Contactless card vulnerability: lose £30 just by bumping into someone

money-256280_1920An interesting article from Roi Perez of SC Magazine, which should cause concern for all of us who use contactless payment cards. On Perez’s morning commute, a man bumped into him on the train. So far, so normal. But the ‘bump’ lasted “a bit too long”, which raised Perez’s suspicions. “[It] took me a second to realise what had just happened,” he reports. “I called my bank and found out that said individual had managed to steal £20 from my account via a contactless card payment”.

While Europay, MasterCard and Visa – the three founding companies responsible for the EMV standard for processing card transactions – say that “the industry has made every effort to ensure that customers are protected from fraud”, they acknowledge that “[no] system is perfect, and there is always scope to go on reviewing and developing security protections.”

Card readers are available for as little as £79. A Which? study from July this year tested ten contactless payment cards, and confirmed that, “using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards.”

The contactless card limit is now £30, but there are no limits to online transactions because they aren’t contactless. As Which? explained: “By touching volunteers’ cards to our card reader, we got enough details to allow us to go on an internet shopping spree.”


One Response

  1. Piers 23rd October 2015