RFID Technology in Payment Cards



Similar documents
Frequently asked questions - Visa paywave

Figure 1: Attacker home-made terminal can read some data from your payment card in your pocket

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

Credit Card PIN & PAY Frequently Asked Questions (FAQ)

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP

What Merchants Need to Know About EMV

About Visa paywave for mobile

What is EMV? What is different?

Heartland Secure. By: Michael English. A Heartland Payment Systems White Paper Executive Director, Product Development

Chip Card (EMV ) CAL-Card FAQs

OpenEdge Research & Development Group April 2015

PCI and EMV Compliance Checkup

Visa Debit ecommerce merchant acceptance. Frequently asked questions and flowchart

Consumer FAQs. 1. Who is behind the BuySafe initiative? 2. Why should I use a PIN? 3. Do all transactions need a PIN?

EMV EMV TABLE OF CONTENTS

Protecting the POS Answers to Your Frequently Asked Questions

A Guide to Contactless Cards

Mitigating Fraud Risk Through Card Data Verification

MasterCard Special Edition

YOUR BENEFITS GUIDE. Welcome to your. CIBC Classic Visa. Card

A multi-layered approach to payment card security.

HSBC Visa Debit Card. Making the most of your card. HSBC Customer Service Centre. Go to hsbc.com.au/debit

CIBC Platinum MasterCard

U.S. Bank. U.S. Bank Chip Card FAQs for Program Administrators. In this guide you will find: Explaining Chip Card Technology (EMV)

Be*PINWISE Cardholder FAQs

American Express Contactless Payments

With the Target breach on everyone s mind, you may find these Customer Service Q & A s helpful.

toast EMV in 2015: How Restaurants Can Prepare for the New Chip-and-Pin Standard

Protect Your Personal Information. Tips and tools to help safeguard you against identity theft

Merchant Services. How to help protect your business

Preparing for EMV chip card acceptance

The Adoption of EMV Technology in the U.S. By Dave Ewald Global Industry Sales Consultant Datacard Group

Payments Transformation - EMV comes to the US

Understand the Business Impact of EMV Chip Cards

CIBC Dividend One MasterCard

How Secure are Contactless Payment Systems?

Discover the benefits of being a CIBC Tim Hortons Double Double Visa * Cardholder.

Card Technology Choices for U.S. Issuers An EMV White Paper

EMV's Role in reducing Payment Risks: a Multi-Layered Approach

Emerging Trends in the Payment Ecosystem: The Good, the Bad and the Ugly DAN KRAMER

EMV and Small Merchants:

Langara College PCI Awareness Training

THE ROAD TO U.S. EMV MIGRATION Information and Strategies to Help Your Institution Make the Change

The best of both worlds Low interest and convenience.

Trends in Merchant Payment Acceptance

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

Protect Your Personal Information. Tips and tools to help safeguard you against identity theft

The Future is Contactless

FAQ on EMV Chip Debit Card and Online Usage

CIBC PETRO-POINTS MasterCard

EMV in Hotels Observations and Considerations

CIBC Dividend Platinum

Guide to credit card security

EMV and Restaurants: What you need to know. Mike English. October Executive Director, Product Development Heartland Payment Systems

To all GRSB debit and credit card customers:

FAQ Credit Card (PIN & PAY)

Card and Account Security. Important information about your card and account.

The Canadian Migration to EMV. Prepared By:

Best Practices for the Use of RF-Enabled Technology in Identity Management. January Developed by: Smart Card Alliance Identity Council

Frequently Asked Questions

EMV FAQs. Contact us at: Visit us online: VancoPayments.com

Fraud Prevention and Program Security Gord Jamieson Director Risk Management & Security Visa Canada Association

CREDIT CARD FRAUDS AND MEASURES TO DETECT AND PREVENT THEM

Changing Consumer Purchasing Patterns. John Mayleben, CPP SVP, Technology and Product Development Michigan Retailers Association

Welcome to the convenience of a Bank of Melbourne. Visa Debit Card.

Welcome to your CIBC Dividend Visa * Card

AUSTRALIAN PAYMENTS FRAUD DETAILS AND DATA

A RE T HE U.S. CHIP RULES ENOUGH?

