Retail Technology
Contactless payment forensics finds payment NFC phones reveal card information


A mobile security forensics firm has demonstrated contactless payment card data leakage using a near-field communication (NFC) enabled mobile phone.

In the demonstration, viaForensics used an Android phone with built-in NFC, such as the Samsung Nexus S, to touch a wallet containing a Barclays contactless card and capture the card details.

The firm was commissioned by the UK’s Channel 4 News to investigate the data security risks that may be associated with contactless credit and debit cards, and the NFC data leakage demonstration aired late last Friday.

The forensics firm said it proved some contactless payment cards could be read with NFC-enabled Android smartphones, but that the amount of information they give up depends on the card type and issuer.

The newer generation of cards, issued over the past several years, should have been protected against reading of complete card details, giving out at most the card number and expiry, which is of limited use to a fraudster.

Recently issued cards affected

But Ted Eull, viaForensics technology services vice president, said in a blog posting that, in demonstrating the technique to Channel 4 News, the firm found that there are still many cards in circulation, including recently issued cards, which give up the full card number, expiry, surname and initials.

“Typically this would not be enough information to perform ‘cardholder not present’ transactions such as those over the Internet or the phone, because retailers require the CVV2 code printed on the back and a valid address,” he wrote. “However it was found during the course of the research that there are still major retailers online, selling high value items, that do not require the CVV2 code and accept a bogus address.”

He said that the NFC reader built into some Android devices can also act as a payment card itself, and that viaForensics has been researching the security of mobile payment solutions such as Google Wallet.

“It is worth noting that the phone does not suffer from the same issue of having its data read while in your pocket, as the NFC hardware is disabled while the screen is off,” Eull added. “Although not a new issue or exploit, this demonstration illustrates the continuing security issues faced by the payment card and mobile industries as they seek to advance convenient payment technology while providing security for the consumer.”

Maintaining security standards

Barclays issued a statement in which it said the security of its customers’ money and personal details is a top priority for the bank, and that it is understandably concerned about these transactions. “We are compliant with scheme rules for contactless and our fraud guarantee refunds any fraudulent losses to customers in full,” it stated.

And it reiterated Eull’s point about the limited amount of information obtained in the demonstration: “The only information which can be obtained from a chip is the same as that which is printed on the front of the card – this does not include secure information such as PIN or signature (CVV) code. The details obtained should not be sufficient to undertake any fraudulent activity, but we do depend on retailers upholding the same high standards of security when verifying payment details.”

“To be clear, this is not an issue with contactless but with the checks undertaken for ‘card not present’ payments by some retailers.”

Barclays added that it was now engaging with retailers to ensure they are undertaking adequate and robust checks “as a matter of urgency”. “We remain committed to contactless and firmly believe that it continues to be a safe and viable payment system,” it concluded.
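Both Eull’s finding that some online retailers accept orders without a CVV2 and with a bogus address, and Barclays’ point that the weakness lies in retailers’ ‘card not present’ checks, come down to the same merchant-side control. The following is an added example written for this article, not code from viaForensics, Barclays or any retailer: a checkout gate that refuses a card-not-present order unless a CVV2 was supplied and a billing address given, and that then acts on the issuer’s CVV2 and address-verification (AVS) result codes rather than on the bare ‘approved’ flag. The result letters (M, Y, A, Z, N, U and so on) are an assumption based on common processor conventions, and the checkout requests and issuer responses are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Result letters as returned by many card processors (assumed, Visa-style
# conventions; map your own acquirer's codes before relying on these).
CVV2_MATCH = {"M"}                 # CVV2 matched
AVS_FULL_MATCH = {"Y"}             # street and postcode both matched
AVS_PARTIAL_MATCH = {"A", "Z"}     # only street (A) or only postcode (Z) matched
AVS_NOT_CHECKED = {"U", "R", "S"}  # issuer could not or did not verify


@dataclass
class CnpRequest:
    """What the shopper submitted at checkout (constructed sample data)."""
    pan_last4: str
    expiry: str
    cardholder: str
    cvv2_supplied: bool        # the CVV2 itself is never stored; only whether it was given
    billing_street: str
    billing_postcode: str


@dataclass
class IssuerResponse:
    """What came back from the authorisation request (constructed sample data)."""
    approved: bool
    cvv2_result: str           # e.g. "M" match, "N" no match, "P" not processed
    avs_result: str            # e.g. "Y", "A", "Z", "N", "U"


@dataclass
class Decision:
    accept: bool
    reasons: list = field(default_factory=list)


def pre_auth_checks(req: CnpRequest) -> list:
    """Reasons to refuse before spending an authorisation request on the issuer.

    Data readable from a contactless chip (PAN, expiry, name) never includes
    the CVV2 or a billing address, so an order lacking either is refused here.
    """
    reasons = []
    if not req.cvv2_supplied:
        reasons.append("cvv2_missing")
    if not req.billing_street.strip() or not req.billing_postcode.strip():
        reasons.append("billing_address_incomplete")
    return reasons


def post_auth_checks(resp: IssuerResponse, allow_partial_avs: bool = False) -> list:
    """Reasons to refuse after the issuer answered.

    Issuers commonly approve a transaction even when CVV2 or AVS did not match
    and leave it to the merchant to act on the result codes, so the 'approved'
    flag alone is not a sufficient check.
    """
    reasons = []
    if not resp.approved:
        reasons.append("issuer_declined")
    if resp.cvv2_result not in CVV2_MATCH:
        reasons.append("cvv2_result_" + resp.cvv2_result)
    if resp.avs_result in AVS_FULL_MATCH:
        pass
    elif resp.avs_result in AVS_PARTIAL_MATCH and allow_partial_avs:
        pass
    else:
        reasons.append("avs_result_" + resp.avs_result)
    return reasons


def decide(req: CnpRequest, resp: Optional[IssuerResponse] = None,
           allow_partial_avs: bool = False) -> Decision:
    """Full gate: refuse incomplete requests up front, then apply issuer results."""
    reasons = pre_auth_checks(req)
    if reasons:
        return Decision(False, reasons)
    if resp is None:
        return Decision(False, ["no_issuer_response"])
    reasons = post_auth_checks(resp, allow_partial_avs)
    return Decision(not reasons, reasons)


def demo() -> dict:
    """Three constructed checkouts: chip data only, approved-but-mismatched, genuine."""
    chip_data_only = CnpRequest("4321", "12/25", "A SMITH", False, "", "")
    guessed = CnpRequest("4321", "12/25", "A SMITH", True, "1 Nowhere St", "XX1 1XX")
    genuine = CnpRequest("4321", "12/25", "A SMITH", True, "10 High St", "AB1 2CD")
    return {
        "chip_data_only": decide(chip_data_only),
        "approved_but_mismatch": decide(guessed, IssuerResponse(True, "N", "N")),
        "genuine": decide(genuine, IssuerResponse(True, "M", "Y")),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(name, "ACCEPT" if d.accept else "REFUSE", d.reasons)
```

The second constructed case is the one that matters most: the issuer approves, yet the CVV2 and address both came back as non-matching, and a retailer that keys only on the approval would ship the goods. Whether a partial AVS match (street or postcode only) is acceptable is a business decision, so it is exposed as a flag rather than hard-coded.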