Bank card details can be stolen with NFC-equipped phones

One of many ‘next big things’ in the world of technology is the prospect of soon being able to use your mobile phone as a way to pay for things in the real world. The vision of replacing your wallet or purse with a mobile phone capable of handling all of your payment requirements is not a new one. But with smartphones such as Samsung's Galaxy Nexus now being equipped with near-field communication (NFC) hardware – and financial institutions working closely with network operators on infrastructure – it looks like that dream will soon, finally, be realised on a broad scale.

But while NFC technology is making its way slowly onto smartphones, it's already widely used in so-called ‘contactless’ cards; many banks now issue debit and credit cards with an integrated contactless chip (the same ISO/IEC 14443 radio interface that NFC phones use), allowing cardholders to pay for small amounts without entering a PIN or signing for authorisation. This week, the UK’s Channel 4 News revealed how easy it is to ‘steal’ data from these contactless cards, “using nothing more than an ordinary [NFC-capable] smartphone, and some specially-designed – but devastatingly simple – software”.

Channel 4 worked with security analysts viaForensics on its investigation; the company’s Thomas Cannon explained to correspondent Benjamin Cohen: “All I did was tap my phone over your wallet, and using the wireless reader on the phone, I was able to lift out the details from your card; that includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air.”

The UK Cards Association states that the cardholder’s name should not be among the data transmitted. But Barclays, the British bank at the centre of the controversy, insisted that it is “compliant with scheme rules for contactless cards”, adding that “the only information which can be obtained from a chip is the same as that which is printed on the front of the card”.

Barclays further insisted that the bigger issue lies with retailers, not all of which apply strict checks when processing card payments. Contactless payments in person - i.e. where the cardholder physically presents the card when making a purchase - are capped at small amounts without cardholder verification (in the UK, £15, roughly $25, at the time of writing); but once the card details have been read surreptitiously, they can be used for far larger card-not-present purchases online, particularly at retailers that skip the usual checks.

In fact, Channel 4 News was able to use the limited card data read by the smartphone – which did not include the PIN or the card’s CVV2/CSC code printed on the signature strip on the back – to purchase products online from Amazon. C4 News did so using just the cardholder name, card number and expiry date, with no further checks required, even though the Amazon account had been set up in a different name from that on the card, and the products were sent to an address not associated with the card. Amazon did not respond to Channel 4’s requests for comment.
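As an added illustration of what the report describes (this is not the viaForensics software and not code from the article), here is how the fields come off a contactless card once a reader holds the card's record: the data is plain BER-TLV, so nothing ever has to be decrypted. The record bytes are constructed for this example (4111111111111111 is a well-known test card number); real cards differ in layout but use the same encoding and the same EMV tags. It also shows what is absent: no tag carries the CVV2 printed on the signature strip, which is why a retailer that insists on CVV2 cannot be paid with a skim alone.

```python
"""Pull card details out of a contactless (EMV) READ RECORD response.

Added example, not the Channel 4 / viaForensics tool and not any bank's
code. It assumes the NFC reader has already run the usual SELECT /
GET PROCESSING OPTIONS / READ RECORD exchange and holds the plaintext
response bytes. SAMPLE_RECORD is CONSTRUCTED for illustration.
"""

# Constructed sample: a tag 70 record template holding the PAN (5A),
# expiry (5F24, YYMMDD), cardholder name (5F20) and Track 2 Equivalent
# Data (57). Nothing in it is encrypted; it is just a TLV byte string.
SAMPLE_RECORD = bytes.fromhex(
    "70 30"
    "5A 08 41 11 11 11 11 11 11 11"                            # Application PAN
    "5F 24 03 14 12 31"                                        # expiry 2014-12-31
    "5F 20 0F 54 45 53 54 2F 43 41 52 44 48 4F 4C 44 45 52"    # 'TEST/CARDHOLDER'
    "57 0C 41 11 11 11 11 11 11 11 D1 41 22 01"                # track 2: PAN 'D' YYMM svc
)


def parse_tlv(data: bytes) -> dict:
    """Minimal BER-TLV parser: returns {tag hex: value bytes}, flattening
    constructed templates (70, 6F, A5, ...) into the same dict."""
    out = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # EMV allows padding bytes between TLVs
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:             # multi-byte tag (e.g. 5F24, 9F26)
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                    # long-form length: 0x8N then N bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:                     # constructed tag: descend into it
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def card_details(record: bytes) -> dict:
    """Extract the fields the report says were lifted: PAN, expiry (MM/YY), name.
    There is no EMV tag for the CVV2, so it can never appear here."""
    tlv = parse_tlv(record)
    d = {}
    if "5A" in tlv:
        d["pan"] = tlv["5A"].hex().upper().rstrip("F")   # odd-length PANs are F-padded
    if "5F24" in tlv:
        yymmdd = tlv["5F24"].hex()
        d["expiry"] = f"{yymmdd[2:4]}/{yymmdd[0:2]}"
    if "5F20" in tlv:
        d["name"] = tlv["5F20"].decode("ascii").strip()
    if "57" in tlv:
        # Track 2 Equivalent Data: PAN, 'D' separator, YYMM, service code, ...
        track2 = tlv["57"].hex().upper().rstrip("F")
        pan, rest = track2.split("D", 1)
        d.setdefault("pan", pan)
        d.setdefault("expiry", f"{rest[2:4]}/{rest[0:2]}")
    return d


def mask_pan(pan: str) -> str:
    """PCI DSS-style masking for anything you log: first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    details = card_details(SAMPLE_RECORD)
    print({**details, "pan": mask_pan(details["pan"])})
```

If you write a reader like this for testing your own cards, keep the masking: the PAN is cardholder data under PCI DSS the moment it lands in a log file.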

The UK government’s Department for Business, Innovation and Skills has called for an urgent investigation, calling on Barclays and Visa to "act quickly to address this issue and to cancel and replace cards if necessary". With some 13 million customers already using contactless cards, that could prove rather costly.

While Channel 4 News wasn’t able to use the software to read data from cards issued by other British banks, the weaknesses exposed in what should be a robust and secure system are still a cause for concern, and highlight the work that still needs to be done before we can realistically rely solely on NFC-based payment solutions. It also remains to be seen whether similar vulnerabilities exist in contactless cards issued by banks outside the UK.

You can watch the full report from Channel 4 News below:


28 Comments

Was waiting for this to happen, essentially when we have RFID readers running an open source / development core at the level the consumer can easily afford, all the RFID vendors that never thought about security (or did it poorly) are going to be wide open.

Some RFID technologies, like some wireless medical technology, try to rely on security through obscurity or disregard security altogether.

If you are that lazy that you can't swipe a card & punch in a pin number.....well, then get hacked fool.
Just take the card, find the chip, and use a small hole punch to punch it out of the card. Other than that, use an RFID shield wallet or slip case for the card(s).

That's why they sell RF shielded wallets now to stop this kind of thing, or the easiest way, as someone else mentioned, is to just put tin foil inside the wallet; a strip fitted into the back section where the notes are stored should suffice.

BeLGaRaTh said,
That's why they sell RF shielded wallets now to stop this kind of thing, or the easiest way, as someone else mentioned, is to just put tin foil inside the wallet; a strip fitted into the back section where the notes are stored should suffice.

When I got my MasterCard, the bank I'm with gave me an RFID shielded sleeve for it.

NFC works from only a couple of centimetres away, so someone would have to get very close to steal your money.

If they haven't already implemented such features, Google and other companies should surely only broadcast card info when you're in a wallet app or whatever. Not sure why the phone would permanently broadcast card info when it only needs to when being used to pay!

Interesting, because we tried this here in Australia, and the NFC chip was encrypted. Maybe it's specific to each bank?

You just need to be in the subway while someone tries to take the info using their smartphone...a little bump and you wouldn't even know about it...

That data needs to be encrypted somehow...

+1 for most banks in the US NOT using the chips on their credit/debit cards. This type of thing simply wouldn't be possible with cards that only have a mag stripe.

Do you know how insecure a mag stripe is? It's not quite as easy to get at as NFC, but if you buy a $10 USB reader and swipe a card, all the details will appear as plain text.

Card chips and NFC aren't the same thing - non-NFC chips are a lot more secure than the mag stripe.

Simple solution: don't let people tap their phones to your wallet... Done!

Sure there might be some situations where you are in a crowded area and someone is able to tap their phone on your ass without you noticing, but then you're just as prone to good ol' fashioned pick pocketing, so I fail to see a problem here.

jeston said,
Simple solution: don't let people tap their phones to your wallet... Done!

Sure there might be some situations where you are in a crowded area and someone is able to tap their phone on your ass without you noticing, but then you're just as prone to good ol' fashioned pick pocketing, so I fail to see a problem here.

Well, your problem is that you are using logic here, and this isn't about logic, it's about creating a new "controversy".

z0phi3l said,

Well, your problem is that you are using logic here, and this isn't about logic, it's about creating a new "controversy".

What jeston said is possible though, could happen on a crowded tube train, in a nightclub (especially if 2 people were grinding, lol), heck, even if someone walks particularly close on the street holding their phone in their hand.

jeston said,
Sure there might be some situations where you are in a crowded area and someone is able to tap their phone on your ass without you noticing, but then you're just as prone to good ol' fashioned pick pocketing, so I fail to see a problem here.
That's why I don't put my wallet in my back pocket.

goofyinthehead said,
A little late picking up on a 3-week-old news story there Britain......and Neowin

http://www.nbcnewyork.com/news...Your-Plastic-116358499.html

Different thing.

People are saying, WOW they can read the CC number from within our pockets!

Fine, you have a CC number, an expiry date and then?

Name on the card?
Address?
CVV?

If a company takes just the card number and expiry date, they WILL lose when it comes to a chargeback.

Probably not worth it.

C4 News was able to do so using just the cardholder name, card number and expiry date, with no further checks required, even though the account had been set up in a different name to that on the card, with the products also being sent to an address not associated with the card. Amazon did not respond to Channel 4's requests for comment.

Um you can do that with any credit card, and on any online retailer

That's why they ask you if your billing information is the same as your residential information. The problem is that it's up to the payment processor what information they should check for (i.e. some don't care about CVV2 codes or billing addresses), not the bank. It should be the other way around.

Razorfolds said,

Um you can do that with any credit card, and on any online retailer

That's why they ask you if your billing information is the same as your residential information. The problem is that it's up to the payment processor what information they should check for (i.e. some don't care about CVV2 codes or billing addresses), not the bank. It should be the other way around.

Many online retailers are starting to require the CVV code on the card. Most places I buy from do and some even require the verified by visa password. That's done by bringing the system into the loop. Bad password = no charge.

Here in Sweden, one of the banks (Swedbank) allows you to generate a bunch of "virtual" cards - the idea is that you give each online retailer a different number, so if they're fraudulent or get hacked, you can just cancel the card and the rest of your account is safe.

I wonder if NFC cards should use the same idea and transmit a different card number and expiry date - that virtual number could then only be used for transactions under £15 and from NFC-enabled retailers. That'd solve a lot of the problems presented here.

iKenndac said,
Here in Sweden, one of the banks (Swedbank) allows you to generate a bunch of "virtual" cards - the idea is that you give each online retailer a different number, so if they're fraudulent or get hacked, you can just cancel the card and the rest of your account is safe.

I wonder if NFC cards should use the same idea and transmit a different card number and expiry date - that virtual number could then only be used for transactions under £15 and from NFC-enabled retailers. That'd solve a lot of the problems presented here.

The problem is that unless there is a way to link virtual card a to physical card b then there wouldn't be a way to determine whose account to apply the charge to. As it stands right now if you get a virtual card you do it through the bank or financial institution that handles it and they will link it to your real account so when a transaction comes through they know who to apply it to.

iKenndac said,
Here in Sweden, one of the banks (Swedbank) allows you to generate a bunch of "virtual" cards [...]

There are a lot of prepay card companies that allow you to do that (or something similar). You create an account and generate a virtual card. Then you top this virtual card using a credit/debit card.

shinji257 said,

The problem is that unless there is a way to link virtual card a to physical card b then there wouldn't be a way to determine whose account to apply the charge to.

Well... the bank would link both numbers (the one printed on the card itself and the NFC one) to the same account at the time of account creation.
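What the last few comments sketch is payment tokenisation with domain restrictions: the card hands out a token number that the issuer links to the real account, and the issuer only honours it in the channel and under the limit it was issued for. The following is an added example of that idea, not code from the article, the thread or any bank; the token BIN 999999, the channel names and the limits are assumptions, and amounts are in pence.

```python
"""Domain-restricted payment tokens, as proposed in the comments above.

Added example, not code from the article, the thread or any bank. The
token BIN 999999, the channel names and the limits are assumed values.
"""
import secrets


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                 # the digit left of the check digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Issuer-side vault: token PAN -> real PAN plus the domain it may be used in.
    The token looks like a card number (so existing rails carry it) but is
    worthless outside its channel and above its limit."""
    TOKEN_BIN = "999999"               # assumed token range, not a real issuer BIN

    def __init__(self):
        self._tokens = {}

    def issue(self, real_pan: str, channel: str, max_amount: int) -> str:
        """Mint a Luhn-valid 16-digit token bound to one channel and one limit."""
        body = self.TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
        token = body + luhn_check_digit(body)
        self._tokens[token] = {"pan": real_pan, "channel": channel, "max": max_amount}
        return token

    def authorize(self, token: str, amount: int, channel: str):
        """Issuer decision for a transaction presented with a token.
        Returns (approved, reason) or (approved, real_pan) on success."""
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if channel != rec["channel"]:
            return False, "token not valid for channel " + channel
        if amount > rec["max"]:
            return False, "amount above token limit"
        return True, rec["pan"]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.issue("4111111111111111", "contactless", 1500)   # £15 cap, assumed
    print(tok, vault.authorize(tok, 1200, "contactless"))
    print(tok, vault.authorize(tok, 1200, "ecommerce"))          # skimmed token, used online
```

With this in place, the number a phone can read from the card is the contactless token, and the Amazon purchase in the report would be declined at the issuer as "token not valid for channel ecommerce" regardless of what checks the retailer skips. The real PAN is only ever on the issuer's side of the link.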