Contactless payment cards 'put millions at risk of fraud'
Contactless payment cards were used more than 1bn times in the past 12 months in Europe, but a security flaw means they can be "easily and cheaply" exploited for fraud, according to new research by the consumer watchdog Which?
Using inexpensive card-reading technology purchased from a mainstream website, the researchers were able to bypass security measures and remotely 'steal' key details from 10 contactless cards (six debit and four credit).
These included the card number, expiry date, and a list of the last 10 transactions carried out on the card. However, none of the cards revealed their CVV security codes (the number on the back of the card).
Although it is difficult to make online purchases without the cardholder's name and CVV code, the researchers succeeded in ordering two items – including a £3,000 TV – from a mainstream online shop using the "stolen" card details, combined with a false name and address.
Security features like Verified by Visa and MasterCard SecureCode help to ensure that fraudsters can’t easily use the cards they steal, but Which?'s tests suggest that some online shops sacrifice financial security in favour of an easier checkout.
Peter Eisenegger, a security expert who helped develop European standards for contactless cards, warned that it may be possible for criminals to obtain card readers that can read details from further away than the one in the Which? test.
"It's vital to protect consumers from fraudsters who have the knowhow to develop mobile card readers with much greater reading distances than those used by retailers," he said.
Official fraud figures for contactless cards show losses attributable to contactless fraud are less than 1p per £100. However, a spokesperson for the UK Cards Association admitted that, although levels of encryption have increased, it is still possible for card details to be read remotely.
Which? added that it is difficult to know the true scale of theft via contactless readers, as it is almost impossible for the victim to know whether their card details have been lifted this way.
"As the use of contactless payment becomes increasingly widespread, it has never been more important for banks to have robust security checks in place. Not only to ensure that sensitive data is masked, but also to flag unusual activity on a user’s account," said Ross Brewer from security intelligence company LogRhythm.
"As contactless payment limits rise to £30 in September, it is more likely that criminals will begin to target cards rather than the old-style chip and pin for a quick and easy pay day."
Laurance Dine from Verizon’s Investigative Response Team added that biometrics offers a great alternative way to authenticate individuals.
"The reasoning is simple: since everyone has a unique biological identity, let’s apply that single biological identity to cyberspace to establish trust," he said.
"Fingerprint biometrics usually afford the easiest user interface – simply place your index finger or thumb on a reader and authentication takes place, much like the recently launched Apple Pay solution. The bigger question is whether cards as a payment device have had their day?"