October 23, 2015 8:00 pm
Updated: October 25, 2015 5:15 pm

Tap and pay cards: They’re fast and convenient but are they more secure?

WATCH: Are "tap and pay" cards putting your private financial information at risk? Anne Drewa investigates.

A A

“I refuse to use tap and pay.”

Traci Ward walked away from her contactless card because she feels the system is not secure. As soon as she received one in the mail, she went straight to her bank and cancelled it.

“I didn’t ask for this. I want it taken off so I won’t use it. I’m sticking with the chip.”


Story continues below

Most major Canadian banks and credit unions have rolled out contactless credit and debit cards across the country. They began issuing them in 2011 but the cards are starting to become widespread. If you check your wallet, you probably have a credit or debit card that uses radio-frequency identification (RFID) for making contactless payments.

“We’ve experienced a 150 per cent year-over-year growth in Interac Flash from 2014 to 2015,” according to Teri Murphy, senior manager, corporate and stakeholder relations of Interac Association.

Instead of entering your pin or signing a receipt, you just place the card on the terminal and tap. It’s convenient for the merchant and consumer, but it may make it easier for thieves to get your credit card information. Despite the convenience, these types of credit cards could also make you vulnerable to being skimmed without it ever leaving your pocket.

According to Chester Wisniewski, a senior security adviser at the cyber security company Sophos, stealing someone’s credit card information is “as simple as loading an app onto your Android Smartphone and tapping it.”

The fraudster doesn’t have to physically steal your credit card to make an electronic pickpocket. Wisniewski used his Android phone to demonstrate to Global News just how easy it is to make an electronic pickpocket in just a matter of seconds. The credit card information, according to Wisniewski, can be read through wallets, pockets and purses.

The app, available on Android phones, allows the phone to read the RFID chip on a credit card. Theoretically, if the fraudster is standing near you they could pick up the cardholder’s name, credit card number and expiry date.

“I can tap the card and read the 16 digits that are on the front and I can also read the expiration date that’s on the front. That can be enough to make purchases at some online websites,” said Wisniewski. He adds big retailers like Amazon, however, “always ask for that secret number on the back.” The app does not allow the would-be crook to pick up the three digit security number on the back of the card.


WATCH: Chester Wisniewski shows Global BC’s Anne Drewa just how easy it is to steal credit card information with an Android app.

Read More: Smartphone app that allows credit card skimming ‘real risk’ to consumers: experts

If you’re concerned, but enjoy the convenience of these cards, Wisniewski suggests investing in a protective sleeve with special shields, which can stop the radio frequency from being read by thieves. Those typically run for around $20 or less.

Between the chip, tap and pay, and magnetic strip card, Wisniewski says the chip is the safest and most secure. The tap and pay card is still more secure than magnetic strip cards according to Wisniewski. He says the advantage is tap and pay has a computer chip used for the transaction, but the magnetic strip has static information encoded in it. If the magnetic strips are stolen, a new card can be made easily, but it’s difficult for a criminal to duplicate a contactless card. He adds that an advantage to tap and pay cards for the bank is consumers will likely use their card more often.

“That’s probably why [the banks] are willing to take the risk of fraud in turn for you choosing visa instead of cash.”

Consumers are currently limited to making up to $100 per transaction with the tap and pay cards. The card holder receives the benefit of zero liability in the event of unauthorized use.  Additional security on Interac Flash is that every time you accumulate $200 worth of charges it asks you to insert your card and verify your PIN.  Interac Flash debit cards, unlike credit cards are protected against skimming, counterfeiting and fraud, including electronic pickpocketing. The information on an Interac debit card cannot be unwrapped or duplicated to produce a counterfeit card or transaction.

If time is money, then contactless cards are helping merchants cash in. Consumers can quickly make a transaction, allowing the business to process the payment quickly. Typically the lineups move faster, but since no identification is required, fraudsters can still take advantage of contactless payments.

Payment methods are constantly evolving. Murphy believes Interac Flash is an enhancement of Interac Debit, but in the future she says “we might see more deployment of mobile payments.”

© 2015 Shaw Media

Report an error

Comments

Want to discuss? Please read our Commenting Policy first.

Global News