Consumer association magazine Which? has highlighted a security flaw in contactless card systems, which, if combined with a lack of checks by retailers, could be exploited by thieves to make expensive online purchases.
Researchers bought contactless card-reading technology from a mainstream website before using it to remotely "steal" key details from a contactless card.
The researchers tested 10 cards (six debit and four credit, from volunteers) to assess security risks.
With an easily obtainable reader and free software to decode data, they were able to read the card number and expiry date from all 10 cards. Limited details of the last 10 transactions were also exposed.
Even without the names of the card holders and the CVV security code (the number on the back), the Which? team were still able to make two purchases, one for a £3,000 TV.
The "stolen" card details, combined with a false name and address, were used to order the TV from a mainstream store. Which? quickly notified the store involved.
The hack relied on getting volunteers to tap their cards onto a bogus card reader.
It might be possible for crooks to develop mobile card readers that worked from a greater distance, Peter Eisenegger, a security expert who helped develop European standards for contactless cards, told Which?
Official fraud figures show losses attributable to contactless fraud are less than 1p per £100, a very small percentage of the overall figure.
Some payment security experts, such as consultant Dave Whitelegg, have expressed scepticism about the level of real risk revealed by the Which? exercise.
David Kennerley, threat research manager at security firm Webroot, said the research only highlighted known risks (an example from earlier research can be found here) rather than revealing any new threat. He added that the research, while not ground-breaking, was nonetheless timely given the recent UK debut of Apple Pay.
“While this Which? research hasn’t revealed anything that we weren’t already aware of it’s always good to keep highlighting security flaws in these types of technologies,” Kennerley explained. “With the emergence of Apple Pay and other ‘easy pay’ tech it’s clear we’re entering the age of the digital pickpocket.”
“As with any new technology there are going to be fraudsters, those looking to take advantage of the situation and seeking ways to drain our mobile wallets and debit cards,” said Kennerley.
“Consumers need to make themselves more aware of different techniques that fraudsters use to access their money; the easier it is for you to pay, the easier it is for criminals to steal,” Kennerley added.
Perhaps the greater issue revealed by the study was that some retailers may be authorising purchases without verifying names and addresses.
“Online merchants also need to be held accountable, and all online transactions should require the correct billing address information and CVV code without exception,” Kennerley concluded.
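The retailer-side gap described above, where an order is authorised on card number and expiry alone, is the part a merchant can actually fix. The following is an added illustration written for this page, not code from Which?, Kennerley, or any payment processor: it models a merchant's post-authorisation decision and contrasts a permissive policy (approve whatever the issuer approves) with a fail-closed one that requires a positive CVV match and an address (AVS) match before an order ships. The result-code enums, the £500 high-value threshold and the assumption that an issuer may still approve a transaction for which no CVV was supplied are all constructed for the example; real processors publish their own code tables and behaviour.

```python
"""Merchant authorisation gate: permissive vs fail-closed policy.

Added example for illustration only; result codes, threshold and the
issuer behaviour modelled here are assumptions, not a real processor's API.
"""
from dataclasses import dataclass
from enum import Enum


class CvvResult(Enum):
    """Outcome of the issuer's CVV check (constructed codes)."""
    MATCH = "M"
    NO_MATCH = "N"
    NOT_PROVIDED = "P"   # merchant never sent a CVV at all
    UNAVAILABLE = "U"    # issuer could not perform the check


class AvsResult(Enum):
    """Outcome of the issuer's billing-address check (constructed codes)."""
    FULL_MATCH = "Y"     # street and postcode both match
    POSTCODE_ONLY = "Z"
    STREET_ONLY = "A"
    NO_MATCH = "N"
    NOT_PROVIDED = "P"
    UNAVAILABLE = "U"


@dataclass(frozen=True)
class AuthResponse:
    """What the merchant gets back from the acquirer for one order."""
    issuer_approved: bool
    cvv: CvvResult
    avs: AvsResult
    amount_gbp: float


@dataclass(frozen=True)
class Decision:
    approve: bool
    reason: str


HIGH_VALUE_GBP = 500.0  # constructed threshold above which a partial AVS match is not enough


def decide_weak(resp: AuthResponse) -> Decision:
    """The failure mode the article describes: ship whenever the issuer says yes,
    ignoring the CVV and AVS results entirely."""
    if resp.issuer_approved:
        return Decision(True, "issuer approved")
    return Decision(False, "issuer declined")


def decide(resp: AuthResponse) -> Decision:
    """Fail-closed policy: anything other than a positive match is a decline.
    NOT_PROVIDED and UNAVAILABLE are treated exactly like NO_MATCH."""
    if not resp.issuer_approved:
        return Decision(False, "issuer declined")
    if resp.cvv is not CvvResult.MATCH:
        return Decision(False, f"cvv {resp.cvv.name.lower()}")
    if resp.avs is AvsResult.FULL_MATCH:
        return Decision(True, "cvv and full address matched")
    if resp.avs is AvsResult.POSTCODE_ONLY and resp.amount_gbp < HIGH_VALUE_GBP:
        return Decision(True, "cvv matched, postcode matched, low value")
    return Decision(False, f"avs {resp.avs.name.lower()} on {resp.amount_gbp:.2f} GBP")


# Constructed scenario mirroring the article: valid number and expiry, no CVV,
# a made-up billing address, a £3,000 order. The issuer is assumed to approve.
TV_ORDER = AuthResponse(
    issuer_approved=True,
    cvv=CvvResult.NOT_PROVIDED,
    avs=AvsResult.NO_MATCH,
    amount_gbp=3000.0,
)

if __name__ == "__main__":
    print("permissive policy:", decide_weak(TV_ORDER))
    print("fail-closed policy:", decide(TV_ORDER))
```

The two policies differ only in whether the merchant reads the CVV and AVS fields the issuer already returned; the permissive one approves the constructed £3,000 order, the fail-closed one declines it with the reason recorded for the fraud team.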
Laurance Dine, managing principal at Verizon’s Investigative Response Team, also focused his concern on the issue of the apparent lack of security by retailers exposed by the exercise.
“I don’t think the fact it is contactless is the issue here, as a traditional card skimmer would be able to take those details even from a traditional chip and pin purchase,” Dine said.
“What concerns me more is that Which? was able to use the card details to make purchases without the cardholder’s name or CVV code, using false names and addresses. This is particularly worrying as they claim to have bought large items from mainstream stores in this way,” he added. ®