Contactless cards not a security risk, say experts in Singapore

Despite recent HK scare, they say this payment mode is well-protected by security measures

Some contactless or "tap-and-go" cards, such as those with the Visa payWave
Some contactless or "tap-and-go" cards, such as those with the Visa payWave feature, are protected by cryptographic security, which generates different authentication codes for every contactless transaction. PHOTO: LIANHE ZAOBAO

SINGAPORE - Banking figures here have reassured customers using contactless or "tap-and-go" cards, such as payWave, that there is no security risk despite a major scare in Hong Kong.

They say this type of payment is very well-protected by security measures, and that card fraud rates here are still very low.

The Hong Kong Monetary Authority (HKMA) recalled some cards last week, after news reports said contactless cards contained more personal information than was allowed. No instances of fraud were reported.

Demonstrations by the media there showed information, including card number, expiry date and the holder's name, could be obtained from contactless cards issued by several banks, using near field communication (NFC) applications installed on mobile phones.

The HKMA ordered at least seven banks - including DBS Hong Kong and OCBC Wing Hang Bank - to recall cards. The reports are the latest in recent years to question contactless cards' vulnerability to NFC skimming, or "electronic pickpocketing".

Card numbers and expiry dates can be read from contactless cards issued in Singapore, using apps that can be downloaded for free. The worry is that the information will be used for card scams.

But contactless cards - most commonly those with the Visa payWave or MasterCard PayPass feature - have been largely fraud-free so far, Association of Banks in Singapore director Ong-Ang Ai Boon told The Straits Times.

"The overall credit card fraud rate is about 0.02 to 0.03 per cent, of which 80 to 90 per cent of the cases are card-not-present situations, usually during overseas online transactions. On this front, we advise consumers to shop online only on 3D-Secured websites."

3D Secure refers to "three-domain" security, an online authentication protocol covering the merchant, card issuer and the Internet.

Visa country manager for Singapore and Brunei Ooi Huey Tyng said that there has been no electronic pickpocketing fraud case reported since payWave cards were rolled out in Singapore, and a mandate was introduced in Asia in April this year to ensure holder's name transmission is not possible on newly issued contactless cards.

"(Electronic pickpocketing) is complex to execute in reality, and the data contained on the cards offers very limited potential for fraud," Ms Ooi said.

For NFC pickpocketing to work, the phone would have to be right on top of the card, and the three-digit CVV security number would not be detected in any case.

PayWave cards are also protected by cryptographic security, which generates a different authentication code for every contactless transaction, along with VisaNet at the back-end, which analyses transactions in real time for possible fraud.

A MasterCard spokesman said its cards do not contain holder's names in its contactless application on chips, adding that data captured by an NFC app is not enough for card forgery or online transactions.

Ms Grace Cheng, who co-founded credit card adviser GET.com, added: "Visa and MasterCard holders are also protected by a $100 cap per contactless transaction."

In any case, HKMA's concerns are not applicable in a local context, Mrs Ong said. "As far as we see, it is a matter of personal data protection - a matter of privacy, not security. That is a mandate by HKMA, but there is no similar requirement in Singapore yet," she said.

When contacted, the Monetary Authority of Singapore (MAS) did not comment on whether it shares HKMA's concerns, but stressed existing measures have proved effective. It added: "MAS will continue to monitor the situation, and if necessary, consider additional measures to protect consumers."

No further enhancement to credit card security is being discussed, Mrs Ong said, even as the financial industry continues to work towards creating a cashless consumer economy.

Ms Cheng said: "The tap-and-go payment makes small purchases a breeze for consumers, and also helps raise business productivity by reducing customer servicing time and manpower reliance.

But while card security is tight, "we strongly recommend that consumers stay vigilant and maintain a good habit of checking their credit card statements regularly.''

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on October 22, 2015, with the headline Contactless cards not a security risk, say experts in Singapore. Subscribe