viaForensics was recently contacted by Channel 4 News in the UK to assess the degree of data leakage from contactless payment cards. During an interview with the Channel 4 correspondent we were able to touch his wallet with an Android phone while he was distracted and capture his credit card details. Read the Channel 4 News story here.
Contactless payment cards can be read with the NFC hardware built into some Android phones, such as the Samsung Nexus S, and how much information a card gives up depends on the card type and issuer. For several years now the newer generation of cards should have been protected against having their complete card details read: at most they should give out the card number and expiry date, which on its own is of limited use to a fraudster.
In demonstrating the issue to Channel 4 News, viaForensics found that many cards still in circulation, including recently issued ones, give up the full card number, expiry date, surname and initials. Typically this would not be enough to perform "cardholder not present" transactions such as those over the Internet or by phone, because retailers require the CVV2 code printed on the back of the card and a valid billing address. However, during the research it was found that some major online retailers, selling high-value items, do not require the CVV2 code and accept a bogus address.
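The data a contactless card hands over is EMV BER-TLV, so the difference between a card that leaks "number and expiry" and one that leaks "number, expiry, surname and initials" comes down to which tags appear in its READ RECORD responses. The following Python is an added example, not viaForensics' tool or code from the Channel 4 demonstration: it parses a READ RECORD response, pulls out the EMV tags involved (5A PAN, 5F24 expiry, 5F20 cardholder name, 57 Track 2 equivalent), Luhn-checks the number and classifies how much the record leaks. The two sample records are constructed for the example using the well-known 4111 1111 1111 1111 test PAN and a fictional cardholder, not captures from a real card; the function and constant names are this example's own.

```python
"""Parse EMV READ RECORD responses and classify what a contactless reader can see.

Sample records are constructed for this example (test PAN, fictional name);
they are not captures from a real card.
"""

# EMV tag numbers (EMV Book 3, Annex A)
TAG_PAN = 0x5A        # Application Primary Account Number (BCD, F-padded)
TAG_EXPIRY = 0x5F24   # Application Expiration Date, YYMMDD (BCD)
TAG_NAME = 0x5F20     # Cardholder Name (ASCII, typically SURNAME/INITIALS)
TAG_TRACK2 = 0x57     # Track 2 Equivalent Data: PAN 'D' YYMM service-code ...
TAG_RECORD = 0x70     # READ RECORD response message template (constructed)


def encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER-TLV object; used here only to build the sample records."""
    tag_bytes = tag.to_bytes((tag.bit_length() + 7) // 8, "big")
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | number-of-length-bytes, then the length itself
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return tag_bytes + length + value


def parse_tlv(data: bytes) -> list:
    """Return [(tag, value), ...], descending into constructed tags (bit 6 set)."""
    out, i, n = [], 0, len(data)
    while i < n:
        if data[i] in (0x00, 0xFF):  # EMV permits padding between objects
            i += 1
            continue
        first = data[i]
        tag = first
        i += 1
        if first & 0x1F == 0x1F:  # multi-byte tag: continue while bit 8 is set
            while True:
                if i >= n:
                    raise ValueError("truncated tag")
                tag = (tag << 8) | data[i]
                more = data[i] & 0x80
                i += 1
                if not more:
                    break
        if i >= n:
            raise ValueError("missing length")
        length = data[i]
        i += 1
        if length & 0x80:
            num = length & 0x7F
            if num == 0 or num > 4 or i + num > n:
                raise ValueError("bad long-form length")
            length = int.from_bytes(data[i:i + num], "big")
            i += num
        if i + length > n:
            raise ValueError("value runs past end of data")
        value = data[i:i + length]
        i += length
        if first & 0x20:  # constructed: the value is itself a TLV sequence
            out.extend(parse_tlv(value))
        else:
            out.append((tag, value))
    return out


def luhn_ok(pan: str) -> bool:
    """ISO 7812 Luhn check, a quick plausibility test on an extracted PAN."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def extract_card_data(record: bytes) -> dict:
    """Pull PAN, expiry (MM/YY) and cardholder name out of one record."""
    fields = dict(parse_tlv(record))
    result = {}
    if TAG_PAN in fields:
        result["pan"] = fields[TAG_PAN].hex().upper().rstrip("F")
    if TAG_EXPIRY in fields:
        yymmdd = fields[TAG_EXPIRY].hex()
        result["expiry"] = f"{yymmdd[2:4]}/{yymmdd[0:2]}"
    if TAG_NAME in fields:
        result["name"] = fields[TAG_NAME].decode("ascii").strip()
    if TAG_TRACK2 in fields:  # PAN and YYMM expiry also live in Track 2 data
        pan, _, rest = fields[TAG_TRACK2].hex().upper().partition("D")
        result.setdefault("pan", pan)
        result.setdefault("expiry", f"{rest[2:4]}/{rest[0:2]}")
    if "pan" in result:
        result["luhn_valid"] = luhn_ok(result["pan"])
        result["masked_pan"] = "*" * (len(result["pan"]) - 4) + result["pan"][-4:]
    return result


def leakage_level(record: bytes) -> str:
    """Classify a record the way the article does: name, number+expiry, or nothing."""
    d = extract_card_data(record)
    if "name" in d:
        return "pan+expiry+name"
    if "pan" in d:
        return "pan+expiry"
    return "none"


# Constructed sample records (test PAN 4111111111111111, fictional holder DOE/J).
TRACK2_HEX = "4111111111111111" + "D" + "1412" + "201" + "0" * 11 + "F"
OLD_CARD_RECORD = encode_tlv(TAG_RECORD,
    encode_tlv(TAG_PAN, bytes.fromhex("4111111111111111"))
    + encode_tlv(TAG_EXPIRY, bytes.fromhex("141231"))
    + encode_tlv(TAG_NAME, b"DOE/J     ")
    + encode_tlv(TAG_TRACK2, bytes.fromhex(TRACK2_HEX)))
NEW_CARD_RECORD = encode_tlv(TAG_RECORD, encode_tlv(TAG_TRACK2, bytes.fromhex(TRACK2_HEX)))

if __name__ == "__main__":
    for label, rec in (("older card", OLD_CARD_RECORD), ("newer card", NEW_CARD_RECORD)):
        print(label, leakage_level(rec), extract_card_data(rec))
```

On a phone the bytes fed to parse_tlv would come from the card's response to SELECT and READ RECORD APDUs over the NFC ISO-DEP interface; the parser is the same, and a record that carries tag 5F20 is one of the cards the article describes as giving up the surname and initials. If you adapt this to real cards, mask or discard the PAN immediately, as the example does, rather than logging it.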
The NFC hardware in some Android devices can also emulate a payment card, and viaForensics has been researching the security of mobile payment solutions such as Google Wallet. It is worth noting that the phone does not suffer from the same problem of having its data read while in your pocket, because its NFC hardware is disabled while the screen is off.
Although not a new issue or exploit, this demonstration illustrates the continuing security issues faced by the payment card and mobile industries as they seek to advance convenient payment technology while providing security for the consumer.