My finances - with dancing protection

    Have you met people with a piece of foil sticking out of their wallet? No? Soon you will see them in every city in the country! Who are these people? The most ordinary citizens who worry about their finances. The reason for their concern is contactless payment cards based on PayWave and PayPass technology.

    Contactless bank cards are the pieces of plastic we are already familiar with, the only difference being that they have an antenna for transmitting information over the air. The most common types are VISA PayWave and MasterCard PayPass. Such cards can be recognized by the corresponding wave symbol in the corner and the name of the contactless technology next to the payment system logo. To pay for a purchase, you just need to bring such a card up to a payment terminal equipped with a special radio. And that's all - the payment has been made. No password entry and no signature. Speed goes up, queues get shorter.

    But as with everything attractive, contactless payments have their contentious points. Once you have seen how cards of this type work, a question arises: if the seller can get the data needed for the transaction from the card, what prevents an attacker from scanning the card and withdrawing money from it? Is it safe or not to carry a contactless credit card in your pocket?

    A bit of history

    The issue of bank card security first arose in the early 1970s, when banks faced an acute shortage of labor. The operators could not keep up with the flood of securities that accompanied loan requests and their approval.

    This situation prompted banks to organize customer self-service using ATMs. To ensure trust in the new equipment, engineers had to propose a way for users to identify themselves easily, quickly and safely. That is how cards with a magnetic stripe appeared.

    However, cards with magnetic media had, and still have, a serious problem called skimming. Using a skimmer, a special reader disguised as a regular part of an ATM, attackers can make a copy of the magnetic stripe and then transfer the captured information to a blank card.

    In response to this, smart cards appeared in the 80s. In appearance they are very similar to their predecessors. Along with the magnetic stripe, which is used where smart card readers are not available, a microprocessor chip is also built into the plastic body of such a card - in effect a full-fledged computer. In the context of banking applications, it is often called the EMV chip.

    EMV is a standard created jointly by Europay, MasterCard and Visa to increase the security of bank payments. Shortly after its creation, Europay and MasterCard merged into one company, but they did not change the name of the document.

    So what accounts for the increased level of security?

    First, the difficulty of counterfeiting. Two minutes of searching on the Internet will turn up the most detailed instructions for cloning cards with a magnetic stripe, as well as several dozen options for acquiring the equipment needed for this. Counterfeiting a card with a chip is currently considered impossible.

    The second security factor is the use of dynamic data. For each bank transaction, the EMV chip generates an individual confirmation code. Because of this, intercepting the data transmitted during payment becomes pointless.

    Third, the introduction of cardholder verification. When a magnetic stripe card is used, payment is confirmed with a signature, which in most cases no one compares with the original. Not to mention that the name of the owner on the "plastic" is also supposed to be checked against the holder's identity document. With a chip card, each payment is confirmed by entering a PIN code.
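
    The second factor can be shown in a few lines. The following is an added example, not code from the article or from the EMV specification: it models the "individual confirmation code" with HMAC-SHA256 over a per-card transaction counter, the amount and a terminal nonce. The names Chip, Issuer and demo, the counter and the message layout are assumptions of this sketch.

```python
import hashlib
import hmac
import os


def _code(key, counter, amount, nonce):
    # Stand-in for the chip's confirmation code (assumption: HMAC-SHA256,
    # truncated to 8 bytes; real EMV cards use their own algorithm).
    msg = counter.to_bytes(2, "big") + amount.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Chip:
    def __init__(self, key):
        self._key, self.counter = key, 0

    def confirm(self, amount, nonce):
        self.counter += 1  # every payment gets a fresh counter value
        return {"counter": self.counter, "amount": amount, "nonce": nonce,
                "code": _code(self._key, self.counter, amount, nonce)}


class Issuer:
    def __init__(self, key):
        self._key, self.last_counter = key, 0

    def authorize(self, tx):
        expected = _code(self._key, tx["counter"], tx["amount"], tx["nonce"])
        if not hmac.compare_digest(expected, tx["code"]):
            return "declined: bad code"
        if tx["counter"] <= self.last_counter:
            return "declined: counter already used"
        self.last_counter = tx["counter"]
        return "approved"


def demo():
    key = os.urandom(16)  # constructed key shared by chip and issuer
    chip, issuer = Chip(key), Issuer(key)
    first = chip.confirm(25000, os.urandom(4))
    return [
        issuer.authorize(first),                        # genuine payment
        issuer.authorize(dict(first)),                  # intercepted copy, replayed
        issuer.authorize(dict(first, amount=990000)),   # copy with altered amount
        issuer.authorize(chip.confirm(1200, os.urandom(4))),  # next genuine payment
    ]


if __name__ == "__main__":
    print(demo())
```

    A copy of the transmitted data is rejected both when replayed unchanged and when the amount is altered, while the card's next genuine payment still goes through.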

    Although the EMV chip has become a serious alternative to the magnetic stripe, it nevertheless has a number of disadvantages. The most important of them is the need to stay compatible with the giant magnetic stripe infrastructure. To solve this problem, banks issue hybrid cards that provide both options for access to payment. But when such a combined card is processed via the magnetic stripe, the security question arises again: the threat of skimming returns.

    It is worth noting that copying data is still possible with the chip. From smart cards issued before 2008 (MasterCard) and before 2009 (Visa), you can read enough information to produce the corresponding magnetic stripe, namely: number, expiration date, service code, information about the bank. For cards issued after the indicated dates, this problem no longer exists.

    Whether the scammer succeeds in using such a copy is another question. Terminals, like cards, come in various types. If a fraudster takes the "clone" to a terminal equipped only with a magnetic stripe reader, there will be no problems using it. A hybrid terminal, on recognizing the code received from the card, is able to establish that in addition to the magnetic stripe the card must also contain a chip. In this case, the transaction will not be completed.
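
    The terminal-side check described above, as an added example that is not part of the original article. It assumes the code in question is the three-digit service code of ISO/IEC 7813 Track 2 data, whose first digit is 2 or 6 when the card carries a chip; the function names, the decision strings and the sample records (built around a well-known test card number) are constructed for illustration.

```python
import re

# Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?$")


def parse_track2(raw):
    m = TRACK2.match(raw)
    if not m:
        raise ValueError("not a Track 2 record")
    pan, yy, mm, service_code, _discretionary = m.groups()
    return {"pan_last4": pan[-4:], "expiry": f"{mm}/{yy}",
            "service_code": service_code}


def card_has_chip(service_code):
    # First service-code digit 2 or 6: the card was issued with a chip.
    return service_code[0] in "26"


def terminal_decision(raw, terminal_has_chip_reader):
    """Decide what to do with a swiped card, as the paragraph describes."""
    card = parse_track2(raw)
    if terminal_has_chip_reader and card_has_chip(card["service_code"]):
        # Stripe claims a chip exists, so a swipe alone is not accepted.
        return "refuse swipe: chip required"
    return "process magnetic stripe"


# Constructed sample records (test PAN, expiry 12/30).
CHIP_CARD_STRIPE = ";4111111111111111=30122010000000000?"   # service code 201
STRIPE_ONLY_CARD = ";4111111111111111=30121010000000000?"   # service code 101

if __name__ == "__main__":
    for raw in (CHIP_CARD_STRIPE, STRIPE_ONLY_CARD):
        for hybrid in (True, False):
            print(parse_track2(raw)["service_code"], hybrid,
                  terminal_decision(raw, hybrid))
```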

    The second serious problem of the EMV chip is the low speed of the contact interface. The time required to access the chip, authorize and complete the necessary procedures is significantly longer than the transaction time on a card with a magnetic strip. In the case of queuing systems, this fact can be far more critical than the risks of fraud.

    All this necessitated the creation of payment technologies that would combine the best aspects of both magnetic and chip cards and at the same time have a minimum of disadvantages. NFC contactless bank cards claim this role.

    About contactless technology

    NFC technology serves as the physical basis of the contactless banking payment mechanism. NFC (Near Field Communication) is a short-range, high-frequency wireless communication technology that enables the exchange of data between devices located about 10 centimeters apart. In fact, this is a simple extension of the RFID contactless card standard (ISO 14443), combining the interface of a smart card and a reader in a single device. In banking applications, NFC technology makes it possible to replace the outdated but familiar magnetic stripe with a more modern solution, without being limited to bank cards. Payment can also be made with other payment instruments, whether a cell phone or an RFID sticker attached to any convenient item.

    In contactless cards, the information necessary for conducting transactions is stored on the card chip. There are two types of such cards.

    The first type has only a contactless interface, placed on a card with a magnetic stripe. This type is intended mainly for the United States. In effect, the contactless module is static and duplicates the information stored on the magnetic stripe.

    The second option is more secure than the first. Such a card has two interfaces to the chip: a contact one (a soldered element resembling a SIM card) and a contactless one (an RFID tag). Cards of this type comply with the EMV standard. They have not only retained the advantages of their "chip counterparts", but also become more convenient:

    - The contactless card always remains with its owner. It does not need to be handed to the seller to be swiped through a reader or inserted into a terminal. It is especially nice to see the end of the practice in which, when paying for lunch, you had to accept that the waiter would take your card and go off to process your payment, serve other visitors, drink tea, etc.

    - To increase the speed of service, contactless cards allow payments up to a set amount without additional authentication. For Russia, this amount is 1,000 rubles, for Ukraine - 200 hryvnias, and, for example, for Thailand - 700 Thai baht. This does not mean that you cannot pay contactlessly for a purchase whose value exceeds this amount; in that case you simply have to go through an authentication procedure.

    Small payments without authorization became possible because the international payment systems have set a course toward faster payment. Visa, for example, set the maximum allowable transaction time at 30 seconds. For the same purpose, Visa launched the Visa Easy Payment Service program, under which points of sale should not ask customers for identification on purchases of less than 1,000 rubles.

    The new payment technology is becoming indispensable at mass service points where speed is critical, for example, in transport. The seconds saved with contactless cards significantly reduce customer queues and waiting times.

    But what about security?

    PayPass and PayWave cards use an RFID chip operating at 13.56 MHz. It is through this chip that data is exchanged between the card and the terminal. However, an attacker can easily intercept this information with an alternative RFID scanner.

    Contactless card manufacturers argue that the problem is solved by the fact that the range of RFID tags is 3-5 cm. But this argument is highly debatable, because long-range readers with a range of more than 30 cm already exist. For now they need fairly large antennas, but that does not change the fact that they exist.

    Thus, someone with an RFID scanner can generate a transaction request and carry out an attack on the card. Of course, the data obtained is not enough to create a clone, but a number of phishing attacks can be quite successful.

    Meanwhile, both legislators and payment systems side with the holder of the funds in this matter. Payments of up to 1,000 rubles disputed by the cardholder are refunded without further investigation and as soon as possible. This is largely due to an interest in the development of micropayments and a constant increase in cash flows. One of the most discussed laws adopted, 161-FZ "On the National Payment System", points clearly in this direction. Previously, in cases of bank card fraud, the owner of a compromised card had to prove their innocence, which in Russian courts often did not end well; from January 1, 2014 the situation changes radically. In accordance with article 9 of the said law, the bank is obliged to reimburse the client the amount of a transaction completed without his consent after receiving notification of an unauthorized transfer of funds, and only after that proceed with the investigation of the incident. Modern fraud monitoring systems, however, will not allow bank customers to abuse the right to constantly dispute transactions. Those who want to cash in on false claims can be quickly identified.

    So is it worth using contactless bank cards or not? Most likely it is. It is not only convenient, it is almost safe. But if doubts remain about the security of transmitting your card data over a radio frequency channel, shielding the card with a foil envelope will solve this problem. And we will increasingly meet people with a corner of foil sticking out of their wallet.
