Contactless Card Issues Facts or Fiction? Dave Birch 17/10/2013


1 Contactless Card Issues Facts or Fiction? Dave Birch 17/10/2013

2 Agenda
- Consult Hyperion
- Contactless in the press
  - Why now?
  - What is being reported?
- Facts or Fiction?
  - Payment data theft
  - Distant transactions
  - Multiple charges
  - TfL Oyster / EMV
- Summary

3 Introduction to Consult Hyperion
Consult Hyperion has helped some of the world's leading organisations to make the right technical and commercial choices within and around EMV, mobile, contactless and NFC-enabled payments and transit ticketing.
Consult Hyperion acts as the Client's Friend, adding product strategy, technical, regulatory, compliance and information security expertise into project teams within organisations considering deploying innovative new payment or identity services.

4 Consult Hyperion References: Our Customers & Projects
- TfL Future Ticketing Strategy: Enabling EMV payments in London transport
- Successful EMV Projects: Deep involvement in EMV migration programs, ensuring successful product and system launch.
- EMV Payment Schemes: Technical authoring and consultancy on EMV payment specifications, strategy, training & certification requirements.
- EMV in Canada: In depth technical consultancy and specification development for contactless mobile & certification.


6 Contactless Issues Facts or Fiction?: Why now?
- Launched August 2007
- Significant increase Q Q
- m cards 35m/month
[Chart: Contactless Transactions Per Month. Contactless Transactions Acquired within the month, by Debit Card and Credit/Charge Card. Figures: UK Cards Association]

7 Contactless Issues Facts or Fiction?: What is being reported?
- Double charging
- Phantom charges
- Vulnerable to crime
- Fraud
- Hacked by mobile
- Exploit by mobile
- Distance charging
- Is contactless safe?


9 Contactless Issues Facts or Fiction?: Payment data theft
Can you read someone's card without their knowledge?
- What can you do?
  - Perform an EMV transaction
  - Read card data
- What data?
  - PAN, Expiry date
  - Cardholder Name?
- What can you do?
  - Can't perform face to face payments
  - Can't create a magstripe card
  - Make online payments?

10 Contactless Issues Facts or Fiction?: Payment data theft
Can you read cardholder name?
- American Express
- MasterCard
- Visa
- Cards issued before 2013

11 Contactless Issues Facts or Fiction?: Payment data theft
How easy is it to obtain the card data?
- Risk v Reward
- NFC phones not great readers
- Twitter is easier
Photo: Daily Mail

12 Contactless Issues Facts or Fiction?: Distant transactions
- It read my card from 1m away
  - Not possible: physics
- Bigger antenna?
  - Not practical
  - Dangerous

13 Contactless Issues Facts or Fiction?: Distant transactions
What is the practical range for a reader?
- Let's ask Marvin
- 7cm in ideal conditions

14 Contactless Issues Facts or Fiction?: Multiple charges
Can merchant readers double charge?
- Extensive testing
  - In field
  - In Hyperlab
  - No evidence
  - Education & training?
- Firing both contact & contactless interfaces
  - Both payment kernels activate
  - Only contact transaction submitted

15 Contactless Issues Facts or Fiction?: TfL Oyster / EMV
Do London buses take Oyster or EMV?
- Both
- Readers prioritise Oyster
- Occasionally EMV card is taken
Keep Oyster & Payment cards separate


17 Contactless Issues Facts or Fiction?: Summary
- Unauthorised reading from a mobile phone is possible
  - Range is short
  - Data read could be used on certain online sites
  - Cardholder name can no longer be read from contactless
- Readers in stores do not read cards from a distance
  - <7cm
- Readers in stores do not double charge
  - Education and training needs to be improved
- TfL readers can use EMV instead of Oyster

18 For Further Information
Thank you for your attention. For more information please contact: Consult
Tomorrow's Transactions: Thought leadership from Consult Hyperion browse comment chyp.com/media/blog listen