Barclays, swipe cards and you (oh, and tin foil)
If you didn't catch our exclusive on Channel 4 News, you can find it online here.
If you have a Barclays contactless credit or debit card (i.e. one carrying the contactless symbol) then the details on the card can be read using an off-the-shelf mobile phone running a special app. The card will give up the name, number and expiry date.
My producer Geoff White, who researched the story, has been looking into the story further.
The three-digit CVV number on the back cannot be read, but it turns out there are many sites, most notably Amazon, where you can make a purchase with just those three details (and Amazon will deliver to an address not matching the cardholder's).
Consumers are shocked. What's weird is that Barclays and Visa (who provide the credit service to Barclays) don't understand why. They argue that these three details can be read on the front of the card anyway, so they don't see a problem transmitting them unencrypted.
They don't seem to see that for consumers, having the card in a wallet or pocket feels secure, and the idea that the details can be read remotely makes them feel very insecure.
Barclays say they are obeying the contactless "scheme rules" laid down by Visa. (Visa declined to comment but say they support Barclays' response.)
So what are the "scheme rules"? We don't know, because neither Barclays nor Visa will share them with us.
The UK Cards Association told me that under the scheme rules, the name on the card should not be transmitted (mind you, the Association also did not know you can read a card with a phone, which for the industry body is a bit worrying).
When I asked Barclays about this, here's what they told me: "That is one version of the scheme recommendations (not the rules; the rules are separate). Because we launched contactless some years ago, our cards are built to another version (which are also still valid) which don't include that. The name aspect was added for privacy reasons, not security ones, and primarily for the US market (the guidelines are global). We have not changed that as we, and the whole industry, do not view it to be a security threat. If a retailer is processing payments without signature codes, the name isn't probably going to make a lot of difference. Our cards do constantly evolve over time of course as new functionality is added and things change."
So basically Visa now recommends that the cardholder name is not transmitted. Barclays are ignoring that recommendation.
Because Amazon don't ask for the CVV number, they are ultimately liable for any fraud (although a customer would claim against their bank, and the bank would then sue Amazon). Despite three emails and four phone calls, Amazon never got back to us, not even to say "no comment". I guess when you're the world's biggest e-commerce site you can do that.
Next stop on the potential blame train is the FSA. Part of the licence the FSA issues to banks requires them to have “robust” payment methods. How does the FSA go about checking that? And did they check contactless cards?
I struggled to get a clear answer on this from the FSA. They talked about international rules, and when I pointed out that as the national regulator they can decide if those rules are up to scratch, there didn't seem to be an answer. I didn't push it, as we were already fighting to get everything into a four-minute piece.
So the FSA is one avenue which needs exploring. The researcher we worked with, Thomas Cannon of viaForensics (https://viaforensics.com/), seems confident the trick can be made to work on other contactless cards, and if it does, it becomes an industry-wide story, at which point there'll be more questions for the FSA and the UK Cards Association.
For the moment though, consumers are being given (from what I've heard, forced to have) contactless cards, and they cannot turn the functionality off.
If you have one, then you can of course choose not to carry it. You can buy a shielded wallet (http://difrwear.com/). Or wrap the card in tinfoil.
There. I've crossed the line. I am now officially writing a blog recommending tinfoil as a security solution. http://www.imdb.com/title/tt0120660/
Follow @geoffwhite247 on Twitter.


There are 6 comments on this post
I knew of this problem years ago and demanded Barclays issue me with a card that did not have contactless capability. They refused and also refused to legally indemnify me against fraud from swipe technology in writing. I further requested to know where the contactless chip was located on the card so I could gouge it out myself; again they refused to tell me where it was. Barclays are imposing this unsafe, unwanted and unwelcome card onto their customers against their wishes with no ability to opt out.
If I lost any money this way I'd sue Visa.
Hi Geoff – great follow-up item on this evening’s news! Once again, well done for helping raise awareness.
If anyone is interested in fabricating his, or her, own ‘anti-skim’ sleeve then a step-by-step DIY guide can be found at the following blog:
http://contactless.wordpress.com/2010/10/25/rfid-shielding-case-%E2%80%93-diy-option/
This is certainly an excellent preventative measure, and may provide a degree of protection against the average 'e-pickpocket'.
However, for (style conscious?) individuals who are really serious about protecting themselves, something a little more robust than mere silver foil is recommended. Our sleeves, wallets and card-holders all meet US Government FIPS-201 requirements, and are specifically designed to block attacks on 13.56MHz contactless cards and similar same-frequency RFID devices. We didn't recognise the wallet that was dissected in this evening's programme, but the internals looked pretty flimsy; maybe this was a US product?
You'll find no Bako foil in our kit, although that said, we do confess to having something of a soft spot for UK 'tin-hatters'!
Keep up the good work; it's appreciated.
No one gets to sue Visa or Barclays because it's Amazon and their slack checking/risk taking that is at fault. This is a big failure of Amazon (and all the other websites that don't use CVV/CVC checking). Amazon should use the Amazon account address to verify the cardholder's address and then only deliver to that address (though I suspect they do, but allow delivery to an alternative address that the programme makers or viaForensics have chosen not to highlight).
If anyone does manage to get your details, Amazon make it much too easy to bypass the checks that have been put in place over the years (and they will also send items to an address not registered against the card). I guess being big allows you to bully your acquirer into your way of thinking and at the end of the day all they want is payment; they are not concerned about Barclays/Lloyds customers (or Visa come to that).
Big Amazon failure.
As I understand it, tinfoil is only effective at reducing transmission and not eliminating it entirely. But even if common or garden foil was totally effective as a 'security solution', why should the onus be on the consumer to wrap their cards in foil if they don't want to be e-pickpocketed?
It’s like a multi-national car company admitting “Yes, we are aware of a problem with the braking system in some of our models – but providing the customer doesn’t brake sharply there’s nothing to worry about”.
Have to also say that I was most disappointed with this cursory ‘Heath Robinson’ solution to a potentially very serious issue.
Why the open-and-shut case C4?
I have received one of these cards from Barclays. It's not a service I want nor asked for. I won't use it, and Barclays' promise to reimburse any fraudulent transactions fills me with dread having dealt with them on a fraud issue once before. I can find no information on opting out on the Barclays website and the email form there does not seem to work at present. I'm not very impressed and will not be resorting to walking around with a pocket full of tinfoil, so I suppose I will be looking at a new bank.