How safe is unverified, contactless card technology?

By Marianne Curphey

Update: As of 1 Sept. 2015, the limit for unverified contactless transactions rose to £30 from £20. However, if a merchant has not updated its point-of-sale (POS) terminal software, the old £20 limit will remain in place. Retailers have as long as they like to update the POS systems, but must inform consumers whether their terminals accept the higher limit or not.

Small contactless credit card transactions go through with one simple tap at the payment terminal -- no PIN or signature needed. Retailers and consumers both rejoice at the speed and ease of these payments, especially when shops are crowded and lines are long.

Yet despite the popularity of such transactions, there is still concern about the safety of contactless payments that don't require verification. Some experts say those concerns are overblown.

In 2013, some Marks & Spencer shoppers alleged that the retailer's "contactless" payment system had taken money from their accounts without their permission. M&S responded by saying that it had tested its system and that it was "robust and fit for purpose". contactless-safety

And in November 2014 research from the University of Newcastle claimed that a glitch in Visa's contactless credit cards could allow criminals to steal large amounts of money in foreign currency denominations. Visa responded by saying it would be "very difficult" to carry out such a theft in reality.

The Newcastle researchers tested contactless credit cards that do not use a PIN, and found that the contactless cards approved "unlimited value transactions without the cardholder's PIN where the transaction is carried out in a foreign currency". The researchers added that any foreign currency transaction up to €999,999.99 went through, sidestepping the UK's low contactless transaction limit.

Dangers not present in a real-life situation
Mark Prior-Egerton, solutions marketing manager at The Logic Group, which specialises in card payments and loyalty schemes, says such high fraudulent transactions can only happen in a test environment and would not be possible in a live environment such as a shop.

"For a contactless transaction you configure the terminal to put a limit on payments in various currencies," Prior-Egerton says. "In the UK, this is £20, which means that you can't make a transaction worth more than £20 sterling via a contactless payment. If the currency is not configured, it should always default to a zero limit, which means that it can't be used to pay for goods. In the test carried out by the Newcastle researchers it appears that no limits were configured for non-UK currencies, and therefore the currency defaulted to the maximum limit [€999,999,999]."

In other words, as long as providers have correctly configured their terminals, there should not be a problem, Prior-Egerton explains.

He also disputes another common belief about contactless cards, saying it's very unlikely that cards kept in a bag or coat pocket can be compromised, as the card would need to be "within millimetres" of the hacking terminal in order for it to work.

Carelessness can lead to unauthorized transactions
Though contactless cards that allow small transactions to go through without verification are not likely to be hacked, carelessness can still lead to unwanted transactions.

For instance, if you tap your whole wallet at a terminal without separating cards and you have more than one contactless card, you may find the wrong card is charged; this is called "card clash". One example is tapping your wallet at an Oyster card terminal to pay for public transport in London, then finding later that your trip went on a contactless credit card instead of your Oyster card.

If the payment terminal identifies a collision between the two cards, it will either cancel the transaction or take money from whichever card has the strongest link to the transmitter. You can prevent the clash by putting your cards in different parts of your wallet or taking the card out of the wallet to tap it on the terminal.

"A lot comes down to the education of consumers," says Prior-Engen.

Adding extra layers of protection
In the future, card issuers and merchants may use biometric technology to authenticate payments. For instance, you'll need to verify your identity by placing a finger on a fingerprint reader, or looking into a retina scanner. That could answer some of the worries people have about contactless payment security.

For now, if you're concerned, you can buy card shields that prevent unauthorized access to personal information.

Guy Bunker, senior vice president for products at Clearswift, a company specialising in data loss prevention, says these shields, known as "RFID sleeves", are cheap but effective at protecting cards in your wallet and preventing the wrong card being debited.

See related: How easily can frausters hack contactless payments?

Updated: 1 September 2015