Which? reveals contactless card flaw

Researcher 'lifts' enough details to order £3,000 TV

22 July 2015


Which? has revealed a security flaw in contactless cards that thieves could exploit to make expensive online purchases.

After easily and cheaply acquiring contactless card-reading technology from a mainstream website, our researchers were able to remotely 'steal' key details from a contactless card and use them to order items, one of which was a £3,000 TV. 

Contactless payment cards tested 

Our researchers tested 10 cards (six debit and four credit, from volunteers) to assess security risks. 

Contactless cards are coded to 'mask' personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards.

We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back).

We doubted we'd be able to make purchases without the cardholder's name or CVV code - but we were wrong. 

'Stolen' details used to order TV

We ordered two items - one a £3,000 TV - from a mainstream online shop using 'stolen' card details, combined with a false name and address. We've alerted the store involved. 

The UK Cards Association admitted that although levels of encryption have increased, it's still 'possible' for card details to be read remotely. 


Fraudsters with contactless card readers 

The limit for a contactless transaction rose from £15 to £20 in June 2012, and will rise to £30 in September this year. 

But, by touching volunteers' cards to our card reader, we got enough details to allow us to go on an internet shopping spree. With these card details, the contactless transaction limit is irrelevant, because online transactions aren't contactless. 

Peter Eisenegger, a security expert who helped develop European standards for contactless cards, told us that it would be possible for criminals to obtain card readers that could read details from further away than the one in the Which? test.

He said: 'It's vital to protect consumers from fraudsters who have the knowhow to develop mobile card readers with much greater reading distances than those used by retailers.'

Official fraud figures for contactless cards show losses attributable to contactless fraud are less than 1p per £100, but it's impossible to know the true scale of theft via contactless readers, as it would be hard for the victim to know whether their card details had been lifted this way.  
