999,999.99 it’s a big number...

By Dr. Guy Bunker @guybunker

Mobile cash

This week there was an announcement of a new vulnerability in contactless pay cards.

In essence, while the card, in the UK, is restricted to a maximum of £20 per transaction, when the transaction is made in a foreign currency the restriction is 999,999.99... in the currency of your choice. Pick US Dollars and it will be worth more than Yen! The vulnerability can be exploited with a modified mobile phone and, because it is contactless, in theory you can just walk past the ‘victim’ and run up a substantial bill. A wander around a shopping mall could be a lucrative day’s work for the cyber-criminal.

Firstly, this is a vulnerability rather than something that has been seen ‘in the wild’. However, the fact that it has been published means it will, no doubt, be in the wild shortly.

The researchers acknowledge that there are back-end systems designed to detect and prevent fraud, which is a good thing. Banks and credit card companies are good, really really good, at detecting fraud, so I believe that if someone tried to put a bill of $999,999.99 on my card (apart from blowing the limit) it would be spotted. But what if it was $1000 or $100... an amount most cards can readily handle without suspicion? (Unless you happen to be scanned for the umpteenth time in one day...)
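To make the two points above concrete, here is an added example (not code from the original post or from the researchers) that models the flaw in a simplified form: an offline limit check that applies the £20 ceiling only to GBP and a 999,999.99 ceiling to every other currency, next to a hardened check that normalises every amount to the card's home currency before comparing. It also shows the sort of issuer-side velocity rule that would catch a card being tapped for the umpteenth time in one day. The exchange rates, card identifiers and transactions are constructed for the demonstration, and the check functions are a simplified model, not the real card or terminal logic.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal

# Per-transaction ceiling the post states for UK contactless cards.
CONTACTLESS_LIMIT_GBP = Decimal("20.00")
# The foreign-currency ceiling the post quotes: 999,999.99 in any currency.
FOREIGN_CEILING = Decimal("999999.99")

# Constructed exchange rates into GBP, illustrative only (not market data).
RATES_TO_GBP = {
    "GBP": Decimal("1"),
    "USD": Decimal("0.62"),
    "EUR": Decimal("0.78"),
    "JPY": Decimal("0.0056"),
}


@dataclass(frozen=True)
class Tap:
    """One contactless transaction as seen by the card or the issuer."""
    card: str
    amount: Decimal
    currency: str
    when: datetime


def to_gbp(tap, rates=RATES_TO_GBP):
    """Convert a tap's amount to GBP; None when the currency is unknown."""
    rate = rates.get(tap.currency)
    return None if rate is None else tap.amount * rate


def flawed_offline_check(tap):
    """Simplified model of the flaw as the post describes it: the GBP 20
    limit is applied only to GBP transactions, and everything else is
    compared against 999,999.99 in whatever currency the terminal presents."""
    if tap.currency == "GBP":
        return tap.amount <= CONTACTLESS_LIMIT_GBP
    return tap.amount <= FOREIGN_CEILING


def hardened_offline_check(tap, rates=RATES_TO_GBP):
    """Enforce one limit regardless of currency: normalise to the card's
    home currency first, and fail closed on a currency with no known rate."""
    gbp = to_gbp(tap, rates)
    return gbp is not None and gbp <= CONTACTLESS_LIMIT_GBP


def flag_velocity(taps, max_taps_per_day=5, max_total_gbp=Decimal("100.00")):
    """Issuer-side rule for the 'scanned for the umpteenth time in one day'
    case: group taps by card and calendar day, then flag any card that
    exceeds either the tap count or the cumulative GBP value. An unknown
    currency is treated as suspicious rather than silently ignored."""
    per_day = defaultdict(list)
    for tap in taps:
        per_day[(tap.card, tap.when.date())].append(tap)

    flagged = {}
    for (card, day), group in per_day.items():
        values = [to_gbp(t) for t in group]
        if any(v is None for v in values):
            flagged[card] = f"unknown currency on {day}"
        elif len(group) > max_taps_per_day:
            flagged[card] = f"{len(group)} taps on {day}"
        elif sum(values) > max_total_gbp:
            flagged[card] = f"GBP {sum(values):.2f} in contactless taps on {day}"
    return flagged


# Constructed sample transactions for the demonstration.
SAMPLE_TAPS = [
    Tap("card-A", Decimal("15.00"), "GBP", datetime(2014, 11, 3, 9, 0)),
    Tap("card-A", Decimal("1000.00"), "USD", datetime(2014, 11, 3, 9, 5)),
    Tap("card-A", Decimal("2000"), "JPY", datetime(2014, 11, 3, 9, 10)),
    Tap("card-B", Decimal("25.00"), "GBP", datetime(2014, 11, 3, 12, 0)),
] + [
    # card-C is tapped eight times in one afternoon, each just under the limit.
    Tap("card-C", Decimal("18.00"), "GBP", datetime(2014, 11, 3, 14, minute))
    for minute in range(8)
]


if __name__ == "__main__":
    for tap in SAMPLE_TAPS[:4]:
        print(tap.card, tap.amount, tap.currency,
              "flawed:", flawed_offline_check(tap),
              "hardened:", hardened_offline_check(tap))
    print(flag_velocity(SAMPLE_TAPS))
```

Run as-is, the $1000 tap passes the flawed check and fails the hardened one, the ¥2000 tap passes both (it is worth about £11 at the constructed rate), and the velocity rule flags card-A for its cumulative value and card-C for its tap count. The point is that the offline limit and the back-end rule complement each other: the first stops the large single charge the post describes, the second catches the many small ones that sit under any per-transaction limit.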

The question is what to do next? The researchers have shown there is a flaw in the design and/or the implementation. So, the obvious thing is to remove the flaw and improve the authentication and authorisation mechanism of the card. Seems pretty obvious to me. Fixing is costly, but at the end of the day this is what needs to be done to protect the customer, you and me. We have seen a number of high-risk vulnerabilities aired in the media recently which have affected millions of servers in the past 12 months, think of Heartbleed, Shellshock and the other various Open Source issues – these have been fixed (or patched, as we say) for the greater good. At least, until the next one appears. Is there any reason this particular vulnerability in the next generation of payment cards should be treated differently? While flaws (bugs) have cost businesses millions of pounds to fix (not the ‘fix’ to the vulnerability itself; it is rolling it out to the devices that costs the time and money), the pros far outweigh the cons. Keeping critical information safe... reducing business risk... protecting company and customer reputations.

What can people do before the flaw is fixed? The easiest solution is to purchase a wallet or purse with RF shielding, or even a single protective credit card sleeve (available from all good online retailers!). This prevents remote access to the card by anyone, including you. So, if you want to use a contactless terminal, you will need to remove the card from the wallet, which could be seen to defeat the whole purpose of contactless payments, ease of use and all that. However, this also gets around one of the other challenges these cards have – whereby ‘the wrong card’ is charged, or multiple cards are charged.

Remember this story: Contactless cards: how safe is your money? If you have multiple contactless cards, how does the system know which to use – other than the first it comes across? So, I would suggest using an RFID shield anyway. Even when the issues relating to $999,999.99 potentially being removed from your account have been resolved, I still wouldn’t want to walk down the street and lose £20 to anyone with an appropriately modified phone.