FRAUD WARNING OVER ‘TAP AND PAY’ BANK CARDS
Millions face rip-off risk if they make contactless payments
contactless bank cards may be exposing millions of customers to the risk of fraud. Tests show that thieves armed with scanners can capture the numbers and expiry dates on the cards and use them for online purchases. Touted as a boon for shoppers making small transactions, the ‘tap and pay’ cards do not need a PIN.
Instead they have a tiny antenna that links with a till terminal through NFC – near-field communication. But a scanner held nearby can pick up this NFC data, according to Which?
The consumer group’s researchers tested ten cards – six debit and four credit – and found that all of them had the security flaw.
‘Using a reader and free software to decode data, we read the card number and expiry date from all ten,’ Which? reported. ‘Some cards revealed certain details of the last ten transactions but no cards revealed the CVV security code – the number on the back.
‘We doubted we’d be able to make purchases without the cardholder’s name or CVV code, but we were wrong.
‘We ordered two items, one a £3,000 TV,
from a mainstream online shop using “stolen” card details, combined with a false name and address.
‘By touching volunteers’ cards to our card reader, we got enough details to go on an internet spree.’
At least 58million of the cards are in circulation, with total spending reaching £2.32billion last year. The £20 purchase limit is to rise to £30 in september but there is no maximum online.
Peter eisenegger, of the national Consumers Federation, said: ‘It may be possible for a small percentage of cards to be read 15-20cm from the reader.
‘even if this was to occur in 0.1 per cent of cases, with more than 300million transactions taking place last year, many consumers could be affected.’
The UK Cards Association, which speaks for the banks, admitted that although lev-
‘May sacrifice financial security’
els of encryption have increased, it is possible for card details to be read remotely.
It stressed the value of security features, such as Verified by Visa, where online shoppers answer security questions before a purchase is authorised.
which? said: ‘This may stop some transactions but our tests suggest that some online shops sacrifice financial security in favour of an easier checkout.’
There is some research to suggest the scanners can capture the card details simply by being held close to a handbag or wallet while positioned near people in a shop or standing in a queue.
In theory, the distance between the card and scanner should be no more than 5cm to guarantee a connection, but experts found they can operate over a wider range.
Richard Koch, of the UK Cards Associa- tion, said: ‘Consumers are protected against fraud losses on contactless cards.
‘Instances of fraud on contactless cards are extremely rare, with losses of less than a penny for every £100 spent on contactless – far lower than overall card fraud.
‘The method shown by which? is not a new discovery. However, any such technol- ogy can only obtain the card number and expiry date – information that has always been available simply by looking at the front of a card.
‘The majority of online retailers require additional data such as the card security code, along with the cardholder’s address, which cannot be harvested electronically.’