A More Secure Mag Stripe?Contactless RFID Enhances Security Over Mag-Stripe
Earlier this month, the Identity Theft Resource Center released a statement about contactless payment cards, saying it is continuing to investigate the security of radio frequency identification technology. But proponents of RFID, or near-field communications, say the United States' use of contactless payment cards is expected to grow. RFID or NFC will likely be used by U.S. card issuers to bridge the gap between traditional mag-stripe transactions and the global Europay, MasterCard, Visa or EMV chip standard, whose use and adoption is rapidly closing in on the U.S.
RFID cards used in the U.S. contain embedded read-only microprocessor chips that use the same information contained in a traditional mag-stripe. Unlike EMV chips, which provide two-way communication between a card and card reader, RFID chips based on mag-stripe details communicate only one way.
The advantage to contactless RFID is transaction speed, since an RFID card communicates without physical contact with the card reader. Rather than being swiped, like traditional mag-stripe cards, RFID cards can communicate within 1 to 4 inches of card readers, enabling the so-called "tap and go" payment.
The concern, however, says the ITRC, is that card details may be intercepted during the transaction. "The implication in recent media articles is that it is easy to 'hi-jack' the RFID information, and that it is easy to then use this information to make fraudulent purchases," the ITRC says. "[The] ITRC has requested information from a variety of technical resources to review this assertion."
Randy Vanderhoof, executive director of the Smart Card Alliance, says those concerns are unfounded. In fact, in a white paper published last month by the Smart Card Alliance about routes the U.S. might pursue on its migration to EMV, RFID technology is touted as being one of the industry's most secure payment options. With more than 75 million contactless RFID cards already in use in the U.S., support for more contactless technology, which is compatible with EMV, makes sense, Vanderhoof says.
"In order to future-proof the technology, should the U.S. adopt a full EMV migration, we would need a plan in place to have our contactless cards evolve," he says. But an evolution of existing contactless card technology would not require much.
RFID: Superior SecurityRFID technology is more secure than contact mag-stripe transactions. "The cardholder information used during a contactless payment transaction is of little to no use in creating fraudulent payment transactions," Vanderhoof says. Today, information used during a contactless transaction is generated with a strong encryption key that is known only to the card issuer. And issuers verify that dynamic card information before a payment is approved.
Gartner Analyst Avivah Litan says that type of dynamic verification makes contactless transactions more secure than existing contact mag-stripe transactions. "There is something called dynamic CVV code, which the card brands, Visa, MasterCard, have built in to these contactless cards," she says. "That means that when you use a contactless card, you have an algorithm that is attached to your card." And since a criminal, even if he were able to intercept card data during a transaction, does not know the algorithm, he would not be able to come up with the right security code.
"You could actually get stronger security on contactless cards through stronger cardholder authentication," Litan says. "We're not low on technology solutions. We're low on agreements and mandates to move forward to make stronger cardholder authentication a requirement. It's more of a business practice issue than it is a technology issue."