July 24, 2015

Why Apple Pay will cure NFC security headache

Gemalto argues that contactless cards cannot touch mobile NFC in the security field.

By Alexander Sword

Mobile NFC could solve the security flaws of contactless card payments, according to experts reacting to the findings from a recent Which? report.

According to Paul Hampton, Payments Security Expert at Gemalto, mobile solutions such as Apple Pay offer "much greater security".

The statement came as Which?, the consumer protection group, revealed research showing how easily card details can be remotely captured from contactless cards using card-reading technology.

Ten cards, six debit and four credit, had their card number and expiry date captured and decoded by a commonly available reader and a piece of free software. Which? also managed to obtain details of recent transactions, but not the CVV code.

According to Hampton, these flaws could be avoided through a mobile payment solution, due to the limited information that is stored and transmitted.

"Contactless payments made with mobile phones typically don’t use real card details and usually need the user to supply either a PIN number or fingerprint in order for the phone to transmit the payment information; this prevents a fraudster with the appropriate wireless equipment from being able to capture any information," said Hampton.
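To make the contrast Hampton draws concrete, the following Python model is added here as an illustration; it is not code from the article, from Gemalto or from any wallet provider. It models a contactless card that answers any reader with its card number and expiry, and a phone wallet that transmits nothing until the user verifies locally and then sends a device-bound token plus a one-time cryptogram instead of the real card number. The class names, the token format, the HMAC-based cryptogram, the counter-based replay check and all sample values are assumptions of the model (real EMV payment tokenization uses different cryptogram schemes and message formats):

```python
import hashlib
import hmac
import secrets

# Constructed sample values; no real card or device data.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "09/18"


class ContactlessCard:
    """Model of the card behaviour the Which? test described: any reader
    that polls the card receives the card number and expiry date in clear."""

    def __init__(self, pan, expiry):
        self.pan = pan
        self.expiry = expiry

    def respond_to_reader(self):
        return {"pan": self.pan, "expiry": self.expiry}


class TokenServiceProvider:
    """Hypothetical issuer-side token vault. Each payment token is bound to
    one device and shares a secret key with it; the real PAN stays here."""

    def __init__(self):
        self._vault = {}         # token -> (pan, device_id, device_key)
        self._last_counter = {}  # token -> highest transaction counter seen

    def provision(self, pan, device_id):
        token = "4999" + secrets.token_hex(6)  # constructed token format
        key = secrets.token_bytes(32)
        self._vault[token] = (pan, device_id, key)
        self._last_counter[token] = 0
        return token, key

    @staticmethod
    def cryptogram(key, token, amount_pence, counter):
        # One-time MAC over the transaction; assumed scheme for this model.
        msg = f"{token}|{amount_pence}|{counter}".encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    def authorise(self, message, presenting_device):
        entry = self._vault.get(message["token"])
        if entry is None:
            return False, "unknown token"
        _pan, bound_device, key = entry
        if presenting_device != bound_device:
            return False, "token is bound to a different device"
        if message["counter"] <= self._last_counter[message["token"]]:
            return False, "replayed or stale counter"
        expected = self.cryptogram(key, message["token"],
                                   message["amount_pence"], message["counter"])
        if not hmac.compare_digest(expected, message["cryptogram"]):
            return False, "cryptogram does not verify"
        self._last_counter[message["token"]] = message["counter"]
        return True, "authorised"


class MobileWallet:
    """Model of a phone wallet: silent until the user verifies (a PIN here;
    a fingerprint plays the same role), then sends token plus cryptogram."""

    def __init__(self, device_id, token, key, pin):
        self.device_id = device_id
        self._token = token
        self._key = key
        self._pin = pin.encode()
        self._counter = 0
        self._armed = False

    def verify_user(self, pin_entered):
        self._armed = hmac.compare_digest(self._pin, pin_entered.encode())
        return self._armed

    def respond_to_reader(self, amount_pence):
        if not self._armed:
            return None  # unsolicited poll: nothing is transmitted
        self._counter += 1
        self._armed = False  # one user action authorises one payment
        return {
            "token": self._token,
            "amount_pence": amount_pence,
            "counter": self._counter,
            "cryptogram": TokenServiceProvider.cryptogram(
                self._key, self._token, amount_pence, self._counter),
        }


def run_demo():
    """Exercise both models and return the observations as booleans."""
    card = ContactlessCard(SAMPLE_PAN, SAMPLE_EXPIRY)
    leaked = card.respond_to_reader()

    tsp = TokenServiceProvider()
    token, key = tsp.provision(SAMPLE_PAN, device_id="phone-A")
    wallet = MobileWallet("phone-A", token, key, pin="1234")

    silent = wallet.respond_to_reader(2999) is None  # no PIN, no data
    wallet.verify_user("1234")
    msg = wallet.respond_to_reader(2999)
    ok, _ = tsp.authorise(msg, presenting_device="phone-A")
    replay_ok, _ = tsp.authorise(msg, presenting_device="phone-A")
    other_ok, _ = tsp.authorise(msg, presenting_device="phone-B")

    return {
        "card_reveals_pan": leaked["pan"] == SAMPLE_PAN,
        "wallet_silent_without_user": silent,
        "wallet_payment_authorised": ok,
        "replay_rejected": not replay_ok,
        "other_device_rejected": not other_ok,
        "token_reveals_pan": SAMPLE_PAN in msg.values(),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point the model makes is the one in the quote: the card answers whoever asks, while the wallet's response is gated on a local user action and, even when captured, carries a token and a single-use cryptogram that the issuer ties to one device and one transaction, so the captured bytes are of no use for a second payment or for a card-not-present purchase.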

The Which? research also highlighted the difficulty in finding a compromise between security and convenience. Despite the inability to capture CVV codes, Which? were still able to order expensive items online, including a £300 television, from mainstream outlets. Hampton commented:


"The payment industry always planned that the risks associated with exposing information over wireless connections would be mitigated by stronger controls put around card not present transactions made over the telephone or Internet; however, as Which? have highlighted, often these controls are relaxed by merchants, as the inconvenience of additional security can drive customers away from completing purchases."

Which?’s success in purchasing items online also reveals the dangers of combining a conventional card with a contactless card. While contactless cards have a £30 daily limit, this limit does not apply when the details are captured from a contactless card but then used online.

Bob Tarzey, Analyst and Director for security at Quocirca, concurred with Gemalto’s comments, arguing mobile payments offered a much more robust solution.

"(With a payment card), you put your payment card near a reader and accept you are making a payment and it happens," comments Tarzey. "People can put in place a spoof reader; if they put it near your back pocket they could capture your details.

"With mobile phones you have to activate something on the phone. A mobile phone has an inherent ability to demand a second action from the payer to allow the payment to go ahead."

Tarzey also argued mobile phones would be safer than cards if lost or stolen, citing additional protections existing on the device itself, such as PIN codes.

"With a mobile phone you can have device security; there is nothing you can do about this on a payment card."
