Millions of Barclays customers could be exposed to fraud as a new technique for stealing account details from contactless payment cards has been revealed.
An investigation from Channel 4 News has shown that private account details can be lifted from a contactless card from Barclays simply by placing a smartphone with the right software near to it.
Retailers and payment providers have been slowly introducing contactless payment systems into their operations in order to speed up transactions in-store, and this new security threat will be of major concern to the industry.
Mobile phone security company ViaForensics researched how the technology could be abused and has warned of just how easy it is to take information from the cards.
“All I did was I tap my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card, that includes the long card number, the expiry date and your name,” Thomas Cannon of ViaForensics said.
“None of it was encrypted, it was simply a case of the details coming out through the air.”
The fraud technique uncovered by Channel 4 News can obtain all of the account details listed on the front of Barclays-issued Visa cards – other banks and systems were inaccessible via the scam – but cannot take secure information not embedded in the card’s chip, such as the PIN or signature (CVV) code.
Some online retailers such as Amazon do not require the CVV (a three-digit number on the back of a payment card) in order to buy goods via their sites, which means goods could be bought there using information electronically stolen from contactless cards.
Barclays said in a statement: “The details obtained should not be sufficient to undertake any fraudulent activity but we do depend on retailers upholding the same high standards of security when verifying payment details.
“As a matter of urgency we are now engaging with retailers to ensure they are undertaking adequate and robust checks. We remain committed to contactless and firmly believe that it continues to be a safe and viable payment system.”
Contactless technology allows consumers to purchase goods at the point-of-sale simply by swiping cards on a terminal, much like the Oyster system used by Transport for London, but participating retailers only permit low-value transactions, usually under £15, to be made via this system.
Retailers that have at least trialled contactless payments in their high street stores include Greggs, WHSmith, Wilkinson and Clintons.
A statement from the government's Department for Business, Innovation and Skills read: “We call on the card issuers to act quickly to address this issue and to cancel and replace cards if necessary.
“We are contacting the Payments Council, UK Cards and Barclays to get more details on the extent of the problem and to understand what urgent action is being taken to address it.
“We have always emphasised the importance of data security in initiatives such as midata and this contactless payment facility clearly has some serious weakness in this regard.”