Feeds

Barclaycard pay-by-bonk fraud risk exposes Amazon's security

NFC cards savaged in privates' slurp probe

Top 5 reasons to deploy VMware with Tegile

Channel 4 News has found out that pay-by-wave phones are compatible with pay-by-wave cards, and wants something done about it, but it's web bazaar Amazon that's lacking basic security.

The investigation, which was carried out by viaForensics at Channel 4's behest, discovered that one can lift the credit card number, expiry date and customer name from a Barclaycard-issued Visa card, which wouldn't be such a big deal if Channel 4 News hadn't also discovered that Amazon isn't doing the basic checking which would prevent such details being used fraud.

But Channel 4 pins the blame firmly on Barclaycard, claiming:

"The government has urged Barclays to consider recalling up to 13 million credit and debit cards" after "we found the cards can also be read by mobile phones".

That shouldn't be surprising as the cards concerned conform to the NFC (Near-Field Communications) standard, as do modern phones, and there's an expectation that NFC phones will be able to double up as cheap Point Of Sale terminals in some instances. What Channel 4 News discovered was that some cards give up the customer's name as well as the other details, and that Amazon's security procedures are lamentable to say the least.

Online retailers are supposed to check the CVV2 code, the three-digit number on the back of the card, as well as confirming the cardholder's address. They aren't allowed to store the CVV2 (in fear of compromised servers) so to enable one-click ordering retailers like Amazon only ask for the code the first time the card is used and then trust the buyer.

Only it seems that Amazon isn't even bothering to check the CVV2 the first time, so Channel 4 News was able to set up a new account and make purchases on that account using only the card number, expiry data, and name.

ViaForensics, which provided the tech for the probe, is less sensationalist about the data recovered: "Typically this would not be enough information to perform 'cardholder not present' transactions because retailers require the CVV2 code printed on the back, and a valid address", but not in the case of Amazon obviously.

On the other hand, the Barclaycards shouldn't have been sharing punters' names, but a straw poll of Visa-backed Barclaycards around El Reg Towers showed they were only prepared to share card number and expiry data as recommended by the EMV specifications, so it's far from clear what proportion of cards are over-sharing.

Any losses incurred by this kind of fraud would be refunded by Barclaycard, once the customer has jumped through the required hoops, and Amazon will pay a transaction rate that reflects the probability of such fraud. But the reflection it casts on the security of proximity payments will be harder to shake off.

Using a mobile phone to make payments is a good deal more secure: most Android phones don't even power-up the NFC component unless the screen is on. However, consumers are very conservative and won't warm to the technology if it's demonstrably vulnerable. Electronic payments involve a chain of participants, and the failure of any link is perceived as a failure of the entire system; proximity payment systems aren't nearly robust enough to take that kind of confidence knock.

Channel 4 News did a fine job in exposing a weak link in the chain, and one which needs to be fixed, but as is so often the case in security matters it's the processes that are flawed, not the technology, even if it does make the better headline. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Of COURSE Stephen Elop's to blame for Nokia woes, says author
'Google did have some unique propositions for Nokia'
FCC, Google cast eye over millimetre wireless
The smaller the wave, the bigger 5G's chances of success
It's even GRIMMER up North after MEGA SKY BROADBAND OUTAGE
By 'eck! Eccles cake production thrown into jeopardy
Mobile coverage on trains really is pants
You thought it was just *insert your provider here*, but now we have numbers
Don't mess with Texas ('cos it's getting Google Fiber and you're not)
A bit late, but company says 1Gbps Austin network almost ready to compete with AT&T
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.