The San Diego County Crime Commission

"Connecting Law Enforcement to the Community"

5694 Mission Center Road, Ste 602-432

San Diego CA 92108


How 30 million 'Wi-Fi' credit cards can be plundered by cyber identity thieves exploiting contactless payment technology

Millions of debit and credit card holders are at risk of having their personal data mined by thieves exploiting a loophole in the latest ‘contactless’ payment technology.

Card numbers and personal details can be read almost instantly by a remote device such as a mobile phone, according to cyber-crime experts.

Contactless cards have been in use for five years and are becoming increasingly popular as they save time for retailers and customers by speeding up transactions.

Customers use them to pay for less costly items (£20 or under) without having to key in a PIN number or scrabble around for cash. Instead, they simply scan their plastic over an electronic reader at the till.

But the new technology is vulnerable to thieves and conmen. Any stranger who found or stole one of the cards could go on a small-scale spending spree of up to £100 – as the reader requires a PIN only after five transactions in one day.

And this week The Mail on Sunday witnessed how details from the cards can be wirelessly copied by a touchscreen phone – modified with parts bought on the Internet for as little as £30.

The phone – which was adjusted by security expert Martin Emms and his team of researchers at Newcastle University’s Center for Cybercrime and Computer Security – also accessed the last ten transactions made on the account.


By simply holding the phone near a wallet, our reporter was able to download the details within two seconds, fuelling fears that the technology could be exploited by thieves in a crowd or by brushing past someone.

The unsuspecting victim would be unaware their data had been stolen until they received their bank statement, but the stolen information could be used to make purchases online from retailers such as Amazon, who do not require a security code or further checks for most purchases.

Mr Emms, who has published a report into contactless card flaws, said: ‘We have produced a phone which speaks the same language as the cards and used this to obtain data from them.

‘With it, we have been able to strip contactless cards of the account-holder’s name, 16-digit number, and expiry date. In some cases, we have even been able to obtain the last ten purchases, which is one of the security questions asked by banks.

‘With this information alone we have been able to make purchases on Amazon. It is alarming because the information provides the basis that, with a little more research, could see thieves strip a bank account.’

Mr Emms added it was ‘reasonable to expect’ that around 30 million bank cards could be at risk of having their data read by modified mobile phones.

In April 2012, Barclays began to issue new cards they claimed were more secure after fears were expressed about the flaws. However, they replace older cards only when they expire or a replacement is needed.

Mr Emms added: ‘Our research has exposed a number of flaws in contactless bank-card technology and we are desperate for the banks to do more before the loopholes are exploited by thieves.’

The criticisms come as Transport for London (TfL) admitted bus passengers who tap their Oyster card on to a reader when getting on a bus have had the universal £1.40 fare taken from their bank card in the same wallet instead.

TfL last night admitted it is receiving at least one complaint every day about the issue, although the number of actual incidents is thought to be much higher. TfL added that it had refunded customers who complained their fares had been debited from their bank cards.

But the problem is set to escalate at the start of next year when the ability to pay your fare with a contactless bank card is extended from buses to the London Underground.

Shashi Verma, Director of Customer Experience at TfL, said: ‘Our advice to customers is to choose which card they want to pay with and to keep it separate when touching it on the reader.’

Two weeks ago, Marks & Spencer and Pret A Manger were criticised by customers who claimed the contactless card-readers were taking money wirelessly when they intended to pay by chip and PIN.

The majority of contactless cards belong to Barclays customers, accounting for 19.3 million cards.

Britons now make 5.4 million contactless card transactions a month, up from 2.5 million at the start of the year. There are 232,000 card readers across the country.

There are plans afoot to phase out the ‘magnetic strip’ credit cards, store cards and supermarket loyalty cards in favour of contactless and chip and PIN technology.

Last night a spokesman for the UK Cards Association said: ‘We always welcome contributions from researchers on addressing potential vulnerabilities in the payments system.’

A spokesman for Visa Europe said: ‘Our latest required specification for contactless cards does block access to the cardholder name.’

Amazon said: ‘We do not comment on our methods of fraud prevention.’