Originally Posted by Channel 4 News

Millions more British bank customers have been exposed to fraud through the latest credit and debit card technology, writes Channel 4 News technology producer Geoff White.

Millions more British bank customers have been exposed to fraud through the latest credit and debit card technology.

On Friday Channel 4 News reported that Barclays Visa contactless cards (ones which bear the symbol pictured) can be read using an off-the-shelf mobile phone running a special app.

ViaForensics, the company which carried out the research for Channel 4 News, has now shown the same technique works on a Visa debit card issued by Lloyds. And banking industry insiders have told us that all Visa contactless cards can potentially be read in this way.

The app reads the full name, number and expiry date from the card. Channel 4 News was able to use just these three details to order goods through Amazon; setting up an account under a dummy email address and having the goods shipped to an address which does not match that of the cardholder.

There are around 19 million contactless cards in circulation in the UK - Barclays accounts for around 13 million of those.

Visa, which provides credit facilities for Barclays, Lloyds and other banks, said it takes cardholder security very seriously. It acknowledges that the details are transmitted by the cards without encryption, but said these details can be gained "by a number of methods" and should not be usable without the three-digit CVV number on the back of the card.

(snip)

Originally Posted by Matt D (Post 35406913)

I'm surprised there's been no thread about this.

Fraud fears grow over contactless bank card technology



... unfortunately Amazon and some other online retailers don't use the three-digit CVV number... :rolleyes:


This reminds me of all the talk a while back about being able to remotely read someone's RFID-chipped passport using a laptop and special scanner.

Originally Posted by Hom3r (Post 35406931)

Correct me if im wrong, but this contactless method (I have a Barclaycard with this) is limited to small amounts of around £10/20, and still require a pin ?

Originally Posted by Hom3r (Post 35406931)

Correct me if im wrong, but this contactless method (I have a Barclaycard with this) is limited to small amounts of around £10/20, and still require a pin ?

Originally Posted by Matt D (Post 35406938)

The issue with this is that the cards transmit the cardholder's name, the card number, and the expiry date... all unencrypted.

If someone obtains that information, they can then use the card details to make purchases online (at sites like Amazon, which don't use the CVV number), without any of the "small transaction restrictions" that are in place when physically using the contactless card in a shop.


EDIT:

The original C4 News story - http://www.channel4.com/news/million...posed-to-fraud

Originally Posted by Maggy J (Post 35406943)

The answer is simple, keep youur card inside a shielded wallet .What's on offer seems expensive though.Cheapest seems to be about £40:(



I wish I still had my metal business card wallet, it would have been perfect.However I see there are some as low as a tenner.:)

Originally Posted by gazzae (Post 35406942)

Would they not also require your address? Is there not a check to make sure the Invoce address matches?

Originally Posted by Maggy J (Post 35406943)

The answer is simple, keep youur card inside a shielded wallet .What's on offer seems expensive though.Cheapest seems to be about £40:(

Originally Posted by danielf (Post 35406958)

Erm, and what if you actually want to use the card for its intended purpose?

Originally Posted by Matt D (Post 35406952)

Well, you'd think so, but according to C4's investigation they were able to purchase items from Amazon using different billing and delivery addresses to those of the cardholder.

Originally Posted by Hom3r (Post 35406931)

Correct me if im wrong, but this contactless method (I have a Barclaycard with this) is limited to small amounts of around £10/20, and still require a pin ?

Originally Posted by Matt D (Post 35406918)

It is rather dodgy that someone with an NFC-enabled phone could essentially pickpocket you without ever actually touching your wallet.

Sure, once you report a card as lost or stolen or fraudulently used, it gets blocked... but if the card is still in your wallet, how long would it take for you to realise someone has read the info and gone off to spend your money?

Originally Posted by Matt D (Post 35406918)

It is rather dodgy that someone with an NFC-enabled phone could essentially pickpocket you without ever actually touching your wallet.

Sure, once you report a card as lost or stolen or fraudulently used, it gets blocked... but if the card is still in your wallet, how long would it take for you to realise someone has read the info and gone off to spend your money?

Originally Posted by Chris (Post 35407026)

In which case, the critical weakness is with Amazon, not with the Visa card. They should be verifying that the purchaser is in possession of the card by collecting the CVV at point of sale, but they're not (presumably because they think it interferes with their one-click impulse buying engine). They should also be cross-checking addresses but again, they want to operate a gift delivery service so their product offering is taking precedence over card security measures.

Originally Posted by Chris (Post 35407076)

A tinfoil hat for your credit card? :D

Originally Posted by mertle (Post 35407137)

indeed inconvenient but actually works been advice in yankie land which this stupid techno been out for abit.

http://pamela99.hubpages.com/hub/Ide...als-New-Access

Originally Posted by Tim Deegan (Post 35407142)

Yeah, very inconvenient. It would be far better if the banks increased their terrible security, especially AMEX who believe it or not, are the worst.

Originally Posted by mertle (Post 35407144)

Indeed it seems they want make life easier for crims. You know what I would not be shocked they wont refund fraud at some point.

Originally Posted by Tim Deegan (Post 35407147)

Well they certainly aren't making any more difficult for them. The potential is there for very strict security, but they don't seem to want to use what is available to them.

Originally Posted by mertle (Post 35407159)

true they blame costs for not implenting the tech but for what fraud costs surley it would balance. Now would love to see the figures of implenting to fraud costs. Not forgeting it would be bank v bank totals.

I glad mine at moment not one these but believe others barcleys got plans it stupid.

You can stand near them get apps on devices which will scim them just by standing next to someone as long the persons wallet near the it will read it.

Originally Posted by Tim Deegan (Post 35407170)

It shouldn't really be a big cost issue. Many of the merchant services and gateways already request far more information than the banks actually check. The banks have the details to cross check, so it would just be a case of the banks catching up with the gateways and merchants service suppliers.

Originally Posted by Matt D (Post 35406938)

The issue with this is that the cards transmit the cardholder's name, the card number, and the expiry date... all unencrypted.

Originally Posted by Anonymouse (Post 35407227)

This sounds like a silly, obvious question, I know, but...why is this information transmitted unencrypted?!

And don't say it's because of cost - how much more does it cost the banks etc. in fraud claims? If they'd just ensure it's encrypted, end of problem...well, at least until some genius proves the Riemann Hypothesis, that is. :p:

Originally Posted by mertle (Post 35407189)

thanks my bank given us software online but secerity already high it interfered:shocked:.

We have password thing too if buy anything online they now second layer you go through.

Originally Posted by mertle (Post 35407189)

Now the only thing about shops is if your asked password or question it could be recorded.

Originally Posted by mertle (Post 35407189)

In privacy in bank little easier to have that extra barrier.

Originally Posted by mertle (Post 35407189)

The other is identity that again could be faked.

Originally Posted by mertle (Post 35407189)

The problem also is people themselves they dont want jump through hoops to shop. This why this stupid idea came from ease shopping. People hate queuing longer necessary hate pin, everything in speed.