Contactless cards expose Barclays users to fraud: report

A Channel 4 investigation has found that personal banking details can be swiped from a card via a mobile device

By Vinod

Millions of users of Barclays Bank’s contactless payment cards are at risk of fraud as their personal details can be stolen via a mobile phone, an investigation has found.

The investigation, carried out by Channel 4, revealed that mobile phones containing a standard card-reading app can be modified to steal details from contactless payment cards. This can be done simply by swiping the mobile phone over the card, even if it is in a wallet.

Contactless payment cards are fitted with a chip that contains all the important data needed to buy something, with the exception of the CVV code, and they work when held up to special readers in shops. Channel 4 alleges that these details can easily be transmitted to a mobile phone.

Thomas Cannon of ViaForensics, who helped with the investigation, said: "All I did was I tap my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card, that includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air."

Using details acquired this way, Channel 4 claims it was able to order and receive a number of goods purchased through online retailer Amazon.

The show said that Amazon does not require the CVV code – the three-digit number on the back of a user’s card – to complete purchases, which is where users are exposed to potential fraud. Normally a ‘card not present’ transaction requires the CVV, but evidently not in Amazon’s case.

The retail giant is not alone in this matter, meaning several other online shopping sites are potentially exposed to this kind of fraud.

During the investigation, Channel 4 found that only Visa cards issued by Barclays were at risk; other banking and card combinations did not transmit the data.

A statement issued by Barclays denied that their contactless payment system is inherently flawed. Instead the issue lies with the retailers, they said.

"We are compliant with scheme rules for contactless cards and our fraud guarantee refunds any fraudulent losses to customers in full. The only information which can be obtained from a chip is the same as that which is printed on the front of the card – this does not include secure information such as PIN or signature (CVV) code," a Barclays statement read.

"The details obtained should not be sufficient to undertake any fraudulent activity but we do depend on retailers upholding the same high standards of security when verifying payment details," the statement added. "As a matter of urgency we are now engaging with retailers to ensure they are undertaking adequate and robust checks. We remain committed to contactless and firmly believe that it continues to be a safe and viable payment system."

It is thought there are around 13 million users of Barclays’ contactless payment cards.

Contactless payment is a booming business at the moment, with near-field communications (NFC) chips being included as standard on many smartphones. A recent report by Informa said that mobile phone-based payments are expected to top $37bn a year by 2016.
