It would seem that Barclays Bank has a lot of questions to answer, and an Information Commissioner on the warpath to deal with.
Christopher Graham is preparing to hurl his security-breach-tomahawk at the bank due to a scandal which has emerged over its contactless payment Visa cards. The cards employ NFC technology for convenient “wave and pay” shopping, but it seems that they’re highly insecure when it comes to smartphones.
A Channel 4 report showed that a smartphone with a piece of specialised software installed could be tapped against a card and pull off details (which aren’t encrypted).
Thomas Cannon of ViaForensics, mobile security experts who organised the research, told the Telegraph: “All I did was I tapped my phone over your wallet.”
“Using the wireless reader on the phone I was able to lift out the details from your card, that includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air.”
Note that the pin number of the card isn’t revealed, or the security code on the rear – just the information available on the front of the Visa card. However, that’s enough to make online purchases at some retailers (such as Amazon) which don’t require the three digit security number from the back of the card. A worrying development indeed for the 15 million folks who carry these contactless cards in the UK.
Barclays defended itself by saying: “The details obtained should not be sufficient to undertake any fraudulent activity but we do depend on retailers upholding the same high standards of security when verifying payment details.”
Still, even those “basic” details on the front of the card shouldn’t be obtainable, in unencrypted form, to anyone with a bit of software on a smartphone.
The Information Commissioner is due to meet Barclays executives on Monday, and is already talking about punitive fines.Leave a comment on this article