The financial services industry is holding up contactless cards as effective against ATM skimming attacks. Some are even calling it the death of skimming.
“The continuing drop in fraud losses is very good news for both cardholders and the industry, and indicates that the significant investment made by the European banking sector into EMV technology, as well as into anti-skimming devices at ATMs, is now really starting to pay off,” said Lachlan Gunn, EAST’s director and coordinator.
The contactless cards remove the need to insert the card, preventing skimming devices from touching them and reading the magnetic stripe information. Even more important is that the contactless transactions use a one-time value from dynamic cryptograms.
Rather than static information found on the magnetic stripe each contactless card transaction is intended to be entirely unique. This prevents a simple replay, which is what skimming attacks typically use.
It is probably most accurate to say the new technology increases the cost of skimming attacks to the point where attackers have to evolve and focus on other vulnerabilities.
Attacking the chip and the reader is one obvious new trend, especially given the increased risk of mis-configuration. Another one is that the new cards still work with older systems (backward compatibility is often like saying backdoor). EAST mentions this is a significant problem already showing up in the data.
The risk of counterfeit EMV cards being used to withdraw cash fraudulently from ATMs in parts of the world that are not EMV compliant remains high and is leading some European card issuers to implement additional security measures.
I wonder what would happen if Banks marketed less compatibility as more secure. Imagine a billboard that said “Our new secure card: because fewer ATMs might just be a good thing.” Could banks spin new technology with reduced compatibility into a positive feature? Apple certainly made a clean break to OS X…
It raises the question whether operators are making so much money from fees (Chase is actually considering a $10 fee per ATM transaction) that the costs of skimming are still buried. In other words we might be right to expect that when skimming is costly enough then backward compatibility will end.
Even then, however, configuration, tampering and supply-chain vulnerabilities will remain a problem. Contactless can help reduce fraud risk in a couple key areas (pun not intended), but it’s far from the death of skimming.