Research conducted by U.K.-based consumer watchdog group Which? showed the card numbers and expiration dates of contactless cards can be captured through the use of a simple scanner, opening the door for millions of users to be exposed to fraud, The Daily Mirror reported yesterday (July 23).
The group’s tests proved a handheld device placed near a “tap and pay” card could easily pick up the sensitive data. Six different debit cards and four credit cards were tested and all of them showed signs of the security flaw. The stolen information was then used to successfully purchase items online.
According to The Daily Mirror, a report of the test results stated that while the name of the cardholder and the security code were not captured during the transmission, cybercriminals are still provided with enough information to make purchases from a mainstream website.
“By touching volunteers’ cards to our card reader we got enough details to go on an Internet spree,” the report claimed.
In the U.K. alone, roughly 58 million cards of the types used in the tests may currently be in circulation, and it is possible fraudsters could steal the data simply by holding a device close to a person’s purse or wallet.
Privacy expert Peter Eisenegger, of the National Consumers Federation, told The Daily Mirror a small percentage of cards could be read from anywhere up to 20 centimeters (almost 8 inches) away.
“Even if this was to occur in 0.1 percent of cases, with more than 300 million transactions taking place last year, many consumers could be affected,” Eisenegger added.
But according to others, the threat discovered by Which? may actually be a false alarm.
The U.K. Cards Association stepped up to dismiss the findings and told The Guardian the methods shown by the testing were not a new discovery.
“Instances of fraud on contactless cards are in fact extremely rare, with losses of less than a penny for every £100 spent on contactless – far lower even than overall card fraud,” Richard Koch, head of policy at the U.K. Cards Association, explained to The Guardian.
He added that, in the majority of cases, a retailer requires more information, such as the security code and the cardholder’s address, to even begin processing a transaction.