A Study of an On-Line Credit Card Payment Processing and Fraud Prevention for e-business

Frequently Asked Questions

FUTURE PROOF TERMINAL QUICK REFERENCE GUIDE. Review this Quick Reference Guide to. learn how to run a sale, settle your batch

Visa Recommended Practices for EMV Chip Implementation in the U.S.

FOR A BARRIER-FREE PAYMENT PROCESSING SOLUTION

welcome to liber8:payment

Credit/Debit Card Processing Requirements and Best Practices. Adele Honeyman Oregon State Treasury Training Specialist

Appendix. Data Tables

Euronet s Contactless Solution

Frequently Asked Questions (FAQ) on HSBC Chip Credit Cards

Guideline on Debit or Credit Cards Usage

HSBC Premier Debit Card User Guide. 13 N Bangkok, Thailand

Secure Payments Framework Workgroup

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Mobile Near-Field Communications (NFC) Payments

New Account Reference Guide

Securing the Payments System. The facts about fraud prevention

2015 NerdWallet Consumer Credit Card Report

FOR A BARRIER-FREE PAYMENT PROCESSING SOLUTION

Transcription:

CISBC/YT Financial Crime Awareness Bulletin UNCLASSIFIED (Public Version) Inside this issue: Global/Canada 2 Credit cards 3 Debit cards 4 Remarks 5 RFID stands for Radio-Frequency IDentification. The acronym refers to small electronic devices that consist of a small chip and an antenna. The RFID device serves the same purpose as a bar code or for our purposes, the magnetic strip of a credit or debit card; it provides a unique identifier for that object. And, just as a bar code or magnetic strip must be scanned to get the information, the RFID device must be scanned to retrieve the identifying information. (www.technovelgy.com) RFID Technology in Payment Cards A US based news video regarding RFID technology and the concern over electronic pickpocketing recently circulated. Together, with a CBC news article from June 2010 regarding the technology, it caused speculation as to the validity of this as a fraud concern. Was the video clip just hyped up because a private company promoting their protective sleeves to shield these cards from potential skimming devices was featured? The purpose of this bulletin is to address the above by explaining the Radio Frequency IDentification technology (RFID) that has been implemented in credit cards in Canada. This relatively new feature of contactless payment aka Touch and Go, Wave and Pay, has been introduced by the payment card industry as a secure and convenient enhancement to expedite our daily financial transactions. Mastercard s PayPass will be 100% RFID enabled on their credit cards this year as they started in 2006 and VISA is continuing it s implementation of paywave. However, with this also comes the potential for more fraudulent criminal RFID symbol on cards activity. This bulletin was initially produced for fraud investigators but has been sanitized down to this version in order to raise awareness with the general public as we all inevitably use payment cards in some way or another. This public version of the bulletin is a compilation of both open source information and subject matter expert responses over fraud risks and privacy issues. How RFID works and Why do we have it? The embedded chip and antenna enable consumers to wave their card over a reader at the point of sale. Because no swiping or signature is required for low limit transactions, it can be almost twice as fast as a conventional cash, credit, or debit card purchase. Basically it s what the consumers wants, is what the consumers gets - convenience. It appears not only to be advantageous for consumers, but also for merchants and banks. Some studies have indicated that consumers are likely to spend January 30, 2010 electronic pickpocketing video link: http://www.wreg.com/videobeta/?watchid=8ba6f8fc-90a2-4711-90ea-1884ec348310) MasterCard: Aims to have all cards in Canada enabled with its PayPass contactless system by end of year. more money due to the ease of small transactions hence the push towards RFID. MasterCard Canada says it has seen "about 25 percent" higher spending by users of its PayPass-brand RFID credit cards. (Dubinsky, Zach. "New credit cards pose security problem" CBCNews.ca 2010-06-02).

