Contactless payments – a target for organised crime?
They may have been around only since 2007, but contactless payment cards are fast becoming the default way to make low-value transactions. The number of payments made with cards has risen by more than 9% a year since 2013 and now totals 17 billion a year.
These figures suggest users are becoming increasingly comfortable using this new payment option. And with top retailers eagerly deploying contactless terminals, and thereby encouraging uptake, many see it as the next step in the development of the payments infrastructure.
Of course, with any new technology there are always going to be challenges to address. Perhaps top of the list is security.
To date, the banking industry has pursued the twin approaches of deploying state-of-the-art security while communicating its risk mitigation approaches to both current and prospective users. However, a recent Europol report suggests these protective measures may be under increasing attack from organised crime.
The attack on contactless payments
Banks have already deployed several key strategies to protect contactless payments:
The first strategy lies in the limit placed on transaction values, offering users reassurance that any unauthorised spending is automatically capped. The second is a restriction on the number of contactless transactions that can be made in sequence. However, Europol reports that it has been made aware of instances where contactless cards have been purchased by criminals from individuals who then report the card as lost. The criminals then reset the card once they have reached the purchase limit, thereby allowing continued spending.
In the third strategy, contactless cards have been designed to work only within a short range of about ten centimetres. However, Europol has warned that organised crime gangs are using Android telephones to make fraudulent contactless transactions. It reports that “… several vendors in the Darknet offer software that uploads compromised card data onto Android phones in order to make payments at any stores accepting NFC payments…”
Furthermore, anecdotal comments made by industry insiders suggest that some fraudsters may be simply wandering the streets with equipment not dissimilar to store point-of-sale devices. By bumping into people and using the equipment to “read” a plastic card sitting in a wallet or handbag, “transactions” can be registered, or card details stolen, without the card owner being aware.
Europol has also warned that the fraudulent use of contactless payments may have previously unanticipated consequences. For example, when merchants detect a fraudulent transaction, they are currently requested to seize the card.
However, Europol highlights this might not be possible when the compromised card data is held on the purchaser’s smartphone.
So how should users of contactless payments respond?
First of all, no one should panic. The value of the crimes that Europol reports remains relatively small.
At Fujitsu, we expect the growth in contactless transaction volumes to continue. Payment system providers are keen to promote the system while users seem to value and appreciate the ease with which contactless payments can be made.
The banking industry is well aware of the challenges that new payment mechanisms present. We expect that it will continue to look to strengthen its defences, so as to maintain and – where it can – build further confidence in contactless transactions.
We expect the industry, working with its suppliers, to look to design out security flaws from its software and hardware. We also expect it to seek even closer cooperation with law enforcement agencies and security experts.
Historically, card fraud may have been given a low priority due to its fragmented nature. Closer cooperation within the industry and across borders will help identify those organised crime groups involved in contactless fraud and their strategies.
Contactless transactions have already established themselves as a payment mechanism valued by banks and their customers. There may be some challenges to be overcome, but, at Fujitsu, we remain convinced that – if appropriately managed – they still have a very bright future ahead.
In addition to advising numerous UK and continental European financial services organizations, Anthony has also held senior line management positions, including as Director of Strategy for a FTSE-100 bank; Deputy Managing Director of a UK commercial bank; and Managing Director of a UK asset finance company. He has also worked in central government, advising Cabinet ministers on the development and passage of company legislation.
Anthony joined Fujitsu in February 2012.