TECH

58 MILLION Contactless Card Details Can Be Stolen Using An 'Off The Shelf' Scanner

23/07/2015 12:56 BST | Updated 23/07/2015 12:59 BST

A Which? study has discovered a potentially massive flaw in the security of over 58 million contactless cards that are in circulation in the UK.

contactless cards

The company carried out a simple experiment using a cheap card-reading device that was purchased off the internet, they then took 10 random contactless cards and by using the scanner and some free software were able to steal the card's details straight from the chip.

Worryingly the card reader was also able to obtain the last 10 transactions that the card made. The team were then able to use the information to buy a £3,000 TV using just the stolen details.

As Which? explains: "Contactless cards are coded to 'mask' personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards."

The major problem is that while the potential criminal can't then go on a contactless spending spree they can actually do much worse.

By using the stolen details they can spend an unlimited amount of money on websites that either don't require extra verification or that don't use the VISA Verified authentication system.

While contactless usually requires the card to be within a close proximity of the reader this scanner can reportedly take the details from much further away meaning the criminal won't even need to be close by.

Security expert Peter Eisenegger warns that changes need to be made saying: "It's vital to protect consumers from fraudsters who have the knowhow to develop mobile card readers with much greater reading distances than those used by retailers."

READ MORE:

Apple Pay users will be relieved to know that its form of contactless payment is immune to the technique.

apple pay

Apple Pay uses a system called tokenisation - this allows the phone to never actually store your card details, meaning that even if the scanner could somehow pick up your iPhone or Apple Watch it'll never be able to turn the stored data into usable bank information.

if you're not using Apple Pay, the UK Cards Association has admitted that while there isn't a currently available fix, the best way to protect yourself is to only use online merchants that use VISA Verified or some other form of secondary authentication method.