© Michael Roland

07/02/2013

Contactless: “Unintentional payments possible”

The British retailer Marks & Spencer recently received complaints about contactless payments. Payments were allegedly charged to cards that the customer did not want to use for payment, and there were allegedly double payments in some cases. A security expert from Hagenberg University of Applied Sciences explains how this can happen, and why this will also affect Austrian customers.

Around 250,000 contactless payments are made at Marks & Spencer every week. Since last year, customers at all 644 of the chain's outlets in Great Britain have been able to pay by holding their card up to the terminal for just a few seconds thanks to near field communication (NFC) technology. There have been few problems, but it seems that the system does not always work as smoothly as claimed by contactless proponents, as the BBC reported a few days ago.

Shocked Marks & Spencer customer
A customer from Sussex complained to Marks & Spencer because her NFC-capable Smile card was charged even though she intended to pay with her regular Lloyds debit card. "I put my card into the reader and the assistant was asking whether or not I wanted cash back. Before I could answer, the transaction came up as complete and the till issued a receipt so I hadn't put in a Pin at all at that stage. I queried it with an assistant and she looked rather puzzled and looked at the receipt and compared it to my card and realised that the numbers didn't tally," she said. She recognised that the four digits on the receipt belonged to a Smile card she had in her purse, which she was holding in her other hand – more than four centimeters from the terminal. She was all the more surprised, since she did not know that her Smile card was equipped with a contactless function.

But is it even technically possible for a payment to be charged when a contactless payment card is in a wallet, and is more than just a few centimeters away from the terminal? "The 30 to 40 centimeters that are described in the BBC report seem to be rather implausible to me, but I would not rule it out 100 percent," explained Michael Roland, researcher at the NFC Research Lab Hagenberg, in an interview with futurezone. Roland already discovered an

.

When is a payment triggered?
The researcher completed a test with three terminals that will be used by Austrian merchants for contactless payment, and found: "No matter how I hold the card up to the terminal, I was unable to conduct a payment with the card much farther away from the terminal than five centimeters." Roland also documented his test with pictures. "This leads me to believe that the people were simply not aware of the fact that they were holding their wallets close to the terminal. A problem is that the cards are recognized next to the terminal, not just straight in front of it," the researcher said.

"Better information for customers"
According to Marks & Spencer, it has received a total of five complaints. In some cases, payments were also mistakenly charged twice. According to Marks & Spencer, the incorrect charges were refunded. The organization in Great Britain that represents credit card companies said: "I think that we have to provide better information for our customers that they must not place their wallet or purse in close proximity to the terminal."

Roland from the research lab in Hagenberg does not understand how such a double payment can be charged. "When a payment is initiated at the register and the payment is then made by NFC, the payment is concluded and its success or failure, or any error, is shown on the register. The cashier sees that the payment has been made, and on typical cash registers cannot initiate an additional payment." And according to the standard for contactless credit cards, no NFC payment can be made as soon as a card is inserted into the terminal. Roland's test seemed to bear this out: "On the credit card terminals that I tested, the NFC reading unit and the contact-based reading unit are so far apart that it is virtually impossible to unintentionally initiate an NFC transaction before the card can be inserted into the terminal."

Problems when there are two NFC-equipped cards
But this does not seem to apply in all cases: "It's a different story with magnetic stripe readers. More than once, I was able to trigger an NFC transaction before I could pull the card through the reader." There are also problems when two NFC-equipped cards are within range of the terminal. The standard stipulates that the terminal can only be active when there is only one card within range, but the terminal manufacturers do not always comply with this requirement.

"Two of my three readers use the logically first card when there are multiple cards in range. The 'logically first card' is the card that has precedence in the anti-collision protocol. Under the ISO/IEC 14443 Type A communication protocol, this is the card with the lower chip ID (UID), and under the ISO/IEC 14443 Type B protocol, it is the card that responds in the earlier timeslot. When two cards with different protocols (Type A and Type B) were in range, I was not able to identify a specific order," Roland explained. "My third reader recognized when multiple cards with the same protocol were within range and did not complete a transaction."

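The two reader behaviours described above for Type A cards, as an added example that is not from the article, from Roland, or from any terminal vendor: a simplified Python model of bit-wise anti-collision in which the reader resolves every collision toward bit 0, next to a terminal that refuses to transact once a collision has been seen. The UIDs, the function names and the MSB-first bit order are assumptions; real ISO/IEC 14443-3 framing (cascade levels, check bytes, on-air bit order) is left out.

```python
from typing import List, Optional, Tuple

UID_BITS = 32  # assumption: single-size (4-byte) UIDs only

# Constructed sample: two contactless cards in the same wallet.
WALLET = [0x7A3B91C4, 0x04A1B2C3]


def anticollision(uids_in_field: List[int]) -> Tuple[Optional[int], bool]:
    """Return (selected_uid, collision_seen) for the cards in the field.

    All cards answer at once. At each bit position the reader either sees a
    clean bit or a collision (cards disagree). In this model it resolves a
    collision by continuing with the '0' branch, so the lowest UID wins.
    """
    candidates = [format(u, f"0{UID_BITS}b") for u in uids_in_field]
    if not candidates:
        return None, False
    collision_seen = False
    selected = ""
    for pos in range(UID_BITS):
        bits = {c[pos] for c in candidates}
        if len(bits) == 2:          # cards disagree at this position
            collision_seen = True
            bit = "0"
        else:
            bit = bits.pop()
        selected += bit
        # Cards whose UID does not match the chosen prefix drop out.
        candidates = [c for c in candidates if c[pos] == bit]
    return int(selected, 2), collision_seen


def terminal_first_card(uids_in_field: List[int]) -> Optional[int]:
    """Reported behaviour of two readers: pay with the logically first card."""
    uid, _ = anticollision(uids_in_field)
    return uid


def terminal_single_card_only(uids_in_field: List[int]) -> Optional[int]:
    """Behaviour the article attributes to the standard: transact only when
    exactly one card answered, otherwise decline and ask for one card."""
    uid, collision_seen = anticollision(uids_in_field)
    return None if collision_seen else uid


if __name__ == "__main__":
    print("first-card terminal charges:", hex(terminal_first_card(WALLET)))
    print("single-card terminal charges:", terminal_single_card_only(WALLET))
```

With the constructed wallet, the first terminal charges the card with the lower UID regardless of which card the customer meant to use, while the second declines until only one card is presented.
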
"Surprised that such problems were not recognized"
This will especially be a problem when contactless cards are ubiquitous – and when people have a debit card, credit card and customer card from retailer X, all of which are equipped with NFC, and when people have more than one NFC card in their wallet. "It would be relatively easy to solve the problem when the terminal manufacturers would comply with the standards. I was surprised that such problems were not recognized by the credit card companies during certification," Roland said.
The researcher thinks that there will also be problems in Austria once all debit cards are equipped with NFC by 2015. "When people don't take their card out of their wallet, and when people knowingly or unknowingly have multiple payment cards in their wallet, this will certainly cause problems. I also think it is very realistic that someone will unknowingly put their wallet too close to a contactless terminal, thereby unintentionally triggering an NFC transaction."

Solution: "PIN entry for all payments"
For this reason, Roland from the NFC Research Lab suggests that a PIN should be required for all payments, including those under EUR 25. "This should prevent most problems of this kind. For me, the advantage of NFC is not making payments without a PIN, but that you don't need a new card every year because the card has been destroyed by mechanical wear, especially from poorly maintained payment terminals."