A flaw has been discovered in Barclays contactless bank cards that could allow customers' data to be stolen and used fraudulently without them even knowing about it.
An investigation by ViaForensics, in conjunction with Channel 4 News, has revealed that data can be lifted from Near Field Communications (NFC) chips used in Barclays contactless Visa cards by simply touching a smartphone installed with a piece of specialised software to a card. That data – which is unencrypted – can then be used to purchase multiple goods online.
“All I did was I tapped my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card,” Thomas Cannon of ViaForensics told Channel 4 News. “That includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air.”
Typically, this would not be enough information to perform “cardholder not present” transactions over the internet or the phone, because most retailers require the three-digit signature (CVV) code from the back of the card and a valid address. However, during the course of the research it was found that there are some major online retailers that do not require this information.
For example, Channel 4 News was able to create a new account on Amazon's website, with a different name and billing and delivery address to the card they scanned, and was able to order and receive products without any link to the cardholder. Amazon does not require the CVV code on the back of the card to process purchases.
Barclays defended its position, claiming that it is compliant with scheme rules for contactless payments, and that the information that can be obtained from a chip is the same as that which is printed on the front of the card.
“This is not an issue with contactless but with the checks undertaken for ‘card not present’ payments by some retailers,” Barclays told Channel 4 News. “As a matter of urgency we are now engaging with retailers to ensure they are undertaking adequate and robust checks.”
However, the Department for Business, Innovation and Skills has called on card issuers to act quickly to address this issue and to cancel and replace cards if necessary.
“We are contacting the Payments Council, UK Cards and Barclays to get more details on the extent of the problem and to understand what urgent action is being taken to address it,” said BIS in a statement. “We have always emphasised the importance of data security in initiatives such as midata, and this contactless payment facility clearly has some serious weakness in this regard.”
Contactless payments technology is not just used in cards, but is also increasingly being built into mobile phones. Last year, Visa and Barclaycard rolled out 250 contactless payment terminals at the O2 in London, allowing visitors to make payments of up to £15 using their contactless credit or debit card or an NFC-enabled mobile phone.
ViaForensics conducted a similar investigation into Google Wallet last year, and found that sensitive information was also stored unencrypted on NFC chips in Android devices. However, Google defended its mobile payment service, claiming that Google Wallet is safer than using credit cards to pay for goods.