If you're afraid that using contactless payment systems means someone could easily steal your credit card info and use it to buy a £3,000 TV, you’re totally right.
That is according to Metro, which says thieves could exploit a security flaw to steal key data from contactless debit and credit cards using equipment readily available online.
It quotes a consumer group named Which? that says it used ‘easily and cheaply’ acquired technology from a mainstream website to take enough information from cards to place orders for items including a £3,000 television set.
Researchers tested six debit cards and four credit cards, and Which? said they all revealed some data.
A Which? spokesman told Metro: “Contactless cards are coded to ‘mask’ personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards.”
“We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).”
The spokesman also said they managed to use that data and buy a couple of items. One of them was a £3,000 TV, purchased from a “mainstream online shop”.
“We doubted we’d be able to make purchases without the cardholder’s name or CVV code – but we were wrong,” he says.
“We ordered two items – one a £3,000 TV – from a mainstream online shop using ‘stolen’ card details, combined with a false name and address.”
UPDATE: Paul McEvatt, Lead Security Specialist and Cyber Consultant UKI at Fujitsu, has commented: “This discovery is not particularly new, however it once again highlights the growing security risk associated with contactless payments – it is no surprise that it continues to put users off the technology.
“According to Fujitsu’s recent research into digital enablement, more than one in five of us will now always use a digital service when it is offered by an organisation. Yet, despite the surge in usage, concerns still remain. Of the 12 per cent of UK consumers who said they never use digital services when offered to them, the second highest reason given for this was security concerns.
“Companies are no longer fighting against individuals, but a sophisticated cyber criminal industry, with intentions to steal data and use it for malicious purposes. As such, to mitigate the risk the banking industry should look to continue to investigate ways to counter these threats and deploy state-of-the-art security, continuing to communicate to users how to protect themselves from such fraud.
“By highlighting the security measures being taken both internally and for their customers, banks will be reiterating their dedication to the contactless payment industry. This is an opportunity for banks to step up and challenge the newly emerging key players in this market.”