Mobile NFC could solve the security flaws of contactless card payments, according to experts reacting to the findings from a recent Which? report.
According to Paul Hampton, Payments Security Expert at Gemalto, mobile solutions such as Apple Pay offer "much greater security".
The statement came as Which?, the consumer protection group, revealed research showing how easily card details can be remotely captured from contactless cards using card-reading technology.
Ten cards, six debit and four credit, had their card number and expiry date captured and decoded by a commonly available reader and a piece of free software. Which? also managed to obtain details of recent transactions, but not the CVV code.
According to Hampton, these flaws could be avoided through a mobile payment solution, due to the limited information that is stored and transmitted.
"Contactless payments made with mobile phones typically don’t use real card details and usually need the user to supply either a PIN number or fingerprint in order for the phone to transmit the payment information; this prevents a fraudster with the appropriate wireless equipment from being able to capture any information," said Hampton.
The Which? research also highlighted the difficulty in finding a compromise between security and convenience. Despite the inability to capture CVV codes, Which? were still able to order expensive items online, including a £300 television, from mainstream outlets. Hampton commented:
"The payment industry always planned that the risks associated with exposing information over wireless connections would be mitigated by stronger controls put around card-not-present transactions made over the telephone or Internet; however, as Which? have highlighted, often these controls are relaxed by merchants, as the inconvenience of additional security can drive customers away from completing purchases."
Which?’s success in purchasing items online also reveals the dangers of adding a contactless interface to a conventional payment card. While contactless cards have a £30 daily limit, this limit does not apply when the details are captured from a contactless card but then used online.
Bob Tarzey, Analyst and Director for security at Quocirca, concurred with Gemalto’s comments, arguing mobile payments offered a much more robust solution.
"(With a payment card), you put your payment card near a reader and accept you are making a payment and it happens," comments Tarzey. "People can put in place a spoof reader; if they put it near your back pocket they could capture your details.
"With mobile phones you have to activate something on the phone. A mobile phone has an inherent ability to demand a second action from the payer to allow the payment to go ahead."
Tarzey also argued mobile phones would be safer than cards if lost or stolen, citing additional protections existing on the device itself, such as PIN codes.
"With a mobile phone you can have device security; there is nothing you can do about this on a payment card."