In a paper published in September by the Department of Computing, University of Surrey, UK, researchers demonstrated how contactless payments could be interfered with, effectively “eavesdropping” on payment systems that use Near Field Communication (NFC) / Radio Frequency Identification (RFID) technology to transfer payment data.
With the required technology increasingly available, whether via a card chip or an NFC-enabled mobile phone, the uptake of contactless payment technology has risen rapidly. Visa reported a 46% rise in contactless payments within Europe between December 2012 and March 2013 alone. Though contactless payments may seem to lack security, in the UK each individual payment has a limit of £20, and a user who makes several contactless payments in one day may be randomly asked to enter the card’s PIN as a security measure.
Through their experiments, the security researchers were able to eavesdrop on the frequencies transmitted from replica contactless payment cards using “inexpensive and off-the-shelf electronics”. They also concluded that an attacker could “assemble our receiver at low cost and easily conceal it in a backpack”.
Though they state that future work is required with actual mobile phones and contactless cards “instead of synthetic data”, in order to examine exactly what information could be extracted from such an attack, their research suggests that the use of such technology is not risk-free.
The full report is available here.
Source: [Report: Eavesdropping near-field contactless payments: a quantitative analysis], Department of Computing, University of Surrey, Guildford