Welcome to Finextra. We use cookies to help us to deliver our services. We'll assume you're ok with this, but you may change your preferences at our Cookie Centre.
Please read our Privacy Policy.

Accept
Channels
News
All Security Company News »

Channels

Retail banking Security Payments

Keywords

Cards E-commerce Eftpos
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Which? makes contactless card security claims

Source: Which?

Which? has revealed a security flaw in contactless cards that thieves could exploit to make expensive online purchases.

After easily and cheaply acquiring contactless card-reading technology from a mainstream website, our researchers were able to remotely 'steal' key details from a contactless card and use them to order items, one of which was a £3,000 TV.

Contactless payment cards tested
Our researchers tested 10 cards (six debit and four credit, from volunteers) to assess security risks.

Contactless cards are coded to 'mask' personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards.

We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).

We doubted we'd be able to make purchases without the cardholder's name or CVV code - but we were wrong.

'Stolen' details used to order TV
We ordered two items - one a £3,000 TV - from a mainstream online shop using 'stolen' card details, combined with a false name and address. We've alerted the store involved.

The UK Cards Association admitted that although levels of encryption have increased, it's still 'possible' for card details to be read remotely.

Find out more: How do contactless payments work? - we explain the technology

Fraudsters with contactless card readers
The limit for a contactless transaction rose from £15 to £20 in June 2012, and will rise to £30 in September this year.

But, by touching volunteers' cards to our card reader, we got enough details to allow us to go on an internet shopping spree. With these card details, the contactless transaction limit is irrelevant, because online transactions aren't contactless.

Peter Eisenegger, a security expert who helped develop European standards for contactless cards, told us that it would be possible for criminals to obtain card readers that could read details from further away than the one in the Which? test.

He said: 'It's vital to protect consumers from fraudsters who have the knowhow to develop mobile card readers with much greater reading distances than those used by retailers.'

Official fraud figures for contactless cards show losses attributable to contactless fraud are less than 1p per £100, but it's impossible to know the true scale of theft via contactless readers, as it would be hard for the victim to know whether their card details had been lifted this way.  

Channels

Retail banking Security Payments

Keywords

Cards E-commerce Eftpos
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Sponsored: [Webinar] Payments systems are evolving quickly: Is your institution ready?

Comments: (3)

A Finextra member
A Finextra member 24 July, 2015, 08:57Be the first to give this comment the thumbs up 0 likes

Nothing new here and the story should be why are there online stores still out there not mandating CV2 and checking AVS?

Report abuse
A Finextra member
A Finextra member 24 July, 2015, 17:23Be the first to give this comment the thumbs up 0 likes

Any e-commerce merchant that accepts a transaction without CVV2 or 3DSecure is immediately setting themselves up for an undefendable chargeback.  I would be very very surprised if any merchant permitted an e-commerce transaction for £3,000 without mandatory authentication data...  would be interested in reviewing the Which? data.

Report abuse
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 24 July, 2015, 18:45Be the first to give this comment the thumbs up 0 likes

Chargeback is bad but Mitigating Fraud Does Not Pay The Bills either. Keen to know how much extra revenues this ecommerce company gained by not subjecting genuine customers to the 2FA / 3DS friction and thereby losing them to the common problem of shopping cart abandonment. Maybe this merchant uses Stripe to process his payments: "at Stripe we've so far opted not to support 3D Secure since we believe the costs outweigh the benefits." (https://support.stripe.com/questions/does-stripe-support-3d-secure-verified-by-visa-mastercard-securecode).

Report abuse
Join the discussion

Write a blog post about this story (membership required)

[Webinar] Payments systems are evolving quickly: Is your institution ready?[Webinar] Payments systems are evolving quickly: Is your institution ready?
Trending

  1. Central banks embark on tokenisation project

  2. Revolut valuation raised 45% by investor

  3. Mastercard launches virtual card app to simplify travel and business expenses

  4. Apple offer to open up NFC payments access set for EU approval - Reuters

  5. Blair Institute sets out 'progressive vision' for fintech

Research
See all reports »
The Future of UK Fintech - 2015-2035

The Future of UK Fintech - 2015-2035

Definitive Differentiators - Forging a future-proof payments model

Definitive Differentiators - Forging a future-proof payments model

APP Fraud Liability: A Guide for Banks

APP Fraud Liability: A Guide for Banks