Feeds

Barclaycard pay-by-bonk fraud risk exposes Amazon's security

NFC cards savaged in privates' slurp probe

Maximizing your infrastructure through virtualization

Channel 4 News has found out that pay-by-wave phones are compatible with pay-by-wave cards, and wants something done about it, but it's web bazaar Amazon that's lacking basic security.

The investigation, which was carried out by viaForensics at Channel 4's behest, discovered that one can lift the credit card number, expiry date and customer name from a Barclaycard-issued Visa card, which wouldn't be such a big deal if Channel 4 News hadn't also discovered that Amazon isn't doing the basic checking which would prevent such details being used fraud.

But Channel 4 pins the blame firmly on Barclaycard, claiming:

"The government has urged Barclays to consider recalling up to 13 million credit and debit cards" after "we found the cards can also be read by mobile phones".

That shouldn't be surprising as the cards concerned conform to the NFC (Near-Field Communications) standard, as do modern phones, and there's an expectation that NFC phones will be able to double up as cheap Point Of Sale terminals in some instances. What Channel 4 News discovered was that some cards give up the customer's name as well as the other details, and that Amazon's security procedures are lamentable to say the least.

Online retailers are supposed to check the CVV2 code, the three-digit number on the back of the card, as well as confirming the cardholder's address. They aren't allowed to store the CVV2 (in fear of compromised servers) so to enable one-click ordering retailers like Amazon only ask for the code the first time the card is used and then trust the buyer.

Only it seems that Amazon isn't even bothering to check the CVV2 the first time, so Channel 4 News was able to set up a new account and make purchases on that account using only the card number, expiry data, and name.

ViaForensics, which provided the tech for the probe, is less sensationalist about the data recovered: "Typically this would not be enough information to perform 'cardholder not present' transactions because retailers require the CVV2 code printed on the back, and a valid address", but not in the case of Amazon obviously.

On the other hand, the Barclaycards shouldn't have been sharing punters' names, but a straw poll of Visa-backed Barclaycards around El Reg Towers showed they were only prepared to share card number and expiry data as recommended by the EMV specifications, so it's far from clear what proportion of cards are over-sharing.

Any losses incurred by this kind of fraud would be refunded by Barclaycard, once the customer has jumped through the required hoops, and Amazon will pay a transaction rate that reflects the probability of such fraud. But the reflection it casts on the security of proximity payments will be harder to shake off.

Using a mobile phone to make payments is a good deal more secure: most Android phones don't even power-up the NFC component unless the screen is on. However, consumers are very conservative and won't warm to the technology if it's demonstrably vulnerable. Electronic payments involve a chain of participants, and the failure of any link is perceived as a failure of the entire system; proximity payment systems aren't nearly robust enough to take that kind of confidence knock.

Channel 4 News did a fine job in exposing a weak link in the chain, and one which needs to be fixed, but as is so often the case in security matters it's the processes that are flawed, not the technology, even if it does make the better headline. ®

Reducing security risks from open source software

More from The Register

next story
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Apple orders huge MOUNTAIN of 80 MILLION 'Air' iPhone 6s
Bigger, harder trouser bulges foretold for fanbois
Bring back error correction, say Danish 'net boffins
We don't need no steenkin' TCP/IP retransmission and the congestion it causes
GoTenna: How does this 'magic' work?
An ideal product if you believe the Earth is flat
Samsung Z Tizen OS mobe is post-phoned – this time for good?
Russian launch for Sammy's non-droid knocked back
Telstra to KILL 2G network by end of 2016
GSM now stands for Grave-Seeking-Mobile network
Seeking LTE expert to insert small cells into BT customers' places
Is this the first step to a FON-a-like 4G network?
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.