Millions of users of Barclays Bank's contactless payment cards are at risk of fraud as their personal details can be stolen via a mobile phone, an investigation has found.
The investigation, carried out by Channel 4, revealed that mobile phones containing a standard card-reading app can be modified to steal details from contactless payment cards. This can be done simply by swiping the mobile phone over the card, even if it is in a wallet.
Contactless payment cards are fitted with a chip that contains all the important data needed to buy something, with the exception of the CVV code, and they work when held up to special readers in shops. Channel 4 alleges that these details can easily be transmitted to a mobile phone.
Thomas Cannon of ViaForensics, who helped with the investigation, said: "All I did was I tap my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card, that includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air."
Using details acquired this way, Channel 4 claims it was able to order and receive a number of goods purchased through online retailer Amazon.
The show said that Amazon does not require the CVV code - the three-digit number on the back of a user's card - to complete purchases, which is where users are exposed to potential fraud. Normally a 'card not present' transaction requires the CVV, but evidently not in Amazon's case.
Amazon is not alone in skipping this check, which means several other online shopping sites are potentially exposed to the same kind of fraud.
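The gap the report describes is on the merchant side: a card-not-present (CNP) checkout that accepts exactly the fields readable from the chip (number, expiry, name) and nothing else. The following is an added illustration, not code from Channel 4, Barclays or any retailer named above; the request fields, policy object and reference date are constructed for the example. It shows a CNP validation routine with the weak setting (CVV optional) beside the hardened one (CVV mandatory), so that details lifted from a contactless card alone are rejected.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed reference date for the example (the report aired in 2012).
AS_OF = date(2012, 3, 1)


def luhn_valid(pan: str) -> bool:
    """Luhn check on a card number: catches mistyped PANs, not fraud."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class CnpPolicy:
    require_cvv: bool  # False is the weak setting the report found at Amazon


def check_cnp_request(req: dict, policy: CnpPolicy, today: date = AS_OF) -> Tuple[bool, str]:
    """Return (accepted, reason) for a card-not-present request.

    req holds 'pan', 'expiry' as 'MM/YY' and, optionally, 'cvv'. The CVV is
    never stored; it is only checked for presence and shape here.
    """
    if not luhn_valid(req.get("pan", "")):
        return False, "invalid PAN"
    try:
        mm, yy = req["expiry"].split("/")
        exp_month, exp_year = int(mm), 2000 + int(yy)
    except (KeyError, ValueError):
        return False, "malformed expiry"
    if not 1 <= exp_month <= 12 or (exp_year, exp_month) < (today.year, today.month):
        return False, "card expired"
    cvv: Optional[str] = req.get("cvv")
    if policy.require_cvv and not (cvv and cvv.isdigit() and len(cvv) in (3, 4)):
        return False, "CVV required for card-not-present"
    return True, "accepted"


# Constructed sample: exactly the fields a contactless chip exposes, with no CVV.
SKIMMED_REQUEST = {"pan": "4111111111111111", "expiry": "12/30", "name": "A N OTHER"}
WEAK_POLICY = CnpPolicy(require_cvv=False)
HARDENED_POLICY = CnpPolicy(require_cvv=True)
```

Under the weak policy the skimmed fields alone are accepted; under the hardened policy the same request is refused until the CVV, which is not on the chip, is supplied.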
During the investigation Channel 4 found that only Visa cards issued by Barclays were at risk; other bank and card combinations did not transmit the data.
A statement issued by Barclays denied that its contactless payment system is inherently flawed; instead, it said, the issue lies with the retailers.
"We are compliant with scheme rules for contactless cards and our fraud guarantee refunds any fraudulent losses to customers in full. The only information which can be obtained from a chip is the same as that which is printed on the front of the card - this does not include secure information such as PIN or signature (CVV) code," a Barclays statement read.
"The details obtained should not be sufficient to undertake any fraudulent activity but we do depend on retailers upholding the same high standards of security when verifying payment details," the statement added. "As a matter of urgency we are now engaging with retailers to ensure they are undertaking adequate and robust checks. We remain committed to contactless and firmly believe that it continues to be a safe and viable payment system."
It is thought there are around 13 million users of Barclays' contactless payment cards.
Contactless payment is a booming business at the moment, with near-field communications (NFC) chips being included as standard on many smartphones. A recent report by Informa said that mobile phone-based payments are expected to top $37bn a year by 2016.