Could your contactless bank card be vulnerable to virtual pickpocketing?

March 1, 2016 by Ahmad Lotfi, The Conversation
Credit: Shutterstock

Thieves technically no longer need to reach their hands inside your pockets to steal the money from your purse or wallet. A recent viral photograph of someone on busy public transport with a point-of-sale card reader sparked fears that virtual pickpockets could swipe such a device against passengers' bank cards and take money from their accounts without them realising. But how vulnerable are we to such attacks?

Contactless payment cards include a small antenna, a memory bank and an embedded microprocessor that can perform secure calculations and communications. A card reader sends out an electromagnetic field that both supplies power to the chip in the card and exchanges data with it via radio signals. When this happens, it sets up a connection that can code and decode information so payment details can be sent securely.

The fact that the chips can be passively read in this way without further action from the card's owner means that any active device brought close to the card can establish a link with it and complete a transaction. This means that the idea that you can be virtually pickpocketed by someone carrying a secret card reader is correct. But the thief would have to correctly locate where in your clothing or bag your card was and then bring their device within 5cm of it. And the likelihood of finding yourself in such close contact with someone carrying a is very small.

Smartphones – ‘active technology’. Credit: Shutterstock

Of course, if your card itself is stolen then thieves can use it repeatedly to take money from your account. Even if you report the card lost or stolen and a block is applied to further activity, transactions can be processed by offline card readers and so won't encounter the block and so the money will still be transferred.

Minimal risk

Despite these flaws, the risks of theft remain so small compared to the total amount of usage that they're practically insignificant. There are over 79m contactless cards now in circulation in the UK (as of December 2015) and more than 140m contactless transactions are made each month. So far, errors and reported crimes have been rare. The total annual contactless fraud loss was £153,000 compared with total spending of over £2.3 billion in 2014.

Contactless cards do come with built-in security. The chip on the card generates a unique coded message (cryptogram) and digital signatures to protect the payment from being intercepted. Banks set a limit on the number and value of transactions that can be made via contactless payment and repeated payments are forbidden.

One way of making more secure would be to move to an active technology (as opposed to the passive chips) such as that found in smartphones or other devices that run programs such as Apple Pay or Android Pay. These devices create their own "near field communication" signals that are switched off when not being used to prevent accidental or unauthorised payments.

While you still have a contactless card, however, there is a more low-tech way of protecting your money. A metal case, protective sleeve or even some aluminium foil will prevent a device's signals from reaching the card. Or you could avoid putting your card where it can be easily accessed. Despite the minor security drawbacks, contactless cards have proven to be a very useful communication standard and provide connectivity and convenience for many innovative applications.

Explore further: In the UK, bPay offers fob, band or sticker options

Related Stories

In the UK, bPay offers fob, band or sticker options

June 29, 2015

Method of payment: "Cash or credit?" The two options sound so yesterday. In the UK, technology support in banking offers a new type of menu—band on the wrist, fob or sticker. The three new devices from UK Barclaycard were ...

MasterCard, Zwipe announce fingerprint-sensor card

October 18, 2014

On Friday, MasterCard and Oslo, Norway-based Zwipe announced the launch of a contactless payment card featuring an integrated fingerprint sensor. Say goodbye to PINs. This card, they said, is the world's first contactless ...

Security card with a one-time password and LED display

March 6, 2013

Infineon Technologies AG and Bundesdruckerei GmbH have developed a new security smart card with an LED display and a one-time password. This new technology is centred around a security chip in the card which generates a one-time ...

Recommended for you

Tech titans join to study artificial intelligence

September 29, 2016

Major technology firms have joined forces in a partnership on artificial intelligence, aiming to cooperate on "best practices" on using the technology "to benefit people and society."

US prepares to cede key role for internet

September 29, 2016

The US government is set to cut the final thread of its oversight of the internet, yielding a largely symbolic but nevertheless significant role over the online address system.

Android's Nougat update isn't flashy, but still pretty handy

September 28, 2016

Nougat, Google's latest update of its Android smartphone software, isn't particularly flashy; you might not even notice what's different about it at first. But it offers a number of practical time-saving features, plus a ...

Disabled man gets license, shows driverless tech's potential

September 28, 2016

Former Indy Racing League driver Sam Schmidt has done a lot in the 16 years since an accident left him paralyzed from the neck down. He runs a racing team and a foundation. He's raced a sailboat using his chin. But the man ...

1 comment

Adjust slider to filter visible comments by rank

Display comments: newest first

Nik_2213
not rated yet Mar 01, 2016
Uh, quoted 5cm range is for a standard reader. What if it is hacked with a much bigger search-coil ? Best to have that foil sleeve or insert in your wallet, to be sure, to be sure...

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.