FRAUD ALERT OVER NEW TAP AND PAY BANK CARDS
Thieves can use scanner to steal account details – even when contactless card’s in your wallet
contactless bank cards may be exposing millions of customers to the risk of fraud.
Tests show that thieves armed with scanners can capture the numbers and expiry dates on the cards and use them for online purchases.
Touted as a boon for shoppers making small transactions, the ‘tap and pay’ cards do not need a PIN number.
Instead they have a tiny antenna that links with a till terminal through NFC – near-field communication.
But a scanner held nearby can pick up this NFC data, according to Which? The consumer group’s researchers tested ten cards – six debit and four credit – and found that all of them had the security flaw.
‘Using a reader and free software to decode data, we were able to read the card number and expiry date from all ten,’ Which? reported.
‘Some cards revealed certain details of the last ten transactions, but no cards revealed the CVV security code – the number on the back. We doubted we’d be able to make purchases with- out the cardholder’s name or CVV code, but we were wrong.
‘We ordered two items – one a £3,000 TV – from a mainstream online shop using “stolen” card details, combined with a false name and address. We’ve alerted the store involved.
‘By touching volunteers’ cards to our card reader, we got enough details to go on an internet spree.’
At least 58million of the cards are in circulation, with total spending reaching £2.32billion last year.
The £20 purchase limit is to rise to £30 in September but there is no maximum online. Which? said that
90 per cent of its members have contactless cards.
Peter eisenegger, a privacy standards expert at the national Consumers Federation, said: ‘It may be possible for a small percentage of cards to be read 15-20cm from the reader. even if this was to occur in 0.1 per cent of cases, with more than 300million transactions taking place last year, many consumers could be affected.
‘It’s vital to protect consumers from fraudsters who have the knowhow to develop mobile card readers with much greater reading distances than those used by retailers.’
The UK Cards Association, which speaks for the banks, admitted that although levels of encryption have increased it is possible for card details to be read remotely.
It stressed the value of security features,
‘Lack of security is to blame’
such as Verified by Visa, where the bank requires online shoppers to answer security questions before a purchase is authorised.
which? said: ‘This may stop some transactions, but our tests suggest that some online shops sacrifice financial security in favour of an easier checkout.
‘Presumably they believe the increased sales outweigh the chargebacks they’ll incur from banks if the store’s lack of security is to blame for a fraud.’
There is some research to suggest the scanners can capture the card details simply by being held close to a handbag or wallet while positioned near people in a shop or standing in a queue.
In theory, the distance between the card and scanner should be no more than 5cm to guarantee a connection, but experts have found they can operate over a wider range. Richard Koch, of the UK Cards Association, said: ‘Consumers are fully protected against any fraud losses on contactless cards and will never be left out of pocket.
‘Instances of fraud on contactless cards are in fact extremely rare, with losses of less than a penny for every £100 spent on contactless – far lower even than overall card fraud. The method shown by which? is not a new discovery. However, any such technology can only obtain the card number and expiry date – information that has always been available simply by looking at the front of a card.
‘The vast majority of online retailers require additional data such as the card security code, along with the cardholder’s address, which cannot be harvested electronically.’