Cyber criminals “skimming” bank card details with increasing regularity

Cyber criminals “skimming” bank card details with increasing regularity

With the total number of contactless bank cards in circulation rising from 59 million to 119 million from 2015 to 2017 in the UK, experts are now warning card users to guard against cyber criminals looking to steal bank card details by using specialised software that can clone cards from a limited distance.

The practice of using stolen bank card details to clone cards has become so widespread that, for the first time in history, contactless fraud has overtaken check fraud which stood at £9.8 million last year.

Almost three years ago, consumer group Which? warned contactless bank card users in the UK that thieves could easily exploit a security flaw to steal key data from debit and credit cards using equipment readily available online.

Researchers tested six debit cards and four credit cards and managed to steal card details from all of them, and even managing to purchase a £3,000 television set by cloning one of the cards.

“Contactless bank cards are coded to ‘mask’ personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards. We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).

“We doubted we’d be able to make purchases without the cardholder’s name or CVV code – but we were wrong. We ordered two items – one a £3,000 TV – from a mainstream online shop using ‘stolen’ card details, combined with a false name and address,” said a Which? spokesman.

Considering that such technology was available three years ago, it is no surprise that contactless fraud in the UK surpassed £10 million last year. While Richard Koch, the then head of policy at the UK Cards Association had said that while only obtaining the card number and expiry data wasn't enough to perform transactions, Katy Worobec, managing director of economic crime at UK Finance, now says that a lot of retailers still do not require CVV to perform transactions and therefore, stolen card details can still be used to perform unauthorised purchases.

"As contactless cards become more popular globally, it is critical for online companies to actually identify true customers from imposters to approve transactions. Just having credit card numbers, passcodes and credentials can be easily subverted by cyber criminals," says Lisa Baergen, director at NuData Security.

"It is imperative that authentication frameworks now include passive biometrics and behavioural analytics, along with a full stack of security solutions so that customers are identified by their behaviour such as how they hold a device, how hard they hit the keys and hundreds of other identifiers.

"This approach allows online companies to block fraudulent transactions even if the cyber criminal has skimmed or cloned credit card information, has credentials or even stolen a device," she adds.

Copyright Lyonsdown Limited 2021

Top Articles

WhatsApp's New Privacy Policy Deadline Has Arrived

At the start of 2021, WhatsApp announced its privacy policy updates, sparking outrage and backlash from its consumers as WhatsApp will share personal information with its parent company, Facebook.

Overcoming the security challenge in remote working environments

The pandemic has changed the way we work. Remote working is no longer a nice-to-have for organisations, but a necessity especially if they want to attract the best talent.

President Biden pens Executive Order to boost US cybersecurity

US President Joe Biden signed an Executive Order this week to boost the cyber security of federal government systems and data.

Related Articles