Stealing data from contactless cards is 'easy'
23 July 2015
Thieves could exploit a security flaw to steal key data from contactless debit and credit cards using equipment readily available online, consumer group Which? has warned.
It said it used “easily and cheaply” acquired technology from a mainstream website to take enough information from cards to place orders for items including a £3,000 television set.
Researchers tested six debit cards and four credit cards, and Which? said they all revealed some data.
A spokesman said: “Contactless cards are coded to ‘mask’ personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards.
“We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).
“We doubted we’d be able to make purchases without the cardholder’s name or CVV code – but we were wrong.
“We ordered two items – one a £3,000 TV – from a mainstream online shop using ‘stolen’ card details, combined with a false name and address.”
Contactless payment continues to grow rapidly in popularity, with more than £2 billion spent through the system last year, according to the UK Cards Association.
The limit for a single contactless transaction is £20 – but from September 1 onwards a higher limit of £30 will be rolled out.
The Which? spokesman said: “By touching volunteers’ cards to our card reader, we got enough details to allow us to go on an internet shopping spree. With these card details, the contactless transaction limit is irrelevant, because online transactions aren’t contactless.”
Richard Koch, head of policy at the UK Cards Association, said: “This is not a new story. Consumers are fully protected against any fraud losses on contactless cards and will never be left out of pocket.
“Instances of fraud on contactless cards are in fact extremely rare, with losses of less than a penny for every £100 spent on contactless – far lower even than overall card fraud.
“The method shown by Which? is not a new discovery and was first reported two years ago. However, any such technology can only obtain the card number and expiry date – information that has always been available simply by looking at the front of a card.
“The vast majority of online retailers require additional data such as the card security code, along with the cardholder’s address, which cannot be harvested electronically. Any retailers that do not will do so at their own risk and will be liable for any fraudulent transactions.”