The Clear & Present Danger With Contactless & NFC Payments

Technophobes and security pundits have been warning for a long time that it’s possible for a passerby with an RFID reader – and mala fide intent – to skim debit / credit card details off contactless cards and NFC smartphones even when they’re tucked away inside their owners’ wallets, pockets or handbags.

I had first-hand exposure to this security hazard during a recent visit to my friendly neighborhood book lending library, which is part of a nationwide chain of libraries that makes innovative use of RFID technology. With RFID reader kiosks reading RFID tags embedded inside every book, issue and return of books has become a frictionless, self-service process across the chain. You can read more about this library chain in Innovations At A Click-And-Mortar Library.

During this trip, I selected a book and placed it on the kiosk. When I tapped the ‘Issue’ button, the kiosk read the RFID tag in the book and displayed its title on the touchscreen. But, alongside the book I wanted to borrow, I noticed another book in the list. When I pointed out the spurious entry to the store manager, she had a quick look at the screen and told me to ignore it. It turned out that the false alarm was raised by a book being read by one of the library’s staff sitting beside the kiosk. In other words, the kiosk wrongly scanned a book that wasn’t placed on its tray but happened to be situated a couple of feet away.

As I was filing out of the library, I overheard the store manager grumbling to her colleagues about the kiosk’s temperamental behavior: On some days, it failed to identify books placed on its tray, whereas on other days like that one, it overzealously scanned books located several feet away.

I generally don’t get scared off a new payment technology just because someone somewhere claims to have hacked it and proved it to be unsafe – greater convenience tends to win me over. But, on this one, I think the aforementioned technophobes and security pundits have got a point. Based on this experience, I’m bound to be extremely cautious about contactless cards, NFC or any other RFID-based payment method in future. While the addition of one incorrect book to my library account isn’t such a big deal, I can’t say the same about my credit / debit card details getting flashed to all and sundry around me.

Having said that, let me hasten to add that the overall consumer experience with contactless and NFC payments will be shaped by the way in which the technology is implemented rather than by the technology per se. In this context, I’ll readily admit that I’ve used Transport for London’s contactless Oyster Cards regularly for two years and never faced any reliability or security problems with them during the entire period (except for still not receiving a refund of the credit balance lying in the card when I’d surrendered it upon leaving the UK over four years ago!).

UPDATE DATED 8 JULY 2020:

It’s almost eight years since I wrote the above original post.

NFC Credit Cards and Debit Cards were launched last year. Not only do they support contactless payments (“TAP and Go”) but they don’t require a PIN for payments below INR 2K. More at PINless Card Payments – Innovative Or Harebrained?. They have received a huge fillip during the current Covid-19 pandemic outbreak.