Smartphones are now used to make "contactless" credit card payments for small purchases, but a recent experiment has raised questions about the security of such transactions.
An experiment has revealed that debit and credit card data transmitted during contactless credit card payments can be picked up from a distance of nearly half a metre, more than four times the transmission distance deemed safe.
During a wave-and-go transaction, customers tap or hold their debit or credit card near a card terminal to pay for purchases of up to £20 without entering a PIN code. Contactless card systems use different security features to hide banking details, including encryption and authentication mechanisms that check whether details should be transmitted.
A key security feature of contactless card payments is that they should not transmit payment information further than 10cm from a reader. But a researcher at the University of Surrey built equipment capable of eavesdropping on contactless card payment data from a distance of 45cm. The researcher used a pocket-sized antenna, equipment in a backpack, and a shopping trolley to pick up data that had been fabricated to behave exactly like payment card information.
The UK Cards Association said that fraudsters would not be able to harvest enough details using such techniques to be dangerous. Fraudsters harvesting debit and credit card numbers and expiry dates would not be able to clone cards, and would find it difficult to make a bogus transaction.