By: Krista V. | Cyber Threat Intelligence Analyst, NJCCIC
The United States is in the midst of the biggest transition in payment technology in several decades, as alternatives emerge to replace the magnetic stripe "swipe and sign" process used since the 1970s. Because the stripe carries static track data that can be copied and replayed, and because the U.S. relied on it for so long, the U.S. accounts for nearly half of the world's credit card fraud despite handling only about a quarter of global card transactions. More secure payment methods were clearly needed, and several are now underway. October 1, 2015 marked the EMV (Europay, Mastercard, and Visa) liability shift, after which the party that has not adopted chip technology, whether the card issuer or the merchant, bears the cost of counterfeit card fraud; meanwhile, mobile Near-Field Communication (NFC) payment options are now available to millions of smartphone users throughout the country. EMV chip cards generate a unique cryptogram for every transaction, and mobile NFC wallets add tokenization on top of that; both are considered far more secure than the magnetic stripe. These technologies do not improve the security of online or other 'card-not-present' transactions (fraud tends to migrate there once counterfeit cards stop working, as it did in Europe), but they are a promising step toward reducing the impact of financial fraud in the U.S.
EMV chip cards, often referred to as Chip-and-PIN cards (though most U.S. issuers have opted for chip-and-signature), have been in use in Europe for over a decade but were only recently rolled out in the U.S. marketplace. The major reason for the switch: security. The chip computes a unique cryptogram for each transaction, a message authentication code over the transaction details (amount, a transaction counter, a random number supplied by the terminal) using a key that never leaves the chip. The card number is still read by the merchant's point-of-sale (PoS) terminal, but the cryptogram is single-use: a criminal who captures the transaction data cannot replay it, cannot alter the amount, and cannot produce a counterfeit chip card without the key. The chip's copy of the track data also carries a different card verification value (the iCVV) from the one on the stripe, so data captured from a chip transaction is not enough to write a working magnetic stripe clone. Consumers use EMV cards by inserting them in the dedicated slot on the PoS terminal rather than swiping, though many retailers throughout the country have yet to upgrade or enable the EMV features on their terminals. If a card is also NFC-equipped, the user can hold it over the designated area on the terminal, which reads the card data over the contactless interface.
Near-Field Communication (NFC) is an open-platform technology that uses a low-power, bi-directional communication protocol for the wireless exchange of information between two compatible devices in close proximity. NFC builds on Radio-Frequency Identification (RFID): it operates at 13.56 MHz, has a working range of a few centimeters, and, unlike a plain RFID tag, supports two-way exchanges in which either device can initiate. It covers a short-range subset of what Bluetooth LE does, with far less power and no pairing step. In addition to payment services, NFC can be used in a number of other ways, such as automating tasks, retrieving information, verifying identities, and sharing information between two NFC-enabled devices.
How NFC Payments Work
Working in the cybersecurity or intelligence fields can make someone slightly paranoid (or more secure, depending on how you look at it), which is why the idea of paying for groceries through a wireless, contactless transaction can seem like more of a security risk than a convenience. However, once you get past the unfamiliarity and look at the actual process, it becomes clear that NFC payments are a more secure alternative to swiping a magnetic stripe through a PoS terminal.
To pay with NFC, customers hold their NFC-equipped card or NFC-enabled mobile device within a few centimeters of the NFC-compatible PoS terminal. The terminal and the card (or the secure element in the phone) then run an abbreviated EMV exchange over the radio link: the terminal sends the transaction details and a random challenge, and the card or device answers with its account credential and a cryptogram computed over those details with a key the terminal never sees. For higher-value purchases the terminal may also request cardholder verification, typically a personal identification number (PIN) entered on the terminal, while mobile wallets verify the cardholder on the device itself (fingerprint or passcode) before the credential is released at all. That on-device verification, together with the very short radio range and the fact that the terminal must be actively waiting for a payment, is what protects the user from inadvertently paying simply by being near a reader.
Consumers rely on the payment services to employ sound security architecture principles, such as shielding card account numbers from merchants and securing the provisioning of the account holder's credentials from the bank to the mobile device. Each bank verifies account information slightly differently during enrollment, and so each carries a different level of risk: a bank that verifies the cardholder before provisioning a card to a phone, for example with multi-factor authentication, better protects its customers against someone enrolling a stolen card number in a wallet of their own. Providers continue to add security measures to make NFC payments safer. EMV cryptograms secure contactless transactions just as they do contact chip transactions: the card data is authenticated by the chip at the moment of the transaction rather than read as static data. Despite some concerns, NFC payment is still widely considered more secure than the magnetic stripe. With tokenized mobile wallets the merchant never receives the real card number at all; it sees a device-specific token plus a cryptogram that is unique to each transaction, so there is nothing worth storing.
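To make the two mechanisms above concrete, here is an added Python sketch of a per-transaction cryptogram and of network tokenization. It is not code from the original article or from any payment network. It assumes an HMAC-SHA256 MAC in place of the 3DES/AES session keys real EMV cards use, a hypothetical in-memory token vault, and a constructed test PAN; the shape of the exchange, not the exact field encoding, is the point.

```python
"""Simplified model of an EMV-style per-transaction cryptogram (captured data
cannot be replayed or re-used for a different amount) and of network
tokenization (the merchant never sees the real PAN).  Constructed illustration:
real EMV derives 3DES/AES session keys per the EMV specifications, not
HMAC-SHA256, and the real message encodings differ."""
import hashlib
import hmac
import secrets

MASTER_KEY = secrets.token_bytes(32)  # assumption: held in the issuer/network HSM


def credential_key(credential: str) -> bytes:
    """Per-credential key diversified from the master key (simplified)."""
    return hmac.new(MASTER_KEY, credential.encode(), hashlib.sha256).digest()


def application_cryptogram(credential: str, atc: int, amount_cents: int, un: bytes) -> bytes:
    """MAC over the transaction data: binds credential, transaction counter,
    amount and the terminal's unpredictable number so none can be altered."""
    data = credential.encode() + atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + un
    return hmac.new(credential_key(credential), data, hashlib.sha256).digest()[:8]


class SecureElement:
    """Chip on a plastic card, or the secure element behind a mobile wallet.
    Holds a credential (real PAN for a card, device token for a wallet) and a
    key that never leaves it."""

    def __init__(self, credential: str):
        self.credential = credential
        self.atc = 0  # Application Transaction Counter, incremented on every tap

    def tap(self, amount_cents: int, terminal_un: bytes) -> dict:
        self.atc += 1
        return {"credential": self.credential, "atc": self.atc, "amount": amount_cents,
                "un": terminal_un,
                "ac": application_cryptogram(self.credential, self.atc, amount_cents, terminal_un)}


class TokenVault:
    """Hypothetical network token service: maps device tokens to the real PAN."""

    def __init__(self):
        self._pan_by_token = {}

    def provision(self, pan: str) -> str:
        token = "".join(str(secrets.randbelow(10)) for _ in range(16))
        self._pan_by_token[token] = pan
        return token

    def resolve(self, credential: str) -> str:
        return self._pan_by_token.get(credential, credential)


class Issuer:
    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.last_atc = {}  # highest ATC seen per credential

    def authorize(self, msg: dict) -> str:
        cred = msg["credential"]
        expected = application_cryptogram(cred, msg["atc"], msg["amount"], msg["un"])
        if not hmac.compare_digest(expected, msg["ac"]):
            return "DECLINE: cryptogram mismatch"  # forged, or amount/fields altered
        if msg["atc"] <= self.last_atc.get(cred, 0):
            return "DECLINE: ATC not increasing"   # replay of a captured tap
        self.last_atc[cred] = msg["atc"]
        pan = self.vault.resolve(cred)             # real PAN is recovered only here
        return f"APPROVE ...{pan[-4:]}"


def run_scenarios() -> dict:
    """One legitimate tap, then what a skimmer sitting on the terminal could try."""
    vault = TokenVault()
    issuer = Issuer(vault)
    real_pan = "4111111111111111"                      # constructed test PAN
    wallet = SecureElement(vault.provision(real_pan))  # wallet holds the token only
    msg = wallet.tap(1999, secrets.token_bytes(4))     # $19.99 at a real terminal
    return {
        "merchant_sees_real_pan": msg["credential"] == real_pan,
        "legit": issuer.authorize(msg),
        "replay": issuer.authorize(msg),                                      # resend as captured
        "tamper": issuer.authorize(dict(msg, amount=99999)),                  # change the amount
        "forge": issuer.authorize(dict(msg, atc=99, ac=secrets.token_bytes(8))),  # no key
        "next_tap": issuer.authorize(wallet.tap(500, secrets.token_bytes(4))),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>22}: {outcome}")
```

The replay and tamper cases are exactly what a magnetic stripe cannot defend against: stripe track data is the same on every swipe, so a skimmer's copy is as good as the card. Here the captured message is rejected because the counter has already been used, and any change to the amount breaks the cryptogram.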
A common consumer concern with NFC payment technology is that card data could be read or intercepted by another device without the cardholder's knowledge. Reading an RFID- or NFC-equipped card requires close proximity (typically within ten centimeters), and because a contactless EMV card yields only the card number and a single-use cryptogram rather than reusable track data, security professionals largely dismiss drive-by skimming as a practical attack method. Users who want additional protection can carry their cards in RFID/NFC-blocking sleeves or wallets. It is also recommended that users secure their mobile devices against remote and physical compromise with a screen lock and Full Disk Encryption, since the device, not the radio link, is the more valuable target.
Mobile NFC Payment Options
Apple launched Apple Pay in October 2014. Users add credit or debit cards to the "Wallet" app and complete transactions by holding their Apple device near the contactless reader while verifying their fingerprint with the Touch ID sensor. The real card number is never stored on the device; instead a device-specific account number (a token) is stored in the device's secure element, and each payment carries a one-time cryptogram. On the Apple Watch, the consumer simply double-clicks the side button and holds the display of the watch to the contactless reader; a tap and a beep confirm that the payment was sent. Should the Apple device ever be lost or stolen, the user can put it into "Lost Mode," which suspends Apple Pay, and can optionally erase all data from the device remotely. The user can also manage which cards are available for payment through their iCloud account.
Samsung Pay is the most recent mobile payment option to launch in the U.S. and works slightly differently from Apple Pay. Launched at the end of September, Samsung Pay works not only with NFC terminals but, Samsung claims, with approximately 80 percent of existing PoS systems in the U.S., including terminals without NFC. It does this with a technology called Magnetic Secure Transmission (MST), developed by LoopPay*, in which the phone emits a magnetic field that a conventional swipe reader accepts as if a card had been swiped. To pay, the user opens the Samsung "tap-to-pay" application, authenticates with a PIN or fingerprint, and holds the phone against the reader, whether NFC or magnetic. As with other current mobile NFC wallets, the card credential is tokenized and each transaction carries a one-time code, adding another layer of security. If the device is lost or stolen, consumers can use the Find My Mobile feature to locate, lock, and/or remotely wipe it.
*Note: Hackers, reportedly based in China, are alleged to have targeted LoopPay and breached its computer systems in February 2015, possibly attempting to gain information about, and access to, the MST technology. Following news of the report, Samsung's chief privacy officer stated, "Samsung Pay was not impacted and at no point was any personal payment information at risk. This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network."
On September 10th, Google launched Android Pay, a rebranded successor to Google Wallet. Like Apple's and Samsung's systems, Android Pay uses tokenization, sending a device-specific token and a one-time code between the Android device and the PoS terminal so that the customer's real card number is never transmitted. If a phone holding the payment credentials is ever lost or stolen, Android Device Manager can instantly lock the device, secure it with a new password, or wipe it of personal information. Android Pay is widely accepted and is supported by three of the four major card networks, adding a level of convenience for its users. Some participating merchants even apply loyalty points and offers automatically at checkout.
Change is Good
As these new technologies are adopted and the volume of daily transactions slowly shifts from the magnetic stripe to EMV and NFC, we fully anticipate reports of new vulnerabilities discovered by researchers, of tactics cybercriminals use to try to compromise user data, and of fraud migrating toward the card-not-present channels these technologies do not protect. However, despite some security concerns and shortcomings, these new payment options are a marked improvement over the existing infrastructure and, if universally adopted, can significantly reduce the risk to consumers and businesses.