Do you know who has been contacting your “contactless payment card,” or those of your customers? You may not.

With today’s magnetic-stripe credit cards, you at least know who you have given your card to.

To use your account, thieves must get their hands on your card; or, if they gain access to online records, they have to get not only your credit-card number, but also its expiration date (and more recently, the authorization code on the card back).

However, the new “contactless” payment systems present new opportunities for fraudulent activity that are far less obvious than with mag-stripe cards.

A thief need not have possession of a victim’s contactless card in order to capture all the relevant information. He or she only has to intercept the data during the wireless connection between the card and a point-of-sale system.

The thief doesn’t even need to decrypt the contents. It’s enough to extract the encrypted data and use that in a transaction.

And to read the encrypted data, one only needs to get in reasonably close proximity to the victim. Contactless radio signals are very short range, but can be picked up from three to six feet. A thief can simply “walk by” the victim.

Proximity or “contactless” cards are used exclusively in physical locations which, not coincidentally, is where the majority of credit-card fraud occurs.

Worse, the majority of fraud is perpetrated by employees; by insiders, whose access to cards and ingenuity in misappropriating data are a deadly combination.

Small mag-stripe readers are easily “palmed,” for example, so the employee can simultaneously process a legitimate credit-card payment on a POS system and store the card’s data for illicit use later on.

This method is simple and reasonably covert with just a little sleight-of-hand practice.

Credit-card fraud has never been a difficult crime to commit at the point of payment.

So how can the “contactless payment card” be compromised? Not quite as easily as a mag-stripe.

As advocates point out, contactless-card data is protected with 128-bit triple-DES encryption.

But these new technology cards present some new opportunities that didn’t exist before.

For example, take a full-service restaurant where the bill is presented to the customer at the table. What if the waiter has a mini “contactless” reader in his pocket?
Such a device could read a card anywhere in reasonably close proximity; it need not even be from someone at the particular table that he is cashing out.

All that the waiter must do is to meander through the dining room, walking close to seated customers.

And given that a card is secretly read, the waiter can substitute that information in settling the check and simply pocket the cash from the customer.

Does this example sound too difficult? Or, might “contactless” payment not be permitted in full-service restaurants? OK, let’s try another scenario.

Assume that we are in a retail store that we frequent to purchase gas and pick up a soda for the road.

What if the cashier simply moves the contactless card reader to the edge of the counter, where it is directly up against the customers that typically lean against the counter while purchasing their items.

Up to the counter walks a woman with several items. The cashier says “That will be $22.75, ma’am.”

The customer sets her purse on the counter, digs into her wallet and hands the cashier $30, receives change and leaves .

Unbeknownst to the customer, however, the proximity reader has picked up data from the contactless card in her purse; she never realizes the cashier actually used the contactless card to process the order, while pocketing the cash.

Sound wild and unlikely?
In one pilot test to date, there has been at least one such unintentional/unexpected reading of a contactless card. It wasn’t done with fraud in mind, but it certainly surprised both the cashier and the customer.

Thankfully, there are solutions to such issues. But can measures be implemented to thwart all such fraudulent activity? Or even to make contactless-payment fraud more difficult?

The simplest of all methods is to simply manufacture the contactless card with a touch sensitive activation dot on the card; essentially an “on/off” switch.

Press on the dot and the card will permit its data to be read. Don’t press on the dot and the card will refuse to transmit any data via short distance radio wave.

Quite simply, the card cannot be read without the card-holder intending that it should be.

That method could be extended to incorporate fingerprint-based biometric security that will allow the card to recognize only the cardholder.

Certainly that would raise the cost of the card, but t would render a lost card useless to anyone other than the original owner.

Such contactless cards could have a fingerprint reader window in one corner of the card. Only the cardholder’s finger would activate the card.

While such measures are not presently in place, I am confident that such are being actively discussed by Providers and that many more alternative solutions have been identified. I am also confident that some type of anti-fraud measures will be incorporated in future generations of contactless cards.

Until then, opportunity for fraud does indeed exist with contactless cards and the creativity, ingenuity and tenacity of the thief should never be underestimated.

Jeff Chasney is executive vice president, strategic planning and CIO of CKE Restaurants, Inc., which owns the Hardees, Carl’s Jr., and La Salsa Fresh Mexican Grill restaurant chains.

  • How Safe Are the New Contactless Payment Systems?
  • 7-Eleven’s CIO: Contactless Payment Is Here
  • Pack-rat Approach to Data Storage is Drowning IT
  • Travel Sites Ease Privacy Rules on Personal Data
  • Data-Theft Case Proves Need For New Disclosure Law
  • August 18, 2005 – Jeff Chasney, CIO, CKE Restaurant

August 18, 2005 – Jeff Chasney, CIO, CKE Restaurants