Card Security Put to Question
- Channel 4 has recently exposed a major security breach affecting Barclays’s contactless Visa cards, which could be exploited with a smartphone and specially crafted software: customers could be robbed of their card information (number, expiration date and name).
- ViaForensics showed how easily a malicious individual could run this kind of attack; the security specialist also insists that no information is actually encrypted on the card.
- Cards from other financial institutions and networks have also been tested and, although initially unsuccessful, these experiments (conducted by ViaForensics) highlighted that all contactless Visa cards in the UK were in fact affected (including Lloyds TSB’s cards, for instance).
- The PIN and CVV cannot be retrieved as they are not included in the chip. Nevertheless, the remaining data is sufficient to make online payments on some websites.
- Barclays was at first sceptical that the retrieved data could be used to make online purchases, but has had to take this breach seriously. The UK government Department for Business, Innovation and Skills requires that appropriate measures be taken as fast as possible, stating: “We call on the card issuers to act quickly to address this issue and to cancel and replace cards if necessary”.
- The contactless industry is especially mature in the UK, and is witnessing its first public security debates. With the Olympic Games soon to take place in London, large-scale deployments have been organised to promote and speed up its adoption. Barclays entered this sector early (in 2007), and is one of the first banks to have offered these kinds of cards.
- According to the bank, the possible online use points to flaws in the e-commerce process: if the cryptogram is not systematically asked for, only the information on the front of the card is strictly needed to purchase goods online. MasterCard cards do not store the cardholder’s name on their chip and have not been impacted by these issues.
- Barclays still believes in the viability of the emerging contactless model. Barclaycard Global Commercial Payments has also been planning to issue contactless corporate cards (see December 2011 Insight), thus further broadening its strategy, as was already the case with its previous offers (including the One Pulse payment and ticketing solution).