210
Several banks have introduced credit cards that are “contactless”. They contain a small “RFID” chip which allows them to be used by “swiping” near, but not necessarily touching, a reading terminal. This note explains the operation of the card and the protection offered by the existing and future EFT Code of Conduct.
At least two banks have introduced “contactless” credit cards in Australia. The Commonwealth Bank (CBA) has issued customers with the Mastercard “Paypass”.2 The National Australia Bank (NAB) has issued customers with Visa “Paywave”.3
The cards may be used in some circumstances by merely passing them close to a reading terminal. The CBA says that they may be used this way for purchase of $35 or less. The NBA cards may be used this way for purchases of $100 or less.
The cards have been issued without any discussion with consumer groups or, as far as this author is aware, any public discussion at all. There are severe privacy implications which will not be discussed in this paper. 4
“Contactless” cards contain a small “Radio-Frequency IDentification” devices, usually known as an RFID. The RFID is a small capacity computer chip together with an antenna that is capable of transmitting information to a “reader” or “terminal” that must be compatible with the particular RFID device.
RFIDs come in a number of different configurations and are used for multiple purposes. An “active” RFID contains a battery which supplies power for the transmitter. A “passive” RFID relies on an external device supplying the power. Active RFIDs are more expensive and have a long range. We are concerned here only with passive devices.
A passive RFID has a relatively short range. It is activated by power supplied by the terminal and, because that power is usually quite limited, has a short range. As applied to the credit card, the device is activated when placed in proximity to a reader. It then transmits its information to the terminal. In the case of a credit card, this will, probably, be the information that is usually stored on the magnetic stripe but may be more.
The obvious question is whether the cards may be read by a “rogue” terminal and, if so, from what distance. If they can be read, then then may be “cloned”, that is, all the information reproduced and inserted into a fake card. The process is called “skimming”.
The Banks assure us that there is no danger, but these are the same people who assured us that a debit card could not be accessed by an unauthorised user unless the owner of the card disclosed the PIN. They were so confident of this that they included conclusive evidence clauses in the terms and conditions of use when the cards were first issued. This total lack of self-regulation led to the passing of the first EFT Code of Conduct in 1986.
So, are the RFID credit cards safe? It is very difficult to know. The UK introduced RFID passports in 2006 and they were “cloned” within 48 hours. The story is reported in The Guardian.5
One of the world’s leading experts on security, Bruce Schneier, wrote a short blog entry which indicated that he thought that RFID credit cards were insecure and easily “skimmed”.6 Several presentations given at the “Black hat” conferences have demonstrated RFID hacking and skimming.7 The Black hat participants are respected “hackers” and, in some cases, companies have attempted legal action to prevent presentations at the Black Hat conferences. In the trade, this is known as “security through obscurity”.
One of the banks (CBA) refers to the use of the card as “Touch N Go” which implies actual contact is required. However, the card apparently uses a device manufactured by Texas Instrument which indicates that it may be used within a 4 cm range.8 The other bank (NAB) clearly indicates that it is necessary only to come close enough to the reader for the device to be activated - 5 cm is mentioned on the website.
However, the range of the devices depends upon the power supplied by the terminal. There are claims of being able to read passports of pedestrians from a “drive by”. There are instructions available on the internet for building a small device which claims to be able to “clone” the information of an RFID credit card from a “walk past”.
Some of these claims may be bravado by Internet hackers, but some serious research has been done by reputable university IT departments. Because such research is painstaking and requires a lot of time, it is difficult for a non-expert to judge the vulnerability of the RFID chips used in the bank issued credit cards. It is also noteworthy that several US states, at least California and Washington, have passed laws making RFID skimming a criminal offence, an initiative that will surely stop it dead in its tracks.
There are multiple sites on the Internet which purport to show how to build and RFID skimmer at low cost. Since this Journal does not wish to unreasonably tempt banking lawyers, these sites will not be listed here, but an Internet search of “RFID skimming” will produce results.
A “rogue terminal” that cloned or merely accessed the information on an RFID card could make charges against the account of the cardholder. Any such use would obviously be an “unauthorised transaction” in terms of s 5.1 of the EFT Code of Conduct. This section will only consider this surreptitious unauthorised use of the card.
The current EFT Code of Conduct clearly applies to contactless credit cards since the “access device” is the card itself and does not require the user’s manual signature. There is no "code" which must be kept secret for purchases within the limits specified: see s 1.5 of the Code.
Liability for unauthorised transactions is governed by s 5 of the Code. There can be no question of liability for “careless” keeping of the secret codes under ss 5.5 and 5.6 since there is no relevant secret code.
It would take a longer note to completely analyse the application of the Code to “skims” of the RFID cards. This author has made a very preliminary analysis, “Contactless Cards and the EFT Code”, which is available on the Internet.9 Suffice to say here that this author believes that the current Code provides complete protection to the consumer against illicit “skimming”.
That hardly ends the matter since anyone who has had a problem with unauthorised use knows that it requires many, many hours of work and negotiation before the banks will acknowledge that the use was unauthorised. This is true even though the Code puts the burden of proof on the issuing institution: see s 5.5 of the EFT Code of Conduct.
ASIC is currently reviewing the Code with a view to issuing a new Code by mid-year. Will the protection against “skimming” be preserved in the new code?
There are undoubtedly people who know the answer to that, but this author is not one of them. The Review process does not inspire great confidence. There have, for example, been several “Round Table” discussions on ASIC’s proposal to include remedies for mistaken payment as part of the Code. Who attended these? “Stakeholders”. We know that BPay and APCA had representatives there, including high priced lawyers who should be knowledgeable about the subject.
But both of these organisations put in submissions to the Review that thoroughly obscured the difference between mistaken payment and finality of payment.10 Have they persisted in those views? The confusion between finality of payment and recovery of mistaken payment is explained in (Tyree 2007).
Of course, consumer organisations are also present at these meetings. Does the knowledge of their representatives match that of the major payment/bank organisations. As good as their work is, it seems doubtful that they have the expertise to deal with the confusion raised, no doubt unintentionally, by the confused submissions of these powerful organisations.
What has been the outcome of the discussions? Only the participant “stakeholders” know, and this is far from a satisfactory and transparent process. The proposals put forth in many of the submissions would substantially reduce the legal rights of consumers who have made mistaken payments.11