Cards with RFID/NFC chip technology and an EMV chip are increasingly replacing magnetic stripe cards.
In addition to access control cards, e-tickets, and car- and bike-sharing cards, NFC credit and debit cards for contactless payment in particular are conquering the market.
They allow faster and easier payment transactions.
- Customers pay with a credit or debit card with an embedded radio chip, without confirming the payment with a signature and without entering a PIN code. To pay, they only need to briefly wave the card past the side of the payment terminal (card reader), without contact. They don't have to insert a magnetic stripe card into the payment terminal.
- For transactions up to a specific predefined amount, no identification is required: payment is made without signature and/or PIN code.
- Merchants also benefit because the payment process is faster.
- In addition, paying by card with an RFID chip generally increases the average transaction amount compared with cash (higher sales).
- The costs and risks for retailers and dealers are lower. Thanks to RFID technology, less cash is in circulation. Costs, shortfalls and risks can be minimized, and security for retailers and dealers increases.
This symbol stands for NFC payment terminals for contactless payment:
[Image: logo for contactless payment terminals]
More information about contactless payment: cashless.ch.
Structure (construction) of cards with NFC tag:
On the front of cards with an NFC tag (RFID chip, RFID transponder), the following symbol is usually printed:
[Image: symbol on NFC cards for contactless payments]
A contactless card is the same size as a contact smart card in the ID-1 format: 85.6 x 53.58 x 0.76 mm.
The NFC tag (RFID chip, transponder) is inserted as an intermediate layer in the card, as the following figure shows:
[Figure: RFID/NFC radio chip layer inside an RFID/NFC card]
The built-in card chip enables encrypted transmission of data to RFID readers in its vicinity. This transfer takes place over an air interface using electromagnetic radio waves.
Contactless smart cards: ISO standards, range and frequencies
Contactless smart cards include the Close Coupling Integrated Chip Card (CICC), the Proximity Integrated Circuit Card (PICC), and the Vicinity Integrated Circuit Card (VICC).
For PICC cards, the counterpart is the PCD (Proximity Coupling Device), the RFID reader.
These cards are designed for different (graded) ranges and follow ISO standards: ISO 10536 (CICC), ISO 14443 (PICC) and ISO 15693 (VICC).
Contactless smart cards that follow ISO standard 14443 have an embedded RFID transponder. This radio chip is connected to an antenna (coil) and consists of an analog circuit (transceiver) and a digital integrated circuit (RFID chip) with a memory region. In this type of card, the antenna operates, for example, on the RFID frequency 125 kHz or 13.56 MHz. Most ISO 14443 cards use the card form factor (ISO 7810).
Example of payment terminals:
[Image: NFC payment terminal (source: www.six-payment-services.com)]
The RFID/NFC chip of credit and debit cards stores personal data and financial information, such as:
- expiration date;
- account number;
- serial number;
- card issuer.
Security and privacy:
Cards with RFID/NFC technology do allow fast, easy payment handling.
However, as soon as RFID readers are in close proximity, NFC cards send their data to them uncontrollably. This means the data on these smart cards can be read by unauthorized RFID readers from a distance, because:
- these cards often have either no encryption or only weak, inadequate encryption.
- the range of an NFC card is not limited to a specific distance; the distance also depends, for example, on the environmental conditions and the type of RFID reader.
- a commercial RFID reader or a smartphone with a corresponding app can be sufficient to access the data on the credit or debit card and to use it improperly, without your consent and without your knowledge (payment fraud).
Electronic data theft happens in seconds, e.g. in shopping centers, at airports, at train stations, at the checkouts of supermarkets and retail outlets, in waiting rooms, on the train, in the elevator, on the bus, in the subway (metro), in hotels, restaurants, bars or other (busy) places, preferably but not exclusively where crowds gather.
Data can be read without difficulty through clothes, luggage, handbags, sports bags, backpacks, purses, wallets, plastic and fabric bags, and cases.
The data that has been spied out and read (scanned, skimmed) is either misused directly (at a checkout) or used for purchases in online shops. It is also used indirectly to produce illegal digital copies and clones (again in fractions of a second).
Despite security mechanisms, a residual risk of electronic data theft and payment fraud remains (each additional encryption mechanism also increases the manufacturing costs and thus the cost of issuing a card).
In addition, there is, for example, a risk of accidental payment debits, interference between cards, and collisions.
Security code (back of your card)
The security code (CVC/CVV/CSC) on the back of credit cards is not secure either.
How easily this security code can be cracked without being in possession of the credit card was shown, for example, by the software company SySS GmbH, Germany (2012).
As practical, easy and fast as contactless, cashless payment is, the data stored on your RFID chip card is just as exposed to being read unnoticed by unauthorized third parties.
With RFID shielding products, the data stored on your RFID chip is safe from unauthorized, illegal access.
Without RFID protection, you have to trust the information provided by the card issuers and the encryption technology that was current when the card was issued (your card has a limited validity period). It is only a matter of time until a seemingly secure encryption technology is out of date and is cracked.