Feeds

Barclaycard pay-by-bonk fraud risk exposes Amazon's security

NFC cards savaged in privates' slurp probe

Boost IT visibility and business value

Channel 4 News has found out that pay-by-wave phones are compatible with pay-by-wave cards, and wants something done about it, but it's web bazaar Amazon that's lacking basic security.

The investigation, which was carried out by viaForensics at Channel 4's behest, discovered that one can lift the credit card number, expiry date and customer name from a Barclaycard-issued Visa card, which wouldn't be such a big deal if Channel 4 News hadn't also discovered that Amazon isn't doing the basic checking which would prevent such details being used fraud.

But Channel 4 pins the blame firmly on Barclaycard, claiming:

"The government has urged Barclays to consider recalling up to 13 million credit and debit cards" after "we found the cards can also be read by mobile phones".

That shouldn't be surprising as the cards concerned conform to the NFC (Near-Field Communications) standard, as do modern phones, and there's an expectation that NFC phones will be able to double up as cheap Point Of Sale terminals in some instances. What Channel 4 News discovered was that some cards give up the customer's name as well as the other details, and that Amazon's security procedures are lamentable to say the least.

Online retailers are supposed to check the CVV2 code, the three-digit number on the back of the card, as well as confirming the cardholder's address. They aren't allowed to store the CVV2 (in fear of compromised servers) so to enable one-click ordering retailers like Amazon only ask for the code the first time the card is used and then trust the buyer.

Only it seems that Amazon isn't even bothering to check the CVV2 the first time, so Channel 4 News was able to set up a new account and make purchases on that account using only the card number, expiry data, and name.

ViaForensics, which provided the tech for the probe, is less sensationalist about the data recovered: "Typically this would not be enough information to perform 'cardholder not present' transactions because retailers require the CVV2 code printed on the back, and a valid address", but not in the case of Amazon obviously.

On the other hand, the Barclaycards shouldn't have been sharing punters' names, but a straw poll of Visa-backed Barclaycards around El Reg Towers showed they were only prepared to share card number and expiry data as recommended by the EMV specifications, so it's far from clear what proportion of cards are over-sharing.

Any losses incurred by this kind of fraud would be refunded by Barclaycard, once the customer has jumped through the required hoops, and Amazon will pay a transaction rate that reflects the probability of such fraud. But the reflection it casts on the security of proximity payments will be harder to shake off.

Using a mobile phone to make payments is a good deal more secure: most Android phones don't even power-up the NFC component unless the screen is on. However, consumers are very conservative and won't warm to the technology if it's demonstrably vulnerable. Electronic payments involve a chain of participants, and the failure of any link is perceived as a failure of the entire system; proximity payment systems aren't nearly robust enough to take that kind of confidence knock.

Channel 4 News did a fine job in exposing a weak link in the chain, and one which needs to be fixed, but as is so often the case in security matters it's the processes that are flawed, not the technology, even if it does make the better headline. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Déjà vu: Virgin Media jacks up broadband prices
Screw copper phone lines, we're UNIQUE, bleats telco
NBN Co claims 96 mbps download speeds for FTTN trial
Umina trial also delivers 30 mbps uploads, but exact rig used not revealed
UK fuzz want PINCODES on ALL mobile phones
Met Police calls for mandatory passwords on all new mobes
Netflix swallows yet another bitter pill, inks peering deal with TWC
Net neutrality crusader once again pays up for priority access
New Sprint CEO says he will lower axe on staff – but prices come first
'Very disruptive' new rates to be revealed next week
EE: STILL Blighty's best mobe network, says 'Frappucino' Moore
Fresh round of network stats fisticuffs possibly on the cards here
US TV stations bowl sueball directly at FCC's spectrum mega-sale
Broadcasters upset about coverage and cost as they shift up and down the dials
EE network whacked by 'PDP authentication failure' blunder
Carrier is 'aware' of cockup, working on a fix NOW
ROAD TRIP! An FCC road trip – Leahy demands net neutrality debate across US
You crashed watchdog's site, now time to crash its ears
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?