Contactless payment is on the rise. It works in seconds and is available at more and more locations. This is made possible by so-called Near Field Communication (NFC). This works with EC and credit cards, but also with mobile devices such as smartphones or intelligent watches.
Contactless is the new keyword
In Germany, too, there are signs of increased acceptance for mobile payment, not least because of Corona. Whether in the supermarket or at the bakery next door, due to the obligation to buy a receipt and to avoid contact, many stationary merchants are now also converting their payment system to mobile payment, either by EC and credit card or even by smartphone. The website of Stiftung Warentest test.de gives figures that show that since the start of the Corona crisis, contactless payment has risen to 50%. In December 2019 the figure was still at 35%.
Especially small amounts, usually under 25 EUR or 50 EUR, do not require an additional PIN entry. This means that payment can be made quickly and securely. The low signal strength of NFC also protects users from many, but not all, methods of misuse. We will explain further down in the blog post which risks remain.
There are two ways to pay contactless. Either directly by card or via the smartphone using an app. If the customer pays with the smartphone or another device, this is also called “mobile payment”. With Apple the function is called “Apple Pay” and with Android “Google Pay”. With Google you usually need an app from a third party provider, while with Apple everything comes from Apple. When paying, the mobile phone with the open app or the credit card is then held directly against the payment terminal and the payment is confirmed with a visual or acoustic signal.
Risks with contactless payment
A wireless credit card can, if criminals want it, be spied out by means of manipulated readers and can also be used for payment on the Internet, as the data is transferred 1:1, for example account number, expiry date and customer name. When credit cards are transferred to the smartphone, only encrypted copies that are only valid for the respective payment transaction are transferred.
While the risk described above tends to fall within the area of data protection, there are also attacks that could directly attack a customer’s smartphone or NFC-enabled credit card. A paper from 2019 shows that it is comparatively easy to use NFC to debit small amounts of money from smartphones or credit cards within the amount limits activated without entering an additional PIN.
An attacker only needs special software and an NFC antenna that is stronger than the one built into a standard smartphone or reader to carry out an attack at greater distances (a few meters). This attack has the additional restriction that the device must be unlocked. According to Apple, payment terminals at Apple Pay always require confirmation by means of FaceID or by pressing a button twice. With Google Pay this option is optional and can be activated and deactivated by users.
Tips for secure contactless payment
If you want to protect yourself and still want to pay contactless or mobile, you should consider the following security measures:
- Keep the software on your mobile device up-to-date. Regular updates reduce the risk of security holes being active on your device or the apps you use
- If your phone or card is lost, deactivate the card immediately
- Use a special wallet that blocks radio waves
- If you use Google Pay, protect each transaction and enable confirmation of a transaction with a fingerprint or PIN.
- Think about turning off the NFC feature, this can be done on Android devices in the system settings and with a phone call to the bank. Apple users cannot currently disable NFC on your device
In our live hackings and seminars (online or on-site) we address these risks and show you how to protect yourself.