Advertiser Disclosure

Why It's Dumb to Use Smartphones to Make Card Payments

Your card isn’t connected to the Internet on its own, but your smartphone is always connected -- and that means card payment on a smartphone can be compromised

mobile payments

Credit and debit payments have gotten a lot more complicated in the last few years, but it doesn’t look that way to the general consumer. Between NFC, MST, RFID, EMV, and all the other acronyms being thrown around, it’s difficult to tell what’s happening in the background.

It doesn’t help that marketers drummed up a fear campaign against chipped cards.

While it may look on the surface that your EMV-enabled card and an NFC-enabled smartphone are doing the exact same thing, the method in which they’re accomplishing this makes a big difference.

Chip-and-PIN vs RFID

RFID payments
RFID payments

To illustrate these differences between RFID-enabled cards and the EMV standard, think of your car radio (the “RF” in RFID stands for “radio frequency”). An RFID tag embedded in a credit or debit card consists of an integrated circuit and an antenna that is designed to pick up the radio signal sent by an RFID reader. This allows for contactless data/power transmission up to a distance determined by the size of the antenna in the RFID tag.

A standard RFID tag inlay (such as those used for retail security tags or on many trade show badges) also contains a unique tag identifier (TID), a 96-bit data string called the Electronic Product Code, and memory to store transaction and authorization codes, balances, and other personal identifying information.

The integrated circuit of the EMV-chipped cards are nearly identical to the RFID tag, with one major exception; the chips do not contain an antenna, instead utilizing electromagnetic induction, which only works within very small distance -- 10 centimeters or less. This is the same technology that allows smartphones and tablets to be charged wirelessly.

While both technologies technically transmit data via radio waves, the frequency is a major difference. Much like changing the radio frequency on your car radio plays a different radio station that’s broadcasting on that frequency, RFID and EMV chips are tuned to different frequencies, and the frequency determines the signal distance.

The Difference Between NFC and EMV

EMV Chip credit card
Credit Card with a new EMV Chip

Now you’ll read all over the Internet that NFC and EMV are two distinct things, and, while true, the statement is misleading. NFC is typically used in the context of smartphone payments -- it stands for Near Field Communication -- whereas EMV is used to describe the same type of technology embedded in cards.

EMV is simply an encryption and security standard set by the major credit card companies -- EMV stands for Europay, MasterCard, and Visa, although American Express also supports the standard -- for the NFC chips embedded in cards.

The only real difference between the two is the processing and storage capabilities of your smartphone. The way NFC works, if an NFC device that isn’t connected to the Internet were to connect to an NFC device that is connected, the non-connected device can now communicate with the Internet.

The same level of encryption occurs on a smartphone or card. In the card, it happens on the chip, and EMV is the standard for how these NFC chips should be designed. On a phone, the encryption happens in the phone’s memory.

Your card isn’t connected to the Internet on its own, but your smartphone is always connected, even when you’re not able to use it because you didn’t pay your bill. Anyone familiar with Internet security will tell you that as soon as a device is connected to the Internet, it’s compromised. No amount of encryption or security will ever 100% protect the information stored on your phone.

And this is the inherent security flaw in using your smartphone for payments. Your phone can be compromised from anywhere in the world – no proximity restrictions apply. Whereas your RFID, EMV, or magnetic-stripe card have to be physically compromised (or the information stolen in transit), a smartphone is vulnerable 24/7.

Samsung phones are particularly vulnerable because they go beyond NFC and also offer MST -- meaning Magnetic Stripe Transmission -- a technology the company obtained by acquiring LoopPay, which transmits the same unencrypted data on a magnetic stripe to a magnetic stripe reader.

Smartphone Vulnerabilities

On top of this, a smartphone destroys a large portion of the consumer security provided by a card transaction over a check. If I were to steal your credit or debit card, all I’d see is your card number and name. I wouldn’t have access to your address, social security number, birthday, or even the bank account numbers attached to your card.

If I were to steal your smartphone, I’d have access to your entire life. I’d know all your contacts, see all your communications with them, have your password, and could access a wide variety of apps. And I don’t even need to steal your smartphone to access any of this. I can trick you into downloading an app (especially on the Google Play store, which is much easier to get listed on than Apple’s App store), or install a virus by emailing or texting you a web URL.

