Which? makes contactless card security claims

23 July 2015 | 3190 views | 3 comments | Source: Which?

Which? has revealed a security flaw in contactless cards that thieves could exploit to make expensive online purchases.

After easily and cheaply acquiring contactless card-reading technology from a mainstream website, our researchers were able to remotely 'steal' key details from a contactless card and use them to order items, one of which was a £3,000 TV.

Contactless payment cards tested
Our researchers tested 10 cards (six debit and four credit, from volunteers) to assess security risks.

Contactless cards are coded to 'mask' personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards.

We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).

We doubted we'd be able to make purchases without the cardholder's name or CVV code - but we were wrong.

'Stolen' details used to order TV
We ordered two items - one a £3,000 TV - from a mainstream online shop using 'stolen' card details, combined with a false name and address. We've alerted the store involved.

The UK Cards Association admitted that although levels of encryption have increased, it's still 'possible' for card details to be read remotely.

Find out more: How do contactless payments work? - we explain the technology

Fraudsters with contactless card readers
The limit for a contactless transaction rose from £15 to £20 in June 2012, and will rise to £30 in September this year.

But, by touching volunteers' cards to our card reader, we got enough details to allow us to go on an internet shopping spree. With these card details, the contactless transaction limit is irrelevant, because online transactions aren't contactless.

Peter Eisenegger, a security expert who helped develop European standards for contactless cards, told us that it would be possible for criminals to obtain card readers that could read details from further away than the one in the Which? test.

He said: 'It's vital to protect consumers from fraudsters who have the knowhow to develop mobile card readers with much greater reading distances than those used by retailers.'

Official fraud figures for contactless cards show losses attributable to contactless fraud are less than 1p per £100, but it's impossible to know the true scale of theft via contactless readers, as it would be hard for the victim to know whether their card details had been lifted this way.  
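The merchant-side gap the article turns on (an online shop accepting a card number and expiry date with no CVV and a false name and address) can be shown as a card-not-present screening policy. This is an added example, not part of the Which? research or of this article; the policy fields, the £500 step-up threshold, the AVS result strings and both sample orders are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple

@dataclass
class CnpOrder:
    # Card-not-present order as the merchant's checkout sees it (constructed model)
    amount_gbp: Decimal
    cvv: Optional[str]          # None if the checkout never asked for the CVV
    avs_result: Optional[str]   # "match", "partial", "no_match", or None if not checked

@dataclass
class CnpPolicy:
    require_cvv: bool
    require_avs_match: bool
    step_up_over: Optional[Decimal]   # order value above which extra cardholder authentication is demanded

# Weak setting: accepts on PAN + expiry alone, the failure mode described in the article
WEAK_POLICY = CnpPolicy(require_cvv=False, require_avs_match=False, step_up_over=None)
# Hardened setting: CVV mandatory, billing address must match, high value needs step-up
# (the £500 threshold is an assumed value, not one from the article)
HARDENED_POLICY = CnpPolicy(require_cvv=True, require_avs_match=True, step_up_over=Decimal("500"))

def screen_order(order: CnpOrder, policy: CnpPolicy) -> Tuple[str, List[str]]:
    """Return ("accept" | "decline" | "step_up", reasons) for a card-not-present order."""
    reasons: List[str] = []
    # A contactless read yields PAN and expiry but never the CVV, so a missing CVV is decisive
    if policy.require_cvv and not (order.cvv and order.cvv.isdigit() and len(order.cvv) in (3, 4)):
        reasons.append("cvv_missing_or_malformed")
    # A false billing address fails address verification
    if policy.require_avs_match and order.avs_result != "match":
        reasons.append(f"avs_{order.avs_result or 'not_checked'}")
    if reasons:
        return "decline", reasons
    # Even a fully verified order above the threshold is sent for additional authentication
    if policy.step_up_over is not None and order.amount_gbp > policy.step_up_over:
        return "step_up", ["amount_over_threshold"]
    return "accept", []

# Constructed order modelled on the article: lifted PAN and expiry, no CVV,
# false name and address, a £3,000 TV
LIFTED_CARD_ORDER = CnpOrder(amount_gbp=Decimal("3000"), cvv=None, avs_result="no_match")
# Constructed genuine cardholder order of the same value
GENUINE_ORDER = CnpOrder(amount_gbp=Decimal("3000"), cvv="123", avs_result="match")

if __name__ == "__main__":
    for name, order in (("lifted", LIFTED_CARD_ORDER), ("genuine", GENUINE_ORDER)):
        print(name, "weak:", screen_order(order, WEAK_POLICY),
              "hardened:", screen_order(order, HARDENED_POLICY))
```

Under the weak policy the lifted-card order is accepted exactly as the article reports; under the hardened policy it is declined on two independent grounds, while the genuine high-value order is routed to step-up authentication rather than refused.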

Comments: (3)

A Finextra member | 24 July, 2015, 08:57

Nothing new here and the story should be why are there online stores still out there not mandating CV2 and checking AVS?

Matt Scott - RenovITe Technologies Inc - London | 24 July, 2015, 17:23

Any e-commerce merchant that accepts a transaction without CVV2 or 3DSecure is immediately setting themselves up for an undefendable chargeback.  I would be very very surprised if any merchant permitted an e-commerce transaction for £3,000 without mandatory authentication data...  would be interested in reviewing the Which? data.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 24 July, 2015, 18:45

Chargeback is bad but Mitigating Fraud Does Not Pay The Bills either. Keen to know how much extra revenues this ecommerce company gained by not subjecting genuine customers to the 2FA / 3DS friction and thereby losing them to the common problem of shopping cart abandonment. Maybe this merchant uses Stripe to process his payments: "at Stripe we've so far opted not to support 3D Secure since we believe the costs outweigh the benefits." (https://support.stripe.com/questions/does-stripe-support-3d-secure-verified-by-visa-mastercard-securecode).
