Daily CSR
Daily news about corporate social responsibility, ethics and sustainability

Hacker’s onslaught threatening contactless payments



02/01/2018

A security trend has reversed recently in the world of currency. After decades of decline in cash payments, contactless transactions seemed to have a steady wind in their sails, notably given their reputation for enhanced security. But as money slowly transfers to the virtual and contactless world, so do crime and fraud. Hard currency, with its own security systems, may be fighting the war on cash harder than was expected.


Since the introduction of credit and debit cards in the 1950s, when the New York Franklin bank and the Diners Club started issuing payment cards to their customers, an increasing number of transactions have been carried out without either party having any cash in their hands or pockets. According to the UK cards association, in 1950, “In the US Diners Club issues payment cards aimed at diners; they operate as charge cards. Initial membership was 200 with the card being accepted in 27 restaurants. By the end of the year 20,000 people were using Diners Club.” Later on, with the appearance of chips, then of RFID/NFC devices, and finally of smartphone payment solutions such as Apple Pay, the trend just steepened.
 
Among the factors boosting cashless payments’ gain in market share were convenience and a reputation for safety. Any pickpocket could slip a few bills out of a loosely guarded wallet, but cards could be blocked when stolen, and the average thief had no idea how to crack into encrypted systems - if he did, he wouldn’t need to steal. Over the years, theft was therefore more and more associated with cash, and security with cashless payment systems. But is this still the case?
 
In a nutshell, no. Online fraud is now a rapidly rising phenomenon, for several reasons. The first factor is simply that money has moved from the cash world to the online world. In the UK alone, only 73 billion pounds are currently in circulation, a mere 2% of the nation’s entire wealth, whereas this percentage was far higher a few decades ago when more transactions were carried out in cash. Economist John Sloman explains: “The bulk of money is in the form of bank deposits not backed by cash. This totals around £1,800bn. The point is that the main purpose of money is for buying things. And for most large purchases - and many small ones too - we don't use cash.” More money online means more thieves online. And the conjunction of NFC cards (also called contactless cards) with smartphones has given petty thieves a tremendous opportunity to keep exercising their trade.
 
Pierluigi Paganini describes: The difficult part of the attack is how to attract the victim into downloading an app, but assuming that the attacker was successful and the victim has the “bad” app, the app will start checking the environment around the smartphone to see if there is any credit card (of course, that depends on your wallet being near enough to the phone for the app to be successful). Once the credit card is detected, the app sends a message over the victim smartphone’s internet connection to the attacker’s smartphone. Now that the attacker has received the message on his Android phone, he just needs to come close to the POS machine for the POS machine to be able to do the illegal monetary transaction.
 
Mail fraud, phishing, smartphone hacking, data sweeping: online fraud now comes in every form. At the beginning of the year, the Telegraph predicted trouble for its readers in the UK: “Online fraud is now the most common crime in the country with almost one in ten people falling victim, the latest figures have revealed. More than five and a half million cyber offences are now thought to take place each year accounting for almost half of all crime in the country.” Not so safe, after all.
 
Thomas Savare, head of Oberthur Fiduciaire, one of the largest banknote printing companies in the world, explains how cash is far more secure than it is believed to be. “We regularly file new patents covering the technologies that we implement, in two sectors of research and development in particular: security (with anti-scanner technologies or the optimal effect patches for example) and the banknotes paper durability”, he says. Year in and year out, companies such as Oberthur Fiduciaire work to keep cash clear of counterfeiting, its main risk, as “each banknote incorporates several dozens of different anti-counterfeit technologies and at least as many processes: dynamic embossing, heliography, flexography, holograms, watermarks, magnetic tapes and from now nanotechnology.”
 
Cash is therefore more secure, nowadays, in many ways, than e-money, because it is harder to access, less profitable to steal, more difficult to forge and riskier to rob. Encryption gave contactless payments a reputation for unbreakable security. But as more and more daily transactions have moved to these systems, the public has realized that fraud and theft have, of course, not disappeared. “Experts expect to see an increase in online fraud as fraudsters turn their attention to online sales. Some reports indicate online retail fraud in the U.S. alone is expected to rise by 106 percent over the next three years”, reports the Mobile Payments Today website. Actually, “in the interest of convenience, key security measures are discarded and fraudsters are presented with an avenue that is often less secure; therefore, easily targeted.”
 
Juniper Research, in its Online Payment Fraud Whitepaper, highlights the scale of the challenge: “Online fraud is increasing and spreading rapidly across geographies and industries, despite merchants and FIs (financial institutions) investing more in fraud prevention. As soon as a new technology or process is deployed to prevent fraud, the fraudsters find a weakness to exploit or alternatively focus their attention elsewhere.” Not to mention the direct cost of fraud to the detriment of merchants: according to a 2015 survey by LexisNexis, merchants claim that fraud losses are increasing despite the companies investing more in fraud prevention. The true cost of fraud, more precisely, not counting the direct cost of the fraud, includes new insurance costs, investment and operational costs, manual review costs and chargebacks related to fraudulent and disputed transactions.
 
The discreet nature of online fraud lets criminals go on for a long time before they are eventually caught. And when they are, the absence of physical violence in their misdemeanor greatly reduces the sanction. In perspective, stealing and forging cash simply isn’t worth it. Financial firms which sell contactless payment solutions have therefore been perhaps a little over-confident that cash would soon be completely out of modern economies.