Is NFC/RFID safe enough to trust it with our money?
I will readily admit that I do not feel comfortable enough to trust NFC/RFID technologies with my money. The PayPass (MasterCard) and PayWave (Visa) RFID systems have been shown to be vulnerable to hacker attacks, but these are often proofs of concept and do not always translate into real-world attacks.
Real or not, these threats do exist and I have always maintained that the current NFC/RFID payment systems use insufficient security models that will be broken as soon as RFID readers become widely available. My suspicion was confirmed in 2008 by Dutch hackers who cloned the RFID chips used in London Oyster cards.
This article is also available on Amazon Kindle. You may consider buying it, if you would like to keep it for your reference.
You would think debit cards that take money straight from your account would offer greater protection. Not quite. The current security model for contactless payments with debit cards allows the system to release a pre-defined amount of money without any checks whatsoever. In my personal view, this is as safe as stuffing your back pockets with dollar bills and getting on a crowded bus.
But so far I’ve had little real evidence that the system is not secure. Until today, when I read this story on a popular Polish personal finance blog. One of the readers of that blog had his contactless mBank MasterCard debit card stolen, and the thief managed to complete over 20 transactions at ~50 zł each within 15 minutes. The thief was clever and used the stolen card to purchase bus tickets, which he could sell at a discount later on. His total loot was 1080 zł (~330 USD). The victim could not block the card, because the bank’s system was off-line for maintenance, but its transactional part was on-line and happily accepted all those unauthorized purchases made by the thief.
The story does have a happy ending: the card got blocked and the bank returned the money. But it illustrates the dangers of going cashless and turning all money into bits and bytes. Imagine what would happen should the card be integrated with the phone and the phone got stolen. With no money and no way to call your bank, you’d be lost. Even if you found someone who could help you and transfer some money to your account, you’d have no way to receive it and spend it on your fare back home. Also, you couldn’t purchase a new phone or even make a phone call, because you’d have no money… Meanwhile, the thief would be happily using your phone and your money.
This NFC/RFID exercise was fun while it lasted, but I think that banks and card companies should consider going back to the drawing board. Technology is supposed to make our lives easier, but what we have now makes it too easy for the bad guys to get their hands on our money.