Barclays, swipe cards and you (oh, and tin foil)
If you didn't catch our exclusive on Channel 4 News, you can find it online here.
If you have a Barclays contactless credit or debit card (i.e. one bearing the contactless symbol), then the details on the card can be read using an off-the-shelf mobile phone running a special app. The card will give up the name, number and expiry date.
My producer Geoff White, who researched the story, has been looking into the story further.
The three-digit CVV number on the back cannot be read, but it turns out there are many sites, most notably Amazon, where you can make a purchase with just those three details (and Amazon will deliver to an address not matching the cardholder's).
Consumers are shocked. What's weird is that Barclays and Visa (who provide the credit service to Barclays) don't understand why. They argue that these three details can be read on the front of the card anyway, so they don't see a problem transmitting them unencrypted.
They don't seem to see that for consumers, having the card in a wallet or pocket feels secure, and the idea that the details can be read remotely makes them feel very insecure.
Barclays say they are obeying the contactless "scheme rules" laid down by Visa. (Visa declined to comment but say they support Barclays' response.)
So what are the "scheme rules"? We don't know, because neither Barclays nor Visa will share them with us.
The UK Cards Association told me that under the scheme rules, the name on the card should not be transmitted (mind you, the Association also did not know you can read a card with a phone, which for the industry body is a bit worrying).
When I asked Barclays about this, here's what they told me: "That is one version of the scheme recommendations (not the rules; the rules are separate). Because we launched contactless some years ago, our cards are built to another version (which are also still valid) which don't include that. The name aspect was added for privacy reasons, not security ones, and primarily for the US market (the guidelines are global). We have not changed that as we, and the whole industry, do not view it to be a security threat. If a retailer is processing payments without signature codes, the name isn't probably going to make a lot of difference. Our cards do constantly evolve over time of course as new functionality is added and things change."
So basically Visa now recommends that the cardholder name is not transmitted. Barclays are ignoring that recommendation.
Because Amazon don't ask for the CVV number, they are ultimately liable for any fraud (although a customer would claim against their bank; the bank would then sue Amazon). Despite three emails and four phone calls, Amazon never got back to us, not even to say "no comment". I guess when you're the world's biggest e-commerce site you can do that.
Next stop on the potential blame train is the FSA. Part of the licence the FSA issues to banks requires them to have “robust” payment methods. How does the FSA go about checking that? And did they check contactless cards?
I struggled to get a clear answer on this from the FSA. They talked about international rules, and when I pointed out that as the national regulator they can decide if those rules are up to scratch, there didn't seem to be an answer. I didn't push it, as we were already fighting to get everything into a four-minute piece.
So the FSA is one avenue which needs exploring. The researcher we worked with, Thomas Cannon of viaForensics (https://viaforensics.com/), seems confident the trick can be made to work on other contactless cards, and if it does, it becomes an industry-wide story, at which point there'll be more questions for the FSA and the UK Cards Association.
For the moment though, consumers are being given (from what I've heard, forced to have) contactless cards, and they cannot turn the functionality off.
If you have one, then you can of course choose not to carry it. You can buy a shielded wallet (http://difrwear.com/). Or wrap the card in tinfoil.
There. I've crossed the line. I am now officially writing a blog recommending tinfoil as a security solution. http://www.imdb.com/title/tt0120660/
Follow @geoffwhite247 on Twitter.