
Which? makes contactless card security claims

23 July 2015 | Source: Which?

Which? has revealed a security flaw in contactless cards that thieves could exploit to make expensive online purchases.

After easily and cheaply acquiring contactless card-reading technology from a mainstream website, our researchers were able to remotely 'steal' key details from a contactless card and use them to order items, one of which was a £3,000 TV.

Contactless payment cards tested
Our researchers tested 10 cards (six debit and four credit, from volunteers) to assess security risks.

Contactless cards are coded to 'mask' personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards.

We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).

We doubted we'd be able to make purchases without the cardholder's name or CVV code - but we were wrong.

'Stolen' details used to order TV
We ordered two items - one a £3,000 TV - from a mainstream online shop using 'stolen' card details, combined with a false name and address. We've alerted the store involved.

The UK Cards Association admitted that although levels of encryption have increased, it's still 'possible' for card details to be read remotely.


Fraudsters with contactless card readers
The limit for a contactless transaction rose from £15 to £20 in June 2012, and will rise to £30 in September this year.

But, by touching volunteers' cards to our card reader, we got enough details to allow us to go on an internet shopping spree. With these card details, the contactless transaction limit is irrelevant, because online transactions aren't contactless.

Peter Eisenegger, a security expert who helped develop European standards for contactless cards, told us that it would be possible for criminals to obtain card readers that could read details from further away than the one in the Which? test.

He said: 'It's vital to protect consumers from fraudsters who have the knowhow to develop mobile card readers with much greater reading distances than those used by retailers.'

Official fraud figures for contactless cards show losses attributable to contactless fraud are less than 1p per £100, but it's impossible to know the true scale of theft via contactless readers, as it would be hard for the victim to know whether their card details had been lifted this way.  
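The finding above is that a contactless read yields the card number and expiry but never the CVV or cardholder name, so the control sits on the merchant side. The following is an added illustration, not code from Which? or from any merchant: a card-not-present authorization gate that declines any order the skimmed fields alone could satisfy. The result codes, the 3-D Secure threshold and the sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed example of a merchant-side card-not-present (CNP) authorization gate.
# A contactless read like the one described above yields only PAN and expiry, so the
# gate insists on evidence that skimmed data alone cannot supply. Result codes and the
# threshold are assumed for illustration, not any specific processor's API or policy.

THREE_DS_THRESHOLD_GBP = 500.0   # orders above this need 3-D Secure (assumed value)

@dataclass
class CnpRequest:
    pan: str
    amount_gbp: float
    cvv2_result: str           # "M" match, "N" no match, "P" not supplied (assumed codes)
    avs_result: str            # "Y" address match, "N" no match, "U" unavailable (assumed)
    three_ds_authenticated: bool

def luhn_ok(pan: str) -> bool:
    """Reject PANs that fail the Luhn checksum before spending an auth call."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def authorize(req: CnpRequest):
    """Return ("APPROVE", []) or ("DECLINE", [reasons]) for a CNP request."""
    reasons = []
    if not luhn_ok(req.pan):
        reasons.append("PAN fails Luhn check")
    if req.cvv2_result != "M":
        reasons.append("CVV2 absent or mismatched (never present in a contactless read)")
    if req.avs_result != "Y":
        reasons.append("billing address failed AVS")
    if req.amount_gbp > THREE_DS_THRESHOLD_GBP and not req.three_ds_authenticated:
        reasons.append("high-value order without 3-D Secure")
    return ("DECLINE" if reasons else "APPROVE", reasons)

# Constructed requests; the PAN is the well-known Visa test number, not a real card.
# SKIMMED models the article's scenario: PAN only, no CVV, made-up name and address.
SKIMMED = CnpRequest("4111111111111111", 3000.0, "P", "N", False)
GENUINE = CnpRequest("4111111111111111", 3000.0, "M", "Y", True)
```

Run `authorize(SKIMMED)` to see the £3,000 order declined on three independent grounds, while `authorize(GENUINE)` approves the same amount once CVV2, AVS and 3-D Secure all check out.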

Comments: (3)

A Finextra member | 24 July, 2015, 08:57

Nothing new here, and the story should be: why are there online stores still out there not mandating CV2 and checking AVS?

Matt Scott - RenovITe Technologies Inc - London | 24 July, 2015, 17:23

Any e-commerce merchant that accepts a transaction without CVV2 or 3DSecure is immediately setting themselves up for an undefendable chargeback.  I would be very very surprised if any merchant permitted an e-commerce transaction for £3,000 without mandatory authentication data...  would be interested in reviewing the Which? data.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 24 July, 2015, 18:45

Chargeback is bad, but Mitigating Fraud Does Not Pay The Bills either. Keen to know how much extra revenue this ecommerce company gained by not subjecting genuine customers to the 2FA / 3DS friction and thereby losing them to the common problem of shopping cart abandonment. Maybe this merchant uses Stripe to process his payments: "at Stripe we've so far opted not to support 3D Secure since we believe the costs outweigh the benefits." (https://support.stripe.com/questions/does-stripe-support-3d-secure-verified-by-visa-mastercard-securecode).
