Barclays 'contactless' cards exposed to fraud

PUBLISHED March 23, 2012

An investigation found users of the bank's "contactless" debit or credit cards, designed to make payment when held next to special "readers", could have their details stolen without their knowledge.

But Channel 4 News found that special "readers" built into new mobile phones can take data from the cards in wallets and pockets in just one swipe.

Using data taken from a card, researchers commissioned by the programme were able to buy "multiple goods online" through

The programme said it was only able to "access the details of Barclay issued Visa cards" as other banks and systems weren't accessible.

Thomas Cannon, of ViaForensics, a mobile phone security company which undertook the research, said: "All I did was I tapped my phone over your wallet.

"Using the wireless reader on the phone I was able to lift out the details from your card, that includes the long card number, the expiry date and your name.

"None of it was encrypted, it was simply a case of the details coming out through the air." Guidelines from the UK Card Association state that the card holder's name should not be transmitted.

On Friday night the Information Commissioner, Christopher Graham, raised the prospect of potential fines for Barclays, which he said had "big questions" to answer. Officials from his office are due to meet with Barclays executives on Monday.

"We must investigate and find out what's gone wrong," he told the programme.

"If there's been a serious breach of the data protection act we do have very significant sanctions (available).

"The combination of the technology being able to pick your pocket and some lax standards at the online retailers is a worry."

He added: "So far as customer is concerned your personal information has gone missing and there's potentially identity fraud, costs on your account. OK you can be reimbursed but this shouldn't be happening."

The Department for Business, Innovation and Skills called for urgent action amid the claims of "serious security flaws".

"There are standards in place which are designed to prevent this and all operators should comply with them," a spokesman said.

"We have always emphasised the importance of data security in initiatives such as midata and this contactless payment facility clearly has some serious weakness in this regard."

A Barclays spokesman admitted the bank was "understandably concerned about these transactions".

But he denied details could be obtained in order to defraud a customer, and said that "as a matter of urgency we are now engaging with retailers to ensure they are undertaking adequate and robust checks".

He added: "We remain committed to contactless and firmly believe that it continues to be a safe and viable payment system."

Amazon was unavailable for comment. Amazon is just one of several websites that do not require any additional information in order to turn basic credit and debit card details into purchases.

It is estimated there are at least 15 million such "contactless" cards in circulation in Britain.