Technical Article - Can RF Technology Effectively Prevent Credit Card Fraud?

Publisher: technology78 | Latest update time: 2019-07-03 | Source: 电子创新网 | Keywords: RF

One good thing about Target’s massive data breach is that it has taught people that even the most robust security systems can be hacked. Target, by all accounts, was a classic example of a multi-layered system whose defenses outstripped the already stringent safeguards required by Visa and MasterCard. But the hackers got in anyway, sparking an immediate outcry about why credit card transactions in the U.S. are so insecure, and calls for contactless cards that don’t require physical contact like “swiping” through a reader. To quell the outcry, Visa, MasterCard and American Express have been insisting that retailers install smart card readers by October 2015 or be held solely responsible for fraud losses.

 

After all, smart cards (cards with embedded ICs that contain encrypted information and secure processing capabilities, but that still require physical contact with the reader) have been widely used in developed countries since 1983 and have greatly reduced theft. It took that long for the United States to get here, and although fraud cost retailers and banks more than $12 billion in 2013, absorbing those losses has obviously been cheaper than the cost and complexity of updating retail POS systems. But the Target hack opened Pandora's box, and even if the cards themselves were not the tool used to attack Target, and the information obtained was likely encrypted using a 128-bit key (and therefore useless to hackers), the trend towards more advanced payment technology is unstoppable.

 

But even a big step toward widespread smart card use won’t bring retail into the 21st century, as technology evolves. Today’s standard is contactless smart cards that use wireless communication, which doesn’t require a physical “swipe” between the card and the reader, and smartphone-based near-field communication (NFC) technology that eliminates the need for physical cards altogether. But a key fact rarely mentioned in the furor over the Target breach is that there was nothing wrong with the cards themselves.

 

The problem isn't the cards

 

The criminals who attacked Target installed malware on Target store POS terminals, using a "memory crawler" (memory-scraping) tool to grab data temporarily stored on the terminals during transactions. However, the malware reached the company's terminals through Target's web server, which can grant hackers access to those terminals. Once installed on a terminal, the malware set up its own control server on Target's network and stored all the stolen data in Target's own data repository until the hackers uninstalled it.

  

Of the more than 40 antivirus tools Target used to scan its network for malware, none detected it, or flagged it as malicious after finding it. The software, called BlackPOS, can be purchased on cybercrime forums for about $2,000 and is designed to bypass firewalls and install on POS terminals. So, in simple terms, the thieves entered from the "back end" rather than the front end of the POS terminal, and the corporate server was the point of entry, not the POS terminal.

 

All POS terminals collect data, whether or not they require contact to swipe. The question is: What makes contactless cards more secure than standard cards? And will they make a big difference in credit card theft? For a system like Target's, it probably won't make much of a difference, but for most of the more common terminal thefts, it would certainly be a big improvement over current systems, since thefts that target the terminals themselves are far more frequent. To illustrate where the U.S. stands in terms of payment security, let's look at the current viable alternatives to magnetic stripe cards—smart cards, contactless cards, near-field communications, and, unlike the previous three, RFID.

 

Not so smart option

 

In a passive RFID system (the most common type), the card reader transmits a weak signal that is captured by a loop antenna on the card (Figure 1), which is calibrated and uses the tiny power generated to respond to the card reader's query and identify the user. The control system matches the identity code with information in a database for authentication. In this regard, RFID and contactless payments have two basic things in common: both use wireless technology, so no physical connection is required between the POS reader and the target being read, and both combine ICs and memory for data storage. But their similarities end there, and the differences are more numerous, such as:

 

Passive RFID tags are very cheap (usually less than 10 cents), so they are ideal for large-scale tracking of anything that can have an RFID tag placed or inserted. Active RFID tags have batteries inside so they can send bursts of signals, but they are much more expensive and are not widely used.

 

RFID tags have little "IQ," whereas both contact and contactless "smart" cards have significant security features, including secure microprocessors, memory and cryptographic processing capabilities.

 

The distance between an RFID tag and a reader can be from about 15cm (passive) to 192m (active), whereas for security reasons contactless cards can only be read from a distance of about 0.6m.

 


Figure 1: RFID tags use a minimal number of components, the largest of which is the loop antenna that captures the weak signal from the reader.

     

RFID has naturally moved into applications where its strengths are an advantage, such as passports that include a photo of the holder. In 2005, Wal-Mart launched a program requiring its top 100 suppliers to attach RFID tags to boxes and pallets of goods shipped to its distribution centers, a program that was later expanded to all suppliers. The company reports that out-of-stock items with RFID tags are replenished three times faster than before the program was implemented. The U.S. Department of Defense and many other companies have followed suit, and today passive RFID technology is widely used in many industries.

    

In short, while RFID systems are ubiquitous in tracking applications, they are not smart enough and have limited security features, so they cannot be used for transaction processing except in a few cases.

 

Smart Cards

 

Smart cards (Figure 2) must be mentioned here because they were the first cards designed for transaction processing to overcome the security limitations of "dumb" magnetic stripe cards. Smart cards provide important security features, including active cryptographic authentication using symmetric DES (Data Encryption Standard), 3DES (Triple DES), or public key RSA cryptography (key lengths up to 1024 bits).


Figure 2: Generic smart card showing contacts for accessing internal electronic devices

 

Smart cards use an embedded IC containing memory and a microprocessor, with eight exposed metal pads that terminate the DC power supply, the reset signal from the POS reader, clock signals, ground, and serial I/O. The onboard processor (currently typically a 32-bit RISC processor running at up to 32MHz) executes instructions, while the controller manages the flow of data to and from the card and reader. Smart cards also contain three types of memory: ROM for permanent storage of instructions, RAM for temporary storage, and E-PROM for running application programs.
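The difference between static magnetic-stripe data and the active cryptographic authentication described above can be shown with a challenge-response exchange; this is an added example, not code from the original article. HMAC-SHA256 from the Python standard library stands in for DES/3DES, and the `SmartCard` and `Verifier` classes and the card ID are hypothetical names constructed for illustration.

```python
import hashlib
import hmac
import secrets


class SmartCard:
    """Hypothetical card: the key never leaves it, only MACs of challenges do."""
    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    """Hypothetical issuer/terminal side holding the matching symmetric keys."""
    def __init__(self):
        self._keys = {}      # card_id -> key
        self._pending = {}   # card_id -> outstanding one-time challenge

    def enroll(self, card_id: str) -> SmartCard:
        self._keys[card_id] = secrets.token_bytes(32)
        return SmartCard(card_id, self._keys[card_id])

    def new_challenge(self, card_id: str) -> bytes:
        self._pending[card_id] = secrets.token_bytes(16)
        return self._pending[card_id]

    def verify(self, card_id: str, response: bytes) -> bool:
        challenge = self._pending.pop(card_id, None)  # each challenge is single-use
        key = self._keys.get(card_id)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    verifier = Verifier()
    card = verifier.enroll("card-001")                 # constructed card ID
    captured = card.respond(verifier.new_challenge("card-001"))
    genuine_ok = verifier.verify("card-001", captured)
    verifier.new_challenge("card-001")                 # next transaction, fresh nonce
    replay_ok = verifier.verify("card-001", captured)  # earlier response reused
    clone = SmartCard("card-001", secrets.token_bytes(32))  # copied ID, not the key
    clone_ok = verifier.verify("card-001", clone.respond(verifier.new_challenge("card-001")))
    return genuine_ok, replay_ok, clone_ok
```

A magnetic stripe returns the same bytes on every read, so a captured copy is indistinguishable from the card; here the response is bound to a fresh challenge and to a key that is never transmitted, so both the replayed response and the keyless clone are rejected.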

 

Contactless Cards

    

Contactless cards retain the components and security features of the smart cards described above, but they replace the electrical contacts with radio frequency functions similar to those in RFID, so they do not require physical contact with the POS card reader. They also add a security measure of their own: a PIN is not required for every transaction, but after a certain number of transactions the card reader will require the user to enter a PIN to maintain security.

    

There is also a limit on the amount per transaction, which is currently quite low. Contactless cards were first used for electronic ticketing in South Korea in 1995, and many people in the United States may remember the Speedpass system deployed by Exxon in the late 1990s, which is still in use at many Exxon gas stations today. Since then, MasterCard, Citibank, JPMorgan Chase, American Express, and many other organizations have begun to adopt contactless technology. Current systems using contactless technology include Visa's PayWave, American Express's ExpressPay, and MasterCard's PayPass system.

 


About the Author

 

Barry Manz is president of Manz Communications, Inc., the technical media relations agency he founded in 1987. He has worked with more than 100 companies in the RF, microwave, defense, test and measurement, semiconductor, embedded systems, optical, and other markets, and has written articles for print and online trade publications, as well as white papers, application notes, seminar papers, technical reference guides, and web content. He is a contributing editor to the Journal of Electronic Defense, editor of Military Microwave Digest, co-founder of MilCOTS Digest magazine, and editor-in-chief of Microwaves & RF magazine.

 

