Contactless credit cards security

No, contactless transactions are not more secure than contact transactions. The whole contactless business has a lot more to do with making payments easier at the point of sale (and possibly enabling future developments of the smartcard business) than with increasing security.

Ridiculous early US implementations aside, we have a couple of things going on here:

  1. transactions less than a certain amount are authorized in no-CVM mode, meaning no card verification method; it's what you have observed
  2. transactions over a certain amount (depending on the country etc.) will be asked for an online PIN verification (meaning the PIN is encrypted in the PIN pad and sent over the network to the issuer for authentication), whereas contact EMV cards will typically do an offline PIN verification, where the POS asks the card's EMV chip if the PIN is OK.
    • this is more of a usability tradeoff than a security one: offline PIN allows offline authorizations on the POS where transactions need to be super fast. Both online and offline PIN have their unique (and difficult to execute) attack vectors.
  3. with contactless the card doesn't get a chance to verify the issuing host's authenticity (ARPC verification is not done). It's one security measure of the EMV scheme that I never fully understood, and with contactless it's gone, so I guess I was not the only one :) but still, it's one security measure fewer

Some extra EMV tags aside, as far as I know this is the only impact of EMV+CLESS vs old-school EMV. Magstripe+CLESS, or allowing EMV fallback with CLESS, results in that YouTube video from the beginning of the post and is completely ridiculous.

EDIT 1: holy cow https://play.google.com/store/apps/details?id=nfc.credit.card.reader.pro2 it seems the ridiculousness is still on. Not only does it reveal the card data, but the transaction history too. I mean, it's on Google Play, it and a bunch of others. Don't test it with production cards.

I don't understand, Visa/MC went through so many issues on the US market with the early NFC, they went through a mountain of trouble due to early magstripe cards. Finally, EMV is here and it's secure, and then they upgrade it with NFC capability by basically reverting the security almost all the way back to magstripe levels.
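To make the three differences listed in the answer concrete (no-CVM below a limit, online PIN above it, and no ARPC verification by a contactless card), here is a small Python model of a purchase over each interface. It is an added illustration and not code from the answer, a card scheme or any EMV specification: the `NO_CVM_LIMIT` value, the keys, and the HMAC-SHA256 stand-in for the ARQC/ARPC cryptograms and the encrypted PIN block are constructed assumptions, chosen only so that the flow runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed illustration constants, not scheme parameters.
NO_CVM_LIMIT = 30                               # contactless amounts up to this run with no CVM
SESSION_KEY = b"constructed-card-issuer-key"    # stand-in for the key shared by card and issuer
PIN_KEY = b"constructed-pinpad-issuer-key"      # stand-in for PIN-pad-to-issuer encryption


def _mac(key, *parts):
    """HMAC-SHA256 over '|'-joined parts; stands in for the EMV cryptogram MACs."""
    msg = "|".join(str(p) for p in parts).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Card:
    pan: str
    pin: str
    atc: int = 0                        # application transaction counter
    issuer_authenticated: bool = False  # set only when the card verifies an ARPC

    def verify_offline_pin(self, pin):
        """Contact EMV: the terminal asks the chip whether the PIN is right."""
        return hmac.compare_digest(self.pin, pin)

    def generate_arqc(self, amount):
        """Request cryptogram over PAN, amount and a fresh counter."""
        self.atc += 1
        return self.atc, _mac(SESSION_KEY, "ARQC", self.pan, amount, self.atc)

    def verify_arpc(self, arqc, arpc):
        """Contact EMV only: the card checks the issuer's response cryptogram."""
        expected = _mac(SESSION_KEY, "ARPC", arqc)
        self.issuer_authenticated = hmac.compare_digest(expected, arpc)
        return self.issuer_authenticated


class Issuer:
    def __init__(self, cards):
        self.pins = {c.pan: c.pin for c in cards}  # issuer-side PIN reference
        self.seen_atc = {}                         # highest counter accepted per PAN

    def authorize(self, pan, amount, atc, arqc, pin_block=None):
        """Return an ARPC on approval, or None on decline."""
        if not hmac.compare_digest(_mac(SESSION_KEY, "ARQC", pan, amount, atc), arqc):
            return None  # cryptogram does not verify
        if atc <= self.seen_atc.get(pan, 0):
            return None  # replayed or stale counter
        if pin_block is not None:
            expected = _mac(PIN_KEY, pan, self.pins[pan])
            if not hmac.compare_digest(expected, pin_block):
                return None  # online PIN failed
        self.seen_atc[pan] = atc
        return _mac(SESSION_KEY, "ARPC", arqc)


def run_transaction(card, issuer, amount, interface, pin=None):
    """Model one purchase. Returns which CVM ran, whether the issuer approved,
    and whether the card got to verify the issuer's response (ARPC)."""
    card.issuer_authenticated = False
    result = {"interface": interface, "cvm": "none",
              "approved": False, "card_verified_issuer": False}
    pin_block = None
    if interface == "contact":
        result["cvm"] = "offline_pin"
        if pin is None or not card.verify_offline_pin(pin):
            return result  # chip rejected the PIN, terminal declines
    elif amount > NO_CVM_LIMIT:
        result["cvm"] = "online_pin"
        if pin is None:
            return result
        pin_block = _mac(PIN_KEY, card.pan, pin)  # PIN pad encrypts the PIN for the issuer
    atc, arqc = card.generate_arqc(amount)
    arpc = issuer.authorize(card.pan, amount, atc, arqc, pin_block)
    if arpc is None:
        return result
    result["approved"] = True
    if interface == "contact":
        result["card_verified_issuer"] = card.verify_arpc(arqc, arpc)
    # Contactless: the card has already left the field, so the ARPC is never presented to it.
    return result


if __name__ == "__main__":
    card = Card("4000000000000001", "1234")  # constructed sample card
    issuer = Issuer([card])
    for amount, iface, pin in [(10, "contactless", None), (100, "contactless", "1234"),
                               (10, "contact", "1234")]:
        print(run_transaction(card, issuer, amount, iface, pin))
```

Running the three sample purchases shows the asymmetry the answer describes: the small contactless purchase is approved with no CVM at all, the larger one only after the issuer checks the encrypted PIN, and only the contact transaction ends with `card_verified_issuer` set, because only there does the chip see and check the ARPC.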


Visa never pretends that contactless is more secure than chip and PIN. They only say:

  • it is more secure than cash. Well, if someone gets your cash, they will use it freely, while the contactless card is limited per transaction and per day. In addition, you can have the bank block it if you declare that it has been stolen, and in some cases you can prove that you could not be at the place where the expense was made. In that sense it is more secure than cash

  • it uses the same technology as chip and PIN. Not false. Simply, the procedure never requires entering the PIN, so it is no longer something you have (the card) and something you know (the code) but only something you have.

So they do not even say that it is as secure as chip and PIN; simply, a quick reading can lead one to think that they mean it.

Now for what I think about it.

Is it as secure as chip and PIN? No. Because having the card is enough to be able to use it, while chip and PIN requires in addition the knowledge of the PIN code. And the bank does know it, and that is the reason why they limit the amount that can be used contactless both per transaction and per day.

So what is the sense of contactless payment? Simplicity. Banks earn money on each and every card transaction. In addition, the typology of your card usage is now valuable data that can be used to provide targeted advertising. And banks know how they can use or sell it. So they really want you to use your card even for cheap operations where you would not type a PIN.

What makes the operation possible is that it is not really interesting for an attacker. The gain/risk ratio is not really high, simply because the gain is limited per transaction and per day. So as of 2018, I am not aware of major attacks on contactless cards, beyond using a lost card for small expenses. So most banks will agree to refund you for one day of expenses if you lose your card, because it costs less (to the bank) than the global expected gain.