Contactless card fraud a doddle, Which? investigation reveals
Which? researchers purchased contactless card-reading technology “easily and cheaply” from the internet, then tested 10 common contactless cards (six debit, four credit) to assess the strength of their security.
While the cards were supposedly equipped with ‘masking’ provisions to hide sensitive personal information, the consumer group easily obtained and decoded account data – including card number, expiry date and recent transaction details – using free software.
“We doubted we’d be able to make purchases without the cardholder’s name or CVV/CCV code,” an unnamed Which? researcher said.
“But we were wrong.”
Researchers went shopping with the information they had obtained, and were able to successfully place orders for expensive items on a mainstream ecommerce site, including a £3,000 television.
Concerns have previously been raised about the size of transaction allowed via contactless. When contactless cards were first introduced, transactions were capped at £15. This rose to £20 in June 2012, and is scheduled to increase to £30 this September. Transaction caps are standard across contactless cards – reducing them can be at best time-consuming, at worst impossible. This gives rise to the prospect that a lost or stolen contactless card could be used to make several payments before cancellation by the holder.
However, Which? now believes the real concern for consumers and issuers should be the ease with which payment details can be lifted from contactless cards.
“Using our card reader, we got enough details to allow us to go on an internet shopping spree – with these card details, the contactless transaction limit is irrelevant, because online transactions aren’t contactless,” the researcher continued.
Recent UK Payments Council research suggests there around 58m contactless cards in circulation the UK, with £2.32bn spent using them in 2014. Official fraud figures for contactless cards show losses attributable to contactless card fraud are currently less than 1p per £100, but Which? believes it is impossible to know the true scale of theft via contactless readers, as it would be hard for a victim to know whether their card details had been lifted this way.
Which? is calling on banks to allow consumers to opt out of contactless cards if they wish. Almost all leading debit and credit card providers issue contactless cards as standard, and few allow customers to opt out of having one.
Commenting on the Which? investigation, Peter Eisenegger, a security expert who helped develop European standards for contactless cards, said: “It’s vital to protect consumers from fraudsters who have the knowhow to develop mobile card readers with much greater reading distances than those used by retailers.”