Contactless payments are increasingly widespread and certainly convenient, whether using credit or debit cards, or smartphones. They let people pay for goods and services without handing their cards to cashiers and often without entering their PINs.
But are there associated security risks? Can you actually trust contactless payments?
How Do Contactless Payments Work?
There are two main types of contactless payments. The first involves embedded technology in your credit or debit card, and the other concerns using a smartphone with a mobile wallet app.
Most involve radio frequency identification (RFID) and near field communication (NFC), which concern short-range, low-energy radio signals. Here’s how how each one works.
- Card-based contactless payments: Each credit or debit card with contactless technology has a unique “key” that generates a code to identify every transaction. The card issuer verifies the validity before approving a transaction. A contactless-ready card has a chip that must come within about 1.5-inches of a reader. Customers hold it close or tap it to finish the transaction and do not need to enter a PIN.
- Phone-based contactless payments: These require people to activate an NFC setting in their smartphones before attempting a payment. After that, they can wave the device near a reader, which accomplishes the same result as tapping a card. However, customers must first enter a password on their phones to make a secure payment.
- App-based contactless payments: Some companies offer mobile payment services where a person stores all their physical card information in an app, then selects the desired payment method before checking out at a website. Entering a password applies here too, but it may not if a company recognizes a customer’s device.
People around the world increasingly like the option to go contactless when paying. A study conducted by Visa found that the company processed 1 billion such transactions that previously required entering a PIN. The research also indicated that 80 percent of in-store transactions with European merchants happen through contact-free means.
What Are the Possible Contactless Payment Risks?
Contactless payments are like virtually everything else in life in that they’re not risk-free options. However, some identified threats are primarily theoretical, while others pose security concerns backed up by real-world evidence.
One fear is that hackers could conceal contactless readers, then walk by a person to make the transaction happen. A related scenario occurs when a customer unknowingly lets a payment go through by walking too close to a store’s card reader. However, these are both highly unlikely due to how cards must come within less than 2-inches of a reader.
A hacker needs to get extremely close to a targeted person and know where that individual keeps a card, then get the reader close enough to that point for a transaction to happen. That’s a lot of things happening precisely in the way a criminal needs.
According to MasterCard, even if they succeed, the transmitted information only includes the card number and expiration date, so it's a done-in-one crime. The lack of a cardholder name prevents a criminal from making fraudulent online purchases.
The second possibility of a person paying for something by walking near a card reader is even more far-fetched. After all, merchants don’t keep their readers in multiple places around a shop. Most have them near the cash register, behind the counter. They are presented to a shopper at the point of transaction.
People who are still concerned about these tiny risks could give themselves peace of mind by purchasing an RFID-blocking wallet. It shields cards from the radio waves that make contactless payments work.
Large Contactless Payments Without a Cardholder’s Permission
Maybe you’ve been on a road trip with a friend who decided to stop at a convenience store. You felt thirsty for a coffee, but instead of getting cash out of your wallet, you gave your pal your debit card and asked them to pay for the beverage. That’s a low-risk thing to do with someone you trust, although the best secure payment practice is to keep the card in your possession, even for small purchases.
However, most card issuers apply a second safeguard by limiting contactless payment amounts. The maximum transactions vary but are usually under $50. That’s an excellent security strategy, but researchers found it’s not foolproof.
They experimented with five Visa cards distributed by United Kingdom banks and found that hackers could bypass card limits with all of them. These security flaws even permitted unauthorized transactions to occur outside the UK.
Criminals could manipulate the signals passing between a card and reader by using a gadget that intercepts the communication. It instructs the reader to ignore any transaction limits imposed by the issuer.
The researchers also found that this hack applied to smartphone wallets. Interestingly, a criminal could make a transaction go through without unlocking a phone but could only charge up to the stated limit in such cases. These examples highlight the importance of checking your transaction statements regularly and carefully, looking for any strange charges.
Statistics showed that 75 percent of 2020’s e-commerce sales happened on mobile devices. Consumers’ love of technology pushed organizational leaders to explore how they could help people do traditionally in-person transactions from their phones. That’s why contactless event registration and hotel arrival or departure necessities can now often happen via apps.
These contactless activities are generally safe. However, since they transmit electronic data, everything comes down to whether the service provider or its technology partner follows appropriate procedures when collecting and storing customers’ information.
Consider researching a company’s data security protocols before using its contactless service for the first time. That information will help you determine the organization’s trustworthiness.
Compromised Devices, Passwords, and Cards
All contactless payments require a person’s card or a compatible smartphone wallet app and password. The theft of any of those could put you at risk of contactless payment fraud.
Consider the example where you use a contactless-enabled card at a busy outlet, such as a shopping center or gas station. Instead of slipping it into your back pocket after use, you unknowingly drop it onto the floor. From that point, a dishonest person could come along and use it by posing as you, at least making a small transaction.
Something similar could happen with a lost or stolen phone, although the unauthorized user also usually needs your password to complete a transaction. Always choose unique, hard-to-guess passwords for all your devices. Doing that increases the chances that a criminal won’t get very far if they have your phone and try to make a contactless payment.
Turn off any features that allow people to pay with minimum authentication checks too. Although PayPal’s One Touch service permits logging in and paying for things without typing in a password, you can disable it by going into the site’s security settings.
You Can Lower Contactless Risks
Reducing the risks of particular activities is an important part of safe, everyday life.
When people drive cars, cook meals, and engage in hobbies, they know all those ways of spending time come with potential dangers. However, proactive measures reduce the threats, whether that means wearing a seatbelt, strapping on a bike helmet, or slipping on an oven mitt before handling hot food containers.
Take a similar approach when you decide whether to use contactless methods. Card providers integrate security measures into payment mechanisms, and you can consider these options as generally safe. However, actions within your control also minimize the chances of security issues.