NXP Semiconductors has developed a touch sensor that can be built into contactless payment cards and passports to prevent their details being read or payments taken without the user’s active permission.
Payment cards and passports that support the near-field communications (NFC) protocol are normally used with scanners that require the chip to be within touching range. Earlier this year, ViaForensics demonstrated that it was possible to read account numbers and personal details held on contactless payment cards simply by getting a mobile scanner close to owners’ pockets.
High-power scanners can potentially read the details on cards at a range of a few metres. Since the introduction of passports that include embedded chips, a market has sprung up in metal-shielded wallets that vendors claim will stop the holder’s details from being read surreptitiously.
NXP engineers built a capacitive touch sensor, similar to those now commonplace in mobile phones, into prototypes of a plastic payment card that uses the company’s contactless chips. Patrick Niessen, system architect at NXP, said in the technology’s most basic form “you need to swipe the top of the card while it is sitting on the reader and it will only make a transaction after you have done that”.
The sensor can detect more complex gestures than swipes, either using them as codes to unlock the card or reading successive letter and number shapes as a PIN code. “Inside, it looks like a matrix of pads but it’s not like a keypad. It has very accurate resolution and the technology is powerful enough to do handwriting recognition. If my PIN is 1234, it will recognise that but also the way in which I write it.”
Arne Burghardt, system engineer at NXP, says embedding a capacitive touch sensor inside a cheap plastic card presented challenges such as a floating ground, which makes it harder for the sensor to detect the change in capacitance as the user’s finger approaches the sensor. The current version works with a standard contactless scanner that can provide enough power for both the sensor and the embedded security chip. “Nevertheless, we are continuing development to allow use with an NFC-enabled smartphone so you can authorise payments from the phone,” said Burghardt.
Niessen said the technology could also protect conventional payment cards that rely on PINs: “There was an issue in Germany where they introduced a banking-card reader for PCs. The problem was that you had to enter your PIN on the PC. If you have to type your PIN on an insecure device then the system is broken. By having the capacitive touch sensor on the card itself, the PIN code need only be stored within the card itself – it need never leave the card. Only I know the code and only I can do the transaction.”