Feeds

Barclaycard pay-by-bonk fraud risk exposes Amazon's security

NFC cards savaged in privates' slurp probe

Boost IT visibility and business value

Channel 4 News has found out that pay-by-wave phones are compatible with pay-by-wave cards, and wants something done about it, but it's web bazaar Amazon that's lacking basic security.

The investigation, which was carried out by viaForensics at Channel 4's behest, discovered that one can lift the credit card number, expiry date and customer name from a Barclaycard-issued Visa card, which wouldn't be such a big deal if Channel 4 News hadn't also discovered that Amazon isn't doing the basic checking which would prevent such details being used fraud.

But Channel 4 pins the blame firmly on Barclaycard, claiming:

"The government has urged Barclays to consider recalling up to 13 million credit and debit cards" after "we found the cards can also be read by mobile phones".

That shouldn't be surprising as the cards concerned conform to the NFC (Near-Field Communications) standard, as do modern phones, and there's an expectation that NFC phones will be able to double up as cheap Point Of Sale terminals in some instances. What Channel 4 News discovered was that some cards give up the customer's name as well as the other details, and that Amazon's security procedures are lamentable to say the least.

Online retailers are supposed to check the CVV2 code, the three-digit number on the back of the card, as well as confirming the cardholder's address. They aren't allowed to store the CVV2 (in fear of compromised servers) so to enable one-click ordering retailers like Amazon only ask for the code the first time the card is used and then trust the buyer.

Only it seems that Amazon isn't even bothering to check the CVV2 the first time, so Channel 4 News was able to set up a new account and make purchases on that account using only the card number, expiry data, and name.

ViaForensics, which provided the tech for the probe, is less sensationalist about the data recovered: "Typically this would not be enough information to perform 'cardholder not present' transactions because retailers require the CVV2 code printed on the back, and a valid address", but not in the case of Amazon obviously.

On the other hand, the Barclaycards shouldn't have been sharing punters' names, but a straw poll of Visa-backed Barclaycards around El Reg Towers showed they were only prepared to share card number and expiry data as recommended by the EMV specifications, so it's far from clear what proportion of cards are over-sharing.

Any losses incurred by this kind of fraud would be refunded by Barclaycard, once the customer has jumped through the required hoops, and Amazon will pay a transaction rate that reflects the probability of such fraud. But the reflection it casts on the security of proximity payments will be harder to shake off.

Using a mobile phone to make payments is a good deal more secure: most Android phones don't even power-up the NFC component unless the screen is on. However, consumers are very conservative and won't warm to the technology if it's demonstrably vulnerable. Electronic payments involve a chain of participants, and the failure of any link is perceived as a failure of the entire system; proximity payment systems aren't nearly robust enough to take that kind of confidence knock.

Channel 4 News did a fine job in exposing a weak link in the chain, and one which needs to be fixed, but as is so often the case in security matters it's the processes that are flawed, not the technology, even if it does make the better headline. ®

Seven Steps to Software Security

More from The Register

next story
Major problems beset UK ISP filth filters: But it's OK, nobody uses them
It's almost as though pr0n was actually rather popular
Apple orders huge MOUNTAIN of 80 MILLION 'Air' iPhone 6s
Bigger, harder trouser bulges foretold for fanbois
Google Nest, ARM, Samsung pull out Thread to strangle ZigBee
But there's a flaw in Google's IP-based IoT system
Orange spent weekend spamming customers with TXTs
Zero, not infinity, is the Magic Number customers want
US freemium mobile network eyes up Europe
FreedomPop touts 'free' calls, texts and data
'Two-speed internet' storm turns FCC.gov into zero-speed website
Deadline for comments on net neutrality shake-up extended to Friday
Oh girl, you jus' didn't: Level 3 slaps Verizon in Netflix throttle blowup
Just hook us up to more 10Gbps ports, backbone biz yells in tit-for-tat spat
Want to beat Verizon's slow Netflix? Get a VPN
Exec finds stream speed climbs when smuggled out
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.