A More Secure Mag Stripe?

Contactless RFID Enhances Security Over Mag-Stripe
A More Secure Mag Stripe?
Despite public concerns about contactless card security, industry experts say contactless technology is far superior to the existing magnetic stripe.

Earlier this month, the Identity Theft Resource Center released a statement about contactless payment cards, saying it is continuing to investigate the security of radio frequency identification technology. But proponents of RFID, or near-field communications, say the United States' use of contactless payment cards is expected to grow. RFID or NFC will likely be used by U.S. card issuers to bridge the gap between traditional mag-stripe transactions and the global Europay, MasterCard, Visa or EMV chip standard, whose use and adoption is rapidly closing in on the U.S.

RFID cards used in the U.S. contain embedded read-only microprocessor chips that use the same information contained in a traditional mag-stripe. Unlike EMV chips, which provide two-way communication between a card and card reader, RFID chips based on mag-stripe details communicate only one way.

The advantage to contactless RFID is transaction speed, since an RFID card communicates without physical contact with the card reader. Rather than being swiped, like traditional mag-stripe cards, RFID cards can communicate within 1 to 4 inches of card readers, enabling the so-called "tap and go" payment.

The concern, however, says the ITRC, is that card details may be intercepted during the transaction. "The implication in recent media articles is that it is easy to 'hi-jack' the RFID information, and that it is easy to then use this information to make fraudulent purchases," the ITRC says. "[The] ITRC has requested information from a variety of technical resources to review this assertion."

Randy Vanderhoof, executive director of the Smart Card Alliance, says those concerns are unfounded. In fact, in a white paper published last month by the Smart Card Alliance about routes the U.S. might pursue on its migration to EMV, RFID technology is touted as being one of the industry's most secure payment options. With more than 75 million contactless RFID cards already in use in the U.S., support for more contactless technology, which is compatible with EMV, makes sense, Vanderhoof says.

"In order to future-proof the technology, should the U.S. adopt a full EMV migration, we would need a plan in place to have our contactless cards evolve," he says. But an evolution of existing contactless card technology would not require much.

RFID: Superior Security

RFID technology is more secure than contact mag-stripe transactions. "The cardholder information used during a contactless payment transaction is of little to no use in creating fraudulent payment transactions," Vanderhoof says. Today, information used during a contactless transaction is generated with a strong encryption key that is known only to the card issuer. And issuers verify that dynamic card information before a payment is approved.

Gartner Analyst Avivah Litan says that type of dynamic verification makes contactless transactions more secure than existing contact mag-stripe transactions. "There is something called dynamic CVV code, which the card brands, Visa, MasterCard, have built in to these contactless cards," she says. "That means that when you use a contactless card, you have an algorithm that is attached to your card." And since a criminal, even if he were able to intercept card data during a transaction, does not know the algorithm, he would not be able to come up with the right security code.

"You could actually get stronger security on contactless cards through stronger cardholder authentication," Litan says. "We're not low on technology solutions. We're low on agreements and mandates to move forward to make stronger cardholder authentication a requirement. It's more of a business practice issue than it is a technology issue."

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.