Security still a main concern

There is a potential risk when it comes to radio frequencies


Dubai

In a race to promote widespread adoption of contactless payment cards and mobile wallets, both public and private sector organisations across the Middle East are unknowingly exposing their customers to a range of security risks.

“Most of these contactless systems utilise Radio Frequency Identification (RFID) technology, which due to its simplicity and low cost now finds use in a wide range of applications such as NOL cards, Salik tags, identity badges used by businesses, anti-theft store tags, home security systems and keyless entry systems for cars,” Nicolai Solling, Director of Technology Services at Help AG, told Gulf News.

He said that NFC technology is based on existing RFID standards and there is a potential risk when it comes to radio frequencies. They are vulnerable to certain kinds of attacks. “With the right antenna, hardware and software, the card can be cloned and the data stolen and you don’t need physical access to the card,” he said.

NFC and RFID use the same frequency, but NFC is more secure and encrypted than RFID, and its data can only be transferred over a very small distance.

Encryption

Recent research has shown that even the complex encryption that has been touted to become the next industry standard for this technology can be cracked. Using low-cost RFID readers and cryptographic deciphering, attackers can very easily read the information on these cards, allowing them to create “clones” which can be used to syphon funds or gain unauthorised access.

Solling believes that consumers need to be made aware of these risks.

For example, governments decided in 2003 to make e-passports that store biometric data. They embedded the key details on a chip in the passport. The problem was that when the e-passport came out, the key used to encrypt access to the chip was very basic.

So in less than three years, it was already broken. Despite this, he said that governments are still continuing with these e-passports as heavy investment was involved.

“You can scan your e-passport with your NFC smartphone and can get full details of the passport owner,” he said and showed it to me.

The same is the case with NOL and Salik cards. “When you are in a crowded train, a person with an RFID reader can stand next to you and read out the information on your card. It all depends on the antenna. If it is strong, the RFID reader can get access from a distance,” he said.

“You can buy a cloning RFID device from China on eBay for $37 (Dh136). It is not a fool-proof technology. My advice is not to put too much money on the e-wallet,” he said.

Secure payments

But according to Julian Phillips, vice-president, acceptance and commercial development at MasterCard UAE, NFC-enabled credit and debit payment cards are very secure as they are EMV compliant, but Salik and NOL cards are not EMV compliant. Chip cards are very secure and have multiple layers of security.

“In a contactless payment card transaction, all the details of the cardholder are not sent. Like a debit card, the merchant has to bring the device to the reader and the user taps the card and enters the PIN. It is very secure,” he said.
