Hackers can intercept data transmitted between contactless cards and payment terminals using easily available and portable electronic devices, a study of Surrey University researchers has found.
Focusing on the currently prevailing Near Field Communication (NFC) standards, used in most modern payment cards, the researchers have found that especially in crowded supermarkets, contactless data transmission is vulnerable to be intercepted by determined individuals. All that is required is a simple antenna, an off-the-shelf receiver and a laptop equipped with a digital acquisition card.
“In this study, we have proved what researchers have been talking about for some time – that contactless design in itself is by no means a security feature,” said Johann Briffa, the lead researcher of a study published in the latest issue of the Institution of Engineering and Technology’s Journal of Engineering.
“Despite the fact that the NFC standard officially requires about five centimetres, we have managed to receive the same information as the terminal at the distance of 50 to 60 centimetres.”
Although the reliability of the interception decreases with the distance, in the 50 - 60cm range, almost 100 per cent of the eavesdropping attempts performed by the researchers were successful. Even more disconcerting, however, is the fact that the equipment the team used was far from advanced.
“We haven’t used anything that is extremely sophisticated or extremely expensive,” said Briffa. “For example the receiver that we have basically fits into a rather small box.”
The receiver, comfortably hidden in a backpack, could be connected to a simple loop of wire, a small metallic cylinder or even to a cage of a shopping trolley that functions as an antenna intercepting the data without raising any suspicion.
It has been the first time such simple equipment has been used in a study focusing on vulnerabilities of NFC and the team hopes the results will stir the debate about the vulnerability of the popular standard and encourage application designers to delve into the security aspects of the technology.
“With banks routinely issuing contactless payment cards to customers, there is a need to raise awareness of the potential security threats,” said Eleanor Gendle, IET Managing Editor at The Journal of Engineering. “It will be interesting to see further research in this area and ascertain the implications for users of contactless technology with regards to theft, fraud and liability.”
Currently, some 23 million contactless cards are in use in the UK alone. The NFC standard is also frequently used by smartphones for short range radio communication.
As this method of stealing private data attacks in the moment when the device needs to be in use, there is little an individual user can do to protect himself.
“When the card is not at use, for example if it’s an NFC enabled mobile phone, one thing that can be done is to switch the NFC off until it’s actually needed,” Briffa said. “In the case of cards, there exist wallets that act as faraday cages and shield the device against the transmission, however, none of these would help in our setting,” he concluded.