Which? makes contactless card security claims

Source: Which?

Which? has revealed a security flaw in contactless cards that thieves could exploit to make expensive online purchases.

After easily and cheaply acquiring contactless card-reading technology from a mainstream website, our researchers were able to remotely 'steal' key details from a contactless card and use them to order items, one of which was a £3,000 TV.

Contactless payment cards tested
Our researchers tested 10 cards (six debit and four credit, from volunteers) to assess security risks.

Contactless cards are coded to 'mask' personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards.

We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).

We doubted we'd be able to make purchases without the cardholder's name or CVV code - but we were wrong.

'Stolen' details used to order TV
We ordered two items - one a £3,000 TV - from a mainstream online shop using 'stolen' card details, combined with a false name and address. We've alerted the store involved.

The UK Cards Association admitted that although levels of encryption have increased, it's still 'possible' for card details to be read remotely.

Find out more: How do contactless payments work? - we explain the technology

Fraudsters with contactless card readers
The limit for a contactless transaction rose from £15 to £20 in June 2012, and will rise to £30 in September this year.

But, by touching volunteers' cards to our card reader, we got enough details to allow us to go on an internet shopping spree. With these card details, the contactless transaction limit is irrelevant, because online transactions aren't contactless.

Peter Eisenegger, a security expert who helped develop European standards for contactless cards, told us that it would be possible for criminals to obtain card readers that could read details from further away than the one in the Which? test.

He said: 'It's vital to protect consumers from fraudsters who have the knowhow to develop mobile card readers with much greater reading distances than those used by retailers.'

Official fraud figures for contactless cards show losses attributable to contactless fraud are less than 1p per £100, but it's impossible to know the true scale of theft via contactless readers, as it would be hard for the victim to know whether their card details had been lifted this way.  

Comments: (3)

A Finextra member
A Finextra member 24 July, 2015, 08:57Be the first to give this comment the thumbs up 0 likes

Nothing new here and the story should be why are there online stores still out there not mandating CV2 and checking AVS?

Matt Scott
Matt Scott - Fiserv Inc - London 24 July, 2015, 17:23Be the first to give this comment the thumbs up 0 likes

Any e-commerce merchant that accepts a transaction without CVV2 or 3DSecure is immediately setting themselves up for an undefendable chargeback.  I would be very very surprised if any merchant permitted an e-commerce transaction for £3,000 without mandatory authentication data...  would be interested in reviewing the Which? data.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 24 July, 2015, 18:45Be the first to give this comment the thumbs up 0 likes

Chargeback is bad but Mitigating Fraud Does Not Pay The Bills either. Keen to know how much extra revenues this ecommerce company gained by not subjecting genuine customers to the 2FA / 3DS friction and thereby losing them to the common problem of shopping cart abandonment. Maybe this merchant uses Stripe to process his payments: "at Stripe we've so far opted not to support 3D Secure since we believe the costs outweigh the benefits." (https://support.stripe.com/questions/does-stripe-support-3d-secure-verified-by-visa-mastercard-securecode).