CIO

Mobile payment security under scrutiny

Paying for goods using your smartphone is closer to becoming a reality, but how secure is it?
  • Sarah Putt (Computerworld New Zealand)
  • 10 April, 2013 22:32

Near Field Communications (NFC) enables the transfer of information stored on a customer's credit card or phone to a retailer's Eftpos terminal.

In New Zealand NFC is being embraced by Paymark and the three mobile telcos -- Vodafone, Telecom and 2degrees -- which are in the process of creating a special mobile payments platform called a Trusted Service Manager.

But how secure is NFC and what can we learn from contactless card payment systems already in the market?

University of Auckland honorary researcher Peter Gutmann says consumers have grounds to feel concerned about security. He observes that banks, which have already deployed NFC-type payment mechanisms through contactless credit cards, claim that electronic readers can only read credit card details within a very short distance, usually a few centimetres, and that this guards against the possibility of a person's credit card details being read without their knowledge.

"But wind up the power and use antennas that detect longer distances and the credit cards have no protection, no encryption whatsoever, the credit card number is there," he warns.

There have been some well-documented overseas experiments highlighting the dangers of contactless credit cards, most notably the work of Kristin Paget. And locally at Kiwicon 2011, NFC was a major topic of interest. Kyle Gibson, director of Wellington security consultancy Confide, told Computerworld last year that the idea of just "bumping" phones together or passing them over a point-of-sale scanner to transfer funds without even the protection of a PIN is worrying.

Gutmann says that at a recent conference in Australia, he rigged up a reader with a battery and as he walked around the crowded room it beeped every time it could detect a person's credit card information. He hastens to add that he had not enabled the reader to download the information -- merely to detect whether it was possible to do so.

"The thing is we don't know how secure it [NFC] would be," says Gutmann.

"The rule of thumb given by security companies is that once a new electronic service gets to 15 percent market share the bad guys start attacking it."

MasterCard country manager Albert Naffah denies that contactless payments are insecure.

He says that "electronic pickpocketing" is a "fallacy which is a story invented by 'security experts' who happen to be selling some sort of solution."

"The fact is that in markets such as Australia and Canada which have led the world in contactless payment adoption, average fraud levels have declined."

He emailed Computerworld a fact sheet from MasterCard regarding its PayPass contactless credit card service, which was first launched in New Zealand during the Rugby World Cup in 2011. The fact sheet claims contactless cards are at least as secure as other credit cards because:

  • The PayPass card never leaves your hand when you make a payment. It means you are in absolute control;
  • There are no accidental payments -- your card must be tapped against the reader at the checkout to work;
  • You also don't need to worry about being billed twice. Even if you tap more than once at the checkout, you'll only get billed once for the purchase;
  • And MasterCard's Zero Liability protection means cardholders are covered from the costs of unauthorised transactions.

But NFC and contactless payment technology also removes the mental barrier to spending money, Gutmann says.

"Academic studies have shown that the physical act of signing your name to something, for example when you write a cheque, provides a significant psychological barrier to overcome when spending money."

This barrier is slowly being eroded by the move, first to PINs on cards and now to the ubiquitous forms of contactless payment. Gutmann says that even having cash in your pocket -- in notes and coins -- is a physical representation of the amount consumers have, and so makes them hesitate to spend it.

The banks counter this by setting a nominal limit for contactless payments; a transaction over this amount requires a PIN. For the MasterCard PayPass card, the limit is set at $80.

In addition to being an expert in cryptography and security, Gutmann has a background in cognitive psychology. This combination of academic disciplines has prompted him to write a book -- the manuscript is currently with his publishers -- that examines the way systems are designed, not for ordinary users, but for the people that create them.

"Geeks have this nasty habit of designing technology which is really cool and works for them, but doesn't work for anyone else," Gutmann says.

He is also part of an international judging panel for a competition to develop a new password hash algorithm which would make it more difficult for hackers to break.

The intention is to raise the standard of password hashing in e-commerce. Gutmann says the reality is that passwords are inherently insecure, but they remain the best defence against hackers.

"To paraphrase Churchill [who was speaking about democracy as a form of government]: 'passwords are the worst form of authentication, except for all the others.'" Entries to the Password Hashing Competition (see www.password-hashing.net) close on January 31, 2014.
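As an added illustration (not from the article, nor an entry to the competition it describes), here is the kind of practice a stronger password hash is meant to replace: a fast, unsalted hash beside a salted, iterated key derivation from Python's standard library. PBKDF2 stands in here only as a pre-existing, widely available scheme; the record format and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak practice: one fast, unsalted hash. Equal passwords give equal digests,
# so precomputed tables work and each guess costs a single SHA-256 call.
def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Stronger practice: a random per-user salt plus a tunable iteration count.
# Constructed record format: "pbkdf2$<iterations>$<salt hex>$<digest hex>".
def hash_password(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2":
        return False  # unknown or malformed record: never accept it
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def relative_guess_cost(record: str) -> int:
    """Lower bound on the work per guess, in HMAC-SHA256 calls, versus one
    SHA-256 call for weak_hash(): it is simply the stored iteration count."""
    return int(record.split("$")[1])

if __name__ == "__main__":
    rec = hash_password("hunter2")  # constructed sample password
    print(rec)
    print(verify_password("hunter2", rec), verify_password("hunter3", rec))
    print("guess cost multiplier:", relative_guess_cost(rec))
```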