June 20, 2005

How Safe Are the New Contactless Payment Systems?

As the retail industry starts to embrace contactless payment in a big way—led by $41 billion retailer 7-Eleven and Chase, the nation's largest issuer of credit cards—arguments are renewing about just how safe and fraud-proof these cards will be.

Contactless advocates have argued that current contactless readers can only "see" the RF chip when it's two inches away, making unauthorized scanning for customer data quite difficult.

That two-inch argument was touted recently by 7-Eleven CIO Keith Morrow, who pointed to it as a key anti-fraud fact.

That distance varies sharply, though, depending on the equipment used to do the testing.

Shell Canada, for example, performed some of its contactless testing using the high-powered antennae that it believed thieves would use, said Mike Cooper, the $2.4 billion Canadian petroleum giant's adviser for network development engineering.

The kind of low-frequency tags popular in the United States "we could read at a distance of 10 meters," which is about 33 feet, Cooper said.

He contrasted those with the high-frequency tags used by Shell Canada, which he said could be read—with that same high-powered antennae—from about 26 inches away.

Retailers are facing strict new credit card security requirements at the end of this month, from Visa and others. To read more, click here.

The high-frequency tags "can be read from a shorter distance, so it's more difficult to snoop," Cooper said.

Chase officials disagree with the distance issue, but referred questions to Visa, one of its contactless card partners.

But Chase officials did say that the distance argument is irrelevant for their cards and customers because of several security measures—including 128-bit and triple DES encryption—that would make any improperly captured data useless.

"Even if you could skim it, with every transaction, the [authorization] code changes and that code is needed for an authorization," said David Chamberlin, first vice president for external communications at Chase Card Services.

Read the full article on CIO Insight

Posted by keefner at June 20, 2005 07:09 PM