Readers in mobile phones that help users make payments without taking out their credit cards may be exposing critical payment information. An investigation by the U.K.’s Channel 4 News and a mobile security company found that credit and debit cards issued by Barclays (NYSE:BCS) were the main source of data leaks, but the point of leak came while making purchases on Amazon.com (NASDAQ:AMZN).
The investigation began with a researcher tapping a card reader-enabled phone over a reporter’s wallet that contained a Barclays card. The reader was able to lift card details, including the card number, the expiry date, and the card owner’s name. No information was encrypted, according to the report. Data from cards of other banks couldn’t be lifted.
The researcher then used the information to create a user profile on Amazon’s web store whose name differed from the one on the card, and successfully ordered products. Although the data lifted had not included the three-digit CVV2 number on the back of the card, Amazon did not require the security code for the purchase to go through.
“Typically this would not be enough information to perform ‘cardholder not present’ transactions because retailers require the CVV2 code printed on the back, and a valid address,” said a statement from ViaForensics, which provided the technology for the investigation.
Channel 4 News reported that the British government had “urged Barclays to consider recalling up to 13 million credit and debit cards.”
A Barclays statement placed the blame on Amazon. “We are compliant with scheme rules for contactless cards and our fraud guarantee refunds any fraudulent losses to customers in full,” it said. “The details obtained should not be sufficient to undertake any fraudulent activity but we do depend on retailers upholding the same high standards of security when verifying payment details.” Amazon declined comment.
To contact the reporter on this story: Aabha Rathee at email@example.com
To contact the editor responsible for this story: Damien Hoffman at firstname.lastname@example.org