On Friday, British TV saw a report from Channel 4 News which claimed that Barclays banking customers who used contactless cards could have their data stolen without their knowledge.
The report claimed that millions of Barclays customers were exposed to fraud.
When I watched Benjamin Cohen's report on Channel 4 News, I thought it was entertaining and I am always supportive of anything that helps keep information security at the forefront of people's minds.
However, in the commentary that arose afterwards, I wondered whether others might be getting concerned about Near Field Communication (NFC) technology and contactless payments, when they should be more concerned about a much older problem.
The data that the news report showed being recovered using NFC was no more than any shopkeeper has after seeing your card, or than the person standing behind you in the queue could read. If NFC is used for a transaction by "bonking" the card only (no other information required), then Barclays requires that the financial sum involved be relatively small.
Being able to pick up this data in the way shown is not a new "exploit", as such. The news item has highlighted that the new generation of mobile phones, with in-built NFC, are now more widely available and therefore make it a lot easier to acquire these basic credit card details. A lot easier with the new mobile devices – yes. But is that really the problem?
The real issue for me is that online retailers, especially ones that trade as extensively as Amazon, are able to undertake "cardholder not present" transactions without the corroborative information required by the relevant standards. As Channel 4's piece showed, the transaction required neither the CVV number (the security number on the back of the card) nor even the cardholder's billing address.
To do this, Amazon must have been given a dispensation by whoever does their processing (their acquiring bank), and that bank is not Barclaycard.
I can only assume that Amazon has such an enormous online presence that their acquiring bank is willing to waive some of what is normally required by the standards.
There is little for consumers in the UK to worry about, as we are protected when making credit card transactions, and unless the CVV is provided as part of the transaction, the liability for any fraud falls somewhere between the retailer, card issuer and acquirer.
If we were to assume that in this case Amazon had agreed to assume all of the liability, then it must be worth their while to take the ensuing risks for the ease it offers their customers. It would be a business risk trade-off: increased sales versus potential fraud.
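To make the distinction concrete, here is a small model of a merchant-side "cardholder not present" authorization gate, with the lax policy described above (card-face details only) beside a policy that insists on the CVV and billing-address checks. This is an added example, not code from the post or from Amazon, Barclaycard or any acquirer; the policy names, the request fields and the sample transactions are assumptions constructed for illustration.

```python
"""Merchant-side card-not-present (CNP) authorization gate: a lax policy that
accepts card-face details alone versus one that demands CVV and billing-address
(AVS) corroboration. Added example; policy names, field names and the sample
transactions are assumptions, not any real processor's rules."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class CnpPolicy:
    """Which corroborating checks a CNP transaction must carry."""
    name: str
    require_cvv: bool  # the security number on the back of the card
    require_avs: bool  # billing-address verification


# Assumed policies: the lax one mirrors the behaviour the post describes,
# the strict one the corroboration the card-scheme rules normally expect.
LAX_POLICY = CnpPolicy("card-face-only", require_cvv=False, require_avs=False)
STRICT_POLICY = CnpPolicy("cvv-and-avs", require_cvv=True, require_avs=True)


@dataclass
class CnpRequest:
    """Fields a merchant submits for authorization. The first three are what is
    printed on the card face (and what an NFC read yields); None for
    cvv_match / avs_match means that check was never submitted at all."""
    pan_last4: str
    expiry: str
    cardholder_name: str
    amount_gbp: float
    cvv_match: Optional[bool] = None
    avs_match: Optional[bool] = None


@dataclass
class Decision:
    approved: bool
    policy: str
    corroborated: bool  # True only if both CVV and AVS were checked and matched
    missing: List[str] = field(default_factory=list)


def authorize(req: CnpRequest, policy: CnpPolicy) -> Decision:
    """Apply a CNP policy. Required checks that were never submitted decline the
    transaction; a submitted check that fails declines it under any policy."""
    missing = []
    if policy.require_cvv and req.cvv_match is None:
        missing.append("cvv")
    if policy.require_avs and req.avs_match is None:
        missing.append("avs")
    corroborated = req.cvv_match is True and req.avs_match is True
    if missing:
        return Decision(False, policy.name, corroborated, missing)
    if req.cvv_match is False or req.avs_match is False:
        # A check was performed and failed: decline even under the lax policy.
        return Decision(False, policy.name, corroborated, ["mismatch"])
    return Decision(True, policy.name, corroborated)


def uncorroborated_approvals(decisions: List[Decision]) -> int:
    """Fraud-monitoring signal: approvals that rested on card-face data alone.
    These are the transactions a merchant on a lax policy is carrying the
    risk for."""
    return sum(1 for d in decisions if d.approved and not d.corroborated)


# Constructed samples: a request built from nothing but the card face, a fully
# corroborated order, and one where the submitted CVV was wrong.
CARD_FACE_ONLY = CnpRequest("4242", "12/14", "A N OTHER", 49.99)
FULLY_CHECKED = CnpRequest("4242", "12/14", "A N OTHER", 49.99,
                           cvv_match=True, avs_match=True)
WRONG_CVV = CnpRequest("4242", "12/14", "A N OTHER", 49.99,
                       cvv_match=False, avs_match=True)

if __name__ == "__main__":
    for policy in (LAX_POLICY, STRICT_POLICY):
        for req in (CARD_FACE_ONLY, FULLY_CHECKED, WRONG_CVV):
            print(policy.name, authorize(req, policy))
```

Run stand-alone it prints six decisions: the card-face-only request is approved under the lax policy (uncorroborated) and declined under the strict one for missing CVV and AVS, while the wrong-CVV request is declined under both. The `uncorroborated_approvals` count is the figure a merchant choosing the lax policy would want to watch, since those are the orders it has chosen to absorb the fraud risk for.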
So, I think it leaves us with a couple of questions about contactless payment to consider:
- How worried are you that someone knows your credit card face details? It feels like an invasion of privacy, so it will concern some people.
However, put the question another way: how worried should you be? I suspect many people would not be that worried, as these details are already widely known.
Having said that, I suspect the increasing ease with which this can be done will prompt the card issuers to collaborate. They could provide mechanisms that protect the data further, if only because customer trust is such a vital issue for both retailers and card issuers.
- Are you happy completing transactions with a retailer that sacrifices transaction security for ease of use?
Where the customer is not taking the risk, I suspect most will prefer ease of use over security. That is, until fraud becomes so widespread that users find themselves spending as much time reporting fraudulent transactions to the card issuer as they do ordering their items.
Image of stolen data, courtesy of Channel 4 News.