October 2, 2020
Contactless Payment: Don’t Fear the Skimmer
A longtime family friend of mine worked in the banking industry at the time when credit cards were being rolled out in Canada. In the late 1960s and early 1970s, he would drive from town to town in rural Ontario to convince skeptical bank employees that it was possible to buy groceries with a 3" x 2" piece of plastic. He tells me it was often not an easy task.
Tap technology rolled out gradually through the 2000s. Some skeptics feared that touchless technology would lead to widespread thefts. Despite some people's initial reluctance to adapt to a cashless society, the Coronavirus pandemic has forcibly transitioned many consumers to touchless payment.
Contactless payment appears to be here to stay; and now, with digital wallets available on smartphones, you don’t even need the plastic.
This past summer has transformed the term “contactless shopping” into the marketing buzzword of the year. With Covid-19 precautions remaining a huge priority for most shoppers, even the most reluctant consumers are embracing touchless technology. But what are the concerns these new converts should really be worried about?
The Old Fear
The traditional fear was of scammers lurking nearby, ready to pluck your card information from thin air. Touchless cards use radio-frequency identification (RFID) to transmit data, and criminals have been successful in making hand-held scanners or using card skimmers to intercept consumers' card information transmitted by RFID. (Roger A. Grimes, "The truth about RFID credit card fraud", CSO Online (December 19, 2017), available online.) But the prevalence of this method of fraud has always been low. Banks and credit card companies encrypt information transmitted by RFID so that intercepted data is not necessarily useful to scammers.
Mobile wallets are reported to be even more secure. They rely on near-field communication (NFC) to transmit data within a very close range. As a result, there is a much lower risk of scanners being able to get close enough to intercept data.
In addition, even if the card information is accessible to the scammer, it would only be usable if an online vendor was violating its merchant agreement and failing to take anti-fraud precautions (by requiring a valid name, address, and security code). (Ibid.)
The Payment Card Industry (PCI) Security Standards Council is a council created by credit card industry leaders including American Express, MasterCard and Visa as a form of international self-regulation. Each of the founding members shares in running the commission, and all incorporate the PCI Data Security Standards (DSS) as part of the technical requirements for their respective data security compliance programs. The PCI DSS are an example of industry security standards intended to protect your card information from abuse even if a scammer is able to intercept it.
The Real Risk: Human Error
All Canadian credit cards now have a chip on them for added security. Chip transactions require you to enter a PIN. Cards still have a (less secure) magnetic strip for use in countries without chip terminals.
Contactless payment is convenient but, as with magnetic strip technology, consumers may be their own biggest enemy. Because no PIN is required, a lost credit card or stolen mobile phone potentially gives a criminal easy access to the cardholder's account.
If you are using a card, it is useful to set a cap on the charge that can be made without a PIN to prevent thieves from racking up large bills.
If you are using a mobile wallet, your phone lock screen and app-specific passwords are the only barrier between a phone snatcher and potentially all your bank account information. Secure your phone to minimize this risk. This means no “1234” passcodes, and using different passcodes for your device and your wallet/banking apps.
In addition, the Financial Consumer Agency of Canada offers the following tips to prevent credit card fraud:
- When you get a new credit or debit card, sign the back immediately and cut up your old card.
- Keep your credit and debit cards in a safe place, and limit the number of cards you carry on your person.
- Choose PINs that are hard to guess. Pick something that you can remember, but avoid using information related to you, such as your birthday, phone number, or address. If you have to write it down, keep the paper somewhere safe and away from your cards. Change your PIN from time to time. Your PIN and your phone password should be different.
- During a transaction, keep your eyes on the payment card at all times. If you notice anything suspicious at the point of sale, report it to your credit card issuer and the business owner.
- Be smart about your personal information. Keep your mailbox secure so that people cannot steal your bank statements or replacement cards. Shred bank statements that you no longer need.
- Report lost or stolen cards to the card issuer immediately. If you cancel your card, ask the issuer for written confirmation.
It is especially important to be careful with online and telephone purchases. Ask yourself if you know and trust the recipient of your personal information.
For online transactions:
- do not submit your personal information unless you trust the site.
- ensure that the website is secure: look for “https” (rather than "http") or the padlock icon at the beginning of the web address or the address bar.
- avoid giving credit card information over email, as it isn't secure.
- make purchases only on a private device; avoid entering personal information on public (e.g. library or internet cafe) computers.
- if you have to use a public computer, delete your browser history and clear the cache when you're finished.
If it's absolutely necessary to make a purchase by phone, make sure you trust the person on the other end. Never give out your credit card information if you're in public or if someone may be listening in.
If someone calls you and requests your personal information, be careful! Ask where they are calling from. Tell them you will call them back. Find the organization's website, and call the phone number listed there.