Hackers could steal basic data from contactless payment cards, enabling them to carry out online transactions worth up to £3,000, says consumer association Which?.
Using what they describe as ‘easily and cheaply’ available technology, the group’s researchers were able to read data from six credit cards and four debit cards, including the card numbers and expiry dates.
"Contactless cards are coded to 'mask' personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards," said a Which? spokesman.
"We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back)."
To their surprise, even such a limited amount of data, without the cardholder's name or the security code, was enough to place orders online in some cases.
"We ordered two items - one a £3,000 TV - from a mainstream online shop using 'stolen' card details, combined with a false name and address."
This is not the first time researchers have pointed to the weakness of contactless transactions. E&T magazine reported in 2013 on a study by Surrey University researchers demonstrating that contactless data transmissions could be easily intercepted by home-made equipment.
Contactless payment continues to grow rapidly in popularity. The UK Cards Association estimates customers spent more than £2bn last year using contactless.
And although the limit on contactless transactions is rather low, currently £20, the data intercepted during the payments could be enough to allow a hacker to spend much more.
"By touching volunteers' cards to our card reader, we got enough details to allow us to go on an Internet shopping spree," said the Which? spokesman. "With these card details, the contactless transaction limit is irrelevant, because online transactions aren't contactless."
However, the UK Cards Association reassured consumers that they are fully protected against such fraud losses.
"Instances of fraud on contactless cards are in fact extremely rare, with losses of less than a penny for every £100 spent on contactless - far lower even than overall card fraud," said Richard Koch, head of policy at the UK Cards Association.
"The method shown by Which? is not a new discovery and was first reported two years ago. However, any such technology can only obtain the card number and expiry date - information that has always been available simply by looking at the front of a card."
He added that most online retailers require additional data such as the card security code, along with the cardholder's address, which cannot be harvested electronically. Any retailers that do not require the security information will be liable in case of fraudulent transactions, he said.
Watch E&T’s interview with Johann Briffa from the University of Surrey about intercepting data from contactless transmission with simple home-made equipment.