Millions of debit and credit card holders are at risk of having their personal data mined by thieves exploiting a loophole in the latest ‘contactless’ payment technology.
Card numbers and personal details can be read almost instantly by a remote device such as a mobile phone, according to cyber-crime experts.
Contactless cards have been in use for five years and are becoming increasingly popular as they save time for retailers and customers by speeding up transactions.
Customers use them to pay for low-value items (£20 or under) without having to key in a PIN or scrabble around for cash. Instead, they simply hold their card over an electronic reader at the till.
But the new technology is vulnerable to thieves and conmen. Any stranger who found or stole one of the cards could go on a small-scale spending spree of up to £100 – as the reader requires a PIN only after five transactions in one day.
And this week The Mail on Sunday witnessed how details from the cards can be wirelessly copied by a touch screen phone – modified with parts bought on the internet for as little as £30.
The phone – which was adjusted by security expert Martin Emms and his team of researchers at Newcastle University’s Centre for Cybercrime and Computer Security – also accessed the last ten transactions made on the account.
By simply holding the phone near a wallet, our reporter was able to download the details within two seconds, fuelling fears that the technology could be exploited by thieves in a crowd or by brushing past someone.
The unsuspecting victim would be unaware their data had been stolen until they received their bank statement, but the stolen information could be used to make purchases online from retailers such as Amazon, who do not require a security code or further checks for most purchases.
Mr Emms, who has published a report into contactless card flaws, said: ‘We have produced a phone which speaks the same language as the cards and used this to obtain data from them.
‘With it, we have been able to strip contactless cards of the account-holder’s name, 16-digit number, and expiry date. In some cases, we have even been able to obtain the last ten purchases, which is one of the security questions asked by banks.
‘With this information alone we have been able to make purchases on Amazon. It is alarming because the information provides the basis that, with a little more research, could see thieves strip a bank account.’
Mr Emms added it was ‘reasonable to expect’ that around 30 million bank cards could be at risk of having their data read by modified mobile phones.
In April 2012, Barclays began to issue new cards they claimed were more secure after fears were expressed about the flaws. However, they replace older cards only when they expire or a replacement is needed.
Mr Emms added: ‘Our research has exposed a number of flaws in contactless bank-card technology and we are desperate for the banks to do more before the loopholes are exploited by thieves.’
The flaws have provoked warnings from security analysts that the contactless technology could be ‘wide open to exploitation’ by thieves.
Ross Anderson, professor of security engineering at Cambridge University, also fears the contactless system could prove a boon for thieves. He said: ‘The problem with contactless cards is they have been rolled out in a haphazard way without careful thought into the consequences.