Page 2 CISBC/YT Financial Crime Global View Major financial entities across the world now offering contactless payment systems include MasterCard, Citibank, JPMorgan Chase, American Express, KeyBank, Barclays, Barclaycard and HSBC. Visa paywave and Mastercard PayPass are examples of contactless credit cards which are widespread in US, UK and now Canada. Since its introduction in 2004, Visa paywave has provided cardholders around the world with a faster and more convenient form of payment than using cash and checks. The UK (and the rest of the world) version of the contactless applications has the capability of transacting remotely, based on the limit stored in the application unlike the North American one which has no power source of their own so card data cannot easily be accessed remotely. Canada RFID credit cards surfaced in Canada in 2006 when MasterCard started aggressively pushing its PayPass cards. Today, about 90 per cent of MasterCards in the country are RFID-enabled and the company aims for 100 per cent by the end of 2010, said Scott Lapstra, vice-president of market development for MasterCard Canada. Visa has been slower to market such "proximity cards" under its own brand, paywave in Canada. Royal Bank decided only this year (2010) to make all its Visas paywave-enabled and all newly issued TD Visa cards have the feature. MasterCard PayPass But most Visa cards in Canada, including those from CIBC and Scotiabank, don't have RFID. Both Mastercard and Visa limit contactless purchases to $50 each and have pushed to have reader terminals installed mainly in high-volume, low-price businesses like big-chain coffee shops, fastfood outlets, gas stations and grocery stores. Dubinsky, Zach. "New credit cards pose security problem" CBCNews.ca 2010-06-02. Credit Cards The RFID transactions in Canada are based on the international EMV chip standard which provides the most advanced and widely adopted cryptographic security for payments today. They are designed to offer cardholders speed and convenience, most of the time cardholders will not need to sign or enter a PIN to complete a low limit transaction. Any debit or credit card with this logo is RFID enabled: "Contactless" MasterCards and Visa cards have been available in Canada for several years, but they've only recently reached the bulk of consumers as the country's biggest banks adopt them. Recent media reports surfaced due to the concern of how secure this technology is and the potential fraud risks we may be facing in the future. Videos demonstrating how easy it is to 1) acquire an RFID card reader (via ebay, Craigslist, etc.), 2) get into close proximity with anyone in public and 3) scan for personal unencrypted information embedded in the RFID cards, are raising the issues.

Page 3 Credit Cards Pros and Cons Credit card companies are claiming the following advantages for contactless credit cards: The following disadvantages have been noted with contactless credit cards: card is faster to use - faster, convenient and less fumbling for cash cards use high secure data transmission standards Merchants can cut down on lineups which boosts average sales...studies show the average "spend" rose fifteen percent for all contactless credit card users. Safer and more secure because the card does not need to leave your possession A thief armed with a suitable reader, would be able to skim unencrypted data such as card number and expiry date and in the first generation RFID cards, the cardholder s name. Although they can t duplicate the card for purchases with this limited information, it could be used to commit ID fraud. Privacy advocates are particularly concerned about this technology; it is feared that having this much information available "in the open air" will lead inevitably to problems. VISA Canada, also responded to this issue and the following is a sanitized excerpt of what was disseminated to fraud investigators across the country: Ensuring payment security is one of Visa s highest priorities. Visa paywave cards meet all of the same standards of security used in traditional card payments. All Visa contactless transactions are based on the international EMV chip standard which provides the most advanced and widely adopted cryptographic security for payments today. Security features found on every Visa paywave card include short read range and an encrypted code that is unique to a particular transaction and changes every time the card is used. This is known as dynamic card authentication and ensures that stolen card information is useless and cannot be used to create counterfeit cards or to make fraudulent transactions. In addition, Visa has safeguards to protect personal information. Minimal account information is stored on contactless cards, which is similar to the traditional security features on magnetic stripe cards or contact chip cards. In fact, newly issued Visa paywave cards do not even transmit the cardholder s name during a transaction. Q: Can someone with a card reader stand close enough to a cardholder to steal the account or card information from a contactless card without the cardholder s knowledge? Yes, but the individual would need to get very close and would need to know the location of the cardholder s card. Further, only minimal account and information is stored on a Visa paywave card, which is less than traditional magnetic stripe cards or contact chip cards. The account information contained in a contactless payment card or device contains the same minimal personal information currently found on a traditional magnetic-stripe card or chip. Contactless transactions are processed through the VisaNet system exactly the same way as traditional cards and enjoy the same level of security protections and fraud prevention. Further, Visa paywave cardholders are protected by Visa s multiple layers of security, including Verified by Visa, CVV2, Address Verification Service (AVS), Visa s neural networks, Visa s E-Promise and Visa s Zero Liability policy, which protects all Visa cardholders from unauthorized purchases.

