Contactless Credit Card Vulnerability

Currently deployed contactless credit card are vulnerable to bump-and-relay attack. Roaming harvesters, equiped with modified readers that relay signals into a stolen transaction exchange network (STEN), bump into a contactless credit card carrier. Roaming spenders, equiped with a device that replays contactless card signals relayed through STEN, make purchases anywhere contactless credit cards are accepted. STEN matches harvesters and spenders on-demand.

Note that this vulnerability is not high risk for card issuers because:

  • Most contactless payment cards are currently used for small amount transactions of limited types (i.e. tranportation, vending machine, etc.)
  • STEN is difficult to setup, avoid detection, and defend.
  • Profit sharing at large scale is difficult.

Still, I could see small scale localized operations happening because the cost of investment and risk of capture are both low IMHO. Thankfully, there are several solutions to this vulnerability, some of which are already being implemented.

One obvious solution is to require two-phase commit for transactions above certain size. Another more low-tech solution, which I have not seen anyone propose yet, is to provide RF-shield sheath for cards so they can't be read unless the cardholder takes it out. I like this soution the best because:

  1. It's simple and effective
  2. No change is needed to existing systems.
  3. Solves the multiple-contactless-cards-in-a-wallet problem as well.
  4. Creates branding/marketing opportunities.