Safe as houses?

BANKING TECHNOLOGY: CARD PAYMENTS are about to get quicker and easier for Irish consumers and retailers alike, but will the arrival of contactless payments put your hard-earned cash at risk?

The debit card in your wallet will soon have an RFID chip inside it, with both AIB and Bank of Ireland changing over to the new cards from this year.

RFID, which stands for radio frequency identification, is a contactless technology that is already in use across Europe and the US. The technology works through small chips that are activated by an external electrical power source that creates enough conductive power in the antenna to make the chip respond.

In the case of card payments, the retailer’s terminal activates the chip, and any information exchanged between the two devices is encrypted.

This isn’t the first time Irish consumers will get their hands on the contactless technology. Commuters already have RFID in their wallets, with smart cards used on public transport systems such as the Luas, and in passports. But although the technology has been around for several years, it is only in 2012 that Irish shoppers will be asked to entrust their bank accounts to it in any great numbers.

The arrival of RFID in Irish banks brings many benefits. It’s simple and fast to use, convenient for retailers and consumers and, according to card services providers, secure.

The technology is aimed at small payments, typically under €20, opening up retailers and businesses that usually didn’t accept cards for such payments to the new technology, such as cafes, entertainment, taxis and even vending machines.

The card can even be used without having to remove it from your wallet. Consumers simply hold their wallet up to a retailer’s terminal to register the payment, meaning no one handles the card. Simply tap and pay, and you are ready to walk away from the till in seconds.

“There is a bit of mystique, of course, it’s something new that a lot of people haven’t tried before,” says Lewis Nolan, vice president of market development with Visa Europe’s contactless division. “What we’ve found is once people have carried out an initial transaction, or seen it working, it demystifies quite quickly.”

New technology is often viewed with suspicion. When the idea of chip and pin cards was first mooted, concerns were raised about security and the possibility of fraud due to the absence of signatures.

Inevitably, similar concerns have been raised about the new generation of contactless cards. Although you no longer run the risk of someone spying your debit card number at the till, the new cards bring with them new concerns.

At present, cardholders have what is known as two-factor authentication: something you have (the card) and something you know (the PIN). With contactless cards, you won’t always need a PIN for transactions under a certain value.

There are a few precautions that have been put in place to protect consumers against fraud.

After a certain number or value of transactions, a PIN will be requested. Security checks can be random too. So even if someone does pick up your card, it’s unlikely they would be able to charge much to it before the PIN authentication is required, rendering it almost useless.
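
The counter logic described above, sketched as an added example (it is not code from any bank or card scheme). The €20 per-tap limit follows the article's "typically under €20"; the tap-count and cumulative-value limits are assumed values, and the random checks are left out so the result is deterministic.

```python
from dataclasses import dataclass
from decimal import Decimal

PER_TAP_LIMIT = Decimal("20.00")          # article: "typically under EUR 20"
MAX_TAPS_WITHOUT_PIN = 5                  # assumed value, not from the article
MAX_VALUE_WITHOUT_PIN = Decimal("60.00")  # assumed value, not from the article


@dataclass
class ContactlessCard:
    """Tracks contactless use since the last successful PIN entry."""
    taps_since_pin: int = 0
    value_since_pin: Decimal = Decimal("0")

    def decide(self, amount):
        """Return 'TAP_OK' or 'PIN_REQUIRED' for a proposed payment."""
        if amount > PER_TAP_LIMIT:
            return "PIN_REQUIRED"
        if self.taps_since_pin + 1 > MAX_TAPS_WITHOUT_PIN:
            return "PIN_REQUIRED"
        if self.value_since_pin + amount > MAX_VALUE_WITHOUT_PIN:
            return "PIN_REQUIRED"
        return "TAP_OK"

    def pay(self, amount, pin_ok=False):
        """Apply a payment and return True if it is accepted."""
        amount = Decimal(amount)
        if self.decide(amount) == "PIN_REQUIRED":
            if not pin_ok:
                return False  # someone holding a found card is stopped here
            # A verified PIN resets both counters.
            self.taps_since_pin = 0
            self.value_since_pin = Decimal("0")
            return True
        self.taps_since_pin += 1
        self.value_since_pin += amount
        return True


def exposure_without_pin(amounts):
    """Total value accepted from a series of taps made without the PIN."""
    card = ContactlessCard()
    total = Decimal("0")
    for amount in amounts:
        if card.pay(amount):
            total += Decimal(amount)
    return total
```

With these assumed limits, twenty attempted taps of €19.99 on a found card yield €59.97 before every further tap is refused, which is the bounded loss the paragraph above describes.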

The security of the transmissions from the card is also a concern for users. There are many stories online alerting people to the possibility their cards may be cloned by someone simply standing a few yards away from them, using cheap equipment and a little technical know-how.

However, experts say it’s rare for these transmissions to be intercepted in any meaningful way.

Transactions are encrypted, and retailers who sign up to take the payments are subjected to the same checks that are in place for chip and pin cards.

The cards also have a reasonably short range.

“The contactless technology works within a very close proximity, so people should not be concerned their card details can be captured by someone just walking by them,” says Una Dillon, head of card services and payments with the Irish Payment Services Organisation (Ipso).

“The individual should need to be within approximately 15mm of the card. There are millions of RFID cards already operating in the UK since 2007 and no noticeable security issues have arisen in this respect.”

Visa insists its security is robust enough to withstand attacks by malicious users, intent on getting their hands on your card details. About 25 million cards are in use in Europe as of 2011, with millions of transactions taking place, and according to Nolan, there have been no reports of any widespread problems.

“To be able to decrypt the message, you have to have a Visa-approved terminal,” he says.

That doesn’t mean RFID hasn’t been compromised in the past. In 2008, the system used for authenticating British Oyster travel cards was hacked and the details were published online. Although the payments firms are continually examining security, so too are the hackers.

“Cloning is technically possible on NFC,” said Conor Flynn, founder and security principal of Information Security Assurance Services (IFAS). “But a lot of the integrity is down to the implementation of the bank or payment organisation.”

There have been reports of a cheap reader from eBay being used to lift card details, including the number, name and expiry date, from unsuspecting users by passing close to them. However, Mastercard’s contactless cards, which use PayPass technology, do not transmit the name, sending only the card number and expiry date over the air, along with a unique security code for each transaction.

According to Visa, the information contained in its cards is also limited.

“The data that flows in a contactless card transaction is more limited than in a full chip and pin transaction,” says Nolan. “There isn’t enough data to recreate a clone of the card or to go online and to be able to provide enough detail and information to carry out an ecommerce transaction.”

The decision to limit the “tap and go” transactions to smaller figures also makes it less lucrative for potential fraudsters to steal the information from a single card.

Nolan says there is no need to treat the card differently from your existing chip and pin card in terms of where you store it. If you’re not quite convinced, there are a number of companies offering RFID shielding wallets, which use metal lining to create a mini Faraday cage for your cards and stop the chip being activated.

Consumers can also help the process by being more aware of the cards they carry, and, according to Flynn, treating them like cash.

“People should consider the device as the equivalent of cash,” he said. “If you use your device and don’t have to provide a PIN, someone can spend money. That’s a big risk.”

There’s also the additional risk that consumers may not pick out a fake payment among the genuine ones, as the transaction limits are low.

Should your card be compromised, however, the new cards to be issued to Irish customers will have the same protections as current cards.

Ciara O'Brien

Ciara O'Brien is an Irish Times business and technology journalist