Is your ATM Card WiFi enabled? Are Contactless ATM Cards Safe? 3 Ways to Protect Yourself Against Contactless Payment Crimes and Scams

Cyber Secure India

The novel idea of using a card for purchases was described in 1887 in a utopian novel “Looking Backward” by Edward Bellamy. Bellamy used the term credit card eleven times in this novel, although this referred to a card for spending a citizen’s dividend from the government, rather than borrowing, making it more similar to a debit card.

The present form of Bank Card that we see in our wallets today came up as a concept through the “Charge Card” scheme. These cards had to be charged with currency, and payment for goods purchased at selected stores was deducted from the balance held on the Card. In 1914, Western Union opened the first “Charge” account for its customers and provided them with a paper identification for it. Many larger department stores also opened ‘store charge accounts’ for their customers with paper identification, enabling the customer to make purchases on credit provided by the store. In 1950, Diners Club began opening ‘Charge Accounts’ with paper identification cards, directed at the travel and entertainment markets. The novel feature of these Cards was that the ‘Charge Card’ could be used in a large number of stores. These stores had to enter into an agreement with Diners Club and pay a fee to the company to avail the facility of the ‘Charge/Credit Card’.

As the concept of the “Charge Card” became more and more accepted, many more Non-Banking and Banking entities jumped into the business of issuing ‘Charge Cards’ that also provided a credit facility, which could be paid up later. In 1957, American Express also entered the field, and in 1959 it was the first company to issue embossed plastic charge cards to consumers (as per the ISO/IEC 7810 standards). Then came the concept of “Credit Cards” and the availability of “Point of Sale” (PoS) Machines, attached to dial-up internet lines on telephone cables. The first Automatic Teller Machine, or ATM, was set up in June 1967 on a street in Enfield, London, at a branch of Barclays Bank. These Machines could dispense cash to holders of the Plastic Cards. A British inventor named John Shepherd-Barron is credited with its invention. The machine allowed customers to withdraw a maximum of GBP 10 at a time.

The Plastic Card has now penetrated far enough to become the primary means of Banking and is seen as a driver of the steadfast growth of the Digital Economy of any country, with the added convenience of not visiting a Bank Branch. The advent of the Digital Wallet and the wide acceptance of Crypto Currency have now taken over from the ATM Card. The availability of Global Payment Gateways like ‘Amex’, ‘Master’, ‘Visa’, Europay, etc. (now RuPay) provided the linking of Banking Accounts and Cash/Credit Accounts, thus allowing the use of the ATM Card across Bank ATMs and all forms of PoS machines at varied Merchandise Stores.

The Magnetic Strip based ATM Cards

The earlier ATM Cards (Debit, Credit or Pre-Paid Cards) carried a Magnetic Strip that held the details of the Owner. The strip was swiped/read on a PoS Machine or ATM to establish back-end connectivity to the Core Banking/Account database and perform a transaction, especially a Purchase (on Sale) or Withdrawal. The transactions were then summarised and a monthly/periodic statement was sent to the customer for payment or accounting. Holders of Magnetic Strip based cards were required to sign the transaction slip, and the seller was required to tally the purchaser’s signature with that on the ATM Card (signature strip).

Over a period of time, malicious elements devised a methodology that used skimming techniques to steal cards. This method allowed the hacker to read the information on the magnetic strip and then clone the card, or read the details on the card or magnetic strip.

Do you know why your ATM Card has its details embossed so that they stand out from the surface?

An embossed card is an electronic payment card with imprinted or stamped payment card details that can be felt above the card’s surface and used for taking a physical impression. Embossed details on credit cards and debit cards typically include the cardholder’s name, the card number and the Expiry Date (but never the CVV Number). These details enable an electronic transaction where there is no internet connection or no through-connectivity to the account database. One may remember using an embossed card on flights, where the purchase is made using equipment that takes carbon impressions. These impressions may be made with what is known as a ‘knuckle-buster’ or ‘zip-zap’ device, which creates a carbon copy of the embossed information on a specific form of paper provided by the Bank or the Payment Aggregator. Even today, Merchants are allowed to use embossed card devices when electronic terminals are down or when a card is damaged. The imprint paper is then processed in the back end, at the electronic processing centres, to deduct the money.

Magnetic Strip based Card with PIN

To address the problems encountered in provisioning and using the Magnetic Strip based card, the concept of entering a PIN on the PoS to complete a transaction was then added.

How do Chip-and-Pin Cards work vis-à-vis Magnetic Strip based Cards?

To address the problems posed by the readable Magnetic Strip based ATM Card, the industry came out with Chip-and-Pin Cards. Here, the ATM Card was embedded with a ‘Chip’ holding encrypted information, and this Chip could be read by a reader over an encrypted channel. ‘Two-factor authentication’ was available through a ‘4-Digit’ PIN, to be remembered by the ATM Card Holder and entered when prompted by the PoS Machine. Chip-and-Pin ATM Cards were integrated with ATM Machines as well as the PoS Machines at Merchandise Stores. Recent Chip-and-Pin Cards are now available with a ‘6-Digit’ PIN for enhanced security, offering 10,00,000 numeric combinations (whereas the earlier 4-digit PIN allowed 10,000 combinations), making it difficult for a cracker to guess the PIN.

From a customer’s perspective, using a Chip-and-Pin card is more user friendly than the older Magnetic Stripe cards. When making a purchase, Chip-and-Pin cardholders simply insert the card into the merchant’s PoS terminal, so that the microchip can be read by the machine. The PoS terminal then prompts them to enter their PIN in order to authorize the transaction. In contrast, magnetic stripe cardholders were required to swipe their cards through the PoS terminal and then sign a printed receipt. The Security Features of the Chip-and-Pin card also included self-destruction of the data on the chip when the chip was subjected to attempted tampering. The chip on a particular card was also difficult to replicate, which was built in as a Security Feature. Through these measures, Chip-and-Pin cards reduce the risk of credit card theft. After all, with magnetic strip cards thieves could connive with PoS owners and make transactions by providing fake signatures, or simply authorize transactions using cards with skimmed magnetic strips. The Chip-and-Pin card also offered additional security by means of punching in a PIN, which only the owner was aware of. The Owner was also able to change the PIN, either through a Tele-Authentication mechanism or through the Web-Services which the Banks offer.

Contactless or WiFi enabled Credit/Debit Cards

Post year 2015, the market started getting cards with tag lines such as “tap and go”, “tap to pay” or “The Card Stays in your Hand”. This was the advent of the Contactless or WiFi enabled Credit/Debit Cards. If your card has the “WiFi” symbol on it, then you hold a “Contactless Card”. A contactless card uses RFID technology to let you hover or tap the card over a Card Reader terminal, thereby enabling a contactless transaction. The card emits short-range electromagnetic waves containing your credit card information, which are captured by the point-of-sale (PoS) system and processed to complete the transaction.


“Contactless payment” is a no-touch mode of payment in which a “Contactless or WiFi Enabled ATM Card” (a credit, debit or gift card) is used on a Point-of-Sale (PoS) system that is embedded with the essential secure technology. Contactless-equipped cards use Radio Frequency Identification (RFID) technology and Near-Field Communication (NFC) to process transactions where possible. The “Contactless” feature is in addition to Chip-and-Pin: when a user chooses to use it, the Antenna in the ATM Card uses NFC over an encrypted WiFi channel, the card is read by the PoS machine, and the transaction completes without a PIN being punched in. Here again, the chip in the ATM Card allows you to “hover” the card or bring it into “proximity” instead of having to “insert” it.

Are Contactless Payments and the Contactless Cards secure?

The specific feature of “Contactless Cards” is that the card need not be handed over to the PoS Operator. The Card Details printed on the Card can also be masked, and need not be seen by the handler. The card is not subjected to physical scanning by insertion, which adds security, especially against cloning attempts.

During the Pandemic, the card turned out to be a boon, as handling was restricted and the card was touched only by its owner. This ensured that any virus or infection was not accumulated or transported, thereby increasing safety against transmission and infection.

The threat to these “Contactless Cards” should also not be neglected. There have been crimes where criminals have held PoS or Reader Machines against bags or back-pockets to carry out a ‘Consentless’ read and enable a transaction (as this does not require punching in a PIN).

The Reserve Bank of India (RBI) has recently announced that the contactless transaction limit be maintained at Rs 5,000 per transaction as a cap, to avoid large losses to card holders. Yet there is no limit on the number of transactions. “Contactless Cards” thus come with their advantages and disadvantages. The chances of crime or scams through Contactless Cards cannot be ruled out.
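The gap noted above, a Rs 5,000 cap per transaction but no cap on the number of transactions, is something a cardholder or issuer can watch for in transaction records. The following is an added example, not part of the original advisory: it flags bursts of PIN-less contactless payments that add up quickly. The record layout, the 30-minute window and the Rs 10,000 threshold are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

PER_TXN_CAP = 5000               # Rs; per-transaction cap stated in the text
WINDOW = timedelta(minutes=30)   # assumption: how close together counts as a burst
MAX_PINLESS_TOTAL = 10000        # assumption: PIN-less spend tolerated per window

# Constructed sample records: (timestamp, card id, amount in Rs, entry mode)
SAMPLE = [
    ("2024-01-05 10:02", "card-A", 450, "contactless"),
    ("2024-01-05 18:40", "card-A", 4900, "contactless"),
    ("2024-01-05 18:47", "card-A", 4800, "contactless"),
    ("2024-01-05 18:55", "card-A", 4950, "contactless"),
    ("2024-01-05 19:10", "card-A", 12000, "chip_pin"),
    ("2024-01-05 11:00", "card-B", 300, "contactless"),
    ("2024-01-05 11:20", "card-B", 250, "contactless"),
]

def flag_pinless_bursts(records, window=WINDOW, max_total=MAX_PINLESS_TOTAL):
    """Flag cards whose contactless spend inside a sliding window exceeds
    max_total; largest_rs shows whether each payment stayed within the cap."""
    by_card = {}
    for ts, card, amount, mode in records:
        if mode != "contactless":
            continue  # PIN-verified payments are not part of this risk
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_card.setdefault(card, []).append((when, amount))
    alerts = []
    for card, txns in by_card.items():
        txns.sort()
        start, running = 0, 0
        for end, (when, amount) in enumerate(txns):
            running += amount
            while when - txns[start][0] > window:  # drop payments older than the window
                running -= txns[start][1]
                start += 1
            if running > max_total:
                burst = txns[start:end + 1]
                alerts.append({
                    "card": card,
                    "at": when.strftime("%Y-%m-%d %H:%M"),
                    "count": len(burst),
                    "total_rs": running,
                    "largest_rs": max(a for _, a in burst),
                })
                break  # report the first breach per card
    return alerts

if __name__ == "__main__":
    for alert in flag_pinless_bursts(SAMPLE):
        print(alert)
```

On the sample data only card-A is flagged: three payments within fifteen minutes, each under the Rs 5,000 cap, together well above the assumed threshold.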

3 Ways to Protect Yourself Against Contactless Payment Crimes and Scams

  1. Where you store the Cards and their physical security: The Storage and Handling of “Contactless Cards” need to be done with caution. The fact that the card can come in contact with a PoS without consent is a threat. A PoS Machine brought, with malicious intent, close to a Card held in a bag, wallet or pocket is a matter of concern. That a “Contactless Card” transaction can be completed without punching in a PIN is also a matter of concern. The Card does provide a lot of convenience, but it also has its own risks.
  2. Invest in an RFID-Blocking Wallet: Contactless Cards also need to be protected from ‘Consentless Card Reading’. There are Carry Pouches and Bags which block the Card from being read over the WiFi or RFID. One can purchase them and carry the card in them. The card can then be used only when it is out of the RFID-Blocking container.
  3. Use the Banking App that allows management of the Contactless feature: A ‘Contactless Card’ issued by a Bank should also be managed through a Bank-provided App (for Mobiles). Insist on an App from your Card Provider that allows you to manage the “Contactless Card” features, like ‘setting of monetary limit per transaction’, ‘disabling of the WiFi’ or ‘allowing management of limit on the WiFi based transaction’, etc.