
Transport in NSW: do easier 'tap ons' make for compromised security?

25 May 18

Article written by Verifi APAC regional head Andrew Reszka

Transport NSW recently announced that commuters will now be able to ‘tap on’ for single trips using their credit cards or digital wallets, leaving many wondering whether the existing Opal card payment method could soon be phased out.

This method will, of course, be more efficient for consumers using Transport NSW. The public will no longer have to worry about needing sufficient funds on their Opal cards when travelling. They can simply use their bank card or digital wallet to pay at the gate. 

These changes also make it easier for rural travellers, who have previously struggled to find a location to purchase and top up their Opal cards, particularly if their local newsagent or Post Office is closed. Furthermore, it’s an attractive proposition for tourists visiting Sydney, as they can tap and be on their way without needing to return the card at the end of their stay.

However, despite its efficiencies, this payment method may have vulnerabilities that open consumers to a gamut of security threats and higher risks of fraud. 

First and foremost, Transport NSW’s payment poles and gates are at risk of being tampered with to skim cards. If such tampering went undetected, it would expose consumers to account fraud and significant cybersecurity risks whenever they tapped a credit or debit card, or a card held on their phone or smartwatch.

Previously, the Opal card put an extra barrier between scammers and users’ broader payment details. Now, with a simple tap, users’ payment details, along with a raft of other data, could immediately be in the hands of fraudsters.

With this information, fraudsters can position themselves for an account takeover attack. This involves fraudulently using another person’s credit or debit card account – first by gathering information about the intended victim, then contacting their bank or card issuer to masquerade as the genuine cardholder.

The criminal then arranges for funds to be transferred out of the account, or will change the address on the account and request new or replacement cards. By the time the consumer notices their account has been skimmed, they could be out hundreds or thousands of dollars. 

Consumers do have rights in this situation and can initiate a chargeback request to get their money back. However, it can prove to be an arduous process. If the merchant’s business name does not match the payee name that appears on the consumer’s banking statement, they may be confused as to whom they should contact before disputing the charge with their bank or card issuer.

Chargebacks cause significant resource drain and revenue loss for many businesses. To give a sense of scale to the issue, a recent Javelin research study has found chargebacks cost card issuers $11.61 billion and merchants $19.39 billion, globally in 2017. 

Without the appropriate mechanisms in place, a chargeback request can take months to remedy. Within this process, multiple parties can be substantially out of pocket, with damaging effects to revenue streams, business operations and consumer experience. 

To combat the challenges that come with advancing payment mechanisms, Transport NSW and card issuers must ensure that the right security and authentication features are in place to tackle the potential for increased threats. 

Having visibility of the back-end of payment processes, and working in a closed-loop environment in which merchants and card issuers share information, is key to stopping fraudulent payments as and when they occur. Equally important are strong front-end security mechanisms that deter fraudsters from breaking into payment systems.

There are also a range of tools that consumers can use to better protect themselves, and that businesses can implement to support consumers’ transactions and keep them safe. 

Mobile or digital wallets are a great advancement in this space. They provide consumers with a more secure method of payment than others due to built-in tokenisation. This technology replaces card and account information with a non-sensitive numerical ‘token’, allowing authorisation and authentication within milliseconds. 

The ‘token’ is used as an identifier during the payment process and can only be traced back to the original account or card data with a master key. Better still, a digital wallet adds a further layer of security when it is integrated with a biometric measure to open the wallet, e.g. scanning one’s fingerprint on one’s smartphone. While these additional security measures are highly beneficial, consumers should still be wary about where they are storing sensitive data and who has access to it.
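To make the tokenisation mechanism concrete, here is an added illustrative token vault (not Transport NSW’s, Verifi’s or any card scheme’s code): the gate only ever sees a random Luhn-valid token standing in for the card number, and the stored mapping can only be traced back to the card number with the master key. The HMAC-SHA256 keystream-and-tag construction, the vault layout and the sample card number are assumptions chosen to keep the example self-contained.

```python
import hashlib
import hmac
import secrets

def luhn_valid(number: str) -> bool:
    """Standard Luhn check: from the right, double every second digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass luhn_valid()."""
    return next(d for d in "0123456789" if luhn_valid(payload + d))

class TokenVault:
    """Constructed token-service vault (illustrative, not any scheme's real code).
    It stores only ciphertext plus an integrity tag; the master key is supplied by
    the caller and never stored, so a copy of the vault alone reveals no card numbers."""
    def __init__(self):
        self._store = {}  # token -> (encrypted PAN, tag)
    @staticmethod
    def _pad(master_key: bytes, token: str, n: int) -> bytes:
        # Per-token one-time pad from HMAC-SHA256 used as a PRF (assumed construction
        # for this example); tokens are unique, so a pad is never reused.
        return hmac.new(master_key, b"pad:" + token.encode(), hashlib.sha256).digest()[:n]
    @staticmethod
    def _tag(master_key: bytes, token: str, ct: bytes) -> bytes:
        return hmac.new(master_key, b"tag:" + token.encode() + ct, hashlib.sha256).digest()
    def tokenise(self, pan: str, master_key: bytes) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        while True:  # random 16-digit token that itself passes Luhn, like a real PAN
            payload = "".join(str(secrets.randbelow(10)) for _ in range(15))
            token = payload + luhn_check_digit(payload)
            if token != pan and token not in self._store:
                break
        ct = bytes(a ^ b for a, b in zip(pan.encode(), self._pad(master_key, token, len(pan))))
        self._store[token] = (ct, self._tag(master_key, token, ct))
        return token
    def detokenise(self, token: str, master_key: bytes) -> str:
        ct, tag = self._store[token]
        if not hmac.compare_digest(tag, self._tag(master_key, token, ct)):
            raise PermissionError("master key does not match; token cannot be traced back")
        return bytes(a ^ b for a, b in zip(ct, self._pad(master_key, token, len(ct)))).decode()
```

In a real deployment the detokenisation step lives with the issuer or token service provider, so a skimmer at the gate capturing the token learns nothing that can be replayed against the underlying account.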

It’s likely that the convenience of ‘tapping on’ without an Opal card will be welcomed by consumers. However, it’s essential that Transport NSW takes a two-fold approach to consumer security – ensuring that the right security and payment protection measures are in place, and that consumers are educated about the risks that could be associated with using their bank card and what they can do to help decrease these risks.
