A security flaw at the heart of contactless credit cards could allow criminals to steal vital data -- and ultimately money -- despite the presence of supposedly watertight systems to mask that information.
The consumer watchdog Which? reports that it was able to use commercial card scanners available online to steal enough data from 10 contactless cards to successfully order a £3,000 TV.
Researchers for Which? were able to touch its volunteers' cards to a standard reader, and then go on an "internet shopping spree" despite not having access to the three digit security code on the reverse of the card, or even the name and address of the owner.
"With these card details, the contactless transaction limit [currently £10, moving to £30 in September] is irrelevant, because online transactions aren’t contactless," a spokesman told the Guardian.
The UK Card Association (UCA) reports that there are now more than 44.8 million contactless cards in the UK, accounting for 46 percent of all cards compared to 29 percent at the same point in 2014. There are also 1.2 million contactless payments on TfL services every day.
However the UCA said that the findings were "not a new discovery", saying that the rate of fraud for contactless cards was lower as a percentage of money spent than overall card fraud.
Richard Koch, head of policy at UCA, said: "The method shown by Which? is not a new discovery and was first reported two years ago. However, any such technology can only obtain the card number and expiry date -- information that has always been available simply by looking at the front of a card."
The news will doubtless boost the confidence of companies like Apple introducing new forms of contactless payment that use unique device IDs, not card numbers, to authorise payments -- though they have been shown to have their own issues.
Source
The consumer watchdog Which? reports that it was able to use commercial card scanners available online to steal enough data from 10 contactless cards to successfully order a £3,000 TV.
Researchers for Which? were able to touch its volunteers' cards to a standard reader, and then go on an "internet shopping spree" despite not having access to the three digit security code on the reverse of the card, or even the name and address of the owner.
"With these card details, the contactless transaction limit [currently £10, moving to £30 in September] is irrelevant, because online transactions aren’t contactless," a spokesman told the Guardian.
The UK Card Association (UCA) reports that there are now more than 44.8 million contactless cards in the UK, accounting for 46 percent of all cards compared to 29 percent at the same point in 2014. There are also 1.2 million contactless payments on TfL services every day.
However the UCA said that the findings were "not a new discovery", saying that the rate of fraud for contactless cards was lower as a percentage of money spent than overall card fraud.
Richard Koch, head of policy at UCA, said: "The method shown by Which? is not a new discovery and was first reported two years ago. However, any such technology can only obtain the card number and expiry date -- information that has always been available simply by looking at the front of a card."
The news will doubtless boost the confidence of companies like Apple introducing new forms of contactless payment that use unique device IDs, not card numbers, to authorise payments -- though they have been shown to have their own issues.
Source
Comments