The questions Barclays, Visa and Amazon need to answer about contactless cards
Thus far, we’ve had very little in the way of answers. Here are the big questions I want the Information Commissioner and the Department of Business, who have condemned the findings, to answer for us consumers.
I’ve never been personally convinced about the sense of the contactless revolution at all. As someone who has been mugged in the past, I know that thieves can use my card to make small transactions without knowing my PIN.
Sure, they can only use the cards in places like Pret A Manger, and only until I report the cards stolen, but they can use them nonetheless. This is a big issue for people who are pickpocketed and don’t realise it.
But the scary thing about our exposé is that you certainly wouldn’t realise that you have been electronically pickpocketed because you would still have your Barclays Visa card in your wallet. Nothing has gone missing and nothing would seem out of place until transactions appear on your statement.
1) Why aren’t Barclays contactless Visa cards encrypted or at least only giving partial information out?
We’ve been told that the guidelines for contactless cards recommend that not all of the details on the card are transmitted over the air. So for example, the card number is but your name isn’t. In the case of Barclays, for the multiple cards we tested, every piece of detail on the front of the card is transmitted. Why is this?
Barclays said the information we collated wasn’t of use because it didn’t contain all the details needed to make a transaction. But this isn’t true, we succeeded with the world’s largest online retailer.
Amazon refused to answer any questions; they didn’t return our multiple calls and emails over the course of the last week, so we have a lot of questions.
2) Why does Amazon not check the name and address of card holders before processing payments?
We were surprised that Amazon processed our transactions using a Barclays Visa that didn’t belong to the person making the order. The name didn’t match and neither did the billing address. But the transactions went through without a hitch for physical product orders and also electronic orders that were downloaded immediately.
Some might argue that the physical orders would be unlikely to have been made by criminals because their home address would have been revealed. This isn’t quite true. Online fraudsters use a practice called ‘dead letter boxing’: using a delivery address that doesn’t exist, for example the address ‘Flat F’ in a building of 5 flats, in the hope that a postman will leave the item in a communal area. Or they check into a cheap hotel, pay in cash and get items delivered to them under a fake name. £35 a night is well worth it to receive a laptop, for example.
When it comes to digital downloads like books or music, it’s pretty obvious that the items never get sent to a real-world address. Using open wifi or a proxy server (which masks the real location of a user) makes it impossible for the police to track anyone down.
3) Why does Amazon not ask for the security code on the back of cards before processing a transaction?
Unlike most online retailers, Amazon doesn’t ask for the three-digit so-called CVV number on the back of your credit or debit card. We think we know the answer to this question, but as Amazon hasn’t responded we can’t be sure.
One of the most important features of Amazon is “one click” shopping, where you can purchase an item without having to go through loads of screens and forms. Like something? Order it in one click, then you won’t have to think about it very much.
But online shopping services are not allowed to store the CVV number along with credit and debit card details in their shopping cart systems. So it makes sense that Amazon might decide to skip this part of the process.
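As an added illustration of questions 2 and 3 (not code from the article or from Amazon), here is a minimal card-not-present authorisation decision: lenient_authorise approves on the card number and expiry alone, while strict_authorise also demands a CVV2 and an AVS name/postcode match, and card_on_file shows why a one-click charge can never present a CVV2. The issuer record, the card number and the function names are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Constructed issuer-side record for one hypothetical card. A real issuer only
# answers match/no-match to the merchant; it never hands over these values.
ISSUER_RECORDS: Dict[str, Dict[str, str]] = {
    "4000000000000002": {"name": "J SMITH", "expiry": "12/14",
                         "postcode": "SW1A 1AA", "cvv2": "123"},
}

@dataclass
class Order:
    pan: str             # card number, printed on the card face
    expiry: str          # MM/YY, also printed on the card face
    name: str            # name the buyer typed in
    postcode: str        # billing postcode the buyer typed in
    cvv2: Optional[str]  # None when no security code was asked for

def _norm(s: str) -> str:
    return "".join(s.split()).upper()

def lenient_authorise(order: Order) -> bool:
    """Weak policy: approve on card number and expiry alone."""
    rec = ISSUER_RECORDS.get(order.pan)
    return rec is not None and rec["expiry"] == order.expiry

def strict_authorise(order: Order) -> Tuple[bool, List[str]]:
    """Also require CVV2 and an AVS name/postcode match; returns (approved, reasons)."""
    rec = ISSUER_RECORDS.get(order.pan)
    if rec is None or rec["expiry"] != order.expiry:
        return False, ["unknown card or wrong expiry"]
    reasons: List[str] = []
    if order.cvv2 is None:
        reasons.append("no CVV2 supplied")
    elif order.cvv2 != rec["cvv2"]:
        reasons.append("CVV2 mismatch")
    if _norm(order.name) != _norm(rec["name"]):
        reasons.append("cardholder name mismatch")
    if _norm(order.postcode) != _norm(rec["postcode"]):
        reasons.append("AVS postcode mismatch")
    return not reasons, reasons

def card_on_file(order: Order) -> Dict[str, str]:
    """Kept for one-click after the first purchase: card number (protected),
    expiry, name, postcode. CVV2 is never retained, so a later one-click
    charge cannot present it to strict_authorise."""
    return {"pan": order.pan, "expiry": order.expiry,
            "name": order.name, "postcode": order.postcode}

def one_click_order(stored: Dict[str, str]) -> Order:
    return Order(**stored, cvv2=None)
```

Under the lenient policy an order carrying only the details printed on the card goes through; under the strict policy it is declined with three reasons, but so is a genuine one-click repeat order, which is exactly the trade-off the article describes.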
What we do know
Banks and credit card companies have to pay back the victims of fraud unless they have been reckless. It’s hardly your fault if someone bumps into you on the tube and steals your card details because Barclays contactless cards are not secure. This means that if a transaction is made in your name on a website like Amazon, the money will eventually get back to you. In the case of Amazon, because it doesn’t ask for the CVV number, we have been told that Amazon has to cover the losses because it doesn’t follow best practice.
Finally if you have a contactless card, you might wonder how you can make your card safe. One tip I’ve picked up is to wrap your card in tin foil. It basically messes up the signal and you should be safe from data thieves. There are some wallets and purses that claim to do this as well.
There are 20 comments on this post
Hardly an exposé. No encrypted data was decrypted. Many stories in the past in respect of data held on chips in cards and travel documents. Same outcome: the only data available was that printed on the card or document, not the secure stuff. Surprised that the Dept for Business Innovation has jumped in without any thought and totally uninformed. As a contactless customer I’m not going to lose any sleep over this. My liability is limited if my actual card is lost or stolen and the card will be disabled when reported lost/stolen anyway.
Good luck with using them in Pret, stolen or not. The machines are never working in my experience.
I agree with Dave. This is a known problem and it is just one area of new generation payment card technology using EMV (Europay, MasterCard and VISA) and NFC (Near Field Communication) standards. It has been the concern of information security specialists and was discussed at a convention in January.
What is more worrying is that some new payment cards today have this technology built-in. However, the owner may not be aware that the card has the capability, as the card is not branded as contactless.
Security research organisations in the USA have already started to develop card sleeves/wallets that prevent cards from being read without the owner’s knowledge. Only when it is removed from the sleeve can the card be read.
One bit of advice is to keep your wallet/purse/bag with your contactless payment card close to you and don’t leave it exposed so that someone can get close to it to read the details wirelessly.
Great article and research Ben – it’s a story that’s been waiting to be told. We’ve spent the past three years trying to raise awareness of the potential vulnerabilities associated with this new technology; although here in the UK some will argue we’re in denial. Our findings have been collated into a suite of (free to download) PDFs, which can be found at our main website: browser search for ‘RFID PROTECT RESOURCES’
Hope this information proves helpful in some way, and once again well done for breaking this story here in the UK.
The bags work, by the way. See the video.
http://www.chyp.com/media/blog-entry/its-in-the-bag
Unlike others in this predominantly American-led sector, with RFID PROTECT (a UK-based company) customers can have RFID shielding sleeves, ID badge holders and e-passport wallets delivered to their doorsteps within approximately 48hrs from the date of purchase.
RFID PROTECT has law enforcement involvement, evidenced by its Bedfordshire police partnership status and it has become a leading resource for individuals interested in learning more about the ‘e-pickpocket’ phenomenon.
Learn more at: http://www.rfidprotect.co.uk/products.html
What I don’t understand is why this would only work for the Barclays cards; from what I can read, the card number, cardholder name and expiry were exposed. The cardholder name is the only thing in breach of UK guidelines. Any other card would expose card number and expiry during NFC transactions as well.
Further down the track it states Amazon does not check cardholder name, address or require a CVV. So basically the only information Amazon uses for a successful transaction is card number and expiry (which is visible from any issued NFC card, Visa or Mastercard).
So why is this issue only occurring with Barclays cards? Or are we talking about two different issues here that somehow merged into one article? The two being: Barclays being in breach by sending the cardholder name along, and Amazon’s willingness to wear fraud by only checking card number and expiry date?
If people are so concerned about this digital age that is going bonkers with wireless technology (that is not safe) then there is a tutorial on Youtube on how to locate the RFID chip on your debit/credit card and destroy it using a drill. This obviously will disable the contactless system but allows you to use the card. If banks really want to make a secure card, then they would do away with Chip and PIN and use Chip and Fingerprint reader (biometric security); this could also be applied for online purchases by inserting your card into a biometric reader that you hook up to your laptop or PC. But then again, I guess the bankers would not want to invest in this technology because it might cost a bit too much and would affect their annual bonus.
I did implement credit card payment systems for other online shops in the past, and I think I can answer some of the questions here:
1: Why aren’t Barclays contactless Visa cards encrypted
This wouldn’t be significantly more secure; you could still read all the (now encrypted) data from the card. You would need a second secret to decrypt the data again, for example something the cardholder could memorise, such as a password, PIN or CVV to unlock the card. However, a 4-digit PIN or 3-digit CVV number is useless as an encryption key, simply because a computer could try all 1000 possible CVV numbers to decrypt the data – and this can be done in seconds.
3: Why does Amazon not ask for the security code on the back of cards before processing a transaction?
The security code on the back of the card is not necessarily required by the bank for a successful transaction. Merchants are prohibited from storing CVV, CVV2, CVC2 & CID per PCI standards ( https://www.braintreepayments.com/blog/merchants-are-prohibited-from-storing-cvv2-csc-per-pci-standards ), but if you have any recurring charges, the merchant can charge your card without the CVV number.
Anyone see the channel 4 bit the other day? What was that all about then? Massive problem with Barclaycard contactless e-pickpockets, but don’t worry just wrap em in a bit of silver foil a la Blue Peter. Here’s a cover-up I prepared earlier…
Patrick,
To answer your question the reason that other banks cards could not be read with the mobile phone is because they are almost certainly not contactless enabled.
Barclays are the market leaders and the only bank with any real volume of cards in the market place.
The technology is excellent but as with all cards there is a risk to fraud if someone is really intent on committing it.
There is an easy and cost effective way to solve this problem for all the banks and give the cardholder confidence in contactless technology, which is to post their cards in a secure envelope (as the name and address is visible through the window section, adding further risk) and by keeping them in a small card sleeve whilst in the wallet, which can also give longevity to the card as well as protect it from potential electronic pickpocketing.
Our company already supplies both, one being a patent protected secure mailing envelope here in the UK.
If Barclays and all the banks who are planning rollouts took this initiative on board we would not be having this conversation.
By using this added layer of security the potential risk is taken away.
Barclays cards are encrypted whilst sent in the post but the potential problem is escalated when they are used for the first time when the card is activated.
Even when the card is switched off before it is activated, with the relevant software protocol the information can be skimmed and the potential fraudster just waits for activation to commence.
If the cards are shielded this potential fraud is not possible.
Some issuers are already shielding their cards both in the post with our secure foil lined envelope and card sleeves.
In the United States where the contactless market is more mature banks are starting to take this very seriously now and many are using shielding products.
What information can be gained is another question and not for me to say but more importantly it’s about making sure the cardholder doesn’t lose confidence in this technology before it really takes off.
For more information contact
chris.Benton@fredsecure.com
To Chris Benton (fredsecure.com), I tried to purchase a foil lined sleeve from you, but it appears that all you’ve got by way of an online presence is a registered domain.
Good luck with your new business and in the meantime, I’ll be buying my sleeves from RFID Protect (long established, UK-based and police partnered!) – shipping within 48hrs.
Ta
D Max,
Thanks for your message and sorry we do not market or sell our products online to the consumer.
We have the only patent protected contactless window mailing envelope solution, which we supply to the contactless card issuers in volume globally for the secure distribution of their cards whilst in transit to the cardholder.
Chris, here’s hoping our banks contact you soon. Ignoring the potential for e-pickpockets to skim sensitive data, whilst in the post, seems a pretty cavalier attitude to me. Channel 4’s report demonstrates actual proof of concept! A staggering development – why haven’t our press made more of this?
Clearly there’s a market for your product – as well as a potential problem for anyone who already has one of these particular cards. By 2012 it’s estimated that over 29 million British citizens will carry some form of RFID enabled device. Even if the banks wise up and begin issuing cards in one of your company’s patented mailing envelopes – end users could still be at risk from e-pickpockets (i.e. once they remove the card from your envelope). Think of the millions of cards already in circulation!
Until these vulnerable cards are recalled, people would be wise to shield them. For those on a budget – use tin foil or a crisp packet by all means. But for the sake of a couple of quid, I’d rather opt for something that’s up to industry standards. The US Government requires RFID shielding devices to meet with FIPS-201 standards. Loads of info at:…
I have to agree with D Max on this one. What the hell happened to this story? And what exactly were those, “questions Barclays, Visa and Amazon need to answer about contactless cards”?
I was first alerted to the possibility of ‘e-pickpocketing’ by a colleague. It was he who informed me that Channel 4 was to run a story “that could blow the whole thing wide open.” I was considerably bemused after watching the item; the big exposé transformed into high farce.
A little digging on my own part has revealed an interesting fact:-
Barclays – Channel 4 Competition
Channel 4 and Barclays obviously get along quite nicely, thank you very much. The reporter who had thought it a good idea to stir up the hornets’ nest probably thought twice after being offered the choice between a P45 or Blue Peter-style embarrassment on prime-time TV.
Just received one of these. Contacted Barclays Complaints to say I do not want one and why don’t they ask customers before sending them out given the recent bad press, Channel 4 stuff etc etc. Not feasible given the volumes involved, says he.
Then the complaints guy says contactless cards are now sent out when the old card comes to the end of its expiry date and customers like me who don’t want one have to go to their Barclays branch and request an old type debit card without the contactless stuff.
What’s that all about!
I’ve just received my shiny new contactless Barclaycard and it went straight into the shredder. Barclaycard Customer Service assure me that they can’t issue any cards without this feature/security risk so tomorrow I close my account.
I have just had someone open an account on Amazon using my credit card and they bought an item for a couple of hundred pounds. Amazon just stonewall and email me as though I have given the number to someone else and have told me to contact the police or my bank if I cannot identify the charge. They say they will need a court order to divulge any details on a separate account. They use the data protection law to refuse to give me any details on who bought what and when. My credit card company is going to try to retrieve the funds but given that Amazon are in extreme denial at the moment I am somewhat worried. I have cancelled my account with Amazon as it is rather creepy being in tandem with some identity thief who can operate the fraud from within a protective shield provided by the Data Protection Act. Looking at the conduct of our MPs past and present it would not surprise me at all if it was the case that this legislation had been deliberately designed to assist rather than hinder fraud.
Why do you care about Amazon? They take this hit on this, it’s not your problem. Call your credit card issuer and decline the charge and life goes on.