There are moments when you need to look at technology as a preventative thing. Internet security is like that, a purchase that all devices should have, if only for the “what if” case scenario. Now, there’s a gadget appearing designed to stop the “what if” moment from happening to your credit card.
Everywhere you go, you see contactless payment systems provided.
Supermarkets, malls, book shops, theatres, fast food, slow food, clothing, and anything else; paying without needing to swipe your credit and debit card is the way we’re headed, and before too long, we’ll even be there with smartphones as well, as companies like PayPal, Apple, and Samsung try to find a good middle ground that makes us feel safe and secure while we use our smartphones to pay the bill.
But that’s still a little off, and right now we have to deal with paying the “Tap and Go” concept which is to tap your debit or credit card against the payment system, and then leave.
It’s quick, easy, and something consumers seem to like, as it makes payment efficient with no need to check who you are. Generally, there’s a cut off amount, with a maximum of $100 allowed to be transferred in any one payment, but this doesn’t usually bother anyone.
Apparently, though, as much as we like the convenience offered through this technology, scammers are interested in taking advantage of the tech, using current wireless transfer technology to skim your cards, and charge purchases to you.
We’ve heard the stories before, and there have been numerous reports citing how the act of skimming cards worked, applying mobile phones, tablets, and NFC-equipped computer terminals to make the steal possible.
If you’re a little skeptical at the thought, don’t worry, because we were too, and we weren’t alone.
Some of the creators of the contactless payment technology have thrown up similar question marks over the years, citing that much of the reason these issues have popped up have been to sell wallets.
“Certainly a year ago, there were lots of commentary around technology to scan cards and capture information,” said Matt Barr, MasterCard’s head of Market Development in Australia, in an interview to GadgetGuy in 2013.
“When you went and found out who was creating the noise, it turns out that they were trying to sell a wallet — a metal wallet — to protect cards, so unfortunately it’s players out there creating a fear to sell a product.”
But testing a skimming application with phones and tablets at GadgetGuy, we’ve seen how it’s possible to take information off a card, with some of the credit and debit cards also showing previous purchase history to NFC readers.
Most of the applications we tested weren’t holding the information for long periods of time, but that doesn’t necessarily mean the application couldn’t, and if an app is created to skim information from a card, it could just as easily store this for a long enough period to compile the card numbers for active use, with the scammer then finding a way to utilise the credit card information to charge up some purchases.
And because contactless payments tend to be under a hundred bucks per purchase, the charges aren’t likely to appear as if anyone has taken your money, or a lot of it, anyway. Add it up, though, and this could end up being a small fortune for some people, especially if the dodgy charges continue.
Testing it out for ourselves and skimming our own cards, we found that you have to get pretty close with a phone to do this.
In fact, if we were to try this on someone else’s back pocket, we’d pretty much be tapping their backside with our phone and then coming up with a stupid excuse as to why we would ever do such a thing, a conversation that could well get us knocked out, arrested, or both.
So the phone isn’t likely to be a big skimming tool, but a bigger device possibly could, with a small tablet or laptop computer paired with a relatively inexpensive radio frequency and Near-Field Communication reader, one that produces just a large enough field to pick up on card signals within a metre distance, or possibly further.
With that, all it takes is the communication of the reader and a specialised application to grab details from your contactless cards, and this could happen anywhere. Close proximity if the NFC reader is low-power, or further back if it isn’t, and since we’re all receiving these contactless cards, whether or not you actively use them, we all may be at risk.
It’s this set of concerns that led people to measures that could be seen as preventative.
In the past few years, we’ve seen those aforementioned specialised wallets and card holders designed to ward against this sort of threat, often with metals built into the design that apparently stop the NFC attack from taking place, which isn’t technically an attack, but rather a cold read or an NFC tap from afar.
The success of these doesn’t appear to be proven, and so a couple of Australians came up with an alternative concept, creating a jammer for your wallet that sits inside and blocks any would be scammers from stealing those details when the attempt is made.
“We originally started ArmourCard a couple of years ago,” said Tyler Harris, Director of ArmourCard. “I was reading a lot of stuff about radio frequency identification, [and] I was a little concerned about our own privacy.”
These concerns, followed by some tinkering, resulted in a credit-card like gadget that aims to block any would-be scammers by interrupting the 13.56MHz frequency RFID-based cards communicate on and blocking it outright.
“We jam 50mm on either side,” said Harris, adding “when it gets interrogated by someone trying to skim you or you’re near a check out terminal, and it will instantly power up.”
Once the specialty card is powered up, it will block the signal, meaning you can’t scan the wallet directly to a PayWave or PayPass terminal, so if you want to use the Tap and Go functionality to pay for something, you’ll need to either temporarily disable the ArmourCard by touching the right corner’s disable button, or alternatively, take out the card and tap it directly to the terminal bypassing the ArmourCard altogether.
According to ArmourCard’s people, the technology isn’t powered on all the time, only switching on when it is needed. Because of this, it’s expected to be usable for at least two years, with benching of the technology and its battery suggesting that used ten times a day, it would last for those two years. Used less, and you could possibly get a year or two more without any problems.
One thing we are hearing is that scamming is taking place through terminals that may have been hacked, for instance in a taxi, and unfortunately, this product won’t help with this at all. In these instances, you’re tapping the card to a possibly hacked terminal, and transferring funds through that terminal, rather than being skimmed without your knowledge, which is what ArmourCard seeks to prevent.
We’d be remiss not to come back to MasterCard’s position on the matter, though, which said (back in 2013) that the technology wasn’t likely to result in a theft of information that could lead to your details used in such an aggressive way.
“Our view is there was never any significant material risk,” said Matt Barr, adding that “the scanners could never capture enough information to create an online transaction because you don’t get names. You can get 16 digits, you can get expiry date, but that’s all.”
“You can’t get enough information to create another transaction, and you certainly don’t get enough information to create another contactless transaction,” said Barr in one of our Naked Geeks programs.
“There’s a thing called the dynamic CVC [customer verification code] on contactless cards. It generates a single use number every time, [and] there’s an algorithm on the card, so even if you scanned the card and got an instance of the dynamic CVC, you’d never be able to create another transaction,” he said. “The card and the terminal are looking for the next number in the sequence.”
As far as we’ve been able to tell, some card reading apps may have the ability to read card names as well as card numbers, but as for the customer verification code, we’ll have to refer to Barr’s and MasterCard’s knowledge on this one.
Ultimately, we’re filling ArmourCard under the “preventative” measure, with a gadget aimed at the potential blocking of what scammers can do, even if it might not necessarily happen.
“We have insurance for your house, insurance for your car, antivirus for your computer,” said Harris. “Why wouldn’t you protect your cards?”
The ArmourCard is available now for $49.95 in select electronic shops, online, and Vodafone stores across the country.