Tap and pay could just as easily result in tap and steal with contactless cards, a recent investigation in the United Kingdom suggests.
Holders of millions of Barclays Bank PLC Visa contactless cards potentially could have their card data stolen from someone nearby with a mobile “reader” application, according to an investigative report from British public television Channel 4 News (see video).
Even more troubling, investigators from the TV station were able to make online purchases with the minimal card data the NFC reader in the phone retrieved from contactless-payment chips.
United Kingdom-based Barclays did not mention the potential for a data breach on its website, but media throughout the United Kingdom reported March 26 about the Channel 4 revelation.
Barclays customers who hold a contactless Visa credit or debit card could be vulnerable to the mobile “reader” software, which lets someone with such a phone steal card data by tapping or swiping the phone near chip-equipped cards sitting in wallets or pockets, Channel 4 reported.
Oak Park, Ill.-based ViaForensics developed the mobile software, which Channel 4 producers used to investigate whether such card breaches were possible.
“We were able to develop such software on an Android phone and illustrate it could be used by tapping a wallet,” Andrew Hoog, chief investigation officer and co-founder of the mobile-phone security firm, tells PaymentsSource. “From our perspective, this is old news because NFC software with this capability has been established for a while.”
ViaForensics developers discovered they could retrieve the information that is typically printed on the front of the card and also embedded in the contactless chip: the full card number, expiration date, and the cardholder’s surname and initials.
The finding is consistent with the industry position that newer cards generally limit fraud because attackers cannot extract the vital security data, which restricts how the captured data can be used, even for card-not-present transactions, since many online retailers require the card’s card verification value (CVV) security code and a valid address.
But this time, the potential for such data theft is gaining more attention because estimates claim the cards held by as many as 13 million Barclays customers could be vulnerable, Hoog contends. More importantly, Channel 4 investigators were able to make purchases on Amazon.com with the minimal stolen card data, he adds.
Channel 4 investigators created a new user name on Amazon's website with a different billing and delivery address added to the stolen card information, the TV station reported on its website.
“We were able to order and receive products we purchased without any link to the cardholder,” the report stated. “Unlike some online retailers, Amazon doesn't require the three-digit security code on the back of the card, making it very easy to use for this sort of crime,” the report added. Channel 4 did not reveal the amount of the purchases, saying only the investigators were able to complete “multiple purchases.”
The ability to make purchases with this particular card data represents the major issue facing Barclays, Hoog contends.
“The fact that Channel 4 was able to make purchases at a major retailer, and Amazon allowed the transactions to go through with some information about the cardholder missing [PIN and security code], is significant,” Hoog notes.
Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group, agrees the most surprising aspect of the television investigation centers on the ability to make online purchases without security codes.
Unlike the chips in contactless cards, which only respond with their stored information, the powered NFC chips in phones can actively retrieve data from other contactless chips.
Typically, the payments industry position is that fraudsters can’t get enough essential data through a contactless card breach because the PIN and CVV code are not transmitted as part of the card data through any radio frequency or NFC channels a hacker may use, McNelley tells PaymentsSource.
“It is very surprising that merchants allowed those transactions because at the end of the day, the merchant holds the liability,” she adds.
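As an added illustration (not code from the article, Channel 4, ViaForensics or any retailer) of the merchant-side checks McNelley and Hoog describe: a constructed card-not-present screening rule run over an order assembled from only the fields the report says the chip gives up. The field names, policy flags, reason strings and sample order are assumptions.

```python
# Added, constructed model of a merchant's card-not-present (CNP) screening
# step. Field names, reasons and the sample order are assumptions for
# illustration, not Amazon's, Barclays' or Visa's actual rules or formats.

def luhn_ok(pan: str) -> bool:
    """Check-digit test on the card number; catches typos, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def screen_cnp_order(order: dict, require_cvv2: bool, require_avs: bool) -> tuple:
    """Return (accepted, reason) for an online order.

    order keys: pan, expiry, surname, initials (all readable from the chip
    per the report), optional cvv2, and avs_match (did the billing address
    match the issuer's record?).
    """
    if not luhn_ok(order["pan"]):
        return False, "pan fails check digit"
    if require_cvv2 and not order.get("cvv2"):
        # CVV2 is not on the contactless interface, so a card read over NFC
        # cannot supply it; this single check blocks the skimmed order.
        return False, "cvv2 missing"
    if require_avs and not order.get("avs_match", False):
        # A new account with a different billing address fails AVS.
        return False, "billing address does not match issuer record"
    return True, "accepted"

# Constructed order built only from chip-readable fields and placed under a
# new account with a different billing address, as in the TV investigation.
SKIMMED_ORDER = {
    "pan": "4111111111111111",  # well-known Visa test number, not a real card
    "expiry": "12/14",
    "surname": "CARDHOLDER",
    "initials": "A",
    "avs_match": False,
}

def compare_policies(order: dict = SKIMMED_ORDER) -> dict:
    """Same order under three merchant policies: lax, CVV2-only, CVV2+AVS."""
    return {
        "no_checks": screen_cnp_order(order, False, False)[0],
        "cvv2_required": screen_cnp_order(order, True, False)[0],
        "cvv2_and_avs": screen_cnp_order(order, True, True)[0],
    }
```

Only the lax policy lets the skimmed order through; either of the two checks the article says the chip cannot satisfy stops it.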
Developers do not need “special equipment” to create software that could obtain details from a contactless payment card, Hoog says.
However, software designed to obtain contactless-chip data via an NFC chip in a phone would not have wide-ranging capabilities, Hoog explains. “Certain cards would not be susceptible to this sort of breach,” he adds. “As it turned out, the Barclays Visa card can be accessed, but it did not work on other cards.”
Regardless of what further investigation reveals regarding the Barclays cards, Hoog suggests the Channel 4 research illustrates the protection a PIN can provide when it comes to enabling contactless payments, especially in EMV cards and mobile devices.
“The Google Wallet has had some security issues, but in this case the Android phone was not susceptible because a PIN is needed to enable its NFC,” Hoog says.
If someone attempted to get data from cards inside of a Google Wallet, they would not be able to get in and activate the NFC chip without a PIN. “In that regard, the mobile wallets have some nice security features built in, and it makes the Google Wallet more secure than traditional cards in this instance,” Hoog suggests.
Considering an additional PIN to enable NFC in any environment “could certainly be a good discussion to have,” he adds.
McNelley says fraud-security vendors have talked about PINs protecting contactless payments in the past as part of general discussions emphasizing layers of fraud defense.
“The harder it is to break into a system, the better the system,” McNelley says. “A determined fraudster may break a PIN code related to NFC, but is he determined enough to do it with every single consumer?” she asks.
Barclays spokesperson Andrew Bond issued a Barclays statement to PaymentsSource via email, expressing the bank’s concern for its customers’ funds and personal details, specifically in relation to the transactions that Amazon allowed with minimal card data.
“We are compliant with scheme guidelines for contactless [cards], and our fraud guarantee refunds any fraudulent losses to customers in full,” the statement said.
The statement stressed that no secure information such as a PIN, signature or CVV code became vulnerable.
As such, the Barclays statement stressed “this is not an issue with contactless [technology], but with the security checks undertaken for ‘card-not-present’ payments by some retailers.” Barclays added the bank would meet with retailers to ensure “adequate and robust” security measures would take place.
Amazon representatives were not available to comment about the fraudulent transactions completed during the investigation.
Officials from the UK Information Commissioner’s Office were expected to meet with Barclays executives on March 26 to review the Channel 4 findings.