A security flaw in contactless payments discovered overseas may soon affect U.S. consumers.
The U.K. consumer technology and product review site Which? — similar to the Consumer Reports stateside — recently exposed a flaw in most forms of contactless payments, which may leave millions of consumers susceptible tot credit fraud.
Using readily available, mainstream equipment and software, Which? was able to capture the numbers and expiration dates of cards provided to them by each of the 10 volunteers who participated, six of them debit cards and four credit cards. Which? then made purchases with the captured data, including an almost $4800 television. Each of the purchases were made online on popular websites using fake names and addresses.
Though Which? researchers said that the purchases were difficult to make without the CVV codes, they found that some retailers will sacrifice security to make the sale. Also, the information that was obtain could've easily been written to a blank credit card and used in a store with the traditional swipe method.
Contactless payment has become increasingly popular in the U.S. with the introduction of smartphone applications like Apple Pay and smartcards. The payment method typically uses one of two types of technologies: radio-frequency identification (RFID) and near-filed communication (NFC).
RFID was the compromised technology in the test, as all 10 cards utilized embedded RFID tags. While the platform is more popular overseas, as more retailers there have the equipment to accept them, some U.S. cards come equipped with the technology. Even if a consumer doesn't use that function of the card, a passerby with the equipment to read them may still be able to steal that information.
Both RFID and NFC encrypts the data before relaying it to the processor, but Which?'s off-the-shelf software solution was able to circumvent the measures. It is uncertain if the same or similar solution will also work for NFC.
If you are in need of new payment processor software for your business, contact 911 Software today.