现金还是刷卡? 安全与风险

Cash or card?

It's a question we all face at the supermarket checkout.

But new research from Europe suggests paying by card may not be so safe.

"We're talking about the little machines that you stick your cards in that are not cash dispensers."

Karsten Nohl is a computer hacking expert based in Berlin. He's found a weakness in payment terminal devices used to swipe bank cards.

"The way they're attackable is very similar to how computers were attackable some 15-20 years ago… So by sending unexpected network traffic to them, you can install viruses."

"Once that is the case then card cloning, the entire copying of payment cards including pin numbers could become a large scale problem."

Karsten says it took him a few days to find this weakness. He warns it's just a matter of time before criminals learn the same trick.
 
Card fraud is already big business. 3 billion US dollars were lost to the crime in 2010, according to a report from Cambridge University.

Many countries are now introducing new cards with a microchip inside. These use a more secure payment system, called EMV. And they're currently being rolled out in China.

But Karsten Knol says the new EMV standard is not strong enough.

"Any EMV standard ever built has as its foundation the assumption that none of these payment terminals will ever be hacked and that is a na?ve assumption given how many millions of these devices exist being built by dozens of different companies with hundreds of different software versions."

So, what can victims of card fraud do? This is the key question, according to security engineer Ross Anderson from Cambridge University.

"The most important thing from the point of view of policy is whether the banks are allowed to shift the burden of liability too much on to merchants and cardholders."

Anderson says EMV payment in some countries means either the merchant or cardholder is held responsible for fraudulent payment. In other words, banks have got off the hook.

Anderson:

"Now, this is where the thing breaks down in some countries. Because if the bank can move all the liability for fraud on to either the cardholder or the merchant, the bank doesn't have an incentive to take care any more."

If that's the case, the worry is there's less reason for banks to invest in better security. So, what's the situation in China?

Chen Yu is Vice President of Marketing at payment service provider Yeepay.

"Ideally speaking there should be enough protection for the end users but in China it's still not quite there yet, there's limited protection. If you report your stolen card in time you can probably get your money back, but there's no guarantee and in a lot of situations it is has to be a case by case."

Back in the supermarket, how worried are customers about card security?

"I don't think paying by card is safe. But it's more convenient than cash."

"I guess it may not be safe, but I've never experienced any cyber crime. I think the benefit of convenience outweighs the risk."

Many experts call for an updated EMV payment standard to plug the current security holes. But so far there's no sign this is going to happen.

For CRI, I'm Dominic Swire.