
Friday, December 17, 2010

Smart Cards: Do the benefits of contactless smart cards outweigh the risks? Part 2



Convenient. Fast. Secure.

These are the exact words that best describe the latest smart card innovations from credit card companies. For many of us, this is nothing new; in fact, some of you may wonder why these RF miniatures in your cards are being advertised as secure, despite the truth to the contrary.

When magnetic stripe cards were first introduced, credit card issuers assured cardholders that they were convenient, fast, and secure. This was despite the millions and millions of credit cards that have been hacked and the sensitive data that has been compromised since their introduction more than 50 years ago. When contact chip cards were introduced, the same security and privacy issues were reported and the same slogan was used: Convenient. Fast. Secure. Now that we have this latest generation of contactless credit cards, what will credit card companies have to say this time?

There is no need to play devil's advocate, because everybody knows, or at least many of us know, that there have been security issues associated with the use of credit cards regardless of their state-of-the-art technologies. But that is technology; it is neutral. Sometimes we have to face the fact that we utilize what technology offers us, and it is up to us to protect our own identity. So, in the interest of newer cardholders, I will list some benefits of RF-enabled contactless credit cards according to credit card companies, and the potential security risks that go with them. Then you decide.

Convenience.
Why wait in line to pay a cashier when you can check out yourself faster? Likewise, why cope with swiping, signing and entering numbers if you can just wave and go? This is probably the best argument for using a contactless credit card, and I won't even argue with it.

This swipeless technology doesn't have to be limited to the form of a traditional card. Many card issuers are making contactless technology available in other forms, such as mini cards, stickers that can adhere to mobile phones, or chips the size of a SIM card. They also come in fobs that can be used without searching through one's wallet or purse. Now you can even process a contactless transaction using your smartphone.

Image: iPhone turns contactless credit card. Image courtesy of Mobile Crunch.

Faster Transaction.
Under a normal transaction process, a contactless transaction is relatively faster than other payment methods. Consumers and cardholders prefer shopping at stores that accept faster and more efficient payment methods. I mean, how many times have you been turned away from stores that only accept cash and not credit cards?
  • According to American Express, tests have shown that contactless transactions with its proprietary ExpressPay cards are 63 percent faster than cash transactions. 
  • Aite Group has also observed that "contactless payments are relatively faster than other forms of payment transactions; on average twice as fast as cash transactions." Here are the tender times, in seconds, for different payment modes:
    • Checks   64
    • Credit/Debit   48.4
    • PIN Debit   44.4
    • Cash   28.5
    • Biometrics   15.6
    • Contactless    12.5
  • According to Visa, the average tender times for the following transactions are:
    • The average cash transaction takes 34 seconds.
    • The average magnetic stripe credit card transaction takes 24 seconds.
    • The average contactless payment transaction takes 15 seconds, since there is no need to hand the card over to the cashier and there is no signature required for purchases under $25.
Although the American Express and Visa reports differ slightly, the conclusion is consistent: contactless is faster. Now, if we translate this speed and convenience in terms of non-monetary values, a significant reduction in transaction time can create the following benefits: increased revenue, improved customer service, and enhanced operational efficiency.


Secure Transaction.
Contactless credit cards implement one or more industry-standard cryptographic algorithms, such as AES, 3DES, RSA and ECC. These form the core standards of data encryption. Experts also say that a contactless card can verify that the reader is authentic prior to any transaction. When making an online purchase, smart cards utilize SSL cryptographic protocols to establish an encrypted link between a web server and a browser and to provide secure communications during the transaction to prevent eavesdropping.

For more technical detail on 128-bit AES and 256-bit AES encryption, there is an excellent technology paper produced by Seagate Corporation (PDF only).

Image: The EFF's US$250,000 DES cracking machine contained over 1,800 custom chips and could brute force a DES key in a matter of days.

Cryptography experts say that AES and other algorithms of this kind are nearly impossible to break. Among cryptographers, a successful break is anything faster than an exhaustive search. So far, the largest successful publicly known brute force attack was against a 64-bit RC5 key by distributed.net. There were several attacks on AES-128 in 2009, but nobody has successfully broken it yet.


Do you want to help somebody break AES encryption? You may join this small forum and see if you can help. Or, if you think you are an expert hacker, maybe you can participate in the elliptic curve cryptography challenge by Certicom, which offers nearly $1 million to anyone who can break a large file encrypted with AES-256. Would you accept the challenge?


This does not mean that it is impossible to decrypt or break these algorithms, but it may take a while. You have to understand that these protocols are primarily used for protecting you from eavesdropping by cyber criminals during ONLINE transactions and for securing databases that are accessible via corporate networks or LANs.


But will these security measures protect you when somebody scans your contactless cards using a concealed RF card reader, close enough to skim all your credit card data without your knowledge, while you are walking in a busy downtown area? No. None of them! Hackers know that eavesdropping on an online transaction is a bit of a challenge, and that breaking a system could take a lot of resources, including time. Now, some of them are changing their modus operandi by scanning the busy streets in your city. In my last episode, I will show you how easy it is to hack somebody's credit card. This is where the money is, folks, because they know that the air is an unprotected area to explore and to make money.


Zero Liability Protection.
Most if not all credit card companies and banks offer Zero Liability Protection (ZLP) to credit card holders, and that includes your contactless credit card. Zero Liability simply means that you, as a cardholder, will not be responsible for unauthorized purchases or fraudulent transactions charged to your account as long as you report the incident promptly. To read the MasterCard cardholder policy on ZLP, proceed to this page. Visa also offers Zero Liability for its cardholders; here is the link for you.


Note that Zero Liability protection will only be provided under the following conditions:
  • Your account is in good standing. 
  • You have exercised reasonable care in safeguarding your card. 
  • You have not reported two or more unauthorized events in the past 12 months. 
These are the benefits of having a contactless credit card. Some of these benefits also apply to standard contact credit cards. I could go on and on, but I think I need to pause here for now. I will be back for the last part of this series.
