Amazon Security FAIL: Contactless Bank Cards Vulnerable to Pickpocketing via NFC Phones
Barclays contactless bank cards are vulnerable to electronic pickpocketing via NFC-enabled phones, reported Channel 4 News in the UK. In fact "millions" of Barclays customers are allegedly at risk for having "their data stolen without even knowing through readers in new mobile phones." viaForensics helped in the investigation which then led the UK government to "urge Barclays to consider recalling up to 13 million credit and debit cards."
Not too long ago, when considering NFC mobile threats on the horizon, we asked what happens when we wave our wallets to pay. In the Barclays case, Thomas Cannon, Director of R&D at viaForensics, told Channel 4, "All I did was I tap my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card, that includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air."
Some Android smartphones with built-in NFC can read contactless payment cards. viaForensics found that the degree of data leakage depends on the card type and issuer. Even with a Barclays cardholder's full name, full card number and expiration date in hand, in most cases a fraudster could not use the stolen data without the three-digit security code (CVV2) printed on the back of the card, which the contactless interface does not expose.
viaForensics reported, "Typically this would not be enough information to perform 'cardholder not present' transactions such as those over the Internet or the phone, because retailers require the CVV2 code printed on the back and a valid address. However it was found during the course of the research that there are still major retailers online, selling high value items, that do not require the CVV2 code and accept a bogus address."
One such online retailer that fails at basic security is Amazon. Lifting the card data with an NFC-enabled smartphone was only the first step; the next step exposed a serious weakness in Amazon's checkout. Channel 4 reported, "We created a new user on Amazon's website, with a different name and billing and delivery address to the card they scanned, and were able to order and receive products we purchased without any link to the cardholder. Unlike some online retailers, Amazon doesn't require the three-digit security code on the back of the card, making it very easy to use for this sort of crime."
Are there other sites with security as lax as Amazon's that do not require a CVV2 code and would let a thief use your stolen bank card details?
viaForensics Director of R&D Thomas Cannon replied, "Amazon was found and reported by Channel 4 News as we tend to shy away from publicly identifying actual places where it would be easy to commit fraud. Our job in the piece was essentially to prove that cards can be read by something as innocuous as a mobile phone."
Are there any credit cards in the USA that are vulnerable to this same type of electronic pickpocketing via NFC-enabled phones?
We haven't tested any recently, but some US cards are known to give up the information, American Express being the most recent example I've seen. In some cases the US cards do not give up the actual card holder name, instead the name appears as "Valued Cardholder", which is the way it should be. However, even without the name, it has been shown that one can program the data to a blank magnetic stripe card and use it to purchase goods with, for example, the Square payment system for mobile phones. I do not believe the magnetic stripe approach would work in the UK due to our payment systems but I haven't tried it.
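To make concrete what "the details coming out through the air" looks like, and how the degree of leakage differs between a card that returns the cardholder name and one that returns only "Valued Cardholder", here is an added example that is not code from viaForensics, Channel 4 or Barclays. It decodes the BER-TLV record an EMV contactless card returns to a READ RECORD command and reports which clear-text fields are present. The tag numbers (5A for the PAN, 5F24 for expiry, 5F20 for cardholder name, 57 for Track 2 equivalent data) are from the public EMV specification; the two record byte strings are constructed for illustration using well-known test card numbers and are not dumps of any real card. The example starts from record bytes already in hand and does not include the APDU exchange with the card that produces them.

```python
# Added example (not viaForensics' or Channel 4's code): decode the BER-TLV
# record an EMV contactless card hands back to READ RECORD and report which of
# the fields the article describes (PAN, expiry, cardholder name) are in clear.
# Tag numbers are from the public EMV specification. The sample records below
# are constructed for illustration with standard test PANs; they are not real.


def parse_tlv(data: bytes) -> dict:
    """Flatten a BER-TLV byte string into {tag_hex: value}, descending into
    constructed templates (bit 6 of the first tag byte set, e.g. 70 or 77)."""
    fields = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # padding between objects, skip it
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:             # multi-byte tag: continues while bit 8 set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                    # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:                     # constructed: recurse into the template
            fields.update(parse_tlv(value))
        else:
            fields[tag] = value
    return fields


def luhn_ok(pan: str) -> bool:
    """Luhn check: a sanity test that the decoded digits form a plausible PAN."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def decode_card_data(record: bytes) -> dict:
    """Return the clear-text card fields found in one READ RECORD response."""
    tlv = parse_tlv(record)
    out = {}
    if "5A" in tlv:                          # Application PAN: BCD digits, F-padded
        out["pan"] = tlv["5A"].hex().upper().rstrip("F")
    if "5F24" in tlv:                        # Application expiry: BCD YYMMDD
        yymmdd = tlv["5F24"].hex()
        out["expiry"] = f"{yymmdd[2:4]}/{yymmdd[0:2]}"
    if "5F20" in tlv:                        # Cardholder name: ASCII
        out["name"] = tlv["5F20"].decode("ascii").strip()
    if "57" in tlv:                          # Track 2 equivalent: PAN 'D' YYMM SVC discretionary
        track2 = tlv["57"].hex().upper().rstrip("F")
        pan, rest = track2.split("D", 1)
        out.setdefault("pan", pan)
        out.setdefault("expiry", f"{rest[2:4]}/{rest[0:2]}")
        out["service_code"] = rest[4:7]
    if "pan" in out:
        out["pan_luhn_ok"] = luhn_ok(out["pan"])
    # "Valued Cardholder" is the placeholder the article mentions for some US cards;
    # treating only that string as a placeholder is an assumption of this example.
    out["name_exposed"] = "name" in out and out["name"].upper() != "VALUED CARDHOLDER"
    return out


def _tlv(tag: bytes, value: bytes) -> bytes:
    """Encode one short-form TLV (all sample values are shorter than 128 bytes)."""
    return tag + bytes([len(value)]) + value


# Constructed sample 1: PAN, expiry, name and Track 2 all returned in clear.
UK_STYLE_RECORD = _tlv(b"\x70",
    _tlv(b"\x5A", bytes.fromhex("4111111111111111"))
    + _tlv(b"\x5F\x24", bytes.fromhex("251231"))
    + _tlv(b"\x5F\x20", b"MR J SMITH")
    + _tlv(b"\x57", bytes.fromhex("4111111111111111D2512101123456789F")))

# Constructed sample 2: only Track 2 data plus a placeholder instead of the name.
US_STYLE_RECORD = _tlv(b"\x70",
    _tlv(b"\x57", bytes.fromhex("371449635398431D24061010000000"))
    + _tlv(b"\x5F\x20", b"VALUED CARDHOLDER"))


if __name__ == "__main__":
    for label, rec in (("UK-style", UK_STYLE_RECORD), ("US-style", US_STYLE_RECORD)):
        print(label, decode_card_data(rec))
```

Run against real records, the same decoder shows an issuer or tester exactly what a phone can lift from a given card: in the first constructed sample everything Channel 4 describes is present, while in the second the name is a placeholder and the PAN and expiry come only from the Track 2 equivalent, which is what makes the magnetic-stripe cloning route mentioned above possible even without a name.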