Contactless card fraud? Easy. All you need is an off-the-shelf scanner

Which? study finds slurped details are dead easy for crims to abuse online


Consumer association magazine Which? has highlighted a security flaw in contactless card systems, which, if combined with a lack of checks by retailers, could be exploited by thieves to make expensive online purchases.

Researchers bought contactless card-reading technology from a mainstream website before using it to remotely "steal" key details from a contactless card.

The researchers tested 10 cards (six debit and four credit, from volunteers) to assess security risks.

With an easily obtainable reader and free software to decode data, they were able to read the card number and expiry date from all 10 cards. Limited details of the last 10 transactions were also exposed.

Even without the names of the card holders and the CVV security code (the number on the back), the Which? team were still able to make two purchases, one for a £3,000 TV.

The "stolen" card details, combined with a false name and address, were used to order the TV from a mainstream store. Which? quickly notified the store involved.

The hack relied on getting volunteers to tap their cards onto a bogus card reader.

It might be possible for crooks to develop mobile card readers that worked from a greater distance, Peter Eisenegger, a security expert who helped develop European standards for contactless cards, told Which?

Official fraud figures show losses attributable to contactless fraud are less than 1p per £100, a very small percentage of the overall figure.

Some payment security experts, such as consultant Dave Whitelegg, have expressed scepticism about the level of real risk revealed by the Which? exercise.

David Kennerley, threat research manager at security firm Webroot, said the research only highlighted known risks (an example from earlier research can be found here) rather than revealing any new threat. He added that the research, while not ground-breaking, was nonetheless timely given the recent UK debut of Apple Pay.

“While this Which? research hasn’t revealed anything that we weren’t already aware of, it’s always good to keep highlighting security flaws in these types of technologies,” Kennerley explained. “With the emergence of Apple Pay and other ‘easy pay’ tech it’s clear we’re entering the age of the digital pickpocket.”

“As with any new technology there are going to be fraudsters, those looking to take advantage of the situation and seeking ways to drain our mobile wallets and debit cards,” said Kennerley.

“Consumers need to make themselves more aware of different techniques that fraudsters use to access their money; the easier it is for you to pay, the easier it is for criminals to steal,” Kennerley added.

Perhaps the greater issue revealed by the study was that some retailers may be authorising purchases without verifying names and addresses.
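The merchant-side control that the study found missing can be made concrete as an acceptance policy for card-not-present orders. The following is an added illustration, not code from Which?, The Register or any payment processor; the AVS and CVV result codes, the order records and the £250 high-value threshold are constructed assumptions. It shows why data readable from the chip (card number and expiry only) should not be enough on its own: an order with no CVV, no cardholder name and an address the issuer cannot match is declined with the reasons recorded.

```python
"""Merchant-side card-not-present (CNP) authorisation gate.

Added illustration of the acceptance policy a merchant controls. Not code
from Which?, The Register or any payment processor. The result codes
below are simplified assumptions, not a specific card scheme's codes.
"""
from dataclasses import dataclass, field

# Simplified address-verification (AVS) results (assumption).
AVS_FULL_MATCH = "FULL"      # street and postcode match the issuer's record
AVS_PARTIAL = "PARTIAL"      # only one of street/postcode matches
AVS_NO_MATCH = "NONE"        # neither matches
AVS_UNAVAILABLE = "N/A"      # issuer could not check

# Simplified CVV results (assumption).
CVV_MATCH = "MATCH"
CVV_NO_MATCH = "NOMATCH"
CVV_NOT_PROVIDED = "MISSING"


@dataclass
class CnpOrder:
    order_id: str
    amount_gbp: float
    cvv_result: str
    avs_result: str
    cardholder_name_supplied: bool


@dataclass
class Decision:
    approved: bool
    reasons: list = field(default_factory=list)


def evaluate_cnp_order(order, high_value_threshold_gbp=250.0):
    """Decide whether to accept a card-not-present order.

    Assumed policy, reflecting the "without exception" stance quoted in
    the article:
      * CVV must be supplied and must match. The data readable from the
        chip (PAN + expiry) never includes the CVV, so this alone blocks
        the misuse the study describes.
      * AVS must fully match; a partial match is tolerated only below the
        high-value threshold.
      * A cardholder name must be supplied (the read-out data lacked it).
    Every failed rule is recorded so the decline can be reviewed later.
    """
    reasons = []
    if order.cvv_result == CVV_NOT_PROVIDED:
        reasons.append("cvv_missing")
    elif order.cvv_result != CVV_MATCH:
        reasons.append("cvv_mismatch")
    if not order.cardholder_name_supplied:
        reasons.append("name_missing")
    if order.avs_result in (AVS_NO_MATCH, AVS_UNAVAILABLE):
        reasons.append("avs_failed")
    elif order.avs_result == AVS_PARTIAL and order.amount_gbp >= high_value_threshold_gbp:
        reasons.append("avs_partial_high_value")
    return Decision(approved=not reasons, reasons=reasons)


# Constructed sample orders (not real transactions).
SAMPLE_ORDERS = [
    # Legitimate cardholder: everything lines up.
    CnpOrder("ord-001", 49.99, CVV_MATCH, AVS_FULL_MATCH, True),
    # Modelled on the article's TV purchase: no CVV, no real name,
    # and a false address the issuer cannot match.
    CnpOrder("ord-002", 3000.00, CVV_NOT_PROVIDED, AVS_NO_MATCH, False),
    # Low-value order with a partial address match: tolerated by policy.
    CnpOrder("ord-003", 20.00, CVV_MATCH, AVS_PARTIAL, True),
    # High-value order with only a partial address match: declined.
    CnpOrder("ord-004", 900.00, CVV_MATCH, AVS_PARTIAL, True),
]


def run_policy(orders=SAMPLE_ORDERS):
    """Return {order_id: Decision} for each order."""
    return {o.order_id: evaluate_cnp_order(o) for o in orders}


if __name__ == "__main__":
    for oid, d in run_policy().items():
        print(oid, "APPROVED" if d.approved else "DECLINED", d.reasons)
```

The threshold and the tolerance for partial address matches are policy knobs a merchant would tune against chargeback data; the point the example makes is that the CVV and name rules have no threshold at all, because the card details the study harvested could never satisfy them.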

“Online merchants also need to be held accountable, and all online transactions should require the correct billing address information and CVV code without exception,” Kennerley concluded.

Laurance Dine, managing principal at Verizon’s Investigative Response Team, also focused his concern on the issue of the apparent lack of security by retailers exposed by the exercise.

“I don’t think the fact it is contactless is the issue here, as a traditional card skimmer would be able to take those details even from a traditional chip and pin purchase,” Dine said.

“What concerns me more is that Which? was able to use the card details to make purchases without the cardholder’s name or CVV code, using false names and addresses. This is particularly worrying as they claim to have bought large items from mainstream stores in this way,” he added. ®
