
  • ExTS Admin
Posted

A flaw has been discovered in Barclays contactless bank cards that could allow customers' data to be stolen and used fraudulently without them even knowing about it.

 

An investigation by ViaForensics, in conjunction with Channel 4 News, has revealed that data can be lifted from Near Field Communications (NFC) chips used in Barclays contactless Visa cards by simply touching a smartphone installed with a piece of specialised software to a card. That data - which is unencrypted - can then be used to purchase multiple goods online.

 

"All I did was I tapped my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card," Thomas Cannon of ViaForensics told Channel 4 News. "That includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air."

 

Typically, this would not be enough information to perform "cardholder not present" transactions over the internet or the phone, because most retailers require the three-digit signature (CVV) code from the back of the card and a valid address. However, during the course of the research it was found that there are some major online retailers that do not require this information.

 

For example, Channel 4 News was able to create a new account on Amazon's website, with a different name and billing and delivery address to the card they scanned, and was able to order and receive products without any link to the cardholder. Amazon does not require the CVV code on the back of the card to process purchases.

 

Barclays defended its position, claiming that it is compliant with scheme rules for contactless payments, and that the information that can be obtained from a chip is the same as that which is printed on the front of the card.

 

"This is not an issue with contactless but with the checks undertaken for 'card not present' payments by some retailers," Barclays told Channel 4 News. "As a matter of urgency we are now engaging with retailers to ensure they are undertaking adequate and robust checks."

 

However, the Department for Business, Innovation and Skills has called on card issuers to act quickly to address this issue and to cancel and replace cards if necessary.

 

 

Source:

http://www.networkworld.com/news/2012/032612-barclays-contactless-card-users-exposed-257649.html?source=nww_rss

Member of:

UNITE
