SC staff hit by contactless card theft

A member of the SC team has had money taken from their bank account, apparently via a contactless card theft.

SC staff hit by contactless card theft
SC staff hit by contactless card theft

A train journey to work is a very innocuous thing. But when a man slowly bumped into me and my pocket for a bit too long, it took me a second to realise what had just happened. I called my bank and found out that said individual had managed to steal £20 from my account via a contactless card payment; my bank promptly reimbursed me.

Technologically speaking, I'm very curious about how something like this happened. Contactless payment cards do contain normal RFID chips, but they also have secure microprocessors and memory, which have the ability to perform cryptographic processing. Meaning it wouldn't just give away card details to anyone who asks for them.

Europay, MasterCard and Visa, the three companies that created the EMV standard for processing card transactions say that due to the security on the card, it is not possible to steal things like a person's billing address and CVV code, so the hacker wouldn't be able to process online transactions after-the-fact.

The consumer research group Which? conducted a study back in July 2015 that refuted this however - “Contactless cards are coded to 'mask' personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards. We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back). We doubted we'd be able to make purchases without the cardholder's name or CVV code - but we were wrong.”

There are no statistics to show the scale of theft attributable to contactless technology fraud as it would be hard for the victim to know whether their card details had been lifted this way. Presumably in my case, as someone managed to already take money and not just card details, this person was clearly miles ahead when it came to preparation.

It got me wondering what processes a hacker would have to go through to get hold of a ‘Merchant' account and start processing genuine payments. The card readers are readily available, you can buy an iZettle contactless reader from Costco for £79. Competitor Stripe doesn't have a reader, but there are card readers available for Stripe users. PayPal and BarclayCard are also entering the arena of accepting payments through a mobile app.

It gets even more interesting when you take into consideration that someone could be taking money from the account the stolen money goes into, converting it into Bitcoins and the money is never to be seen again as all Bitcoin transactions are anonymous.

The crux of this would be getting the merchant ID and passing the resulting credit checks your chosen card processor would use to ensure you are who you say you are. I have no idea whether the individual got past this hurdle or had access to a legitmate account.

Official fraud figures show losses attributable to contactless fraud are less than 1p per £100 spent in the UK. And the UK Card Association actually showed two percent drop in card crime cases in 2014 in comparison to the previous year.