Barclays customers using contactless bank cards could have their data stolen without even knowing through readers in new mobile phones, Channel 4 News can exclusively reveal.
Card readers that are now being built in as standard to mobile phones can be adapted to access data from these cards. Working with a mobile phone security company, Channel 4 News managed to take data with just one swipe, and then use that data to purchase multiple goods online.
This means that it would be possible to gain access to this data merely by nudging someone’s wallet, or through clothes in a crowded public space.
The new contactless credit and debit cards contain a chip, so that when the card is held next to a reader a payment is made without need of a pin, and 13 million Barclays customers currently use them.
But our research shows that this ease of use will work for pickpocketers too. A mobile phone security company researched how the technology could be used. Thomas Cannon of ViaForensics said: “All I did was I tap my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card, that includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air.”
All I did was I tap my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card, that includes the long card number, the expiry date and your name. Thomas Cannon, ViaForensics
Channel 4 News was only able to access the details of Barclay issued Visa cards – other banks and systems weren’t accessible. The UK Card Association says that the guidelines state that the card holder’s name should not be transmitted.
But Visa and Barclays said their system did not breach privacy guidelines.
In a statement, the bank said that customers’ security is a “top priority”, but added: “We are compliant with scheme rules for contactless cards and our fraud guarantee refunds any fraudulent losses to customers in full. The only information which can be obtained from a chip is the same as that which is printed on the front of the card – this does not include secure information such as PIN or signature (CVV) code.
Barclays said that the issue is not with contactless cards, but with the checks undertaken for ‘card not present’ payments by some retailers.
“The details obtained should not be sufficient to undertake any fraudulent activity but we do depend on retailers upholding the same high standards of security when verifying payment details,” the statement added. “As a matter of urgency we are now engaging with retailers to ensure they are undertaking adequate and robust checks. We remain committed to contactless and firmly believe that it continues to be a safe and viable payment system.”
But Channel 4 News found out how easy it is to use the card information gathered using a mobile phone. We created a new user on Amazon’s website, with a different name and billing and delivery address to the card they scanned, and were able to order and receive products we purchased without any link to the cardholder. Unlike some online retailers, Amazon doesn’t require the three digit security code on the back of the card, making it very easy to use for this sort of crime.
We call on the card issuers to act quickly to address this issue and to cancel and replace cards if necessary. Department of Business, Innovation and Skills
The government Department for Business, Innovation and Skills has called for urgent action: “The Channel 4 News investigation has revealed serious security flaws in the payment procedures of some of the contactless card operators.”
BIS said that standards are in place designed to prevent this, and that all operators should comply with them: “We call on the card issuers to act quickly to address this issue and to cancel and replace cards if necessary. We are contacting the Payments Council, UK Cards and Barclays to get more details on the extent of the problem and to understand what urgent action is being taken to address it. We have always emphasised the importance of data security in initiatives such as midata and this contactless payment facility clearly has some serious weakness in this regard.”
Amazon has not responded to our request for comment. Amazon is just one of many websites that doesn’t require any additional information in order to turn basic credit and debit card details into purchases.