BankThink

Contactless Cards' New Bugaboo: Double-Charging

While the U.S. is no stranger to concerns about perceived risk from contactless payments, it's taken a while for the technology and the associated media-generated panic to spread to the U.K.

While contactless payments have not stirred up much in the way of news here in the U.S., something that has generated a lot of newsprint and TV minutes over the last few weeks across the pond is a scare story about double-charging in Marks & Spencer, the tony retail home of the British middle classes. It's worth examining this to make sure similar misconceptions don't spread in the States.

... [C]ustomers who got in touch with the Money Box show on Radio 4 said they were charged when the plastic was in their purse and well away from the readers – meaning they unwittingly paid twice. And sandwich chain Pret A Manger is said to be investigating similar claims by a customer whose card was more than 11 inches from a reader.

A victim of the M&S error, identified only as Rosemary, told Money Box her Smile card [issued by Visa] was activated about a foot away from the reader at a store in Chichester, West Sussex – even though she was paying with her Lloyds debit card instead.

[From "Customers charged twice for items because contactless cards were activated from their pockets," Mail Online]

Guildford, England, where my firm is headquartered, is home to no fewer than two Marks & Spencer stores and I've seen how easy it is to use contactless bank cards to buy your sandwich at lunch – my colleagues do it all the time. So our consultants were very keen to see if they could reproduce this supposed fault. And they couldn't.

However, they did generate a theory as to what might be happening – but first they ran some tests.

They took a Vx820, the contactless terminal used in Marks & Spencer, and fitted it into Marvin. Named after the paranoid android in "The Hitch-Hiker's Guide to the Galaxy," Marvin is our custom-built robot test rig for contactless and near-field communications technology. It's a six-axis, laser-calibrated, computer-controlled marvel. With the Vx820 loaded, they set Marvin running, to slowly bring contactless cards into range from different sides and measure how close the cards had to be to carry out a transaction.

Here are the test results.

Contactless card position: Distance to read
From screen: 7 cm
From keypad: 1 cm
Between screen and keypad: 6 cm
Screen right: 2 cm
Keypad right: No transaction
Screen left: 3 cm
Keypad left: No transaction
Reader top: 1 cm
Reader bottom: No transaction
From screen, back of reader: 1.5 cm
From keypad, back of reader: No transaction
Between screen and keypad, back of reader: No transaction

In other words, the terminals work as advertised. They don't read from a foot away, just from a couple of inches and even then only when the card is dead center over the reader.

The U.K. Cards Association estimates that the reported "faults" happen one time in every five million transactions. That statistic supports the conclusion that the system works as it's supposed to.

So here's what our consultants think is happening.

You wander into Marks & Spencer to buy some candy, wallet or pocketbook in hand. You open it to take out your contact chip and PIN card and as you do so, you accidentally hold the wallet over the card reader. The wallet covers the reader so you can't see the terminal screen and you don't notice payment being taken from the contactless card also in your wallet. You switch your wallet to your other hand out of the way, insert your contact card into the reader, and now you notice payment has been mysteriously taken by the contactless card, now a foot away, and so you call up your local news station to complain about the evil new technology malfunctioning.

U.K. newspaper website comment sections are full of people complaining about how they don't want contactless. They worry about this supposed glitch. They worry about "digital pickpocketing," something else that has been blown out of proportion.

In the U.K. and in all but the earliest pilots in the U.S., the data available over the contactless interface cannot be used to create clone magnetic stripe cards, nor can it be used online. And even with a $1 million chip manufacturing fabrication facility, it can't be used to create new contactless cards because each contactless chip is protected by a unique cryptographic key that never leaves the card.

In other words, it's pretty much useless to the average criminal. Let's hope this analysis about what contactless card readers can, and cannot, do will prevent any more scare stories taking off in the U.S.
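The point above about per-card keys, as an added example (not from the original article or from Consult Hyperion): a simplified Python model in which the issuer rejects a captured contactless message when it is presented again. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the Card and Issuer classes, the card number and the amounts are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _mac(key, pan, amount, atc, nonce):
    # Assumption: HMAC-SHA256 stands in for the card's real cryptogram algorithm.
    msg = f"{pan}|{amount}|{atc}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()

class Card:
    """Toy contactless chip: the key is loaded once and no method returns it."""
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def pay(self, amount, nonce):
        self._atc += 1  # transaction counter only ever moves forward
        return {"pan": self.pan, "amount": amount, "atc": self._atc,
                "cryptogram": _mac(self._key, self.pan, amount, self._atc, nonce)}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue(self, pan):
        self._keys[pan] = secrets.token_bytes(32)  # unique key per card
        return Card(pan, self._keys[pan])

    def authorise(self, msg, terminal_nonce):
        key = self._keys.get(msg["pan"])
        if key is None or msg["atc"] <= self._last_atc.get(msg["pan"], 0):
            return False  # unknown card, or counter value already used
        expected = _mac(key, msg["pan"], msg["amount"], msg["atc"], terminal_nonce)
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False  # cryptogram does not match this terminal's challenge
        self._last_atc[msg["pan"]] = msg["atc"]
        return True

def demo():
    issuer = Issuer()
    card = issuer.issue("4000000000000002")  # constructed test number
    nonce1 = secrets.token_bytes(4)          # terminal's fresh challenge
    captured = card.pay(350, nonce1)         # everything sent over the air
    results = {"genuine": issuer.authorise(captured, nonce1)}
    results["replay"] = issuer.authorise(captured, nonce1)  # counter consumed
    altered = dict(captured, atc=captured["atc"] + 1)       # counter bumped, no key
    results["altered_counter"] = issuer.authorise(altered, secrets.token_bytes(4))
    nonce2 = secrets.token_bytes(4)
    results["genuine_again"] = issuer.authorise(card.pay(120, nonce2), nonce2)
    return results
```

Only the genuine card, which holds the key, produces messages the issuer accepts; the message observed over the air carries the cryptogram but never the key.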

Lanny Byers is a co-managing director of CHYP USA, the new U.S. office of Consult Hyperion, a specialist in secure electronic transactions. He can be reached at lanny.byers@chyp.com.

 

  
