Millions of Barclays customers at risk in NFC attack

Summary:Up to 13 million UK customers of Barclays Bank are vulnerable to losing payment card details through a mobile phone attack, ZDNet UK has learned.In a report due to be transmitted on Channel 4 News on Friday, the broadcaster is to say that contactless readers in mobile phones can be reprogrammed to extract card data from Barclays cards when they come near each other, even through clothing, wallets or bags.

Up to 13 million UK customers of Barclays Bank are vulnerable to losing payment card details through a mobile phone attack, ZDNet UK has learned.

In a report due to be transmitted on Channel 4 News on Friday, the broadcaster is to say that contactless readers in mobile phones can be reprogrammed to extract card data from Barclays cards when they come near each other, even through clothing, wallets or bags.

In a test conducted in conjunction with a mobile forensics company, Channel 4 News reporters extracted data from a card without authorisation and used that data to purchase goods online.

In an emailed statement, the broadcaster said: "Thomas Cannon of ViaForensics told Channel 4 News : 'All I did was I tap my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card, that includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air'."

Channel 4 News was only able to access the details of Barclays-issued Visa cards. Other banks and systems weren't accessible. The UK Card Association says that guidelines state that the card holder's name should not be transmitted.

But Visa and Barclays said it was perfectly fine for people to access all your card details in this way without your permission.

Barclays responded to Channel 4 News's allegations:

"Barclays told Channel 4 News: 'The security of our customers' money and personal details is a top priority at Barclays so we are understandably concerned about these transactions. We are compliant with scheme rules for contactless and our fraud guarantee refunds any fraudulent losses to customers in full. The only information which can be obtained from a chip is the same as that which is printed on the front of the card – this does not include secure information such as PIN or signature (CVV) code.

"The details obtained should not be sufficient to undertake any fraudulent activity but we do depend on retailers upholding the same high standards of security when verifying payment details."

Topics: Emerging Tech

About

Editor, ZDNet UK. Ex technology/technical editor of ZDNet UK, IT Week, PC Magazine, Computer Life, Mac User, Alfa Systems, Amstrad, Sinclair. Micronet 800, Marconi Space and Defence Systems, and a dodgy TV repair shop in the back streets of Plymouth. Can still swap out a gassy PL509 with the best of 'em.Dear Reader - contact me via our m... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.