Those codes (One-time CVV) can only be used for one transaction, and have to used in the order they’re generated. If a payment processor detects multiple transactions with the same code or even codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number once, and if the victim of a the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.”
Meaning that in this specific instance, a particularly zealous crook who was determined to use this method can theoretically stand around cashier areas with their paid-for equipment to pick up the CVV codes transmitted that can be used one time before a card gets blocked.
Roger A. Grimes on Infoworld said it best. “It would be a lousy use of a criminal mastermind’s time. Today’s smart criminals break into websites and steal hundreds of thousands to tens of millions of credit cards at a time. Why would a criminal go to the effort and expense of stealing credit card info one card at a time when you can steal a million in one shot?”
I can personally understand this type of behaviour for particularly personal purposes, but from a criminal money-making perspective, there are other better ways to reap rewards.
But what this does is prove that there is a possible security flaw. The risk of it being used is small, so it has been left as-is because the current risks are easily mitigated. However it is in fact, there.
Just saying that the existing ability to exploit the system is very unlikely, while a comforting measure at the current time, should not be the end of the conversation.
A software that can automatically scan and exploit the weakness inherent without the criminal’s active participation could eventually come about. And the fact remains that at the very least, a user will have to go through some troubles to unblock a card if a criminal has tried to exploit the CVV before.
I don’t doubt that there are already projects underway to provide a better solution than CVV, but as of now, this is something to at least take note of.
The Takeaway
Randy Vanderhoof, executive director of the industry group the Smart Card Alliance on Forbes, said that, “We’ve got six years of history, a hundred million users of these cards, and we haven’t seen any documented cases of this kind of fraudulent transaction.”
He continued, “The reason we think that’s the case is that it’s very difficult to monetise this as a criminal. The premise that this is a new threat is absolutely false.”
In the end, the issue of contactless hacking is blown out of proportion in our country.
On the other hand, there are still security flaws inherent in the system that are rife for exploitation if a crook is determined or creative enough to monetise. In fact, some entities even know about some of the security oversights on the current system, but priority is low on stopping those gaps as long as the technology to exploit them is not yet developed.
So if you do decide to buy a card protector or even contactless protection wallet, you will likely make some merchants quite happy, unnecessary as it is. Even if it does not work you’re no more at risk than you were before you bought the items.
And in the end, if you do fall to human error and lose your card, SoyaCincau has stated that “If all else fails and your cards do get cloned/stolen/hacked, major card issuers like Visa and MasterCard have Zero Liability Policies for the use of their cards. This means that if you notice any unauthorised transactions on your final statement, you can make a report to your bank and have those transactions corrected quickly.”
So as long as you are aware of your transactions, you should not be too worried. You can perhaps even use one of the apps stated above to check on what your card has been used for, and be very careful about not losing your card (which you should already be, contactless or not).
In this regard, if you are the type of person at a high risk for this, then there is merit in disabling the contactless function on your card.
But in my opinion, the risks are overstated. Even the two “scary” apps that were used in the video prove to be just fancy tools for people who want to keep track of their own spending. Risk comes baked into everything that we do in the world, but we take on those risks anyway because what we are getting out of it is worth more.
Our sister nation Singapore had similar misgivings to the issue in their beginning stages, but now more than just a contactless system, they are now looking into becoming a whole contactless society.
Risk has already existed even in the pre-payless card payment methods, but that did not stop us from brandishing our cards at POS stations if the situation strikes us. If all of us simultaneously stopped using Facebook the moment any risk comes up, we would not be living in this wonderful, interconnected global village that we have today.
Any new technology should be allowed its growing pains, because one thing that we do know for certain is that it is ever-changing. And over time, we will be better for it in the long run.