Page 4 Debit Cards INTERAC Association confirmed that there are currently no RFID debit cards in Canada. However in the near future, Interac Flash will be introduced as the new contactless enhancement of Interac Direct Payment. INTERAC was contacted in regards to RFID and debit cards in Canada, and the following comments were put together for this public bulletin on 2010-01-20 on Electronic Pick Pocket : Issue There have been some media stories in the United States indicating that fraudsters can steal card data from contactless enabled credit and debit cards using a small computer device positioned near the wallet/card. Message INTERAC debit cards are protected from the electronic pick pocket fraud tactic. In addition, the new INTERAC Flash contactless enhancement of INTERAC Debit is also protected against this fraud tactic. INTERAC Flash leverages EMV chip security. The con tactless transactions in the US tend not to leverage these standards. In addition, INTERAC Flash leverages RF enabled smart card technology, which is designed to protect sensitive infor mation and adheres to an ISO standard 14443. We do not use RFID technology. Finally, the IN TERAC system does not allow for card-not-present transactions. Further, given the structure of INTERAC Online, stolen cards and even PINs cannot be used to complete Internet transactions. Liability Contactless debit and credit transactions continue to be protected by the same fraud guarantee as standard transactions, i.e. financial institutions claim to be liable for any fraudulent transactions charged to the contactless cards. However, banks are not liable for the identity theft that the RFID card can encourage. A number of products are available on the market that will allow a concerned carrier of RFID-enabled cards or passports to shield their data. The most popular one used would be the protective sleeve that encases the card. It is a legitimate concern since recently, even UK RFID enabled passports were compromised. In 2008, cross-border Visa: Has 31 million cardholders in Canada but would only disclose that "several million" of those contain its paywave RFID technology. Major issuers are Royal Bank and TD. Notable nonplayers are CIBC and Scotiabank RFID enabled NEXUS passes were re-issued with the added protective card sleeves and an awareness notice.

CISBC/YT Financial Crime Portfolio Comments and suggestions are welcome for future publications. We acknowledge CISBC/YT partner agencies that have contributed to this bulletin. CISBC/YT Phone: 604-264-2727 The mandate of CISBC/YT is to be a strategically-focused organization which ensures the timely production and exchange of criminal information and intelligence among CISBC/YT member agencies. It shall provide facilities for the collection, analysis and dissemination of significant criminal intelligence to aid in combating the spread of organized crime in British Columbia, Yukon Territory and Canada. The Financial Crime Portfolio is responsible for reporting on the activities seen in BC/YT within this criminal market as it pertains to Organized Crime. Intel is gathered from all financial crime sections in law enforcement as well as Category II agencies that deal in this area... CBA, FINTRAC, CRA, BCSC, Canada Post and GPEB to name a few. Promoting inter-agency co-operation within our BC Law Enforcement community Please contact the bureau should you wish to share any information with us. www.cisc.gc.ca/cisbc-yt Remarks It appears that the main issue is that these RFID cards are openly susceptible to criminals who can skim for information that is not encrypted by using readily available card readers. The credit card number, the expiry date, and in the first generation RFID cards, the cardholder s name, are not encrypted by the credit card companies. It is true that with only this information at hand, no counterfeit cards or purchases can be made - i.e. fraudulent purchases cannot be made in person or in cards-notpresent situations (over the phone or internet as they still require the 3-digit security code from the back of the card that can t be acquired via the card reader). However, it does mean that card- holder information can be easily obtained without the card being physically taken from the cardholder. This means that there is more of a chance for Identity theft which always is followed by Identity Fraud. With this initial information from the cardholder, one can then acquire more information from the victim by calling them up ( spoof calls ), impersonating the bank and asking for them to confirm the security digits on the Potential ease of skimming data back of their card. The Canadian Bankers Association has mentioned that they have seen an increase in these types of spoofing calls this year. This trend is exactly the same as what the United Kingdom had experienced with the introduction of RFID cards a few years earlier. In conclusion, although the potential is there for individual skimming, the current debit skimming techniques and point of sale terminal thefts used by the criminals allow them access thousands of payment cards in a shorter time. Therefore, the older MO s are still more profitable and feasible than RFID skimming from one individual at a time, but that doesn t mean they won t be utilizing this method, so STAY AWARE!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information