The new technology is vulnerable to thieves and conmen. Any stranger who found or stole one of the cards could go on a small-scale spending spree of up to £100 – as the reader requires a PIN only after five transactions in one day.
And this week The Mail on Sunday witnessed how details from the cards can be wirelessly copied by a touch screen phone – modified with parts bought on the internet for as little
The phone – which was adjusted by security expert Martin Emms and his team of researchers at Newcastle University’s Centre for Cybercrime and Computer Security – also accessed the last ten transactions made on the account.
By simply holding the phone near a wallet, our reporter was able to download the details within two seconds, fuelling fears that the technology could be exploited by thieves in a crowd or by brushing past someone.
The unsuspecting victim would be unaware their data had been stolen until they received their bank statement, but the stolen information could be used to make purchases online from retailers such as Amazon, who do not require a security code or further checks for most purchases.
Mr Emms, who has published a report into contactless card flaws, said: ‘We have produced a phone which speaks the same language as the cards and used this to obtain data from them.
‘With it, we have been able to strip contactless cards of the account-holder’s name, 16-digit number, and expiry date. In some cases, we have even been able to obtain the last ten purchases, which is one of the security questions asked by banks.
‘With this information alone we have been able to make purchases on Amazon. It is alarming because the information provides the basis that, with a little more research, could see thieves strip a bank account.’
Mr Emms added it was ‘reasonable to expect’ that around 30 million bank cards could be at risk of having their data read by modified mobile phones.
In April 2012, Barclays began to issue new cards they claimed were more secure after fears were expressed about the flaws. However, they replace older cards only when they expire or a replacement is needed.
Mr Emms added: ‘Our research has exposed a number of flaws in contactless bank-card technology and we are desperate for the banks to do more before the loopholes are exploited by thieves.’
The flaws have provoked warnings from security analysts that the contactless technology could be ‘wide open to exploitation’ by thieves.
Ross Anderson, professor of security engineering at Cambridge University, also fears the contactless system could prove a boon for thieves. He said: ‘The problem with contactless cards is they have been rolled out in a haphazard way without careful thought into the consequences.
‘With a modified phone, which can be put together easily, a bank account can have its details stripped from a contactless card in seconds. With the list of someone’s last ten transactions, a thief can use that to answer a bank’s security question.
‘That’s not all they need to know, but a determined thief will be able to get the other information fairly easily and have access to your bank account.
‘Banks blame the stores and vice versa, but the people losing out are customers having their details stolen. The big beneficiaries are the firms who invented the inadequate technology – and, of course, the thieves.’
The majority of contactless cards belong to Barclays customers, accounting for 19.3 million cards.
Britons now make 5.4 million contactless card transactions a month, up from 2.5 million at the start of the year.
There are 232,000 card readers across the country.
There are plans afoot to phase out the ‘magnetic strip’ credit cards, store cards and supermarket loyalty cards in favour of contactless and chip and PIN technology.
Last night a spokesman for the UK Cards Association said: ‘We always welcome contributions from researchers on addressing potential vulnerabilities in the payments system.’
A spokesman for Visa Europe said: ‘Our latest required specification for contactless cards does block access to the cardholder name.’