Contactless Cards in the Dock After Researchers Find Security Holes

Security flaws in contactless cards and worrying gaps in retailers’ fraud checks were laid bare again this week with new research from consumer advice group Which?

After purchasing a contactless card reader from a “mainstream” website, the researchers tested 10 cards.

They explained the following:

“Contactless cards are coded to 'mask' personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards. We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).”

More worrying still was that the researchers were able to use these few stolen details to go on an internet shopping spree, buying a £3000 TV from a “mainstream online shop.” No CVV number was needed and they used a false name and address.

A security expert Which? spoke to claimed that thieves may in the future develop contactless card readers which could operate remotely, presenting an even bigger threat for users.

Industry watchers claimed the flaws exposed in the research were previously known about, but remain concerning.

“The payment industry always planned that the risks associated with exposing information over wireless connections would be mitigated by stronger controls put around card not present transactions made over the telephone or internet,” argued Gemalto payments security expert, Paul Hampton.

“However, as Which? has highlighted, often these controls are relaxed by merchants as the inconvenience of additional security can drive customers away from completing purchases.”

He added that contactless payments made via smartphones are a more secure way to transact as they typically don’t use real card details and require a PIN or fingerprint to authenticate.

LogRhythm managing director for international markets, Ross Brewer, added that the research raises some urgent questions.

“For a start, if banks are aware of the problem, why has it not been solved? The fact that the card details are not masked is a concern and banks should have, by now, found a way to ensure the data is not so freely available to thieves,” he argued. 

“In addition, and potentially more worrying, is the fact that the researchers were able to buy goods online without needing the registered address of the cardholder, or the CVV code. Correctly supplying this information should be the very minimum required for a transaction to go through successfully.”

He said that banks need to get better at spotting unusual account activity, as the raising of the contactless limit to £30 in September may attract more thieves.
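The two control gaps the article describes, a merchant approving a card-not-present purchase with neither a CVV nor a matching cardholder address, and a bank failing to notice a burst of tap payments, can both be expressed as simple decision logic. The following is an added illustration written for this page; it is not code from Which?, Gemalto, LogRhythm or Verizon, and the field names, the £30 limit constant, the velocity thresholds and the sample transactions are all assumptions constructed for the example.

```python
"""Defender-side checks for the two gaps described in the article (illustrative, constructed).

1. A merchant-side card-not-present (CNP) rule: decline unless the CVV was collected
   and verified AND the address verification (AVS) result fully matches.
2. An issuer-side velocity rule: flag a burst of contactless taps sitting just under
   the contactless limit, the pattern a raised limit makes more attractive to thieves.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

CONTACTLESS_LIMIT_GBP = 30.00  # UK per-tap limit mentioned in the article (assumed constant)


@dataclass
class CardNotPresentRequest:
    pan_last4: str                 # only the last four digits are ever stored here (constructed)
    expiry: str                    # "MM/YY"
    amount_gbp: float
    cvv_supplied: bool             # did the checkout collect a CVV at all?
    cvv_match: Optional[bool]      # issuer CVV2 result; None means it was never checked
    avs_postcode_match: Optional[bool]
    avs_address_match: Optional[bool]


def cnp_decision(req: CardNotPresentRequest) -> Tuple[str, List[str]]:
    """Return ("approve"|"decline", reasons). Missing CVV or an unmatched AVS is a hard decline."""
    reasons: List[str] = []
    if not req.cvv_supplied:
        reasons.append("no CVV supplied")
    elif req.cvv_match is not True:
        reasons.append("CVV mismatch or unchecked")
    if req.avs_postcode_match is not True or req.avs_address_match is not True:
        reasons.append("AVS not fully matched")
    return ("decline" if reasons else "approve", reasons)


@dataclass
class ContactlessTx:
    timestamp: datetime
    amount_gbp: float
    merchant: str


def flag_unusual_contactless(history: List[ContactlessTx],
                             window: timedelta = timedelta(hours=1),
                             max_count: int = 4,
                             near_limit_ratio: float = 0.8) -> List[Dict[str, object]]:
    """Flag the first burst of >= max_count taps inside `window` where almost all
    sit near the contactless limit. Thresholds are assumed values, not industry rules."""
    near_limit = near_limit_ratio * CONTACTLESS_LIMIT_GBP
    txs = sorted(history, key=lambda t: t.timestamp)
    for i, start in enumerate(txs):
        in_window = [t for t in txs[i:] if t.timestamp - start.timestamp <= window]
        if len(in_window) < max_count:
            continue
        near = sum(1 for t in in_window if t.amount_gbp >= near_limit)
        if near >= max_count - 1:
            return [{"start": start.timestamp, "count": len(in_window), "near_limit": near}]
    return []


# --- constructed sample data -------------------------------------------------
# Mirrors the article's purchase: large CNP order with no CVV and a false address.
SUSPECT_ORDER = CardNotPresentRequest("1234", "09/27", 3000.00, cvv_supplied=False,
                                      cvv_match=None, avs_postcode_match=False,
                                      avs_address_match=False)
GENUINE_ORDER = CardNotPresentRequest("1234", "09/27", 3000.00, cvv_supplied=True,
                                      cvv_match=True, avs_postcode_match=True,
                                      avs_address_match=True)

T0 = datetime(2015, 7, 23, 12, 0)
BURST = [ContactlessTx(T0 + timedelta(minutes=m), amt, shop) for m, amt, shop in
         [(0, 29.99, "shop-a"), (8, 28.50, "shop-b"), (17, 29.00, "shop-c"),
          (25, 27.80, "shop-d"), (40, 29.99, "shop-e")]]
NORMAL = [ContactlessTx(T0, 3.20, "cafe"), ContactlessTx(T0 + timedelta(hours=6), 12.00, "lunch")]

if __name__ == "__main__":
    print(cnp_decision(SUSPECT_ORDER))
    print(cnp_decision(GENUINE_ORDER))
    print(flag_unusual_contactless(BURST))
    print(flag_unusual_contactless(NORMAL))
```

The CNP rule is deliberately strict: a partial AVS match (postcode only) still declines, because the article's point is that relaxing these checks for convenience is exactly what let a false name and address through. The velocity rule is a starting point for the "unusual account activity" detection Brewer calls for; real issuers would combine it with merchant category, geography and the cardholder's own spending history.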

“Which? has exposed the problem, now it is up to organizations to fix it so consumers can ‘tap and go’ without concern,” Brewer concluded.

Laurance Dine, managing principal at Verizon’s Investigative Response Team, claimed the security gaps shown in the research prove two-factor authentication is needed for payments.

“For example, biometrics offers a great alternative way to authenticate individuals into systems, applications and data securely. The reasoning is simple: since everyone has a unique biological identity, let’s apply that single biological identity to cyberspace to establish trust,” he added. 

“Fingerprint biometrics usually afford the easiest user interface – simply place your index finger or thumb on a reader and authentication takes place, much like the recently launched Apple Pay solution.”
