
Transport in NSW: do easier 'tap ons' make for compromised security?

25 May 2018

Article written by Verifi APAC regional head Andrew Reszka

Transport NSW recently announced that commuters will now be able to ‘tap on’ for single trips using their credit cards or digital wallets, leaving many wondering whether the existing Opal card payment method could soon be phased out.

This method will, of course, be more efficient for consumers using Transport NSW. The public will no longer have to worry about needing sufficient funds on their Opal cards when travelling. They can simply use their bank card or digital wallet to pay at the gate. 

These changes also make it easier for rural travellers, who have previously struggled to find a location to purchase and top up their Opal cards, particularly if their local newsagent or Post Office is closed. Furthermore, it’s an attractive proposition for tourists visiting Sydney, as they can tap and be on their way without needing to return the card at the end of their stay.

However, despite its efficiencies, this payment method may have vulnerabilities that open consumers to a gamut of security threats and higher risks of fraud. 

First and foremost, Transport NSW’s payment poles and gates could be doctored to skim cards. Left undetected, a rogue reader would expose every commuter who taps a physical credit or debit card, and it would be a serious security incident for the operator. A practitioner would add one caveat: a contactless (EMV) tap yields less than a magnetic-stripe swipe. The card hands over its number and expiry date in the clear, but the transaction itself is authorised with a one-time cryptogram that cannot be replayed at another terminal, and the CVV2 and PIN are never transmitted. A card housed on a phone or smartwatch presents a device-specific token instead of the real card number, which limits the exposure further.

Before, the Opal card stood between a scammer and the user’s bank account: a skimmed Opal card is a transit card whose only value is its prepaid balance, not a payment credential. Now a tap on a compromised reader can hand a fraudster the card number and expiry directly, which is exactly the starting material for the social-engineering attack described next.

With this information, a fraudster can position themselves for an account takeover attack. This involves fraudulently using another person’s credit or debit card account: first by gathering information about the intended victim, then contacting their bank or card issuer and masquerading as the genuine cardholder.

The criminal then arranges for funds to be transferred out of the account, or changes the address on the account and requests new or replacement cards. By the time the consumer notices their account has been compromised, they could be out hundreds or thousands of dollars.

Consumers do have rights in this situation and can initiate a chargeback request to get their money back. However, it can prove to be an arduous process. If the merchant’s business name does not match the payee name that appears on the consumer’s banking statement, they may be confused as to whom they should contact before disputing the charge with their bank or card issuer.

Chargebacks cause significant resource drain and revenue loss for many businesses. To give a sense of scale to the issue, a recent Javelin research study has found chargebacks cost card issuers $11.61 billion and merchants $19.39 billion, globally in 2017. 

Without the appropriate mechanisms in place, a chargeback request can take months to remedy. Within this process, multiple parties can be substantially out of pocket, with damaging effects to revenue streams, business operations and consumer experience. 

To combat the challenges that come with advancing payment mechanisms, Transport NSW and card issuers must ensure that the right security and authentication features are in place to tackle the potential for increased threats. 

Having visibility of the back-end of payment processes, and working in a closed-loop environment in which merchants and card issuers share information, is key to stopping fraudulent payments as they occur. So is having strong front-end security that keeps fraudsters out of the payment systems themselves.

There are also a range of tools that consumers can use to better protect themselves, and that businesses can implement to support consumers’ transactions and keep them safe. 

Mobile or digital wallets are a great advancement in this space. They provide a more secure method of payment than a physical card because of built-in tokenisation: the wallet is provisioned with a ‘token’, a surrogate card number that stands in for the real card and account details during authorisation, and the substitution adds no noticeable delay at the gate.

The token is what the reader sees during the payment. The mapping from token back to the real card is held only by the token service provider (typically the card scheme), not on the card, the phone or the reader, and the provider can restrict a token to the device and channel it was issued for, so a token captured at a transit gate cannot simply be used for online purchases or loaded into another phone. Better still, a digital wallet adds another layer when it requires a biometric, such as a fingerprint on the smartphone, before a payment is released. While these additional measures are highly beneficial, consumers should still be wary about where they store sensitive data and who has access to it.
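The following is an added example, not code from the original article or from Verifi, that makes the tokenisation property concrete: a simplified token vault issues a Luhn-valid surrogate card number under a reserved token BIN, keeps the only mapping back to the real PAN, and releases that mapping only when the token is presented from the device it was provisioned to. The sample PAN is from the 4111… test range, and the token BIN, device identifiers and class names are all hypothetical. Real token service providers work at the card-scheme level and enforce richer domain restrictions than the single device check shown here.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

# Constructed sample input: a PAN from the well-known 4111... test range,
# not a real card. TOKEN_BIN is a hypothetical BIN reserved for tokens so
# that a token can never be confused with a real card number.
SAMPLE_PAN = "4111111111111111"
TOKEN_BIN = "999999"


def luhn_check_digit(partial: str) -> str:
    """Compute the Luhn check digit for a digit string that lacks one."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the whole number (including its last digit) passes Luhn."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


@dataclass(frozen=True)
class TokenRecord:
    pan: str      # the real card number, known only inside the vault
    domain: str   # where the token may be presented from (e.g. a wallet device id)


class TokenVault:
    """Simplified token service provider (hypothetical).

    Issues surrogate card numbers ("tokens") and keeps the only mapping back
    to the real PAN. A token carries no information about the PAN it stands
    for; recovering the PAN requires access to this vault, and the vault only
    answers when the token is presented from the domain it was issued to.
    """

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def tokenize(self, pan: str, domain: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        while True:
            # Random body under the reserved token BIN, then a Luhn digit so
            # the token still passes checks that expect a well-formed PAN.
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._records:
                break
        self._records[token] = TokenRecord(pan=pan, domain=domain)
        return token

    def detokenize(self, token: str, presented_from: str) -> str:
        rec = self._records.get(token)
        if rec is None:
            raise KeyError("unknown token")
        if not hmac.compare_digest(rec.domain, presented_from):
            raise PermissionError("token presented outside its provisioned domain")
        return rec.pan


def is_token(number: str) -> bool:
    """A reader or fraud system can tell a token from a real PAN by its BIN."""
    return number.startswith(TOKEN_BIN)


def demo() -> dict:
    """Provision a token, tap from the right device, then try from the wrong one."""
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN, domain="phone-wallet-A")
    try:
        vault.detokenize(token, presented_from="phone-wallet-B")
        misuse_blocked = False
    except PermissionError:
        misuse_blocked = True
    return {
        "token_is_luhn_valid": luhn_valid(token),
        "token_shares_bin_with_pan": token[:6] == SAMPLE_PAN[:6],
        "token_flagged_as_token": is_token(token),
        "pan_recovered_by_issuing_device":
            vault.detokenize(token, "phone-wallet-A") == SAMPLE_PAN,
        "misuse_from_other_device_blocked": misuse_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that a skimmer at a gate capturing the token learns a number that is useless without the vault and useless from any other device, whereas the same skimmer capturing a physical card's PAN has captured the credential itself. The reserved BIN also lets an issuer's fraud rules treat tokens and raw PANs differently.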

It’s likely that the convenience of ‘tapping on’ without an Opal card will be welcomed by consumers. However, it’s essential that Transport NSW takes a two-fold approach to consumer security: ensuring that the right security and payment protection measures are in place, and educating consumers about the risks that can come with using their bank card and what they can do to reduce those risks.
