Transactions with contactless bank cards are increasingly popular in Slovakia, and while their convenience makes them attractive, it also raises questions about their security. Among other alleged incidents, one user reportedly had money stolen from their bank card via a portable point-of-sale device on public transport, and experts are paying increased attention to preventing future abuse.
Though banks and card companies deny the story of money being stolen from cards via portable devices, they also insist that customers who follow the standard usage rules are entitled to compensation for any such losses.
“One of the evergreen myths about contactless payment cards is that it is possible to get money and personal data without noticing – for example when travelling by mass transport or at other places with a high concentration of people,” Miroslav Lukeš, general director of MasterCard for the Czech Republic, Slovakia and Austria, told The Slovak Spectator.
Lukeš explains that a contactless transaction can be carried out only when the card is within some four centimetres of the point of sale (POS) device, and only while that device has been activated to accept the transaction. Moreover, all POS devices are connected to an electronic system, which means that each transaction is traceable, and POS devices that are not connected to the system are not functional.
The country’s largest bank, Slovenská Sporiteľňa (SLSP), as well as other big players like VÚB Banka, Tatra Banka and ČSOB, all insist they have not registered any such incident.
“After the introduction of contactless cards abroad, abuse has not increased in any way,” mBank spokesman Tomáš Palovský said. “Moreover, Slovak contactless cards are among the world’s most secure.”
Face-to-face transactions with chip (EMV) smart cards are a situation where fraud risk is low, said Eric Brier, chief security officer at Ingenico Group, a manufacturer of POS devices.
“The main risks are still in environments when the card is not present,” Brier told The Slovak Spectator.
On the other hand, Nethemba, a Slovak IT security company, does point out some new security risks.
In April 2012 at Hackito Ergo Sum in Paris, Renaud Lifchitz published his presentation “Hacking the NFC credit cards for fun and debit” about serious vulnerabilities in NFC payment cards. Three years later Nethemba analysed the security of currently-issued NFC (near field communication) payment cards in Slovakia and the Czech Republic. Their revelations were shocking – all NFC payment cards can be read without any further authentication; the only prerequisite is physical proximity, Pavol Lupták of Nethemba told The Slovak Spectator.
“Potential attackers could identify the card issuer, the card owner and card number including the date of expiration and information about missing PIN tries,” said Lupták.
“Moreover, what is most critical – the transaction history, which was physically available on almost half of the tested cards,” said Lupták.
Based on the transaction history it is possible to create, for example, the geographical profile of the card holder or estimate his or her solvency.
“Such information can be abused, for example, for targeted marketing or getting data about the movement of the given person,” said Lupták. “Many e-commerce websites do not require the CVC/CVV code during payments, but three pieces of information – the name of the card holder, the number of the card and the date of its expiration – which can usually be easily obtained from the NFC card. This increases the risk of abuse.”
Lupták is not aware of any man-in-the-middle (MITM) attack on POS devices in Slovakia, in which special devices are inserted between the POS device and the buyer, allowing the culprit to manipulate the sum leaving a bank account. However, this is not a hypothetical scenario.
Nethemba has carried out a security analysis of approximately 30 Czech and 60 Slovak NFC payment cards to find out whether card issuers have reacted to the previously reported security issues. On this sample, they found that most NFC payment cards in Slovakia and the Czech Republic still store sensitive information.
Banks argue that only limited transaction data can be obtained, and that none of it is sensitive.
“These data cannot be used for abuse of the card,” Tatra Banka spokeswoman Zuzana Povodová said.
As for theft of personal data, Lukeš of MasterCard said that the cards emit a minimal volume of information, and thus the risk of identity theft is very low.
More contactless payments
In Slovakia contactless payments by bank card can be made up to €20, which limits losses if a card is lost or stolen. For higher amounts a PIN is required.
Card companies Visa Europe and MasterCard report the increasing popularity of contactless bank cards and transactions in Europe generally, and in Slovakia specifically.
Contactless payments at merchants in Slovakia account for more than 38 percent of all transactions, while in the Czech Republic the share is 60 percent and in Poland 39 percent, Visa Europe said in mid-2015.
Most problems or fraud still occur when people are simply negligent.
“The card must stay in sight of the user and inserted only in secure devices,” said Brier. “In case of doubt, it is safer to use another means of payment, for example cash. However, it must be noted that with credit card payments, card holders are protected in terms of financial liabilities.”
Lukeš of MasterCard points out that contactless cards give their holders a greater degree of control, because when making a payment the holder does not need to hand the card over to someone else.
“A unique authorisation code for each transaction ensures that it is not possible to carry out fraudulent transactions by entering the same code,” Lukeš said.
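The three controls this article mentions on the issuer side, a spending ceiling for contactless payments without a PIN, an authorisation code that cannot be reused, and detection of a sum altered between the card and the bank (the MITM scenario Lupták describes), can be shown together in one small model. This is an added example written for this page, not code from any bank, card scheme, Ingenico or Nethemba; it stands in a simplified HMAC over the transaction fields for the scheme-specific cryptogram that real cards compute, and the names Card, Issuer, card_sign and run_scenarios, the card number, the key and the merchant IDs are all constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Per the article: contactless payments in Slovakia up to EUR 20 without a PIN.
CONTACTLESS_NO_PIN_LIMIT_EUR = 20.00


@dataclass
class Card:
    """Card side of the model. `key` is a per-card secret shared with the issuer
    (constructed for the demo); `atc` is a transaction counter that only grows."""
    pan: str
    key: bytes
    atc: int = 0


def _message(pan: str, atc: int, amount_eur: float, merchant_id: str, pin_verified: bool) -> bytes:
    # Every field the issuer checks is bound into the signed message, so changing
    # the amount or the PIN flag in transit invalidates the authorisation code.
    return f"{pan}|{atc}|{amount_eur:.2f}|{merchant_id}|{int(pin_verified)}".encode()


def card_sign(card: Card, amount_eur: float, merchant_id: str, pin_verified: bool = False) -> dict:
    """Produce one transaction with a fresh counter and a per-transaction code.
    (Simplified stand-in for the cryptogram a real EMV card computes.)"""
    card.atc += 1
    code = hmac.new(card.key, _message(card.pan, card.atc, amount_eur, merchant_id, pin_verified),
                    hashlib.sha256).hexdigest()
    return {"pan": card.pan, "atc": card.atc, "amount": amount_eur,
            "merchant": merchant_id, "pin_verified": pin_verified, "code": code}


class Issuer:
    """Issuer side: verifies the code, rejects replays, enforces the no-PIN limit."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.highest_atc: dict[str, int] = {}  # highest counter accepted per card

    def enrol(self, card: Card) -> None:
        self.keys[card.pan] = card.key
        self.highest_atc[card.pan] = 0

    def authorise(self, txn: dict) -> tuple[bool, str]:
        key = self.keys.get(txn["pan"])
        if key is None:
            return False, "unknown card"
        expected = hmac.new(key, _message(txn["pan"], txn["atc"], txn["amount"],
                                          txn["merchant"], txn["pin_verified"]),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison: a tampered amount or flag fails here.
        if not hmac.compare_digest(expected, txn["code"]):
            return False, "authorisation code does not match transaction data"
        # A code is tied to one counter value, so presenting it again is a replay.
        if txn["atc"] <= self.highest_atc[txn["pan"]]:
            return False, "replay: authorisation code already used"
        if txn["amount"] > CONTACTLESS_NO_PIN_LIMIT_EUR and not txn["pin_verified"]:
            return False, "amount above contactless limit without PIN"
        self.highest_atc[txn["pan"]] = txn["atc"]
        return True, "approved"


def run_scenarios() -> list[tuple[bool, str]]:
    """Constructed scenarios: normal payment, replay, over-limit with and without PIN,
    and a sum altered between card and issuer."""
    issuer = Issuer()
    card = Card(pan="DEMO-PAN-0001", key=b"constructed-demo-card-key")  # constructed values
    issuer.enrol(card)
    results = []
    small = card_sign(card, 15.00, "M-TRAM-01")
    results.append(issuer.authorise(small))   # approved: under the limit
    results.append(issuer.authorise(small))   # declined: same code presented again
    results.append(issuer.authorise(card_sign(card, 35.00, "M-SHOP-02")))  # declined: no PIN
    results.append(issuer.authorise(card_sign(card, 35.00, "M-SHOP-02", pin_verified=True)))  # approved
    tampered = card_sign(card, 10.00, "M-SHOP-03")
    tampered["amount"] = 19.00                # sum altered after the card signed it
    results.append(issuer.authorise(tampered))  # declined: code no longer matches
    return results


if __name__ == "__main__":
    for ok, reason in run_scenarios():
        print("APPROVED" if ok else "DECLINED", "-", reason)
```

The replay check relies on the counter being monotonic rather than on remembering every code, which is what makes "entering the same code" again fail even after the legitimate payment was approved; the tamper check works only because the amount and PIN-verified flag are inputs to the code, so an intermediary that changes either of them produces a transaction the issuer cannot match.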
Disclaimer: The articles included in the “Banking” supplement were created by authors enrolled in the educational programme organised by The Slovak Spectator in cooperation with the University of Economics in Bratislava. The programme seeks to train journalism students on how to cover business- and economy-related issues. The articles were prepared in line with strict journalistic ethical and reporting standards.
3. Jun 2016 at 6:30 | Barbora Šimoničová and Dominika Bányainová