How a contactless payment took me by surprise

If you don’t understand how this technology works, please refrain from passing comment on it.

For your information, your card can’t “broadcast” anything. When a card reader is used at the point of sale, it starts looking for any nearby RFID signatures on the correct frequency; if it finds one, it queries the data on the RFID chip inside the card using a 128-bit encryption key (so yes, it IS encrypted), and if the key matches, reads the card details and processes payment.

In addition – there is a maximum spend limit of £15, and the usual safeguards are in place to prevent rapidly draining the card in £15 increments – the bank will lock out your account if it detects suspicious activity. You’re also covered by the normal security guarantees of your card provider (Visa, MasterCard etc.), so even if you don’t trust your bank (in which case, why are you banking with them?), you have that to fall back on.

First of all, I apologise for speaking hastily, but your comments about credit cards “broadcasting” details raised a red flag – by their nature, passive RFID chips don’t broadcast, they respond to requests for their information.

Secondly, it’s not the banks or the providers which are at fault – as the Channel 4 article points out, it’s the retailers who fail to require proper security details when processing payments. Visa’s PayWave, which powers Barclays’ contactless system, carries only the card number and expiry date, and not the name of the cardholder or the CVV2 security number.

And it does so under 128-bit encryption, as I said before. I did a little basic research and apparently it’s difficult to simply scan contactless cards without having the encryption key. So what potential thieves actually have is half the details they need, which are all encrypted anyway. It’s like a pickpocket who snatches your purse only to find a broken key inside.

Sloppy reporting from the Daily Mail as usual – a provocative (I don’t want to say “scaremongering” but…) and misleading headline, and the majority of claims are unsourced. Of the two sources they’ve actually got, one of them runs an independent ATM company, so it’s in his best interests to stop contactless technology as it lets people pay (and get cashback) without withdrawing cash from his ATMs!

It’s clear that they’ve interviewed him and this RFID security bloke, taken the best (worst?) soundbites that they can, and not bothered to look into any actual scientific research on the subject. Many of the comments on the article back me up – although in true Daily Mail style, the ones that talk sense are voted down, while the paranoid ones are voted up!

There are two main issues with this idea that unscrupulous types will hang around outside tube stations waving their magic wands over everyone’s wallets. Firstly, the contact range is very small – 5cm at best – which you can easily experiment with by using an Oyster card and seeing how far it has to be from the reader before it’ll register. So they’d have to be in touching distance of your wallet, at which point it’s probably easier just to steal it. And secondly, as I’ve mentioned before, all of the data coming from these cards is encrypted.

Easier to steal it? Don’t be absurd. Wireless is what makes it easy.