How 30 million ‘wi-fi’ credit cards can be plundered by cyber identity thieves exploiting contactless payment technology.
Millions of debit and credit card holders are at risk of having their personal data mined by thieves exploiting a loophole in the latest ‘contactless’ payment technology.
Card numbers and personal details can be read almost instantly by a remote device such as a mobile phone, according to cyber-crime experts.
Contactless cards have been in use for five years and are becoming increasingly popular as they save time for retailers and customers by speeding up transactions.
Customers use them to pay for less costly items (£20 or under) without having to key in a PIN number or scrabble around for cash. Instead, they simply scan their plastic over an electronic reader at the till.
But the new technology is vulnerable to thieves and conmen. Any stranger who found or stole one of the cards could go on a small-scale spending spree of up to £100 – as the reader requires a PIN only after five transactions in one day.
And this week The Mail on Sunday witnessed how details from the cards can be wirelessly copied by a touch screen phone – modified with parts bought on the internet for as little as £30.
The phone – which was adjusted by security expert Martin Emms and his team of researchers at Newcastle University’s Centre for Cybercrime and Computer Security – also accessed the last ten transactions made on the account.
By simply holding the phone near a wallet, our reporter was able to download the details within two seconds, fuelling fears that the technology could be exploited by thieves in a crowd or by brushing past someone.
The unsuspecting victim would be unaware their data had been stolen until they received their bank statement, but the stolen information could be used to make purchases online from retailers such as Amazon, who do not require a security code or further checks for most purchases.
Mr Emms, who has published a report into contactless card flaws, said: ‘We have produced a phone which speaks the same language as the cards and used this to obtain data from them.
‘With it, we have been able to strip contactless cards of the account-holder’s name, 16-digit number, and expiry date. In some cases, we have even been able to obtain the last ten purchases, which is one of the security questions asked by banks.