Contactless payments have been shown to be insecure, following an investigation that revealed Barclays customers could have their card data stolen without even knowing about it.
A report by Channel 4 News found that readers for Barclays Contactless cards can be adapted to access data. The readers are now being built into mobile phones as standard, and 13 million Barclays customers currently use them.
Working with a mobile phone security company, Channel 4 News managed to take data with just a swipe, and then use it to purchase multiple goods online. It said it would be possible to gain access to this data merely by nudging someone's wallet, through clothes, in a crowded public space.
Thomas Cannon of ViaForensics told Channel 4 News that he was able to get the long card number, expiry date and owner's name just by tapping his phone over a wallet. “None of it was encrypted, it was simply a case of the details coming out through the air,” he said.
The investigation was only able to access the details of Barclays-issued Visa cards. The UK Card Association says guidelines state that the cardholder's name should not be transmitted.
Barclays told Channel 4 News: “The security of our customers' money and personal details is a top priority at Barclays so we are understandably concerned about these transactions.
“We are compliant with scheme rules for Contactless, and our fraud guarantee refunds any fraudulent losses to customers in full. The only information which can be obtained from a chip is the same as that which is printed on the front of the card – this does not include secure information such as PIN or signature (CVV) code.
“The details obtained should not be sufficient to undertake any fraudulent activity, but we do depend on retailers upholding the same high standards of security when verifying payment details. To be clear, this is not an issue with Contactless but with the checks undertaken for ‘card not present’ payments by some retailers.
“As a matter of urgency we are now engaging with retailers to ensure they are undertaking adequate and robust checks. We remain committed to Contactless and firmly believe that it continues to be a safe and viable payment system.”
Channel 4 News was able to complete a transaction which did not require the CVV code.
The Government Department for Business, Innovation and Skills said: “Channel 4 News's investigation has revealed serious security flaws in the payment procedures of some of the contactless card operators.
“There are standards in place which are designed to prevent this and all operators should comply with them. We call on the card issuers to act quickly to address this issue and to cancel and replace cards if necessary.”