According to a recent investigation by Which?, a security flaw in contactless cards could allow thieves to make high-value purchases online.
Which? bought contactless reading technology from a “mainstream website” and was then able to remotely steal key information from contactless cards that were presented to the reader. The researchers then used that data to make online purchases, one of which was a £3,000 TV.
The researchers used 10 cards (six debit and four credit, from volunteers) to assess security risks.
Contactless cards are coded to ‘mask’ personal data, but using an easily obtainable reader and free software to decode data, they were able to read the card number and expiry date from all 10 cards.
They were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).
The researchers therefore assumed that without the CVV security code, they would not be able to make any purchases. However, it turned out that they could.
They ordered two items – one a £3,000 TV – from a mainstream online shop using ‘stolen’ card details, combined with a false name and address. They then alerted the store involved.
The current contactless card limit is £20, but by touching volunteers’ cards to its card reader, Which? was able to retrieve all the information necessary to go “on a shopping spree”, since that limit does not apply to online purchases, which are not contactless transactions.
Peter Eisenegger, a security expert who helped develop European standards for contactless cards, told Which? that it would be possible for criminals to obtain card readers that could read details from further away than the one in the Which? test.
“It’s vital to protect consumers from fraudsters who have the know-how to develop mobile card readers with much greater reading distances than those used by retailers,” he said.
However, the UK Cards Association has dismissed the findings as “not a new story”.
“The method shown by Which? is not a new discovery. Instances of fraud on contactless cards are in fact extremely rare, with losses of less than a penny for every £100 spent on contactless – far lower even than overall card fraud,” said Richard Koch, head of policy at the UK Cards Association.
However, his further comment that retailers require more information, such as the security code on the back of the card, before they allow a transaction to go through appears to be at odds with the investigation’s findings, since Which? was able to make online purchases without it.