Contactless cards: Is the RFID skimming threat overblown?


Several years ago, credit unions and other card issuers had to tackle the EMV liability shift. As CU Times recently reported, with chip-cards now nearing full adoption, contactless payments may be the new frontier for U.S. card issuers.

Contactless cards are widely used in Europe, Canada and other parts of the world. And while the U.S. lags behind in the market, the concept is simple: Rather than swiping a magnetic strip or dipping a chip-card, contactless cards allow users to pay by tapping their card at a merchant’s point-of-sale terminal.

According to an article on CNBC, research conducted by consulting firm A.T. Kearney suggests banks and card issuers could generate an estimated $2.4 billion in incremental card-related earnings over the next five years by introducing contactless cards. “The research also found that consumers are more likely to use the payment method for small, frequent transactions in categories like groceries, drug stores and fast food- restaurants,” the article stated.

The “tap and go” transactions are considered a more efficient and convenient way of paying. But is it secure? Some research suggests contactless cards, which do not require a signature or PIN, are less secure if they are stolen, because the thief does not need to authenticate the purchase.

Consumers may also have concerns about skimming. Technology does exist that allows criminals to skim information from the cards by using RFID, or radio-frequency identification. However, experts in fraud prevention have explained that RFID-related crime is essentially non-existent in the real world. According to an article on CSO, RFID crime is unlikely to happen because second generation RFID-enabled credit cards encrypt and protect the information they transmit. Not all RFID-enabled cards are second generation and protected, but first-generation cards have not been created for years.

Secondly, the article explains, RFID crime is not a great payday for criminals when compared to the effort and risk. A thief would have to be sitting or standing in close proximity to a bunch of RFID-enabled products – likely in a public place with cameras and security.

On the flipside, criminals have better and more efficient ways to obtain information instead of purchasing an RFID scanner, which is not a cheap investment. “For one, it’s cheaper for a criminal to buy credit card numbers on the dark web instead of purchasing a RFID scanner,” Eva Velasquez, president/CEO of Identity Theft Resource Center, said to Lifehacker. “They could also do some hacking and steal these numbers much faster than going person to person with a scanner.”

Despite the lack of hard data suggesting RFID fraud is a threat to consumers, products like RFID-blocking wallets and purses are popping up in stores more frequently. But experts say there are better and more traditional ways to guard against fraud.

Vickie Walker, senior product manager of CO-OP Financial Services, considers the topic to be a great opportunity to open the door for cardholder education.

“Issuers should leverage this opportunity to communicate the convenience and speed of transacting with contactless cards and promote awareness of its advanced security features,” Walker told the New York Minute.

Walker said card issuers should explain “the information transmitted from the actual plastic is minimal (account number and expiration date); and the fraudster would need to be in very close physical proximity (less than two inches) to be able to capture the card data.”

She also noted that during the authorization of the transaction, a dynamic one-time-only number is generated specific to that transaction. This makes it extremely difficult, if not impossible, for the fraudster to replicate the advanced encryption technology used to generate the one-time number.

Lastly, Walker explained “cardholders should have the reassurance contactless payments are not only a convenient and a quicker way to pay, they are also much more secure than swiping or dipping and entering a PIN. All this goes back to cardholder education as a critical key driver to contactless adoption.”

Leave a Reply