On Friday on Channel 4, I exposed that Barclay's contactless Visa cards can be read by newer Google Android phones using specially designed but devastatingly simple software, and the details can be used to make fraudulent purchases on Amazon.
Thus far, we've had very little in the way of answers. Here are the big questions I want the Information Commissioner and the Department of Business who have condemned the findings to find the answer of for us consumers.
I've never been personally convinced about the sense of the contactless revolution at all. As someone who has been mugged in the past, I know that thieves can use my card to make small transactions without knowing my PIN.
Sure they can only use the cards in places like Pret A Manger and only until I report the cards stolen but they can use them none the less. This is a big issue for people who are pickpocketed and don't realise it.
But the scary thing about our exposé is that you certainly wouldn't realise that you have been electronically pickpocketed because you would still have your Barclays Visa card in your wallet. Nothing has gone missing and nothing would seem out of place until transactions appear on your statement.
1) Why aren't Barclays contactless Visa cards encrypted or at least only giving partial information out?
We've been told that the guidelines for contactless cards recommend that not all of the details on the card are transmitted over the air. So for example, the card number is but your name isn't. In the case of Barclays, for the multiple cards we tested, every piece of detail on the front of the card is transmitted. Why is this?
Barclays said the information we collated wasn't of use because it didn't contain all the details needed to make a transaction. But this isn't true, we succeeded with the world's largest online retailer.
Amazon refused to answer any questions, they didn't return our multiple calls and emails over the course of the last week so we have a lot of questions.
2) Why does Amazon not check the name and address of card holders before processing payments?
We were surprised that Amazon processed our transactions using a Barclays Visa that didn't belong to the person making the order. The name didn't match and neither did the billing address. But the transactions went through without a hitch for physical product orders and also electronic orders that were downloaded immediately.
Some might argue that the physical orders would be unlikely to have been made by criminals because their home address would have been revealed. This isn't quite true. Online fraudsters use a practise called 'dead letter boxing', basically using a delivery address that doesn't exist. So for example in a building of five flats using the address 'Flat F' in the hope that a postman will leave the item in a communal area. Or they check into a cheap hotel, pay in cash and get items delivered to them under a fake name. £35 a night is well worth receiving a laptop for example.
When it comes to digital downloads like books or music, it's pretty obvious that items never get sent to a real world address. Using open wifi or proxy server (which masks the real location of a user) makes it impossible for the police to track anyone down.
3) Why does Amazon not ask for the security code on the back of cards before processing a transaction?
Unlike most online retailers Amazon doesn't ask for the three-digit so called CVV numbers on the back of your credit or debit card. We think we know the answer to this question but as Amazon hasn't responded we can't be sure.
One of the most important features of Amazon is "one click" shopping, where you can purchase an item without having to through loads of screens and forms. Like something? Order it in one click, then you won't have to think about it very much.
But online shopping services are not allowed to store the CVV numbers along with credit and debit card details in their shopping cart systems. So it makes sense why Amazon might decide to skip this part of the system.
What we do know
Banks and credit card companies have to pay back the victims of fraud unless they have been reckless. It's hardly your fault if someone bumps into you on the tube and steals your card details because Barclays contactless cards are not secure. This means that if a transaction is made in your name on a website like Amazon, the money will eventually get back to you. In the case of Amazon, because it doesn't ask for the CVV numbers, we have been told that Amazon has to cover the losses because it doesn't follow best practise.
Finally if you have a contactless card, you might wonder how you can make your card safe. One tip I've picked up is to wrap your card in tin foil. It basically messes up the signal and you should be safe from data thieves. There are some wallets and purses that claim to do this as well.