Stolen EMV cards can be used to make payments below the amount required for a PIN number, and stolen card details can possibly be registered with electronic wallets, Matthew Ngu, engineering manager with RSA, said Wednesday in a discussion on the security of contactless payment systems – including Apple Pay and Google Wallet – at the RSA Conference 2015 in San Francisco.
He added that data gleaned from chip cards can be transferred over to magnetic stripe cards, and went on to say that magnetic stripe cards should just be phased out altogether.
In the future, malware on an iPhone or Android device could be an issue – “I haven’t seen this yet, but it’s certainly a possibility,” Ngu said, adding that he has already seen instances of man-in-the-middle attacks against readers.
Could an attacker simply walk alongside someone and read an EMV card, possibly forcing random charges?
Ngu said it is possible, but that an attacker would have to be close. He explained that the EMV standard requires the card to be about an inch from the reader, and that amplifying the power could increase the distance to a “couple” of feet away.
“The thing to note about these contactless payment systems is that they’re not fraud proof,” said Ngu, who added, “but they are more secure than [magnetic] stripe-based systems.”
To improve security, merchants, banks, and processors should be using real-time authorization, monitoring usage patterns and using other fraud detection measures, and never be sending activated cards by mail. Consumers should protect their PINs, enable ‘locate my device’ features, and set limits on transactions.
For now, very few transactions are contactless, according to Chris Scott, senior software engineer with RSA, who joined Ngu on the dais. Scott, explaining that only 0.03 percent of transactions are EMV, said, “The usage is fairly low at the moment, but it’s picking up a bit, [particularly due to the introduction] of Apple Pay.”