Security transparence needed
Where contact cards had been used for years for payment applications, a high level of confidence has been built. Contactless cards are developing now a lot quicker. There is the need to build the same confidence from the public at large. Confidence is event more difficult to build for contactless cards than for contact cards, as there is some sort of magic in making a contactless transaction.
The industry has already developed a set of security explanations, and of course security evaluations and certifications. Whenever these are questioned there is the need to come up with a detailed position demonstrating payment cards, especially contactless payment cards are secure. For instance, explaining to the public processes we are all familiar with, such as triple DES encryption of exchanged data, or dynamic card verification value will raise the confidence level into the technology. All PayPass transactions start with a cross authentication between the card and the terminal, thus ensuring a card will not disclose its secrets nor even make any exchange with an unauthenticated terminal. This challenge – response authentication can make use of Dynamic Data Authentication techniques (DDA) in order to make the exchange a strong authentication method.
Counters are also used as a means to ensure data in the card has not been tampered with between two transactions. Transaction data are signed and encrypted using secret keys, unique to each card. As the data is encrypted in the card, skimming (illegitimately reading a contactless card from a distance) is either useless or harmless, as skimmed information does not allow to create a cloned card.
Well-known attacks like SPA (Simple Power Analysis) and DPA (Differential Power Analysis) can be conducted on a contactless card. The scientific community is ready to provide countermeasures to ensure cards are resistant to such attacks.
We are, as usual, in a permanent run between more attacks and more security measures. This is something the industry is accustomed to. But, this time, as the contactless card is adopted quicker than any other means of payment in the past, the need for explanations and public confidence is even higher.
The whole industry has to participate in these explanations and demonstrations campaigns, and to support card issuers in answering public concerns.