Contactless Payments – but secure!

Contactless payment is on the rise. It takes seconds and is accepted at more and more locations. It is made possible by Near Field Communication (NFC), which works with EC (girocard) and credit cards as well as with mobile devices such as smartphones and smartwatches.

Contactless is the new keyword

In Germany, too, there are signs of growing acceptance of mobile payment, not least because of Corona. Whether in the supermarket or at the bakery next door, the obligation to issue receipts and the wish to avoid contact have led many brick-and-mortar merchants to switch their payment systems to contactless payment, whether by EC and credit card or by smartphone. Figures on the Stiftung Warentest website show that since the start of the Corona crisis the share of contactless payments has risen to 50%; in December 2019 it was still 35%.

Small amounts in particular, usually under 25 EUR or 50 EUR, do not require an additional PIN entry, so payment is quick and still secure. The low signal strength of NFC also protects users from many, but not all, methods of misuse. Further down in this post we explain which risks remain.

There are two ways to pay contactless: directly with the card, or via an app on the smartphone. When the customer pays with a smartphone or another device, this is also called “mobile payment”. On Apple the function is called “Apple Pay”, on Android “Google Pay”. With Google you usually need an app from a third-party provider, while with Apple everything comes from Apple. To pay, the phone with the open app, or the credit card, is held directly against the payment terminal, and the payment is confirmed with a visual or acoustic signal.

Risks with contactless payment

One risk is data leaking during the payment process. Apps used for payment can, for example, record the user’s location at the time of payment and pass it on to third parties. App providers can thereby learn which supermarket customers shop at or which Italian restaurant is their favourite. With apps in particular, many different parties are often involved: the financial institution where the customer holds an account, licensors, the smartphone manufacturer, and transaction service providers. So you should definitely read the privacy policy, paying particular attention to sections on “passing on data to third parties/partners”.

A contactless credit card can, if criminals set out to do so, be read out by a manipulated reader and the captured data then used for payments on the Internet, because the data is transferred 1:1, for example account number, expiry date and cardholder name. When a credit card is added to a smartphone wallet, by contrast, only encrypted copies are transmitted, and these are valid only for the respective payment transaction.
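To make the difference concrete, here is an added, simplified model (not the code of Apple Pay, Google Pay or the real EMV scheme) of why a per-transaction cryptogram is useless to anyone who captures it: the issuer accepts a payment only if the cryptogram verifies for exactly that amount and merchant and the transaction counter has moved forward. The card key, merchant names and amounts are constructed demo values.

```python
import hmac
import hashlib

# Constructed demo key shared between wallet and issuer; real schemes use
# per-card keys provisioned by the issuer. Never reuse a fixed key like this.
CARD_KEY = bytes.fromhex("0f" * 16)


def make_cryptogram(key: bytes, atc: int, amount_cents: int, merchant: str) -> bytes:
    """Bind the application transaction counter (ATC), amount and merchant
    to the card key, so the result is only valid for this one payment."""
    msg = atc.to_bytes(4, "big") + amount_cents.to_bytes(8, "big") + merchant.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Issuer:
    """Issuer-side authorisation: verify the cryptogram and require a
    strictly increasing counter, which defeats replay of a captured message."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = -1

    def authorise(self, atc: int, amount_cents: int, merchant: str, cryptogram: bytes) -> bool:
        expected = make_cryptogram(self.key, atc, amount_cents, merchant)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # amount/merchant altered, or wrong key
        if atc <= self.last_atc:
            return False  # already-used transaction replayed
        self.last_atc = atc
        return True


class Wallet:
    """Device side: every payment increments the counter and signs afresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.atc = 0

    def pay(self, amount_cents: int, merchant: str):
        self.atc += 1
        return (self.atc, amount_cents, merchant,
                make_cryptogram(self.key, self.atc, amount_cents, merchant))


def demo():
    issuer, wallet = Issuer(CARD_KEY), Wallet(CARD_KEY)
    first = wallet.pay(1250, "bakery")
    accepted = issuer.authorise(*first)          # genuine payment
    replayed = issuer.authorise(*first)          # same message captured and resent
    atc, _, merchant, cg = first
    altered = issuer.authorise(atc, 9999, merchant, cg)  # cryptogram reused for a new amount
    next_ok = issuer.authorise(*wallet.pay(300, "supermarket"))
    return accepted, replayed, altered, next_ok
```

Contrast this with a card whose static number, expiry date and name are read out 1:1: those values verify just as well on the tenth use as on the first.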

While the risk described above falls mainly within the area of data protection, there are also attacks that directly target a customer’s smartphone or NFC-enabled credit card. A paper from 2019 shows that it is comparatively easy to use NFC to debit small amounts from smartphones or credit cards within the activated amount limits, without an additional PIN being entered.

An attacker only needs special software and an NFC antenna stronger than the one built into a standard smartphone or reader in order to carry out the attack from a greater distance (a few metres). The attack has the additional restriction that the device must be unlocked. According to Apple, Apple Pay always requires confirmation at the payment terminal by means of Face ID or by pressing a button twice. With Google Pay this confirmation is optional and can be switched on and off by the user.

Tips for secure contactless payment

If you want to protect yourself and still pay contactless or mobile, you should consider the following security measures:

  • Keep the software on your mobile device up to date. Regular updates reduce the risk of known security holes remaining open on your device or in the apps you use.
  • If your phone or card is lost, have the card blocked immediately.
  • Use a special wallet that blocks radio signals.
  • If you use Google Pay, protect every transaction by enabling confirmation with a fingerprint or PIN.
  • Consider switching off the NFC function: on Android devices this is done in the system settings, and for a card by calling your bank. Apple users currently cannot disable NFC on their device.

In our live hacking sessions and seminars (online or on-site) we address these risks and show you how to protect yourself.

Chris Wojzechowski

My name is Chris Wojzechowski and a few years ago I completed my Master’s degree in Internet Security in Gelsenkirchen. I am managing partner of AWARE7 GmbH, a trained IT Risk Manager and IT-Grundschutz Practitioner (TÜV), and hold the audit competence for § 8a BSIG. Our bread-and-butter business is carrying out penetration tests. Beyond that, we advocate a broad understanding of IT security in Europe and for this reason offer the majority of our products free of charge.