With the total number of contactless bank cards in circulation rising from 59 million to 119 million from 2015 to 2017 in the UK, experts are now warning card users to guard against cyber criminals looking to steal bank card details by using specialised software that can clone cards from a limited distance.
The practice of using stolen bank card details to clone cards has become so widespread that, for the first time in history, contactless fraud has overtaken check fraud, which stood at £9.8 million last year.
Almost three years ago, consumer group Which? warned contactless bank card users in the UK that thieves could easily exploit a security flaw to steal key data from debit and credit cards using equipment readily available online.
Researchers tested six debit cards and four credit cards and managed to steal card details from all of them, and even managed to purchase a £3,000 television set by cloning one of the cards.
“Contactless bank cards are coded to ‘mask’ personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards. We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).
“We doubted we’d be able to make purchases without the cardholder’s name or CVV code – but we were wrong. We ordered two items – one a £3,000 TV – from a mainstream online shop using ‘stolen’ card details, combined with a false name and address,” said a Which? spokesman.
Considering that such technology was available three years ago, it is no surprise that contactless fraud in the UK surpassed £10 million last year. Richard Koch, then head of policy at the UK Cards Association, had said that obtaining only the card number and expiry date wasn't enough to perform transactions. Katy Worobec, managing director of economic crime at UK Finance, now says that a lot of retailers still do not require the CVV to perform transactions, and that stolen card details can therefore still be used to make unauthorised purchases.
"As contactless cards become more popular globally, it is critical for online companies to actually identify true customers from imposters to approve transactions. Just having credit card numbers, passcodes and credentials can be easily subverted by cyber criminals," says Lisa Baergen, director at NuData Security.
"It is imperative that authentication frameworks now include passive biometrics and behavioural analytics, along with a full stack of security solutions so that customers are identified by their behaviour such as how they hold a device, how hard they hit the keys and hundreds of other identifiers.
"This approach allows online companies to block fraudulent transactions even if the cyber criminal has skimmed or cloned credit card information, has credentials or has even stolen a device," she adds.