Skip to content

Contactless Bank NFC Card Security

Contactless bank NFC cards allow you to pay for your purchase without contacting the payment card with the terminal: you don’t need to stick anything in, remember the PIN code, sign checks with a bad-writing pen, you don’t need to count bills and dig into your pockets in search of trifles.

NFC sellers also like cards, because they allow you to speed up the payment process and thus increase the throughput of the cashier.


Contactless bank cards use NFC technology for data transfer: a chip and an antenna are placed on the card, which “respond” to a request from a payment terminal at a radio frequency of 13.56 MHz.

Different payment systems use their own standards: Visa payWave, MasterCard PayPass, American Express ExpressPay and so on. But they are arranged in a similar way.

The range of data transmission via NFC is a few centimeters. Therefore, the first barrier of protection is physical. The reader, in fact, needs to be attached close to the card, which is quite difficult to do unnoticed.

But you can make a custom reader that works at a greater distance. For example, researchers from the British University of Surrey have demonstrated the ability to read NFC data at distances up to 80 cm using a compact scanner. Such a device may well quietly “interrogate” contactless cards in public transport, shopping centers, airports and similar crowded places.

You can do without a reader. At the Hack In The Box conference, Spanish hackers Ricardo Rodriguez and Jose Villa created the Android Trojan concept, which turns the victim’s smartphone into something like an NFC relay.

As soon as an infected phone is near a contactless card (smartphones are often physically near a wallet – for example, in one bag), it sends an alert to the attackers about the availability of the transaction via the Internet. Fraudsters activate a regular payment terminal, bring their NFC-smartphone to it. Thus, a “bridge” is created over the Internet between the NFC card and the NFC terminal, remote from each other at any distance.

The Trojan can be distributed in a standard way, for example, bundled with a “hacked” paid application.


Contactless transactions are protected by the EMV standard (the same as bank cards with a chip). Unlike a magnetic track, which can be simply copied, this focus does not work with a chip. At the request of the terminal, the microcircuit generates a one-time key each time. This key can be intercepted, but it will no longer be suitable for the next transaction.

Security researchers have repeatedly questioned the security of EMV, but so far no really hacking scenarios have been made public … Or I haven’t found one.

But there is one detail. In the standard implementation, the protection of chip bank cards is based on a combination of crypto keys and a user entering a PIN code. With contactless transactions, the PIN code is usually not requested, so that only the crypto keys of the card chip and terminal remain.

It is possible to make a terminal that will read card data “from the pocket” of the client. But this terminal must have cryptographic keys received from the acquiring bank and the payment system. Keys are issued under an agreement with a legal entity, that is, with an acquiring bank. What is also not easy to get.


There is another level of protection – limiting the maximum amount of a contactless transaction. This limit in the settings of terminal equipment is set by the acquirer bank, guided by the recommendations of payment systems.

Payment for a large amount will be rejected or require additional confirmation (signature, PIN) depending on the settings of the card issuing bank. When trying to sequentially withdraw a few amounts below the threshold, an additional protection system should also work.

But a team of British researchers from the University of Newcastle, in 2014 or something, reported that they had discovered a gap in the protection of contactless transactions of the Visa payment system. If you request a payment not in pounds sterling, but in a foreign currency, then the threshold limit does not work. And if the payment terminal is not connected to the Internet, then the maximum amount of a fraudulent transaction can be up to a million euros.


You can find out information about a bank card through NFC: the EMV standard allows the storage of certain data in unencrypted form in the memory of the card chip. Such data may include the card number, several recent transactions and so on (which information and how is stored in the chip is determined by the issuing bank and payment system). This data can be read using an NFC-smartphone, installing a completely legal application on it … And then pay for purchases.

For example, the British edition for consumers “Which?” Using an accessible NFC reader and free software, the number and expiration date were decoded for all ten cards tested. And they made an order in the store on this card. The possibility of such an order is due to the fact that not all stores require a CVV code card.