Millions of Barclays customers at risk in NFC attack



TOPICS: Emerging Tech

Up to 13 million UK customers of Barclays Bank are vulnerable to losing payment card details through a mobile phone attack, ZDNet UK has learned.

In a report due to be transmitted on Channel 4 News on Friday, the broadcaster is to say that contactless readers in mobile phones can be reprogrammed to extract card data from Barclays cards when they come near each other, even through clothing, wallets or bags.

In a test conducted in conjunction with a mobile forensics company, Channel 4 News reporters extracted data from a card without authorisation and used that data to purchase goods online.

In an emailed statement, the broadcaster said: "Thomas Cannon of ViaForensics told Channel 4 News: 'All I did was tap my phone over your wallet and, using the wireless reader on the phone, I was able to lift out the details from your card; that includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air'."

Channel 4 News was only able to access the details of Barclays-issued Visa cards. Other banks and systems weren't accessible. The UK Card Association says that guidelines state that the card holder's name should not be transmitted.

But Visa and Barclays said it was perfectly fine for people to access all your card details in this way without your permission.

Barclays responded to Channel 4 News's allegations:

"Barclays told Channel 4 News: 'The security of our customers' money and personal details is a top priority at Barclays so we are understandably concerned about these transactions. We are compliant with scheme rules for contactless and our fraud guarantee refunds any fraudulent losses to customers in full. The only information which can be obtained from a chip is the same as that which is printed on the front of the card – this does not include secure information such as PIN or signature (CVV) code.

"The details obtained should not be sufficient to undertake any fraudulent activity but we do depend on retailers upholding the same high standards of security when verifying payment details."


Rupert Goodwins

About Rupert Goodwins

Rupert started off as a nerdy lad expecting to be an electronics engineer, but having tried it for a while discovered that journalism was more fun. He ended up on PC Magazine in the early '90s, before that evolved into ZDNet UK - and Rupert evolved with them into an online journalist.



  • It is amazing that a large bank with such a PCI-DSS presence and recognised programme should not grasp the full ramifications of card information, aligned with smartphone security (or insecurity), or its implications.
    Having worked on this area of technology for a large bank, I saw these issues, and alerted them over a year ago. Until we see the banking security fraternity starting to think more 'technological' security, and less 'tick-box', maybe only then will there be an improvement in the levels of security delivered to the end user.
  • It's entirely fair for the bank to defend themselves by stating that the card number, expiry date and name from the magnetic stripe are insufficient to authorise a transaction and therefore not a security risk. Someone with this information would still need a PIN and/or CVV number to authorise. What other data did the journalist that reported this have, and how did they get that information? How can a journalist and major media group put together a report suggesting this is a security risk when it clearly is not (given the information declared above). This is just poor journalism. It's been possible to copy card data from mag stripe cards for many years (perhaps not as easily as in the NFC case described above), hence the move to chip and PIN. The data extracted is clearly shown on the front of the card too - is that insecure?

    If we moved away from mag stripe altogether (to chip and PIN), then extracting the data from mag stripe would not be possible, but we maintain mag stripe for ease of use of cards internationally (in countries where Chip & PIN may not be prevalent). It's fair to say that the latest technology, namely NFC, when mixed with out-of-date technology such as mag stripe, has raised a concern here, and this needs to be examined (remove mag stripe completely from standard UK-issued cards, perhaps?), but it's not critical enough for fraudulent activity.

    The reference to PCI-DSS is misinformed (wrong terminology for starters). PCI, comprising PA-DSS, would not have an issue with this data being exposed, as it's insufficient to authorise a transaction. The reference is also contradictory, as it's precisely this kind of compliance that helps ensure security within the technology of the banking world; therefore the accusation that the bank is not taking it seriously is not fair comment.

  • Iain has a point, but researchers have demonstrated it can be done with contactless payment cards.

    The problems are known to security specialists, who are working with some of the card issuers. However, this is just one problem area of the next-generation payment card using EMV (Europay, MasterCard and VISA) and NFC (Near Field Communication) standards. It has been the concern of information security specialists and was discussed at a convention in January.

    What is more worrying is that some new payment cards today have this technology built in. However, the owner may not be aware that the card has the capability, as the card is not branded as contactless.

    Security research organisations have already started to develop card sleeves/wallets that prevent cards from being read without the owner’s knowledge. Only when it is removed from the sleeve can the card be read.

    One piece of advice is to keep your wallet/purse/bag with your contactless payment card close to you and don't leave it exposed so that someone can get close to it to read the details wirelessly.

  • I take Iain's point that the card does not provide every detail to enable somebody to conduct a fraudulent transaction. However, it does provide some very useful details to kick off an identity fraud. Lifting somebody's details from a card by NFC is less intrusive than taking the physical card to read and, if the card is taken, the user will probably notice and cancel at some point; this isn't necessarily the case if details are taken by NFC.

    If (as some suggest) we start to see a shift towards a 'virtual wallet' on NFC-enabled mobile phones, then the card owners' information won't be printed visibly outside the device as it is on a card. If done effectively, then security mechanisms should be able to prevent the user's identity being broadcast whatever account you're using (there are plans in place to support this at the moment), but this kind of flaw in security is really going to be counterproductive in terms of the public perceptions it sets and trust in NFC-enabled transactions.

    Pretty unfortunate PR for the Visa/Barclays combo, too....
  • Barclays is right to point out that Web sites should use the CCV code; but given that sites as large as Amazon don't, and that contactless scanners could collect large numbers of card details to use for fraud, the threat level is rather higher than someone copying down the details off the front of your card. It's always better to exceed the minimum security bar than scrape past it.

    Simon Bisson and Mary Branscombe
  • Can anybody tell me: if a credit card number is insufficient to authorise a transaction, why does PCI-DSS require you to protect the credit card number?

    Why do VISA and MasterCard not need to devise a scheme to protect the credit card number, while the merchants need to follow PCI-DSS (an organisation formed by VISA, MasterCard and other brands) to protect the credit card numbers?