E&T magazine reports how researchers successfully read the card data of six credit cards and four debit cards by intercepting the wireless NFC transmissions used to communicate with payment terminals. The data read included the card numbers and expiry dates, enough information to successfully make a purchase on some online shopping sites.
Although the cards did not reveal the card-holder’s name or the three-digit security code, the researchers used the “stolen” details to order two items from a “mainstream online shop” using a faked name and address. The transaction was approved, to the researchers’ surprise.
Contactless payment is becoming increasingly popular but could face setbacks if consumers become concerned about weak security. Although the UK currently restricts transactions to a maximum value of £20, the researchers successfully used their “easily and cheaply available technology” to construct a homemade antenna, steal the card details and order a £3,000 television online.
The group used cards donated by volunteers and no individuals were harmed as a result of its findings. Richard Koch, head of policy at the UK Cards Association, told E&T that people would be protected if a criminal did use the methods demonstrated by Which? to order valuable products online.
Because the retailer did not require the card security code, they would be held liable in the case of a fraudulent transaction. The security code and cardholder’s address cannot be obtained digitally from the card itself so retailers should always request them at the time of purchase.
Koch also reassured consumers that fraud involving contactless cards is very rare. He said that losses total “less than a penny” for every £100 of transactions and that contactless payment is generally much safer than normal card usage.
Some people are likely to remain concerned about the findings of the research though, partly because it wasn’t just the card credentials that were accessible. The team also read “limited details” of the last 10 transactions made with the card, suggesting that more needs to be done to strengthen the security of contactless payments.
