
Barclays contactless card users exposed to fraud

This is a discussion on Barclays contactless card users exposed to fraud within the Computer Security News forums, part of the Tech Support Forum category.

Posted by Glaswegian, 03-26-2012, 02:25 PM

A flaw has been discovered in Barclays contactless bank cards that could allow customers' data to be stolen and used fraudulently without them even knowing about it.

An investigation by ViaForensics, in conjunction with Channel 4 News, has revealed that data can be lifted from Near Field Communications (NFC) chips used in Barclays contactless Visa cards by simply touching a smartphone installed with a piece of specialised software to a card. That data - which is unencrypted - can then be used to purchase multiple goods online.

"All I did was I tapped my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card," Thomas Cannon of ViaForensics told Channel 4 News. "That includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air."

Typically, this would not be enough information to perform "cardholder not present" transactions over the internet or the phone, because most retailers require the three-digit signature (CVV) code from the back of the card and a valid address. However, during the course of the research it was found that there are some major online retailers that do not require this information.

For example, Channel 4 News was able to create a new account on Amazon's website, with a different name and billing and delivery address to the card they scanned, and was able to order and receive products without any link to the cardholder. Amazon does not require the CVV code on the back of the card to process purchases.

Barclays defended its position, claiming that it is compliant with scheme rules for contactless payments, and that the information that can be obtained from a chip is the same as that which is printed on the front of the card.

"This is not an issue with contactless but with the checks undertaken for 'card not present' payments by some retailers," Barclays told Channel 4 News. "As a matter of urgency we are now engaging with retailers to ensure they are undertaking adequate and robust checks."

However, the Department for Business, Innovation and Skills has called on card issuers to act quickly to address this issue and to cancel and replace cards if necessary.

"We are contacting the Payments Council, UK Cards and Barclays to get more details on the extent of the problem and to understand what urgent action is being taken to address it," said BIS in a statement. "We have always emphasised the importance of data security in initiatives such as midata, and this contactless payment facility clearly has some serious weakness in this regard."

Contactless payments technology is not just used in cards, but is also increasingly being built into mobile phones. Last year, Visa and Barclaycard rolled out 250 contactless payment terminals at the O2 in London, allowing visitors to make payments of up to £15 using their contactless credit or debit card or an NFC-enabled mobile phone.

ViaForensics conducted a similar investigation into Google Wallet last year, and found that sensitive information was also stored unencrypted on NFC chips in Android devices. However, Google defended its mobile payment service, claiming that Google Wallet is safer than using credit cards to pay for goods.

Barclays contactless card users exposed to fraud - PC Advisor
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
