An investigation performed by Channel 4 News reveals that the Barclays Visa contactless credit cards used by 13 million individuals contain a serious security flaw that could allow cybercriminals to make fraudulent banking transactions.
With the aid of researcher from ViaForensics, Chanel 4 News was able to demonstrate how someone could steal the card’s long number, its expiry date and the owner’s name simply by taping a mobile phone over a wallet that contains one of the Barclays contactless credit cards.
Advertised as being easy to use for making payments, these types of cards have recorded an immense popularity among individuals who want to perform purchases simply by holding their credit or debit cards up to a special reader.
The problem occurs because the data between the card and the reader is transferred in an unencrypted form, allowing almost anyone with a decent phone to steal someone’s details simply by pointing the device towards the card.
According to Visa and Barclays, the information that can be obtained with a simple card reader is not enough to perform fraudulent transactions because the PIN and the CVV are not exposed. Furthermore, they point the finger at retailers who don’t undertake adequate verification measures.
But in practice, the card number, its expiration date, and the name of its owner is more than enough to perform online transactions, even on sites operated by big names such as Amazon.
A simple test demonstrated that the information stolen from the card using a reader integrated into a mobile phone can be utilized to make purchases because Amazon does not require the CVV from customers.
After seeing the report, the Department for Business, Innovation and Skills announced that it would be contacting the Payments Council, UK Cards and Barclays to further investigate the situation and, if necessary, cancel and replace all the affected cards.