Visa payWave vs. Chip & PIN

While you might feel like Captain Kirk beaming your money away at the counter, Visa's payWave technology has some irksome qualities when compared to the old chip'n'PIN method of payment. I'm going to go into some of the things I've noticed about it, as well as a general background on the technology and hopefully some ways to keep your borrowed money secure.

First off, what the heck is payWave? Well, it's Visa's answer to Mastercard's PayPass system: you use an RFID (radio-enabled) credit or debit card to complete a transaction without having to swipe or insert it. I can't comment on the Mastercard system because I've never had one of their cards, so things may be different in the priceless world of Mastercard. How do you know if you have one of these cards? Well, if your card has something that looks like a wifi symbol on it, then you're in luck.


Merchant Limits

My primary experience with payWave is shopping for groceries, so my bill floats somewhere around $20-70 each time I go for a run. According to Visa, merchants set limits on how much they will accept via payWave. At my particular grocery store it's $50. What happens more often than not is that I'll feel all cool and futuristic while tapping my card, only to realize I've got to restart and do the old chip and PIN story again. Not a big deal, but definitely something that causes some confusion and delays at the till. If they tout this card as being secure, then why is this limit set so low?

Lack of PIN

The answer to the previous question is probably that payWave is less secure than chip and PIN. Chip and PIN is two-factor authentication: you need the card (something you have) and you need the PIN (something you know), two unrelated pieces of possession and knowledge that both have to be present for the purchase to go through. payWave, on the other hand, is one factor. You just need the card and you can buy anything your identity-thieving heart desires. Hence the merchant limit: it caps what a single tap can spend, not how many taps a thief can make. I feel less secure using my credit card knowing that someone could rack up several hundred dollars in small purchases extremely easily.

I spent How Much!?

This is something I noticed just the other day when I decided to tap rather than insert at Tim Hortons. When you tap, the transaction immediately goes through without even asking the purchaser to confirm the price or acknowledge the transaction! Once I realized that I had spent money without even the faintest clue of its amount, I started to recall that this seems to happen every time I use payWave. Admittedly, this was a Chase point-of-sale terminal, so maybe not all of them do it. I'll have to keep an eye out in future. When you use the chip, it always asks "Your purchase will be $8.20, Press OK to continue" before you have to enter your PIN. This confirmation is lacking in the RFID transaction flow. As soon as the cashier completes the order and asks you to pay, you should be prompted for the amount first, regardless of method of payment.

This compounds the problem mentioned above about merchant limits: if I can't tell how much I'm paying, how can I know whether I can even use payWave without feeling the slightest bit stupid?

RFID & NFC Technology

Radio Frequency Identification (RFID) and Near Field Communication (NFC) are two overlapping sets of technologies that transfer information wirelessly over short ranges. RFID covers everything from the simple tags in library books, which do little more than announce a serial number when read, up to powered smart cards; NFC is a narrower standard built on the 13.56 MHz flavour of RFID (ISO/IEC 14443) that supports two-way exchanges between a reader and a tag, or between two phones. A payWave card sits at the "smart" end of that range. It is not a read-only tag: it is a contactless EMV chip card, powered by the reader's field, that answers commands from the terminal and computes a one-time cryptogram for each transaction. The difference from the library book matters for the rest of this post, because the card hands over its account number in the clear but keeps the key it uses to sign transactions to itself.

NFC is now built into some more powerful smartphones, so eventually your RFID payWave card will be replaced by your cellphone: the phone emulates a card over the same ISO/IEC 14443 air interface, and the cashier's terminal accepts it as if it were a credit card. Pretty cool stuff!

This type of communication only works over short ranges because the reader and the card couple inductively through small loop antennas at 13.56 MHz, and because the card is unpowered: it draws the little energy it needs from the reader's field. The nominal operating distance in ISO/IEC 14443 is a few centimetres, up to roughly 10 cm. While that makes the technology super useful for things like using your phone to share contacts, or your credit card to pay for stuff, it also means that your private data can be accessed wirelessly by anyone who can get an antenna close enough!

Grab your tinfoil hat!

I mentioned above that payWave suffers from a lack of PIN and "two-factor authentication". This is terribly compounded by the fact that your credit card number and expiry date can be "skimmed" off the air: any reader that speaks the protocol can ask the card for its data, and the card will answer without the cardholder doing anything. With an off-the-shelf reader the card has to be within a few centimetres, but researchers using larger antennas and more power have skimmed passive cards from tens of centimetres, and have eavesdropped on a legitimate transaction in progress from several metres. Imagine a crowded subway with someone skimming the credit card numbers of everyone pressed up against them. The media calls this "RFID skimming" or "credit card skimming", and there's plenty of reading and YouTube videos on the subject. Below is one that I found interesting because they do a live demo. Not trying to promote their products or anything, just the best video I could find of someone actually demonstrating a skim of credit card data from a payWave-type card. However, this might be something worth taking a look at if you're really worried about this stuff.

This is all well and good for a slim card that fits in an existing wallet, but when our phones become NFC and credit card enabled ... we're going to need some mighty fashionable tinfoil pants to be able to block those signals!


Request for comment

I'm no expert on this stuff, just a guy doing some research, but I would love to hear what more knowledgeable people have to say about the encryption methods in place on these credit cards. Sure, you can read the card number and expiry date, but is there other, unobtainable information on the card that the payWave terminals need to make it work? If any of the 2600 crowd (hackers) has any links to actual demos of this stuff, that would be great.
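As an added example (not code from the original post, and not Visa's), here is what the skimming demos above actually recover and what they don't. A contactless EMV card returns its data to the terminal as BER-TLV objects; the "track 2 equivalent data" object (tag 57) carries the card number (PAN), expiry and service code in the clear, which is why a PAN and expiry can be read by any reader that asks. The application cryptogram (tag 9F26) is also visible on the air, but it is a per-transaction MAC computed with a card key that never leaves the chip, and the transaction counter (tag 9F36) moves on every tap, so a captured cryptogram cannot be replayed. That is the "other information" the terminal needs: a skim yields enough for some card-not-present merchants, but not enough to forge a chip transaction. The byte strings below are constructed stand-ins for a READ RECORD reply and a GET PROCESSING OPTIONS reply, not captures from a real card; the tag numbers follow the EMV specification, the PAN is a widely used test number, and the cardholder name and cryptogram bytes are made up (whether an issuer still puts the name on its contactless cards varies).

```python
"""Decode what a contactless EMV (payWave-style) card hands to any reader.

Added example, not from the original post. The byte strings below are
constructed stand-ins for two card responses: the READ RECORD reply that
carries the cardholder data, and the GET PROCESSING OPTIONS reply that carries
the per-transaction cryptogram. Tag numbers follow the EMV specification;
the PAN is a widely used test number, the name and cryptogram are made up.
"""


def parse_tlv(data: bytes) -> dict:
    """Parse BER-TLV as used by EMV, recursing into constructed templates.

    Returns a flat {tag_hex: value_bytes} map of the primitive data objects.
    """
    out = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):      # inter-object padding, skip
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:         # multi-byte tag (5F20, 9F26, ...)
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        i += length
        if first & 0x20:                 # constructed object: template 70, 77, ...
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def decode_track2(track2: bytes) -> dict:
    """Split 'track 2 equivalent data' (tag 57): PAN 'D' YYMM SSS discretionary, F-padded."""
    digits = track2.hex().upper().rstrip("F")
    pan, rest = digits.split("D", 1)
    return {
        "pan": pan,
        "expiry": f"20{rest[:2]}-{rest[2:4]}",   # YYMM -> YYYY-MM
        "service_code": rest[4:7],
        "discretionary": rest[7:],
    }


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; a skimmer uses it to discard misreads."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def skim(record_response: bytes, gpo_response: bytes) -> dict:
    """What a passive read of one tap yields, and what it does not."""
    tlv = {**parse_tlv(record_response), **parse_tlv(gpo_response)}
    t2 = decode_track2(tlv["57"])
    pan = t2["pan"]
    return {
        "pan": pan,
        "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "pan_valid": luhn_ok(pan),
        "expiry": t2["expiry"],
        "name": tlv.get("5F20", b"").decode("ascii").strip(),
        # Visible, but useless for replay: a MAC over this transaction's data,
        # keyed with a card key the reader never sees; the ATC (9F36) increments
        # every transaction, so the same cryptogram is never accepted twice.
        "cryptogram": tlv["9F26"].hex().upper(),
        "atc": int.from_bytes(tlv["9F36"], "big"),
    }


# --- constructed sample responses (not captured from a real card) ---
TRACK2 = bytes.fromhex("4111111111111111D2512201123456789F")   # test PAN, expiry 12/25
_record_body = (
    b"\x57" + bytes([len(TRACK2)]) + TRACK2          # track 2 equivalent data
    + b"\x5F\x20" + bytes([9]) + b"TEST/CARD"        # cardholder name (assumed present)
    + b"\x5F\x24\x03\x25\x12\x31"                    # application expiry date YYMMDD
)
RECORD = b"\x70" + bytes([len(_record_body)]) + _record_body   # READ RECORD template

_gpo_body = (
    b"\x9F\x26\x08" + bytes.fromhex("A1B2C3D4E5F60718")   # application cryptogram (made up)
    + b"\x9F\x36\x02\x00\x2A"                             # application transaction counter = 42
    + b"\x9F\x27\x01\x80"                                 # cryptogram information data: ARQC
)
GPO = b"\x77" + bytes([len(_gpo_body)]) + _gpo_body        # GET PROCESSING OPTIONS template

if __name__ == "__main__":
    for key, val in skim(RECORD, GPO).items():
        print(f"{key:12} {val}")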

  • Jose

    What I can’t understand is why there is no large-scale petition or referendum demanding that consumers be given a CHOICE if they want RFID on their cards, licenses, and passports or not. Why is a bank or a government making the choice for us against our wills? Given the evidence against RFID, we should be able to start a revolution against them.

  • mikemurko

    Think about when cards first got their Chip and PIN technology; where you had to insert the card to make a purchase and type in your PIN, rather than swipe and sign. People must have wanted a “choice” if their card had a chip. I think this is the same change that makes purchasing easier and more secure. What would be more important is to make sure the authentication and security is enhanced with these future-tech cards.

  • Lauryn Roberts

    Facebook page … please. PayPass is evil and needs limits.

    Individuals need to contact their banks and give them "feedback" on their money not being secure.
    Got done for $160 in under 1 hr; cancelled the card at Kmart when I discovered it missing, but too late. No food this week, thanks PayPass.

  • Lauryn Roberts

    Yes, why can't they give us the ability to call $20 a small purchase and require a PIN after our set limit, not under $100… :(
    I'm sickened by the banks leaving their customers so easily exposed to theft/fraud…

    FB: "PayPass is EVIL and needs limits" page/group