Card use in stores has started to evolve from chip and pin to wave and go. Customers are able to simply wave their card in order to complete a transaction without inputting any data or providing a signature. Customers can tap or hold a card near to the reader and pay for purchases of up to £20.
When creating synthesized payment data, a key security feature was said to be that the data could not be transmitted further than 10cm from a reader. However, a researcher from the University of Surrey has built equipment which can reliably transmit data from 45cm. The team published details of their research in the Institution of Engineering and Technology’s Journal of Engineering website on Tuesday.
“The results we found have an impact on how much we can rely on physical proximity as a security feature,” said leading academic supervisor Dr. Johann Briffa. “The intended short range of the channel is no defense against a determined eavesdropper.”
Researchers used a pocket-sized cylindrical antenna, equipment in a backpack, and a shopping trolley to pick up data that had been fabricated to behave exactly like payments card information. These kinds of items would be entirely inconspicuous in a store environment and would fail to rouse suspicion from wave and go users.
Although it is unclear how data can be used once it is picked up. Researchers have started to look at how contactless card security devices can be hacked in order to reveal payment details.