Google Wallet, Apple Pay. These are services most people nowadays are pretty familiar with even if they’re not using them. They’re Google and Apple’s mobile payment or digital wallet services that let you pay for purchases using your smartphone, so you can potentially enjoy a shopping spree with only your phone in hand. These services are backed by a technology called NFC, or Near Field Communication. “Gone are the days of searching for your wallet. The wasted moments finding the right card,” Apple promises. Sounds nice, right? Unfortunately, by now we know all too well that any new technology aiming to afford us a convenience—especially a technology that’s connected to our financials—is a target for cybercriminals.

A juicy new opportunity for hackers

NFC technology basically throws some longstanding security measures out the window. No wonder it’s such a juicy target for hackers. A few years ago Singapore’s operators launched commercial NFC services and the rest of the world was not too far behind.

You see, credit cards have a unique system in place that differentiates between two scenarios:

  1. “Card Present,” where you’re physically making a purchase at a brick-and-mortar merchant and you swipe your card.
  2. “Card Not Present,” where you’re making a purchase online or over the phone and you simply provide your card details.

Until recently, these two worlds were mostly separated. The CVV2 number, which many of us know as simply those three digits on the back of our card, is something merchants should require we give them in “Card Not Present” scenarios. It’s physically printed on our card rather than saved in the data on our card’s magnetic strip. So if a hacker breaches a payment processor or a brick-and-mortar merchant’s system, as in the Home Depot hack, which I’m sure you remember, he won’t be able to use the stolen card to make purchases online or over the phone because he won’t have the required CVV2 number.

Our cards have another value: the CVV number. Unlike the CVV2 number, the CVV is embedded in the card’s magnetic strip. When we make purchases online, the CVV value gets recorded along with the rest of our credit card information that’s used to complete the purchase. With this, hackers who steal credit cards from online merchants can use those stolen credit cards to make purchases online.

How does the difference between the CVV and the CVV2 keep us more secure? First of all, it helps banks understand where a breach originated. If the bank sees a spike in “Card Present” fraud, where no CVV2 number was presented, it helps fraud analysts focus on the breached merchant since they know not to look for breaches in online or phone merchants. Second, fraud detection techniques overall differ between “Card Present” and “Card Not Present” scenarios, which hugely simplifies matters when it comes to preventing fraud. But with NFC, this ever-important differentiation gets obliterated.

Convenience at a (potentially very pricey) cost

With NFC or digital wallet apps, users use their “Card Not Present” information to register for a service like Google Wallet or Apple Pay in order to make “Card Present” transactions. Essentially, these apps bridge the two scenarios and allow fraudsters to take credentials from “Card Not Present” transactions and use them in the real world, where buying high-value items is much easier. Note that purchasing credentials in the underground economy for making real-world purchases like this gets very pricey, making NFC even more lucrative to hackers. With this, it’s no surprise that Apple Pay was exploited by fraudsters shortly after its inception.

So what are people doing about it?

To combat this new threat, some banks have added new protocols like requiring additional authentication when registering to use a digital wallet service. But, because these measures are both bank-specific and service-specific, all it takes is one bank not requiring the extra authentication for fraudsters to pounce. These types of “loopholes” are exactly what they’re looking for on a regular basis.

Mobile payment services offer hackers yet another opportunity for stealing our credit card information and our identities. Considering NFC’s undoing of the differentiation between the “Card Present” and “Card Not Present” scenarios, it may also take anti-fraud teams longer to identify the root of any breach. On the other hand, with the growing popularity of NFC services, banks might add an additional layer of protection to keep themselves and their customers safe. We can only hope that this is what will happen as more people adopt digital wallets, so they can enjoy a service that’s not only simple, but also secure.