Fed weighs future of contactless payments

Payments industry defends security of technology at recent meeting and claims that waiters, not wireless, are the biggest security threat

You can call it 'cash 2.0': a new age of wireless payment technology that may replace even the smallest cash transactions in the coming years with the wave of a credit card or mobile phone. 

But as major corporations like CVS, McDonald's, and Walgreens begin deploying new RF, or "contactless," payment technology, the Federal Reserve is taking a closer look at the technology and is asking the payment industry and card companies, among other questions, whether the new payment systems are secure.

The rapid deployment of RF-equipped contactless payment technology was behind a meeting at the Boston Federal Reserve in May. According to interviews with those at the meeting, the payments industry argued that, while not foolproof, the new RF payments systems are a vast improvement over existing, "magnetic stripe" payments technology and that Americans' casual handling of their credit cards poses a far greater risk to sensitive financial information than wireless hackers that might target the cards.

Contactless payment technology uses RF technology embedded in credit cards, mobile phones, or USB devices to negotiate credit and debit transactions. As opposed to older generation magnetic strip technology, the RF cards can be waved in front of a card reader.

While most consumers in the U.S. have yet to use the new cards, the availability of contactless payment technology is growing by leaps and bounds. Between 18 and 20 million RF-enabled credit and debit cards were issued between 2005 and 2007, according to Randy Vanderhoof, executive director of the Smart Card Alliance, an industry group. Payment card company Visa has issued seven million of the cards globally, the majority of them in the U.S., said Brian Triplett, a senior vice president of emerging product development at Visa.

"Adoption is growing at a faster rate than any other payment technology introduced in the last 50 years," said Vanderhoof, with banks like Chase Manhattan, Wells Fargo, and Keybank among the first to issue the cards.

The major advantages of the cards are speed and convenience, especially in the realm of "small value transactions" under $25, he said. That's because RF equipped credit cards reduce the time it takes to complete a transaction by almost two thirds from cash transactions and take less than half as long as traditional credit or debit card transactions, according to a presentation given at the Federal Reserve by Peter Nash, CVS's director of store treasury operations.

That decrease in checkout time means increased customer volume for high-traffic retailers like CVS and McDonald's, compared with cash or traditional credit card transactions. And studies show that consumers who use credit cards for small purchases tend to buy more with each purchase, said Avivah Litan, an analyst with Gartner.

RF cards are also being used by transportation authorities in cities like Boston and New York, where subway riders now use contactless cards instead of tokens to pass through turnstiles.

So far, the biggest obstacle to commercial adoption has been merchant acceptance of the new platform, which requires them to purchase and install RF reader terminals and pay higher costs per transaction than with traditional magnetic stripe cards, said Litan.

Still, one security expert on the RF enabled payment cards says that bigger problems are lurking behind the scenes with contactless payments technology, about which too little is known for consumers to be put at ease about the security of their financial information.

Kevin Fu was part of a team that published research that raised concerns about the security of first-generation RF-enabled credit cards in 2006. That study revealed that some of the cards transmitted cardholders names and account numbers in the clear to reader devices, and, in some instances, were susceptible to so-called "replay" attacks in which data eavesdropped from an RF card was "played back" to a reader, which accepted the data.

Speaking with InfoWorld, Fu, who is an assistant professor of computer science at the University of Massachusetts, said that in the last year, the card industry has corrected some of the faults of the first generation of RF cards but that many cards still broadcast information like a credit card account number in an unencrypted form.

Card companies don't consider the account number to be "personally identifiable information" or PII, acknowledged Nasreen Quibria, a senior payments industry consultant at the Federal Reserve Bank of Boston.

"Stealing information from these cards is not as easy as it may seem, but I'm concerned that consumers are unaware that their information is being broadcast in the clear," Fu said.

The payment card industry continues to take a dim view of Fu's research, arguing that attacks that eavesdrop information from RF cards would be all but impossible to carry out successfully outside of the laboratory, that newer generation cards mask the account holder's name, and that an arsenal of other security features stand between fraudsters and successful transactions, including CVCs (card verification numbers) that are generated dynamically with each transaction and hefty back-end fraud detection systems, said Visa's Triplett.

