This story appears in the August 2009 issue of Cards&Payments.
When it comes to the security of new payment technologies, perception is reality: If consumers worry about their account details being stolen or being charged for purchases they did not make, they will stay away, regardless of whether the technology poses any real threat.
The banking industry largely has overcome consumer fears about contactless card payment. No publicized real-world attacks on contactless bankcards have emerged in the United States or elsewhere the payments industry is rolling out the technology, such as the United Kingdom.
But as mobile operators, banks and other industry players lay the foundation for contactless mobile payments with Near Field Communication phones, which could roll out within the next few years, they also are preparing for Round 2 of the security debate.
Some white papers and position papers already are making the rounds as the payments industry seeks to avoid the kinds of mistakes it made with the launch of contactless payment cards in the U.S. four years ago. Among the miscues during the rollout, especially at first, was including the cardholder's name on many cards, readable in clear text over the contactless interface. That gave privacy advocates and university researchers an opening to blast the technology, conjuring up images of digital pickpockets easily stealing the names and account numbers of unwitting cardholders.
Mobile phones packing NFC technology present most of the same security issues because they use the same underlying contactless technology as cards for the communication between the phone and reader at the point of sale. With NFC, most payment applications will be stored on SIM cards or in chips in the phones and emulate contactless cards.
But NFC brings with it some additional risks, including the ability to support many applications, such as multiple bank-payment services, transit ticketing and building-access control. Moreover, phones generally have an insecure keypad, and viruses can infect handsets, which some experts–though not all–say could enable hackers to monitor PIN entry.
In addition, NFC phones can act as contactless readers and exchange data with other NFC devices peer to peer. And they even can act as mobile point-of-sale terminals. But these additional features open up other potential attacks, including the possibility of someone intercepting communication between the devices and then manipulating the data–the so-called man-in-the-middle attack.
This attack is very difficult to pull off outside of a lab, but it is possible, says Karim Slimani, head of France-based ConstructiveCard Technologies, who wrote a recent white paper on NFC security. It involves eavesdropping on the communication, which attackers could do even without the man-in-the-middle attack.
"NFC by itself cannot protect against eavesdropping," Slimani says. "But when we talk about secure channel, we can say it is required."
A secure channel would encrypt data sent and received between NFC phones and other devices. Standards makers have been working on such a secure channel, which could be used for other applications, not only payment. For example, when NFC enables a consumer to quickly open a Bluetooth or wireless Internet connection, the secure channel might come into play.
Loyalty applications are also at risk, according to a paper by the Department of Computer Science at National Tsing Hua University in Taiwan, which suggests fraudsters relatively easily could generate, copy or cash in mobile coupons loaded and transmitted from NFC phones. The researchers suggest the coupon issuer and cashier exchange a secret encryption key.
Confined To Lab
Others, however, point out that successful attacks on contactless card and NFC-phone payment are confined to the lab. Less difficult attacks, such as eavesdropping on the payment transaction data, yield little of value to fraudsters, they say. Encryption technology secures the transaction, but to fully guard against eavesdropping and related attacks would require a much more elaborate rollout of more-sophisticated encryption technology.
"The industry, in essence, says we can't protect against eavesdropping, so let's make sure the information listened to has no value," says Stuart Fiske, a security expert with UK-based Consult Hyperion. "That makes much more sense than trying to construct a global public key infrastructure for payments."
And as with cards, the payment application and cryptographic key or keys associated with it would be securely stored on a tamper-resistant smart card chip, either in the SIM card or in a separate chip embedded in the NFC phone.
Moreover, NFC phones could offer some defenses not generally available to cards, including enabling consumers to keep applications locked with a PIN or other passcode or with a fingerprint or other biometric. And subscribers, mobile operators or their agents remotely could shut down all applications on an NFC phone should subscribers report their devices lost or stolen.
But those defenses may not assuage consumer fears. Having all the applications in one place will heighten risks, at least in the minds of some consumers.
In Japan, mobile operators, led by NTT DoCoMo, have put NFC-like wallet phones in the pockets of half of the country's subscribers over the past five years. But Japanese consumers are using them less than expected.
One of the biggest obstacles to their use is worry among subscribers about putting several contactless credit and prepaid payment accounts onto the phones along with their monthly transit passes, Haruhiko Nomura, executive director of DoCoMo's Multimedia Services Department, said last year at a conference.
'Additional Comfort'
In its white paper "Security of Proximity Mobile Payments" released in May, the U.S.-based trade group Smart Card Alliance suggested requiring consumers to enter a "passcode" or scan their fingerprint on NFC phones to provide them "additional comfort and a sense of control over a transaction."
Though early in the debate, banks, card schemes and security experts appear to agree little about when to enter the PIN, where to enter it or whether to enter it at all.
With contactless cards, issuers usually require cardholders to sign or, in some countries that have adopted EMV technology, to insert their cards into terminals and enter their PINs when the contactless transaction exceeds around $25 in the U.S., 20 euros (US$34.90) in Europe and £10 (US$16.30) in the UK. Issuers also require cardholders to authenticate themselves after a certain number of consecutive contactless transactions or a certain transaction value is reached.
But with NFC mobile payment, opinions are mixed about how to perform this authentication.
Visa and MasterCard are working on standards for what to do when a consumer would want to make a higher-value purchase using NFC phones. A spokesperson for Visa Europe tells Cards&Payments that, while the card scheme has participated in trials in which users enter a "passcode" for higher-value transactions, it is early, "and some of these questions (surrounding mobile-payment PINs) remain unanswered."
Mobile Standards
In France, the country's major mobile operators and banks in May released a detailed set of standards for conducting mobile payment on NFC phones, including a section on PINs. The standards require the consumer to enter a "personal code" when the transaction is above a certain amount, for example, 20 euros; is in a foreign currency; or when the bank wants to do a periodic authentication check.
In these cases, consumers would tap the phone as many as two times: once to initiate the transaction, then again to complete the transaction after entering the PIN. The specifications also allow consumers instead to enter the code at the beginning of the transaction, in many cases, to open the application. That PIN never would leave the phone and instead would be checked on the SIM card. The result of this PIN confirmation would be indicated in the cryptogram that the terminal or back-end server checks to complete the transaction.
The group of operators and banks, called Association Européenne Payez Mobile, also gives the consumer the option of opening the application with a PIN, then tapping for the purchase, but only for amounts less than 20 euros or the limit his bank has set.
The French, however, are quick to point out this is a "personal code" and not a PIN like the one stored on French banking chip cards or the one the subscribers enter to access their networks.
Jean-François Antelem, Européenne Payez Mobile president and a payment-innovation executive at French bank Groupe Caisse d'Epargne, tells Cards&Payments the "password is not a PIN because you enter the code on the (phone) keypad, which is not certified by banks." It does not comply with the PIN-entry device, or PED, standard from the PCI Security Standards Council, he notes.
But if it is not a PIN similar to the one used for EMV cards, it raises doubts among some security experts about the strength of the authentication.
"We are monitoring the work of the French," says Colin Whittaker, head of security for former UK payments association APACS, who holds a similar role for the UK-based Payments Council. "We just still have many questions in our minds: what this really means, and how it's going to work?"
Yet Whittaker takes a dim view of entering a stronger, conventional banking PIN on the mobile phone for a payment transaction.
Whittaker is not convinced the industry yet understands the security implications of entering PINs on NFC phones, "not the least of which because we've adopted, not just the UK industry but the global industry, a certain level of standardization with respect to a PIN-entry device at the point of sale," he said at a recent conference.
And getting handset keypads on NFC phones certified as PCI compliant could be a logistical nightmare once handset makers start rolling many different models off their assembly lines.
Whether banks call it a PIN or a personal code for the payment application, it is the same thing, say other experts. And if consumers were given a choice, they probably would choose exactly the same PIN for the application that they have for their card, says Consult Hyperion's Fiske.
PIN Options
But Fiske does not have a problem with the consumer entering his regular PIN on the mobile phone because it is a device users always have with them. On the other hand, PIN pads at the point of sale are shared by thousands of consumers and have in the past been hacked, he says.
It would be safer to enter the PIN in the phone "if it's a personal device, and yours is the only PIN going to be entered in that device," says Fiske.
If fraudsters were somehow able to get the PIN, say by implanting some type of keystroke-logging software on the phone, they still would need the phone itself to make a payment, he says.
The card schemes and banks already trust devices not complying with the PIN-entry device, or PED, standard from the PCI Security Standards Council, such as handheld readers they distribute to consumers for use with chip cards to secure home banking, Fiske says. In the UK, banks even have allowed consumers to enter their bankcard PINs on TV remote controls, which the consumers then beam in their homes by insecure infrared technology to be compared with PINs on the cards inserted into set-top boxes.
Of course, banks could decide to limit NFC mobile payment the same as they do contactless card payment–to, say, 20 euros per transaction–after which consumers would have to pull out their cards to do conventional transactions. This lack of consistency, however, could confuse consumers. But Whittaker and others who want to err on the side of caution note that, like contactless cards, the interface NFC mobile-payment applications would use is still vulnerable to attacks. That is why few in the industry in Europe or North America are suggesting significantly raising the purchase limit on NFC phones and forgoing a PIN, passcode or signature altogether.
Attack Potential
Banks and card schemes say they have effectively closed some of the openings for potential attacks that threaten the contactless interface.
They contend that even if fraudsters could eavesdrop on a card or phone transaction despite the short distance the card or handset has to be held to the reader, they would not be able to clone a card or phone application as they would by skimming data from a conventional magnetic stripe card.
And they would not have enough information to make a fraudulent transaction with most Web merchants, say most experts. If a fraudster skims a transaction from a contactless card or phone application and then tries to replay it for other transactions, the attack would be foiled by transaction counters or cryptograms, which all or nearly all contactless cards now support, making each transaction unique.
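The replay protection described above, together with the French specifications' idea of reporting the on-SIM personal-code check inside the cryptogram, can be sketched as follows. This is an added example, not code from the article or from any card-scheme specification; HMAC-SHA256, the field names, the status strings and the 2000-cent limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import struct

CODE_LIMIT_CENTS = 2000  # assumed limit, mirroring the article's 20-euro example

def mac(key, atc, amount, code_ok, challenge):
    # HMAC-SHA256 stands in for the scheme's real cryptogram algorithm (assumption).
    msg = struct.pack(">IQ?", atc, amount, code_ok) + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()

class PaymentApp:
    """Constructed model of the payment application on the card chip or SIM."""
    def __init__(self, key):
        self.key, self.atc = key, 0
    def pay(self, amount, challenge, code_ok=False):
        self.atc += 1  # transaction counter: a value is never issued twice
        tx = {"atc": self.atc, "amount": amount, "code_ok": code_ok, "challenge": challenge}
        return dict(tx, cryptogram=mac(self.key, **tx))

class Issuer:
    """Constructed model of the back-end check on each cryptogram."""
    def __init__(self, key):
        self.key, self.last_atc = key, 0
    def authorize(self, tx, challenge):
        good = mac(self.key, tx["atc"], tx["amount"], tx["code_ok"], tx["challenge"])
        if not hmac.compare_digest(good, tx["cryptogram"]):
            return "bad_cryptogram"    # a signed field was altered in transit
        if tx["challenge"] != challenge:
            return "stale_challenge"   # captured under an earlier terminal challenge
        if tx["atc"] <= self.last_atc:
            return "replayed_counter"  # counter value already accepted once
        if tx["amount"] > CODE_LIMIT_CENTS and not tx["code_ok"]:
            return "code_required"     # above the limit with no on-chip code check
        self.last_atc = tx["atc"]
        return "approved"

def demo():
    key = secrets.token_bytes(32)      # constructed key shared by chip and issuer
    app, issuer = PaymentApp(key), Issuer(key)
    c1, c2, c3 = (secrets.token_bytes(8) for _ in range(3))
    small = app.pay(1500, c1)
    big = app.pay(5000, c2)            # personal code was not entered
    return [issuer.authorize(small, c1),                    # first presentation
            issuer.authorize(small, c1),                    # identical message again
            issuer.authorize(small, c2),                    # old message, new challenge
            issuer.authorize(dict(big, code_ok=True), c2),  # flag flipped in transit
            issuer.authorize(big, c2),
            issuer.authorize(app.pay(5000, c3, code_ok=True), c3)]
```

Because the counter, the terminal challenge and the code-verified flag are all covered by the keyed cryptogram, a captured message cannot be reused and the flag cannot be flipped without the key held in the chip.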
But this challenge-response cryptogram would not thwart a relay attack, in which a pair of fraudsters relay account information and card and terminal commands and responses to each other, even if they are many meters apart. In this way they could make purchases while an unwitting consumer gets the bill.
"They make it look like your card is next to the POS device even though it isn't," says Ari Juels, chief scientist and director of U.S.-based RSA Laboratories and co-author of a study on vulnerabilities of first-generation contactless cards. "It's a somewhat difficult attack to mount. You need a fair degree of technical sophistication."
And, of course, the fraud-management software that acquirers use probably would shut down the fraudulent operations eventually. Banks have closed other holes, but Juels believes the risks will grow as service providers expand the uses for contactless technology, including putting such applications on NFC phones as door keys to homes, offices or hotel rooms.
More attention should be paid to the threats, Juels says. "A one-time fraudulent payment of less than $25 is hardly catastrophic," he says. "But when people are able to gain entrance into a building, even a one-time event can have serious repercussions."
Those repercussions could be enough to convince many consumers to shun the new way to pay with their mobile phones or contactless cards and stick to cash.





