Why It’s Dumb to Use Smartphones to Make Card Payments
Credit and debit payments have gotten a lot more complicated in the last few years, but it doesn’t look that way to the general consumer. Between NFC, MST, RFID, EMV, and all the other acronyms being thrown around, it’s difficult to tell what’s happening in the background.
It doesn’t help that marketers drummed up a fear campaign against chipped cards.
While it may look on the surface as though your EMV-enabled card and an NFC-enabled smartphone are doing exactly the same thing, the way each one accomplishes it makes a big difference.
Chip-and-PIN vs RFID
To illustrate these differences between RFID-enabled cards and the EMV standard, think of your car radio (the “RF” in RFID stands for “radio frequency”). An RFID tag embedded in a credit or debit card consists of an integrated circuit and an antenna that is designed to pick up the radio signal sent by an RFID reader. This allows for contactless data/power transmission up to a distance determined by the size of the antenna in the RFID tag.
A standard RFID tag inlay (such as those used for retail security tags or on many trade show badges) also contains a unique tag identifier (TID), a 96-bit data string called the Electronic Product Code, and memory to store transaction and authorization codes, balances, and other personal identifying information.
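What a reader recovers from the 96-bit Electronic Product Code described above, shown as an added example that is not part of the original article. It assumes the tag uses the GS1 SGTIN-96 scheme (header 0x30), one of several EPC layouts; the function name and the sample value are this example's own.

```python
# Added example: decode a 96-bit EPC, assuming the GS1 SGTIN-96 layout.
# Partition value -> (company-prefix bits, digits, item-reference bits, digits)
PARTITIONS = {
    0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3),
    3: (30, 9, 14, 4), 4: (27, 8, 17, 5), 5: (24, 7, 20, 6),
    6: (20, 6, 24, 7),
}
SGTIN96_HEADER = 0x30


def decode_sgtin96(epc_hex):
    """Split a 96-bit EPC (24 hex characters) into its plaintext fields."""
    raw = bytes.fromhex(epc_hex.strip())  # ValueError on non-hex input
    if len(raw) != 12:
        raise ValueError("expected 96 bits (24 hex characters)")
    value = int.from_bytes(raw, "big")

    def take(shift, width):
        # Return `width` bits whose least significant bit sits at `shift`.
        return (value >> shift) & ((1 << width) - 1)

    if take(88, 8) != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 EPC (header is not 0x30)")
    partition = take(82, 3)
    if partition not in PARTITIONS:
        raise ValueError("reserved partition value 7")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    company = take(82 - cp_bits, cp_bits)
    item = take(38, ir_bits)
    if company >= 10 ** cp_digits or item >= 10 ** ir_digits:
        raise ValueError("field exceeds its decimal digit budget")
    return {
        "filter": take(85, 3),
        "company_prefix": str(company).zfill(cp_digits),
        "item_reference": str(item).zfill(ir_digits),
        "serial": take(0, 38),
    }


# Constructed sample tag value, not read from any real product.
SAMPLE_EPC = "3074257BF7194E4000001A85"

if __name__ == "__main__":
    print(decode_sgtin96(SAMPLE_EPC))
```

Every field comes out with plain bit shifts and no key, so anything a tag stores in its EPC is readable by any compatible reader within range.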
The integrated circuits of EMV-chipped cards are nearly identical to the RFID tag, with one major exception: the chips do not contain an antenna, instead utilizing electromagnetic induction, which only works within a very small distance, 10 centimeters or less. This is the same technology that allows smartphones and tablets to be charged wirelessly.
While both technologies technically transmit data via radio waves, the frequency is a major difference. Much like changing the radio frequency on your car radio plays a different radio station that’s broadcasting on that frequency, RFID and EMV chips are tuned to different frequencies, and the frequency determines the signal distance.
The Difference Between NFC and EMV
Now you’ll read all over the Internet that NFC and EMV are two distinct things, and, while true, the statement is misleading. NFC is typically used in the context of smartphone payments — it stands for Near Field Communication — whereas EMV is used to describe the same type of technology embedded in cards.
EMV is simply an encryption and security standard set by the major credit card companies — EMV stands for Europay, MasterCard, and Visa, although American Express also supports the standard — for the NFC chips embedded in cards.
The only real difference between the two is the processing and storage capabilities of your smartphone. The way NFC works, if an NFC device that isn’t connected to the Internet were to connect to an NFC device that is connected, the non-connected device can now communicate with the Internet.
The same level of encryption occurs on a smartphone or card. In the card, it happens on the chip, and EMV is the standard for how these NFC chips should be designed. On a phone, the encryption happens in the phone’s memory.
Your card isn’t connected to the Internet on its own, but your smartphone is always connected, even when you’re not able to use it because you didn’t pay your bill. Anyone familiar with Internet security will tell you that as soon as a device is connected to the Internet, it’s compromised. No amount of encryption or security will ever 100% protect the information stored on your phone.
And this is the inherent security flaw in using your smartphone for payments. Your phone can be compromised from anywhere in the world – no proximity restrictions apply. Whereas your RFID, EMV, or magnetic-stripe card has to be physically compromised (or the information stolen in transit), a smartphone is vulnerable 24/7.
Samsung phones are particularly vulnerable because they go beyond NFC and also offer MST (Magnetic Stripe Transmission), a technology the company obtained by acquiring LoopPay. MST transmits the same unencrypted data on a magnetic stripe to a magnetic stripe reader.
On top of this, a smartphone destroys a large portion of the consumer security provided by a card transaction over a check. If I were to steal your credit or debit card, all I’d see is your card number and name. I wouldn’t have access to your address, social security number, birthday, or even the bank account numbers attached to your card.
If I were to steal your smartphone, I’d have access to your entire life. I’d know all your contacts, see all your communications with them, have your password, and could access a wide variety of apps. And I don’t even need to steal your smartphone to access any of this. I can trick you into downloading an app (especially on the Google Play Store, which is much easier to get listed on than Apple’s App Store), or install a virus by emailing or texting you a web URL.
To be sure, neither EMV nor RFID cards actively send a radio signal. Both are passive devices, much like your car’s radio. You can listen to music by tuning your radio receiver to different frequencies, but the DJ will never hear you singing in your car.
Any engineer familiar with radio waves, microwave communications, or wireless networking knows how to change the frequency of an antenna, and networking equipment such as the Portal Router, a router that can utilize 250 percent more spectrum for Wi-Fi than current standard routers, can do the same. The device was introduced at the International CES and is designed to scan and adjust frequencies automatically. Two-way ham radios and your car radio receiver work the same way.
Except, unlike an RFID tag, no special equipment is needed for the average person to communicate with an NFC chip. As I said earlier, most current-model smartphones and tablets already have NFC chips embedded in them to enable wireless charging and smartphone payments. In that sense, EMV cards can be read at the range in which you do a wireless charge.
So Why the Shift to Chips?
If both NFC and RFID tags are insecure, then why are they being implemented for more secure payments? The unfortunate answer is it has absolutely nothing to do with you as the consumer.
The reason credit card companies pushed for this technology is to shift the financial liability for fraud away from the card issuers onto the merchant.
It’s the merchant’s responsibility to provide a secure environment for you to perform a financial transaction. You’re on their property with their security cameras, wireless network, staff, and equipment. If fraud occurs on your account, it’s the fault of the merchant, not Visa, MasterCard, or your bank.
The chances of you being robbed are no different, regardless of which card you use. The only time you’re taking on more personal risk is by storing your financial information on your smartphone.
And that’s why it’s dumb to use a smartphone for payments.
Brian, a former business analyst in the mortgage industry, writes on ethics, regulations, and technology in the banking industry. His contributions have been featured in TheStreet, Huffington Post, Forbes, Fast Company, Intuit, and other major outlets.