SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Transport in NSW: do easier 'tap ons' make for compromised security?
Fri, 25th May 2018
FYI, this story is more than a year old

Transport NSW recently announced that commuters will now be able to ‘tap on' for single trips using their credit cards or digital wallets, leaving many wondering whether the existing Opal card payment method could soon be phased out.

This method will, of course, be more efficient for consumers using Transport NSW. The public will no longer have to worry about needing sufficient funds on their Opal cards when travelling. They can simply use their bank card or digital wallet to pay at the gate.

These changes also make it easier for rural travellers, who have previously struggled to find a location to purchase and top up their Opal cards, particularly if their local newsagent or Post Office is closed. Furthermore, it's an attractive proposition for tourists visiting Sydney, as they can tap and be on their way without needing to return the card at the end of their stay.

However, despite its efficiencies, this payment method may have vulnerabilities that open consumers to a gamut of security threats and higher risks of fraud.

First and foremost, Transport NSW's payment poles and gates are at risk of being doctored to skim cards. Undetected, this would expose consumers to account fraud and significant cybersecurity risks when tapping their credit or debit card or a card housed on their phone or smartwatch.

 Before, the Opal card established an extra barrier between scammers and users' broader payment details, but now with a simple tap, users' payment details, as well as a raft of other data, could immediately be in the hands of fraudsters.

With this information, defrauding actors can position themselves for an account takeover attack. This involves fraudulently using another person's credit or debit card account – first by gathering information about the intended victim, then contacting their bank or credit card issuer to masquerade as the genuine cardholder.

The criminal then arranges for funds to be transferred out of the account, or will change the address on the account and request new or replacement cards. By the time the consumer notices their account has been skimmed, they could be out hundreds or thousands of dollars.

Consumers do have rights in this situation and can initiate a chargeback request to get their money back. However, it can prove to be an arduous process. If the merchant's business name does not match the payee name that appears on the consumer's banking statement, they may be confused as to whom they should contact before disputing the charge with their bank or card issuer.

Chargebacks cause significant resource drain and revenue loss for many businesses. To give a sense of scale to the issue, a recent Javelin research study has found chargebacks cost card issuers $11.61 billion and merchants $19.39 billion, globally in 2017.

Without the appropriate mechanisms in place, a chargeback request can take months to remedy. Within this process, multiple parties can be substantially out of pocket, with damaging effects to revenue streams, business operations and consumer experience.

To combat the challenges that come with advancing payment mechanisms, Transport NSW and card issuers must ensure that the right security and authentication features are in place to tackle the potential for increased threats.

Having visibility of the back-end of payment processes and working in a closed loop environment to share information between merchants and card issuers is key to stopping fraudulent payments, as and when they occur. As is having strong front-end security mechanisms that deter defrauding actors from hacking into payment systems.

There are also a range of tools that consumers can use to better protect themselves, and that businesses can implement to support consumers' transactions and keep them safe.

Mobile or digital wallets are a great advancement in this space. They provide consumers with a more secure method of payment than others due to built-in tokenisation. This technology replaces card and account information with a non-sensitive numerical ‘token', allowing authorisation and authentication within milliseconds.

The ‘token' is used as an identifier during the payment process and can only be traced back with a master key to the original account or card data. Better still, a digital wallet adds another extra line of security when integrated with a biometric measure to open the wallet, e.g. scanning one's fingerprint on one's smartphone. While these additional security measures are highly beneficial, consumers should still be wary about where they are storing sensitive data and who has access to it.

It's likely the convenience that ‘tapping on' without an Opal card will be welcomed by consumers. However, it's essential that Transport NSW presents a two-fold approach to consumer security – ensuring that the right security and payment protection measures are in place, and that consumers are educated about the risks that could be associated with using their bank card and what they can do to help decrease these risks.