2016-05-04 - secure contactless payment?

contactless card symbol (from wikipedia)

contactless payment is a neat idea. unfortunately it is not very secure (1 2 3 – to name some of the issues). the main problem is that the card itself is able to allow payment w/o any interaction. how about adding one?

of course it cannot be a PIN code, as the main idea was to eliminate it for “small payments”. instead, the card could have a sort of small contact fields that one would need to touch in order to accept a payment. from the user's PoV it would only mean holding the card by a selected corner (say: with contacts on top and bottom). w/o closing the loop, the payment would not get accepted. this way a universal, remote attack becomes useless, as the thief would have to have physical access to the card first.

there is still one more problem – physical theft of the card. the thief can obviously close the loop manually, thus making a payment. this still gets problematic when trying to get your money back after being robbed. unfortunately circumventing this is a bit more tricky, as even “simple” biometrics like fingerprints will not do, since you often touch your card with your fingertips, thus the thief can try reconstructing these, based on the prints you left.

for now – better safe than sorry. just disable the contactless payment method at your bank (one call to the info line + using an ATM twice in my case) and sleep tight. :)

