29 Mar 2012

Fraud fears grow over contactless bank card technology

Millions more British bank customers have been exposed to fraud through the latest credit and debit card technology, writes Channel 4 News technology producer Geoff White.

On Friday Channel 4 News reported that Barclays Visa contactless cards (ones which bear the symbol pictured) can be read using an off-the-shelf mobile phone running a special app.

ViaForensics, the company which carried out the research for Channel 4 News, has now shown the same technique works on a Visa debit card issued by Lloyds. And banking industry insiders have told us that all Visa contactless cards can potentially be read in this way.

The app reads the full name, number and expiry date from the card. Channel 4 News was able to use just these three details to order goods through Amazon, setting up an account under a dummy email address and having the goods shipped to an address which does not match that of the cardholder.

There are around 19 million contactless cards in circulation in the UK – Barclays accounts for around 13 million of those.

Visa, which provides credit facilities for Barclays, Lloyds and other banks, said it takes cardholder security very seriously. It acknowledges that the details are transmitted by the cards without encryption, but said these details can be gained “by a number of methods” and should not be usable without the three-digit CVV number on the back of the card.

A spokesman said: “So long as the appropriate levels of security are upheld when verifying a payment, it should not be possible for a fraudulent transaction to take place. We will continue our work, alongside card issuers and merchant acquirers, to ensure that retailers have the required security procedures in place to protect against fraud.”

But Channel 4 News has been shown a list of hundreds of websites which do not require the three-digit CVV number to make a transaction. These lists are passed around among credit card fraudsters who use them to process stolen cards.

The Information Commissioner has also raised concerns that the information the card gives out could breach data protection laws. Christopher Graham told Channel 4 News: “Just your name is personal information and if that can be accessed surreptitiously that’s a concern. If there’s been a serious breach of the data protection act we do have very significant sanctions.”

Viewers have told Channel 4 News that they have been told by their bank that they must have a contactless card and that no other option is available. Barclays confirmed that they will not offer an alternative to contactless credit cards, but they can issue a non-contactless debit card.

Meanwhile, contactless cardholders who are concerned about data leakage can buy a shielded wallet, which surrounds the cards with a thin sheet of metal.

This report won Best Security Story (Broadcast) at the BT Information Security Journalism Awards 2012.