NFC-enabled handsets can be adapted to take data from Barclays-issued Visa cards, allowing fraudsters to make purchases on websites that do not ask for secure data such as the CVV code. This is a wake-up call for Barclays that it must secure these data, possibly via encryption. After this, issuers must do more to promote the safety and benefits of contactless cards in order to boost adoption.
A joint investigation by Channel 4 News and viaForensics, a mobile phone security company, has found that smartphones using near field communication (NFC) technology can be used to steal details from Barclays contactless credit and debit cards, which are currently used by 13 million customers. Barclays has asserted that it is compliant with industry regulations for contactless cards and has pointed out that it guarantees to refund, in full, any fraudulent losses suffered by customers.
Despite this, concerns remain that customers' data are at risk, given that by simply brushing a smartphone against a wallet containing one of these contactless cards, investigators were able to obtain details such as the card number, the expiry date of the card, and the name of the holder.
This information would be sufficient to then obtain goods online from retailers such as Amazon that do not require users to submit the card verification value (CVV) code. However, only Visa cards issued by Barclays were found to be susceptible to this problem, as cards from other banks and systems were not accessible. Therefore, by encrypting the data on its customers' cards, Barclays should be able to resolve this issue and restore confidence in its security measures and in the contactless cards arena in general.
Issuers may also consider working in conjunction with online retailers to enhance the security of online payments. This is something that Barclays is now looking into by "engaging with retailers to ensure they are undertaking...robust checks," according to the bank.
Despite this, the damage may already have been done to the UK's contactless cards industry. Datamonitor's 2011 Financial Services Consumer Insight Survey found that 36% of those consumers who do not have a contactless card say they are worried about security issues if the card were lost or stolen. Clearly then, given the issues with Barclays' data security, concerns around contactless cards are valid, and the vulnerability of Barclays' cards to fraud could prove a public relations disaster and deter consumers from adopting or using contactless technology.
Having said this, Datamonitor researcher Jamie Corbett believes that there are also other key barriers to the widespread adoption of contactless payments in the UK. These include the lack of infrastructure currently in place, coupled with the fact that a low proportion of card holders have a contactless-enabled card. These problems are compounded by the failure of the industry as a whole to adequately promote the technology to customers or merchants.
While there are now an estimated 60,000 contactless-supporting terminals in the UK, this is negligible in comparison to the total network of more than 1 million point-of-sale (POS) readers. Added to this is the fact that, as of December 2011, only 13.9% of card holders in the UK had a contactless-enabled card.
Despite the security concerns that have now arisen, Barclays has played the largest role in boosting these numbers to date, while Superdrug and Waitrose are among the most recent retailers to announce plans for the installation of contactless POS terminals across their stores. However, bigger players such as Tesco appear reluctant to commit to the technology beyond isolated pilot schemes. In addition to resolving security concerns, the payment card industry has a long way to go if it is to boost contactless acceptance and the number of contactless card holders and users in the UK.
For further information about this topic please read the Datamonitor report Contactless Payments: Waving Cash Goodbye (October 2011, CM00139-003) and contact jcorbett@datamonitor.com.