5 Things To Know About Contactless Payment

Contactless payment, also known as NFC or near field communication, is a technology that allows electronic devices to communicate wirelessly. In the case of a mobile wallet application, those devices would typically be a mobile phone and a point of sale terminal at a checkout counter. (NFC has other uses beyond credit card transactions: it can integrate with hardware—to unlock a door, for example—or it can activate software.)

Soon enough, using your smartphone as a credit card will be commonplace. By 2015, mobile contactless payments, in which you pay by holding your phone near a payment terminal, are expected to have increased by 1,077%.

Contactless payments are a faster, more convenient alternative to cash when making small purchases at fast food restaurants, convenience stores, and transport terminals. They are also ideal for remote or unattended payment situations, such as vending machines, road tolls, or parking meters. So far, I haven’t seen a report of bad guys exploiting contactless payment systems.

There are five facts you should know about contactless payment:

  1. Tens of millions of people use contactless technology every day—in passports, identity cards, and transit fare cards for secure, fast, convenient transactions.
  2. These transactions are protected by multiple layers of security, which protect both retailers and consumers.
  3. Some of these security features are incorporated within a card’s microprocessor chip, while others are part of the same networks that protect traditional credit and debit card transactions.
  4. Regardless of your payment method, it is still essential that you check your bank statements regularly for unauthorized transactions.
  5. While contactless payment has been deployed in numerous settings, it is not yet available everywhere. So, assuming that you prefer not to carry large sums of cash, you’ll still need to carry a traditional credit card or, if you are traveling outside of the U.S., an EMV card.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Travel Smart With EMV Technology

Frequent fliers accustomed to traveling internationally for business are helping drive demand for EMV cards within the United States. Business travelers who have found it increasingly difficult to use their magnetic stripe cards while abroad are now requesting that American banks provide EMV, or chip and PIN cards, which are used more commonly in Europe and around the world.

“EMV” refers to Europay, MasterCard, and Visa, three financial service corporations that collaborated to establish a global standard for secure, reliable, and consistent credit and debit card transactions. These cards are also called “chip and PIN” cards because they incorporate an embedded microprocessor chip and require a personal identification number for authentication. These security measures make chip and PIN cards far more secure than the magnetic stripe cards that are standard in the United States, since the magnetic stripes containing sensitive financial data are vulnerable to skimming at ATMs and point of sale terminals. In Europe, chip and PIN technology has significantly reduced the potential for fraud in transactions where the credit card is not physically present.

JPMorgan Chase began issuing cards with embedded microprocessor chips last year in response to requests from cardholders who are frequent international travelers. And more major card issuers have followed suit by incorporating EMV technology. American Express has announced plans to release chip-based cards in the United States, as part of a “roadmap to advance EMV chip-based contact, contactless and mobile payment for all merchants, processors, and issuers.”

Most of the EMV-based cards offered in the United States are chip-and-signature, rather than chip-and-PIN, due to differences in the way payments are processed. Nevertheless, these advances in card technology are a positive step, so thank you to business travelers for pushing banks to incorporate EMV technology and making overseas travel more convenient and more secure.


Mobile Security Apps and Tips

Nearly three-quarters of Americans have never installed any type of data protection or security software on their mobile devices, leaving themselves completely open to data loss, viruses, and malware. 72% of us, to be exact, have unsecured smartphones, even as they take on an increasingly important role in our digital lives.

Update your OS: The expanding selection of mobile devices results in more complex operating systems and applications, which ultimately increases attack opportunities. One hopes that, as criminal hackers and security researchers expose new vulnerabilities, OS manufacturers will roll out timely updates to fix flaws.

Most OS updates require a USB connection to your Mac or PC and a desktop application that bridges the connection between your device and the manufacturer’s website. Newer OS updates can sometimes be downloaded directly to a phone through a Wi-Fi connection or your carrier’s network.

Update your applications: Just as an operating system can have a security or privacy vulnerability, so can an application. Most applications require functionality updates in order to remain compatible with OS updates. Updating an application should be fairly straightforward. Apps can usually be updated from the phone by accessing the official app store through the carrier’s network. Depending on the size of the download, a Wi-Fi connection may sometimes be necessary.

Lock your mobile device: 4-digit PINs for iPhones, or pattern recognition for Androids, are the current standard security measures. These flimsy defenses need to be updated to a more secure alternative, or at least a longer alphanumeric string, especially for phones used for business purposes.

A very high percentage of owners lock their devices with a short PIN, and may be unaware of the alternatives to this bare minimum, such as a “non-simple” security option on the iPhone. And most PINs are weak as well as short. Five basic combinations (“1234,” “0000,” “1111,” “2580,” or “0852”) make up more than 10% of all PINs.

Install antivirus protection: Just like on a PC, mobile antivirus products should provide real-time protection against viruses, worms, spyware, Trojan horses, and battery-sapping malware. Adequate mobile antivirus protection guards against threats that originate via email, instant messaging, and Internet downloads. It detects data received from multiple entry and exit points, including email, instant message attachments, Internet downloads, SMS, MMS, WiFi, and Bluetooth.


Watch for New Attacks Aimed at Mobile Devices

A mobile device is an indispensable extension of your life, containing some of your most private conversations and confidential information. It’s your phone book, email, photo album, social life, and even your wallet, all rolled into one device. Chances are if you own a smartphone or tablet, it is connected to your money or financial accounts. For many, it’s like a right hand (or in my case, left hand), so it’s essential to secure your device and the information it holds.

The phone is moving in to replace the PC for the next generation. Carriers are increasing network speeds, cutting download time in half, and new phones have capacities of up to 64 GB, which is more hard drive space than my three-year-old laptop.

Software application developers are responding to this shift by focusing primarily on mobile devices, with PCs demoted to a secondary consideration. And as with any major transition to a new technology, the uncertainty and newness foster a perfect opportunity for scammers to launch attacks.

In McAfee Labs’ report, “Securing Mobile Devices: Present and Future,” Dr. Igor Muttik states, “Despite steady progress in securing desktop computers—using safer hardware, operating systems, and applications—malware is not going extinct. With today’s explosive proliferation of smartphones, tablet computers, and other mobile devices, we have to wonder whether our pocket devices can also be secured. We might assume from our extensive knowledge in protecting desktop computers that the new wave of mobile hardware should be relatively secure because we shall benefit from the lessons we have already learned.” But so far, many have neglected to consider the security of their mobile devices.

As new tablets and smartphones are released, along with thousands of new mobile applications, hackers are working to create bugs and viruses that modify the legitimate software industry’s processes. The burgeoning ubiquity of these mobile devices offers criminals the same sorts of possibilities today that they found in PCs several years ago.

Only download mobile payment applications from a reputable app store. Check user reviews of the app and make sure to read the app’s privacy policy to see what data of yours it accesses and shares.

Don’t do any mobile transactions over an unsecured Wi-Fi connection. It’s much more secure to use your mobile data network.

Keep your mobile software current. This includes the latest updates for your operating system, mobile browser, and mobile security software.



Mobile Payment Update: Who Will Take the Lead This Summer?

As summer heats up, so does mobile payment – a hot topic among major credit card companies, mobile carriers, and mobile manufacturers.

First, to give you some perspective, let’s cool down and cite some statistics from November of last year, when “Cyber Monday” was the most successful ever and mobile purchases skyrocketed on Black Friday. U.S. shoppers made nearly two and a half times as many purchases through eBay Mobile on Black Friday 2011 compared to 2010, U.S. mobile sales were up 234% overall, and PayPal Mobile reported a global increase of 516% from Black Friday 2010 to 2011. Naturally, marketers and advertisers are now positioning themselves for a 2012 “Mobile Tuesday.”

This spring, at the London 2012 Olympics, Samsung introduced a new mobile payments system in collaboration with Visa. Near-field communication technology is taking a leap forward in the form of the Samsung GALAXY S III with mobile contactless payments. With Visa’s payWave service, users can pay for a purchase by tapping a button on the phone and then holding it to a contactless payment terminal.

Meanwhile, Wired reports that Isis, a mobile payment system developed by AT&T, T-Mobile, and Verizon, has reached agreements with a number of major retailers including Coca-Cola, Foot Locker, and Macy’s to implement their system in stores nationwide later this year. Google Wallet works at hundreds of MasterCard terminals, found in locations like Macy’s, Toys “R” Us, and Old Navy, but for now, the service is only available through Sprint, on four devices (not including the iPhone). And now, Apple has come up with Passbook, an elegantly simple new app for iOS 6 that works with retailers’ existing apps and QR codes rather than NFC technology.

It’s tough to say which will come out on top. We’ve been there before – remember Betamax versus VHS and HD DVD versus Blu-ray?


“BYOD”? Mobile Security Tips for Small Businesses

Many employees have come to expect that they should be able to use personal smartphones and other mobile devices at the office. This creates problems for IT managers. A company’s IT staff may have a solid grasp on company-issued laptops, desktops, and even mobile phones, but it is almost impossible to control the results when employees begin connecting various types of personal devices to the company’s network. When you get that brand new Droid, load it up with apps, and then plug it into your work PC in order to update or sync necessary files, your company’s IT guy has to worry about whether that last app you downloaded might infect the entire network.

A study by ESET/Harris Interactive found that fewer than 10% of people who use personal tablets for work have enabled auto-locking with password protection. Only one in four secure the personal smartphones they use for work, and only one in three adequately protect their laptops. With well over 50% of employees’ personal devices left unsecured, lost phones, laptops, and tablets constitute a significant data breach risk.

Corporations that do allow employees to use personal devices at work have responded to this problem by implementing a BYOD (“bring your own device”) policy to help IT staff manage these devices and ensure network security.

So, what’s the difference between personal and employer-issued mobiles in the workplace? The short answer to this question is: there is no difference.

A smartphone provided by your employer requires a “company mobile liability policy.” This means they not only provide and pay for your mobile device, they also dictate what you can and can’t do on the device. In many situations, the employer may have remote capabilities to monitor activity and, in the event of loss or employee termination, wipe the data.

“Employee mobile liability policies” are for employees who prefer to BYOD. While these employees may pay for their own devices and their monthly data plans, the same restrictions can (and should) be imposed on employees who use personal devices at work. If you choose to use your personal device for work purposes, at any time, for any reason, your employer will more than likely want control over that device. This means that, again, your employer may have remote capabilities to monitor activity and wipe your device’s data if it is lost or you resign or are fired.

In both situations, the employer will be liable for leaked data. So if you choose to BYOD, be prepared to give up some liberties.


Security Snapshot: How Is EMV Safer?

To understand why EMV credit cards—or “chip and PIN” cards—are safer, first we must understand standard magnetic stripe cards. The familiar magnetic stripe, which can be seen on all credit cards carried in the United States, has been around for more than four decades.

The security technology behind the magnetic stripe has been compromised, since the availability of card reading and writing tools makes it easy to decipher the data stored on the magnetic stripe. Criminals use these tools to create skimming devices and other hacking methods.

EMV, on the other hand, is a relatively new technology with plenty of built-in encryption. According to the Smartcard Alliance, “[EMV] transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal using Static Data Authentication (SDA), Dynamic Data Authentication (DDA) or Combined DDA with application cryptogram generation (CDA). EMV transactions also create unique transaction data, so that any captured data cannot be used to execute new transactions.”

In simple terms, the data is thoroughly scrambled.
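The replay resistance described in the Smartcard Alliance quote, as an added example that is not part of the original post: a toy Python model in which static stripe data authorizes repeatedly, while a per-transaction cryptogram is rejected when captured and reused. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the class names, card number and track string are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def _mac(key, pan, amount_cents, nonce, atc):
    # Assumption: HMAC-SHA256 stands in for the card's real MAC algorithm.
    msg = "|".join([pan, str(amount_cents), nonce.hex(), str(atc)]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ToyChipCard:
    """Hypothetical chip card: a secret key plus a transaction counter (ATC)."""

    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def pay(self, amount_cents, terminal_nonce):
        self.atc += 1  # the counter never repeats, so no two cryptograms match
        mac = _mac(self._key, self.pan, amount_cents, terminal_nonce, self.atc)
        return {"pan": self.pan, "amount": amount_cents,
                "nonce": terminal_nonce, "atc": self.atc, "cryptogram": mac}


class ToyIssuer:
    """Hypothetical issuer holding each card's key and last accepted counter."""

    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue_chip_card(self, pan):
        self._keys[pan] = secrets.token_bytes(32)
        self._last_atc[pan] = 0
        return ToyChipCard(pan, self._keys[pan])

    def authorize_magstripe(self, track_data):
        # Static data: the issuer can only check that the account exists.
        return track_data.split("=")[0] in self._keys

    def authorize_chip(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return False
        expected = _mac(key, txn["pan"], txn["amount"], txn["nonce"], txn["atc"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False  # any altered field invalidates the cryptogram
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return False  # counter already seen: captured data being reused
        self._last_atc[txn["pan"]] = txn["atc"]
        return True


def demo():
    issuer = ToyIssuer()
    pan = "4000000000000002"            # constructed sample number
    card = issuer.issue_chip_card(pan)
    track = pan + "=2912"               # constructed, simplified stripe data
    first = card.pay(1250, secrets.token_bytes(4))
    second = card.pay(1250, secrets.token_bytes(4))
    return {
        "stripe_first": issuer.authorize_magstripe(track),
        "stripe_reused": issuer.authorize_magstripe(track),
        "chip_first": issuer.authorize_chip(first),
        "chip_reused": issuer.authorize_chip(dict(first)),
        "chip_altered": issuer.authorize_chip(dict(second, amount=999900)),
    }


if __name__ == "__main__":
    print(demo())
```
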

The cardholder verification process is another factor enhancing EMV card security, by ensuring that the person attempting to make the transaction is, in fact, the legal cardholder. EMV supports four cardholder verification methods: offline PIN, online PIN, signature, or no cardholder verification. With a regular magstripe credit card, the only possible verification option is to check the ID of the person presenting the card, which cashiers only sometimes do, and which may even create a false sense of security. The primary verification method for online purchases is to request the CVV or credit verification value, which is visibly printed right on the card itself.

So get ready, because “chip and PIN” is coming, and it’s more secure than the cards in your wallet, not to mention the most ubiquitous card outside the United States.


How to Handle a Credit Card Breach While Abroad

One of the best and worst parts of traveling overseas is being immersed in a different language. My wife and I once got lost in Naples, Italy. When we pulled over and asked a stranger for directions, he answered in rapid Italian, which we don’t speak. We had no idea what he was saying, but were mesmerized just watching him talk. After two minutes he stopped, so we said “Grazie!” and kept moving. Now imagine if you had to deal with credit card fraud in a foreign country, and couldn’t find any English-speakers to assist you.

Fortunately, you only have to deal with your own credit card company, rather than any overseas officials. Victims of fraudulent credit card charges only wind up paying the unauthorized charges if they fail to detect and report the credit card fraud within 60 days. A 60-day window covers two billing cycles, which should be enough for most account-conscious consumers who keep an eye on their spending. During that time, you are covered by a “zero liability policy,” which was invented by credit card companies to reduce fears of fraud no matter where in the world you travel. Under this policy, the cardholder may be responsible for up to $50 in charges, but most banks extend the coverage to include charges under $50.

You can effectively stop fraud in its tracks by checking your statements online every day. If you only check every week or month, you will have to dispute that many more charges if and when your account is eventually compromised. If you fail to recognize and dispute unauthorized transactions on your credit card statements, you take responsibility for the fraudulent charges.

So, to prevent credit card scams, take the time to watch your statements. This extra layer of protection requires special attention. If you check your email daily, you ought to be able to check your credit card statements daily, too, right? Once a week is sufficient, and even once every two weeks is acceptable. Just be sure to refute any unauthorized withdrawals or transactions within the time limit stipulated by your bank. For most credit cards, it’s 60 days, and for debit cards the limit can be 30 days or less.


Preparing for Your Summer Vacation Overseas

If you plan to travel abroad this summer, you should be aware that your usual credit or debit card may not work overseas. In other countries, particularly in Europe, EMV or “chip and PIN” cards are standard. Many merchants will not or cannot accept U.S. cards with magnetic stripes, which could put you in a difficult position when you need gas or have to buy a train ticket.

But proper planning can prevent travel headaches:

Cash is king. No matter where you are in the world, everyone accepts cash. While cash can be a security risk, so is not having any. Exchange some currency at your local bank before you leave, since you might need some foreign money the moment you step off the plane. But exchange the bulk of your money once you have arrived at your destination to get the best rates.

Traveler’s checks are still a good option. Traveler’s checks are now available in the form of an EMV debit card. American Express, Visa, AAA, and Wells Fargo are just a few of the institutions that offer traveler’s checks.

Carry photo ID. When paying with a regular credit card, always have a valid ID available. A merchant who is accustomed to accepting EMV cards may feel skittish about your regular credit card, and may require that you present a photo ID.

Train station kiosks require EMV. Many people travel on trains, especially when touring foreign countries. Purchasing tickets can be difficult, as most rail stations have ticket kiosks that require an EMV card (or cash only). Most train stations do also have a manned ticket booth that will accept cash, but be warned that the lines are often very long. Buying online ahead of time is also an option.

Gas pumps also require EMV. In the late hours of the evening, or early in the morning it is not uncommon for a gas station to be unattended, but with self-service pumps left open. However, these pumps generally only accept EMV cards. This is when planning ahead is essential. If you know you will be traveling all night, get gas ahead of time, or you may end up searching for a gas station with an attendant in the wee hours.

Toll roads are tricky. In a Fodors.com forum discussing European toll roads, one user advises, “In France, sometimes a US credit card works, and sometimes it won’t. If it won’t and you have a line of cars behind you all honking their horns, it won’t be a good scene. The credit card toll booths that I’ve seen don’t take cash as an alternative. The credit card machine ‘eats’ your ticket, so backing up (even if there are not cars behind you) won’t work. We had to have an attendant close her toll booth, come over to ours, take our cash, and then we got going.”

So, all that being said, carry cash, try to travel during the day, and be aware of what your options are at night.

Read more personal stories and advice at www.GetFluentC.com.


How EMV Impacts International Travel

In the United States, credit and debit cards rely on magnetic stripe technology. The magnetic stripe is the black, brown, gold, or silver band on the back of your credit or debit card. Tiny, iron-based magnetic particles in this band store your account number. When the card is swiped through a “reader,” the data stored on the magnetic stripe is accessed. Card readers and magnetic stripe technology are inexpensive, readily available, and vulnerable to fraud.

The other, more secure type of credit card is called “EMV,” which stands for Europay, MasterCard, and Visa. According to the Smartcard Alliance, “EMV is an open-standard set of specifications for smart card payments and acceptance devices. EMV chip cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards.”

If you have plans to travel internationally this summer, you may have problems using your U.S. magnetic stripe card abroad, as many other countries, particularly in Europe, have made the EMV card the new standard.

The Smartcard Alliance explains:

“U.S. travelers are reporting troubles using their magnetic stripe cards while traveling. Aite Group has estimated that 9.7 million U.S. cardholders experienced magnetic stripe card acceptance issues when they traveled internationally in 2008, costing banks $447 million in lost revenue. The most common areas where travelers may face issues are at unmanned kiosks for tickets, gasoline, tolls and/or parking, and in rural areas where shop owners do not know how to accept magnetic stripe cards.”

To avoid payment problems, follow these steps:

  • Ask your bank if they offer an EMV card. Most major banks do, including Bank of America, Chase, Citibank, U.S. Bank, and Wells Fargo.
  • Pay in cash.
  • Don’t expect your debit cards to work at payment terminals. Yes, your debit card requires a PIN, but that doesn’t make it an EMV card. You should be able to use your debit card to get cash from ATMs.
  • Inform your bank you will be traveling, otherwise they may flag your card for fraud.
  • Visit GetFluentC.com to share your story and learn more.
