A GBP 50 daily loss
The paper tells contactless cardholders their cards can not only be read from a large distance, but also tampered with, and unlawful transactions can be performed while users keep their card in their pocket. Everyone, when reading such a paper is ready to abandon any slight intention to use any contactless card or contactless device, at least for the next decade!
But what's the reality behind such alarming news? The starting point is a White Paper published by Eurosmart, "the Voice of the Smart Secure Industry", called "RFID technology security concerns: Understanding Secure Contactless device versus RFID tag"(2). The White Paper pursues the same objective as previous documents issued by the Smart Card Alliance in the US: to establish clearly in the minds of decision makers and the public at large the difference between insecure RFID and secure contactless devices such as cards and passports.
Eurosmart document, is clear and balanced, based on scientific and technological evidence, and provides reassurance not only to the industry, but also to issuers, and more globally to everyone involved in the design and the operation of a contactless payment or identification system. Eurosmart document bases its security analysis on the knowledge of the industry, and on scientific works. Eurosmart demonstrates security is part of the smart cards / smart objects industry, it just requires the appropriate technology decisions and implementation measures.
So, why such a fuss about contactless cards used for transit and contactless payment in the UK? Frightening people always makes paper (or on-line news) sell. It is also part of a context when the British Government admitted having lost personal data of 25 million people. Fraudulent transactions and identity theft are a permanent fear, and some examples are used to raise fear among the public. This comes in a context when opponents to ID cards in the UK are using everything they can to raise fears among the public in order to increase pressure on the government to abandon the project. And there is always some opposition to new technologies.
What can we do? The answer is only: educate, educate, educate…. And, as an Industry, we have to use all communication means to ensure all smart cards / smart objects are correctly implemented and actually use all the security resources available in the products.