+5 votes
101 views
in security by (242k points)
reopened
Contactless payment - how high is the security?

1 Answer

+3 votes
by (1.6m points)
 
Best answer

How does contactless payment work?
How secure is contactless payment?
What safety precautions can you take?

Pay contactless with card or smartphone via NFC - In addition to convenience, there are also security concerns. Right?

image image

Image: <span> Jacob Lund / Shutterstock </span>

Thanks to smartphones and various banking apps or modern EC cards, you as a customer can now easily pay for your purchase in the supermarket without contact. Thanks to NFC technology, payments can be made in seconds without any cash. It's convenient, but how secure is contactless payment and is your personal data protected from third parties?

How does contactless payment work?

Contactless payment works using near field communication - better known as NFC - which in German means near field communication . If your card, smartphone or even your smartwatch comes within a few centimeters of a reader, the data is transmitted in encrypted form. This confirms the payment contactless. As a rule, payments of up to 25 or 50 euros (EC card or credit card) can be made without entering a PIN. You can recognize NFC-enabled credit or debit cards by the radio symbol. The technology is based on RFID ( R adio F requency Id entification), a technique for identifying electromagnetic waves..

image
Image: Shutterstock / Pressmaster

To make contactless payments as a customer in the shop with your mobile phone, you have to use an app such as Google Pay or Apple Pay. For more information about what NFC is, read our tips + tricks article about it. Contrary to the concern that incorrect or double amounts may be debited, we can reassure you. Contactless payment is reliable. On the other hand, there are manipulated devices that can read your data. Read what this is all about and how you can protect yourself against it in the next sections.

How secure is contactless payment?

NFC is now a standard that is often used in our digital everyday life. Safety concerns arise time and again. We have put together answers to the mandatory security risks of contactless payment for you:

Can third parties use manipulated readers to make a payment from a cell phone or a card from a pocket or handbag?

In theory, you can read data from your debit card or smartphone with a manipulated reader. With devices in public or in the dense crowd in the pedestrian zone - theoretically there is a risk that third parties can illegally debit amounts. In practice, however, this is offset by the following: The perpetrator would have to come very close to you (the distance must be four centimeters or less) and know that you even have NFC-enabled cards. Your device should also be unlocked and the payment app open. The effort here is greater than the money ultimately stolen - a simple cost-benefit calculation. Therefore, this type of theft has rarely occurred in practice - despite the fear that has been conveyed in some cases by the media.

Should the perpetrator still be able to make a debit from a smartphone or card, the debits can be digitally tracked using an ID. Another security protection for you: Girocard payments by smartphone can only be transferred to German business accounts. It is unlikely that perpetrators would be able to create an account in a false name for this effort without verification.

Tip: If you are interested in how the theft would work in theory, we recommend the following c't article including a video: It's that easy to fish for money with contactless payments..

Can criminals read the card data using a manipulated reader and then use it in online shops?

The short answer: no. If you save your credit card in a payment app, the original card number is not saved on the smartphone.
Therefore, someone cannot read the real data from your Visa or Mastercard with a manipulated reader. During the payment process, a so-called token and "Single Use Key" (Mastercard) or "Limited Use Key" (Visa) are transmitted from your smartphone to the terminal . The token is a kind of pseudo credit card number.

During payment processing, the payment network and your bank check tokens and use keys and assign them to your "real" card and person. If the information is correct, the seller receives approval and a transaction ID. If a criminal now reads your token, he cannot use it to pay in online shops. He also lacks your name. So you don't have to worry about third parties reading your card data.

My smartphone was stolen, what should I do?

Your speed of action is required here: Call your bank and have the stolen cards blocked. At German banks this is almost always possible via the free number (+49) 116 116 of the Sperr-Notruf eV. If you have lost your card and your smartphone is still at hand, the cards can usually be blocked directly via your banking app.

If the criminal opens the payment app (which is also usually PIN-protected), he or she will receive at most the last four digits from your credit card without the CVC or CVV number. If he sees the IBAN of your Girocard, however, this only enables him to make a direct debit, which can be booked back.

Can double bookings be made?

As soon as the transaction has been successfully completed on the payment terminal, the merchant would first have to activate a new transaction. To do this, you would have to hold your smartphone or card up to the reader again. A double booking is therefore not possible..

What safety precautions can you take?

If you want to save data, cash is still the best option. When paying with the card, however, there is considerably less data than when paying with Apple Pay or Google Pay, for example. You should always be aware that you are providing the providers of these services with data about your shopping behavior.

If you are concerned about your personal data being stolen, we have the following tips for you:

  • Inform your bank that you want to deactivate contactless payment. If necessary, justify this and ask for a new card that is not NFC-capable.
  • If not required, deactivate the NFC function on your smartphone. It is no longer possible for your data to be read out contactlessly via a manipulated device.
  • Get special RFID blocking covers or wallets that prevent your data from being read by unauthorized third parties.

...