“Millions more British bank customers have been exposed to fraud through the latest credit and debit card technology, writes Channel 4 News technology producer Geoff White.” This is from an article on the Channel 4 website today (29th March).
I contacted one of our Senior Security Consultants for comment on this.
This is nothing new, as it was reported 5 years ago in late 2007. I recall reading that this new technology could put holders of such cards at risk from ‘contactless pickpocketing’.
The main difference is that other new technology, such as smartphones equipped with suitable, easily available software, is now available to the bad guys to intercept the holder’s non-encrypted Name, Primary Account Number (PAN) and Expiry Date transmitted by the contactless card to the payment reader.
Normally, such information by itself should not lead to a successful fraud transaction, as other details such as the holder’s address, PIN and/or the CVV number on the card are required to enable an approved card transaction to take place. So, whilst the contactless card and card reader providers look to make their end of the transaction more secure, e.g. by making the range from reader to card very small or zero – à la Oyster – this also makes it difficult for the intercepting smartphone, as it too would have to be very close to the user to read the information. For example, if the reader range is limited to a 2.5 cm / 1 inch radius, then the interception technology typically has to be within 18 cm / about 7 inches. Of course, they may just look at encrypting the data stream from the contactless card to the reader, just as online transactions are protected by SSL encryption.
Of course, if web sites such as Amazon have allowed card transactions to take place with only Name, PAN and Expiry Date details, that goes against VISA and other card provider rules, so they must review their practices as a matter of urgency. Meanwhile, whilst all this is going on, concerned users could go out and buy themselves a metal shielded wallet for their cards to stop the ‘contactless pickpocketing’ of information by the fraudsters!
PCI DSS states that the CVV must not be stored anywhere except briefly when the card is authorised for use as payment, and then securely deleted. But the sellers of goods know they must use all the elements described, else it will be they who lose out, as they are not following the rules for using credit cards. It is the sellers who need to get their act together – I must admit I cannot remember any time when I have not been required to give all the details, either over the phone, by post, email or Internet. Given that it was reported in the Channel 4 article that lists of websites which do not require CVV are shared by fraudsters, though, clearly there is a huge risk being taken by the websites who allow this.
As for the contactless cards – like all new and emerging technologies – the initial security requirements will change in response to new and emerging threats, as has always been the case. Users are more savvy now than they ever were, so that helps as well in combating fraud. I take it you check your bank and credit card statements item by item on a monthly basis? If there has been fraud, typically your bank will refund you after an investigation, and if the seller has been negligent they will be liable to fines and penalties and possible withdrawal of card payment services.
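To make the PCI DSS point above concrete, here is an added example (not from the article or from Advent IM) of what a merchant's own code should do with the card details the consultant lists: keep only a masked PAN once the card is authorised, never persist the CVV, and scan its own logs for unmasked PANs that slipped through. The card numbers and log lines are constructed test data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(pan: str) -> bool:
    """True if the digits pass the Luhn check that every card PAN satisfies."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most first six and last four digits (PCI DSS display rule)."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

@dataclass
class CardAuthRequest:
    name: str
    pan: str
    expiry: str
    cvv: Optional[str]     # needed only for the authorisation call itself

def record_for_storage(req: CardAuthRequest) -> dict:
    """The only record a merchant may keep after authorisation: no CVV,
    PAN masked. The CVV lives in the request object and is dropped here."""
    return {"name": req.name, "pan": mask_pan(req.pan), "expiry": req.expiry}

def find_unmasked_pans(log_lines):
    """Return (line number, masked PAN) for every Luhn-valid, unmasked PAN
    found in a log: each hit is a PCI DSS finding to fix in the logging code."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(0)):
                hits.append((n, mask_pan(m.group(0))))
    return hits

# Constructed sample log: a compliant entry, a debug leak, and an order id.
SAMPLE_LOGS = [
    "2012-03-29 10:01:02 auth ok pan=411111******1111 amount=12.50",
    "2012-03-29 10:01:03 DEBUG raw request name=J Doe pan=4111111111111111 exp=0314 cvv=123",
    "2012-03-29 10:01:04 order id=1234567890123456 shipped",
]
```

Only the second line is reported: the masked PAN has no 13-digit run and the order id fails the Luhn check, so the scan is quiet on normal traffic.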
If you or your business need support with PCI DSS compliance or other security-related issues, you can visit the website http://www.advent-im.co.uk/pci_compliance.aspx