Wave and pay is the new way to shop. How easy is it to steal information from your wave-and-pay card?

VISA’s payWave technology has reached a record 3 million transactions per month in September, and compulsive buying is giving retailers something to look forward to. There’s a per-transaction limit of $80 dollars using payWave, but are the new cards as secure as you’d like them to be?

Launched in 2011, consumers have taken it aboard with abandon as the ease of touch-and-go means there’s no fumbling with change or remembering to key in the right pin number, according to reports from Visa.

Specifically designed to replace the use of cash, its rollout has been helped by partnering with major businesses such as the Warehouse, Countdown, BP, and Pak’nSave. Retailers are charged a stipulated merchant fee that’s paid to the bank for every transaction, as opposed to Australia, which has no extra fee.

While New Zealand consumers adapt the technology there are concerns about the security of touch-and-go systems.

Forbes reported as far back as two years ago that hackers or those with the know-how, can easily steal all the data required to make fraudulent transactions, all invisibly and without ever touching your person with investments – all with a few hundred dollars of investments.

Caroline Ada, Visa’s country manager for New Zealand and the South Pacific, allays consumers’ fears, highlighting the use of EMV (Europay, MasterCard and Visa) technology as the most significant protection for consumers.

EMV is a global standard for inter-operation of chip cards, chip-card capable point-of-sales (POS) systems, and ATMs.

It’s a highly technical process that matches the details on a card with a POS system through one-use codes and several gates of authentication.

Ada’s view is that EMV is incredibly  hard to break and clone (taking the information from your card to be “placed” onto a blank card), and probably outside the realms of most fraudsters.

Stealing info, cloning cards

However, it is certainly possible to steal the information required to swipe money from your account. One security researcher achieved such an attack just last month.

Money hacker Peter Fillmore created an Android app that can clone some of Australia's most popular contactless credit cards. The Aussie boffin probed the protocols behind Visa and Mastercard payment cards and proved the viability of an attack by successfully using cloned versions of his credit cards to shop at supermarket chain Woolworths, and buy beer at a Sydney pub, according to The Register.

The attackers would however need to conduct the fraud before the next time the victim swiped their card or an error would occur. With a transaction limit of $80 in New Zealand, it means customers won’t have their life savings taken.

As for fraudsters posing to be a point-of-sale vendor? There are several hoops you have to jump through for the bank to become a “legitimate” vendor, Ada says.

“There’s a credit check. Risk assessment check. A bunch of things before the bank will allow your account to be set up,” she says.

Ada says not only is it incredibly hard to become a legitimate vendor, those who’ve tried to trick the system have had minimal success.

Cardholders are also protected by Visa’s Zero Liability Policy – meaning cardholders are not held liable for fraudulent or unauthorised transactions.

“Customers tell us Visa payWave is fast becoming their preferred form of payment. It is three times faster than paying with cash and just as secure as a traditional card," Ada says.