"Each (contactless) transaction is unique. There's data that's generated on the card itself, then encrypted and sent through the network for validation of the transaction," Triplett said. "It's not just the 16 digit account number. You have to have additional information."

"If you look at fraud on card platforms versus other kinds of payments, it's a small fraction," he said.

Triplett noted that card issuers like Visa reviewed Fu's research when it came out but concluded that they had the "right level" of security in place for stakeholders in the payments system: consumers, banks, and merchants.

Still, the payment industry may be making at least one concession, turning a recommendation that RF cards be shipped with protective mailing shields into a mandate, Triplett said. The shields prevent eavesdropping of card information while the card is still in its mailing envelope -- a technique that Fu and his fellow researchers used to obtain card information.

Outside of that, the payment card industry is limited in what it can do by a legacy infrastructure of card readers that can't handle RF transactions. That means that even new RF cards have to sport magnetic stripes that contain cardholder and account information on them in unencrypted form, said Triplett.

"You have to look at the complete picture, and when you get the full picture, you see that the RF makes (payments) more secure," he said. Besides, if all else fails, consumers have zero liability for fraudulent transactions.

Still, payments industry experts anticipate a long-running arms race between the payment card industry and increasingly sophisticated fraudsters who will be motivated to test the limits of the new system, especially as contactless payments features migrate to cell phones and other devices.

Still, Fu and others say that the payment industry's preference for keeping the details of how its contactless technology works under wraps will make it difficult to assess how well the industry is standing up to hackers.

"Public scrutiny is important," he said. "It's great that they're doing work in-house, but we won't know if it's not working unless there's public scrutiny and openness," Fu said.

SSL is one such example of a widely used encryption technology that has been vetted and improved through the efforts of independent researchers, Fu said.

Crucial components of the contactless payment system, such as the protocols used in contactless transactions and the algorithms used to generate the dynamic transaction codes, should also be open to scrutiny from independent security researchers and cryptographers, Litan and Fu agreed.

"I think the dynamic CVC code is a good security scheme, but the only reason I say its good is because (the payment card industry) told me. I haven't heard that from a third party researcher," she said.

But security researchers interested in the inner workings of the RF technology shouldn't hold their breath, according to Triplett at Visa.

"We're aggressive in having people look at risk and inform us, and we share that information with critical stakeholders, but that's not something we're going to open up to industry groups to report on," Triplett said.

That approach limits visibility into the industry's system but could prove disastrous if hackers were able to crack a critical payment component like the algorithm for creating the dynamic CVC codes, Litan said.

In the end, though, the debates about possible hacks are academic, especially when compared to the quotidian nature of most credit card fraud, which often stems from ordinary theft or sloppy behavior, such as restaurant patrons in the U.S. handing over their magnetic stripe card to waiters and waitresses before paying their bill, said Jania.

Despite that, the security of the new payments technology is an issue that consumers are concerned about, said Karen Webster, a researcher at Market Platform Dynamics.

"There seems to be a schism between the perception and the reality (of security risk), but clearly in the mind of the consumer, it's an issue," she said.

For now, security in contactless payments is a small issue because despite the millions of RF cards issued, readers are still hard to find and there's no evidence that contactless payments are catching on with consumers.

A survey of around 4,000 16-to-43-year-olds by Market Platform Dynamics in 2006 found that the cards were being used for only around two percent of purchases under $25, according to information presented by Karen Webster of Market Platform Dynamics.

But as readers become more plentiful (CVS, for example, has installed 40,000 RF-enabled, signature capture Payment Terminals in 5,400 stores) and "killer apps" like payments through mobile devices take off, the payments industry will have to be poised to respond to increased interest from hackers and fraudsters.

"As payment mechanisms and form factors change, we can expect the security methodologies to evolve along with them," said Jack Jania, vice president for financial services at secure card maker Gemalto.

The U.S., for example, may soon join the EU and countries like Mexico in embracing the EMV (Europay, MasterCard, and Visa) standard for authenticating debit and credit card payments. 

"I see it as being inevitable," Jania said. "Security is like a staircase that you're always climbing." 

Copyright © 2007 IDG Communications, Inc.