To be sure, neither EMV or RFIF cards actively send a radio signal. Both are passive devices, much like your car’s radio.  You can listen to music by tuning your radio receiver to different frequencies, but the DJ will never hear you singing in your car.

Any engineer familiar with radio waves, microwave communications, or wireless networking is aware of how to change the frequency of an antenna, and networking equipment such as the Portal Router, a router that can utilize 250 percent more spectrum for Wi-Fi than current standard routers. The device was introduced at the International CES and is designed to scan and adjust frequencies automatically. Two-way ham radios and your car radio receiver work the same way.

Except, unlike an RFID tag, no special equipment is needed for the average person to communicate with an NFC chip. As I said earlier, most current-model smartphones and tablets already have NFC chips embedded in them to enable wireless charging and smartphone payments. In that sense, EMV cards can be read at the range in which you do a wireless charge.

So Why the Shift to Chips?

If both NFC and RFID tags are insecure, then why are they being implemented for more secure payments? The unfortunate answer is it has absolutely nothing to do with you as the consumer.

The reason credit card companies pushed for this technology is to shift the financial liability for fraud away from the card issuers onto the merchant.

It’s the merchant’s responsibility to provide a secure environment for you to perform a financial transaction. You’re on their property with their security cameras, wireless network, staff, and equipment. If fraud occurs on your account, it’s the fault of the merchant, not Visa, MasterCard, nor your bank.

The chances of you being robbed are no different, regardless of which card you use. The only time you’re taking on more personal risk is by storing your financial information on your smartphone.

And that’s why it’s dumb to use a smartphone for payments.

Compare Best Accounts Now

Ask a Question

Tuesday, 31 Jan 2017 2:21 PM
<p>I still fail to see how a smart phone payment is less safe than using a credit card in general. If I lose my credit card, anyone can use it and I have to get a new card and new number. If I lose my phone, payment info can not be used without your pin or fingerprint and can be remotely wiped. I don't carry cards anymore, I keep them locked up.</p><p>If someone steals a Samsung Pay token somehow on the internet I can remove the card from my Samsung Pay account and don't have to change card numbers. Plus my actual card number is not used with Samsung Pay so I don't have to worry about my information being stolen at some retailer (didn't that happen at Target?). Yes the phone is online and connected to the internet but so is any website you used your card number on.</p><p>Despite this I still use credit cards on the internet all the time, what other options do you have? I use PayPal or Pay with Amazon when available so small sites aren't storing my credit card information that doesn't change for years...</p><p>Your credit card could also be physically skimmed by someone as well.</p><p>It's good to look at these things and continually question security and make good decisions. But weighing the risk I'm not concerned enough to not use either my phone or credit card. I get instant alerts from my bank with every transaction so I don't worry about it much and enjoy the convenience.</p>
Wednesday, 20 Apr 2016 8:56 PM
<p>I have a buddy that's a security manager at Walmart and he told me the other day that when he was heading into the parking lot, he noticed a car with a guy sitting in it, doing nothing, but what was suspicious was there were several huge antennas on his truck. He went back inside, looked at the video, saw when the guy came into the lot and saw he hadn't made a move since getting there. When they went to approach the truck, the man realized and took off. Since we have heard lots and lots of stories like this from him, and others, we have seriously cut down on the used of credit cards while shopping ANYWHERE. It is the merchant’s responsibility to provide a secure environment for you to perform a financial transaction, but you can help alleviate the threat by reducing the use of credit cards. We use cash at most places. And certainly would not use our smartphones to make a card payment anywhere.</p>

Advertiser Disclosure: Many of the offers appearing on this site are from advertisers from which this website receives compensation for being listed here. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear). These offers do not represent all account options available.

Editorial Disclosure: This content is not provided or commissioned by the bank advertiser. Opinions expressed here are author’s alone, not those of the bank advertiser, and have not been reviewed, approved or otherwise endorsed by the bank advertiser. This site may be compensated through the bank advertiser Affiliate Program.

User Generated Content Disclosure: These responses are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered.