
The million dollar contactless payment

What happens when the security design for a payment system is incomplete, i.e. does not cover all of the possible scenarios.
In this video, I’ll talk about payment security in terms of completeness of the security design. The design needs to be complete, otherwise it’s the same as having securely locked the front of your house whilst leaving the back door wide open. A good example can be found in contactless cards. The design seems complete. You can make small contactless purchases under 30 pounds. Simply tap and go, no PIN required. But if you wish to pay for larger items over 30 pounds, you need to put your PIN in to prove that you are the valid cardholder. This stops lost and stolen cards being used to make expensive purchases without the PIN and thereby limits the security risk.
So how is the back door being left open? The contactless card knows that you cannot make a purchase over 30 pounds without using the PIN. The system prevents that. However, the card does not know what 30 pounds is in, say, euros or dollars. So although the card will prevent a 100 pound contactless purchase without the PIN, the card will quite happily accept a 1 million dollar or a 1 million euro contactless purchase. The design is not complete. The back door has been left wide open.
In this video, Martin talks about what happens when the security design for a payment system is incomplete.
In this case the design of contactless card payments has a set of well-defined rules which state that when you pay with contactless you are limited, in the UK, to £30, and when you want to make a payment over £30 you must enter your PIN.
Unfortunately the security design for contactless payments is not complete. It leaves out one rather important detail: what is the £30 contactless payment limit when you are paying in Dollars, Yen or Euros?
This simple omission leads to a very large security vulnerability: the million dollar contactless payment.
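The gap described above can be shown as a decision rule. The following is an added example written for this page, not code from the course or from any real card or EMV kernel: a simplified model of the cardholder-verification decision a card makes on a contactless tap. The "incomplete" version enforces the £30 limit only when the transaction currency is pounds, so any other currency never trips it; the "complete" version gives every accepted currency an explicit limit and refuses anything it has no rule for (default deny). The per-currency limits for euros and dollars, the minor-unit amounts and the sample transactions are all assumed for illustration.

```python
"""Constructed model of a contactless cardholder-verification (CVM) decision.

Illustrative only: not EMV, not any issuer's actual logic. Amounts are in
minor units (pence, cents); currency codes are ISO 4217 numeric codes.
"""
from dataclasses import dataclass

GBP, EUR, USD, JPY = 826, 978, 840, 392  # ISO 4217 numeric codes


@dataclass(frozen=True)
class Transaction:
    amount: int    # minor units (pence, cents); JPY has no minor unit
    currency: int  # ISO 4217 numeric code


CVM_LIMIT_GBP = 30_00  # the £30 limit from the text, in pence


def incomplete_cvm_check(tx: Transaction) -> str:
    """The 'back door' design: the limit exists only for pounds.

    Returns 'NO_CVM' (tap and go) or 'PIN_REQUIRED'. A transaction in any
    other currency never reaches the limit check, so a 1,000,000.00 EUR or
    USD tap is approved without a PIN.
    """
    if tx.currency == GBP and tx.amount > CVM_LIMIT_GBP:
        return "PIN_REQUIRED"
    return "NO_CVM"


# Hardened design: every currency the card will transact in has an explicit
# no-CVM limit, and anything else is refused rather than waved through.
# The EUR and USD values are assumed for illustration, not issuer policy.
CVM_LIMITS = {GBP: 30_00, EUR: 35_00, USD: 40_00}


def complete_cvm_check(tx: Transaction) -> str:
    """Default-deny version: an unlisted currency yields 'DECLINE', never 'NO_CVM'."""
    if tx.amount < 0:
        return "DECLINE"
    limit = CVM_LIMITS.get(tx.currency)
    if limit is None:
        return "DECLINE"
    return "PIN_REQUIRED" if tx.amount > limit else "NO_CVM"


# Constructed sample transactions covering the scenarios in the text.
SAMPLE_TRANSACTIONS = [
    Transaction(10_00, GBP),         # £10 tap: fine under both designs
    Transaction(100_00, GBP),        # £100: PIN required under both designs
    Transaction(1_000_000_00, EUR),  # €1,000,000: the million-euro tap
    Transaction(1_000_000_00, USD),  # $1,000,000: the million-dollar tap
    Transaction(500, JPY),           # ¥500: a currency the card has no rule for
]


def compare(txs=SAMPLE_TRANSACTIONS):
    """Return (transaction, incomplete decision, complete decision) for each tx."""
    return [(tx, incomplete_cvm_check(tx), complete_cvm_check(tx)) for tx in txs]


def find_back_doors(txs=SAMPLE_TRANSACTIONS):
    """Transactions the incomplete design waves through without a PIN
    but the complete design does not."""
    return [tx for tx in txs
            if incomplete_cvm_check(tx) == "NO_CVM"
            and complete_cvm_check(tx) != "NO_CVM"]


if __name__ == "__main__":
    for tx, weak, strong in compare():
        print(f"{tx.amount:>12} cur={tx.currency}  incomplete={weak:13s} complete={strong}")
    print("back doors:", len(find_back_doors()))
```

The point of the hardened version is not the particular limits but the shape of the rule: the decision is made over the full input (amount and currency together), and the unhandled case is a refusal rather than an approval. Run as a script it prints the two decisions side by side for each sample tap; the three foreign-currency transactions are the ones the incomplete design lets through.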
This article is from the free online course Cyber Security: Safety at Home, Online, in Life.
Created by FutureLearn - Learning For Life