Barclaycard pay-by-bonk fraud risk exposes Amazon's security
NFC cards savaged in privates' slurp probe
By Bill Ray • In Broadband • At 11:13 GMT 26th March 2012
Channel 4 News has found out that pay-by-wave phones are compatible with pay-by-wave cards, and wants something done about it, but it's web bazaar Amazon that's lacking basic security.
The investigation, which was carried out by viaForensics at Channel 4's behest, discovered that one can lift the credit card number, expiry date and customer name from a Barclaycard-issued Visa card, which wouldn't be such a big deal if Channel 4 News hadn't also discovered that Amazon isn't doing the basic checking which would prevent such details being used for fraud.
But Channel 4 pins the blame firmly on Barclaycard, claiming:
"The government has urged Barclays to consider recalling up to 13 million credit and debit cards" after "we found the cards can also be read by mobile phones".
That shouldn't be surprising as the cards concerned conform to the NFC (Near-Field Communications) standard, as do modern phones, and there's an expectation that NFC phones will be able to double up as cheap Point Of Sale terminals in some instances. What Channel 4 News discovered was that some cards give up the customer's name as well as the other details, and that Amazon's security procedures are lamentable to say the least.
Online retailers are supposed to check the CVV2 code, the three-digit number on the back of the card, as well as confirming the cardholder's address. They aren't allowed to store the CVV2 (for fear of compromised servers), so to enable one-click ordering retailers like Amazon only ask for the code the first time the card is used and then trust the buyer.
Only it seems that Amazon isn't even bothering to check the CVV2 the first time, so Channel 4 News was able to set up a new account and make purchases on that account using only the card number, expiry date, and name.
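The process the previous two paragraphs describe, as an added illustration that is not part of the article and not Amazon's or any card scheme's code: a merchant-side model in which a card's first use must pass a CVV2 check and an address check before a reusable token is issued, the CVV2 is never written to the merchant's store, and later one-click orders run against the token alone. The issuer host (`IssuerStub`), the sample card record and the response fields are constructed stand-ins, not a real authorisation API.

```python
"""Model of card-not-present first-use checks versus one-click reuse.

Added example, not from the original article. Everything here is simulated:
IssuerStub plays the issuer/acquirer, SAMPLE_CARDS is a constructed record,
and the response field names ("cvv2_match", "avs") are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Dict, List
import secrets

# Constructed test card on file at the "issuer" (not a real card).
SAMPLE_CARDS: Dict[str, Dict[str, str]] = {
    "4000000000000002": {
        "expiry": "12/14",
        "cvv2": "123",                 # only the issuer knows this
        "address": "1 Sample Street",  # billing address used for AVS
    },
}


@dataclass
class CardPresentation:
    """What a buyer submits at checkout. A contactless read of a card
    yields pan, expiry and name only: cvv2 and address are absent."""
    pan: str
    expiry: str
    name: str
    cvv2: Optional[str]
    address: Optional[str]


class IssuerStub:
    """Stand-in for the authorisation host (constructed, not a real API)."""

    def __init__(self, cards: Dict[str, Dict[str, str]]) -> None:
        self._cards = cards

    def authorise(self, pan: str, expiry: str, cvv2: str, address: str) -> dict:
        rec = self._cards.get(pan)
        if rec is None or rec["expiry"] != expiry:
            return {"approved": False, "cvv2_match": "N", "avs": "N"}
        cvv2_match = "M" if cvv2 == rec["cvv2"] else "N"
        avs = "Y" if address == rec["address"] else "N"
        return {"approved": cvv2_match == "M" and avs == "Y",
                "cvv2_match": cvv2_match, "avs": avs}


class Merchant:
    """Merchant that enforces CVV2 + address on first use and stores a token."""

    def __init__(self, issuer: IssuerStub) -> None:
        self.issuer = issuer
        self.vault: Dict[str, Dict[str, str]] = {}  # token -> card on file
        self.log: List[str] = []

    def first_use(self, card: CardPresentation, amount: float) -> Optional[str]:
        """Return a reusable token on success, None on decline."""
        # Without both a CVV2 and an address there is nothing to verify, so
        # decline before touching the issuer. Details lifted from the face of
        # a card (or its contactless interface) fail here.
        if not card.cvv2 or not card.address:
            self.log.append("declined: CVV2 or address not supplied")
            return None
        result = self.issuer.authorise(card.pan, card.expiry, card.cvv2, card.address)
        if not result["approved"]:
            self.log.append(f"declined: cvv2={result['cvv2_match']} avs={result['avs']}")
            return None
        token = secrets.token_hex(8)
        # Persist what later authorisations need; the CVV2 is deliberately
        # not stored, matching the rule that merchants must not retain it.
        self.vault[token] = {"pan": card.pan, "expiry": card.expiry,
                             "name": card.name, "address": card.address}
        self.log.append(f"approved: {amount:.2f}, token issued")
        return token

    def one_click(self, token: str, amount: float) -> bool:
        """Subsequent order: trust the verified card on file, no CVV2 re-entry."""
        rec = self.vault.get(token)
        if rec is None:
            self.log.append("declined: unknown token")
            return False
        self.log.append(f"approved (one-click): {amount:.2f}")
        return True

    def vault_holds_cvv2(self) -> bool:
        """Compliance self-check: the stored records must never carry a CVV2."""
        return any("cvv2" in rec for rec in self.vault.values())


if __name__ == "__main__":
    m = Merchant(IssuerStub(SAMPLE_CARDS))
    lifted = CardPresentation("4000000000000002", "12/14", "A N OTHER", None, None)
    print("lifted details only ->", m.first_use(lifted, 49.99))
    good = CardPresentation("4000000000000002", "12/14", "A N OTHER", "123", "1 Sample Street")
    tok = m.first_use(good, 49.99)
    print("verified first use ->", tok, "| one-click:", m.one_click(tok, 9.99))
    print("\n".join(m.log))
```

The point of the model is the asymmetry the article turns on: the first transaction is the only moment at which the merchant can tell a verified cardholder from someone holding just the number, expiry and name, so skipping the CVV2 and address checks there leaves every later one-click order resting on nothing.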
ViaForensics, which provided the tech for the probe, is less sensationalist about the data recovered: "Typically this would not be enough information to perform 'cardholder not present' transactions because retailers require the CVV2 code printed on the back, and a valid address", but not in the case of Amazon obviously.
On the other hand, the Barclaycards shouldn't have been sharing punters' names, but a straw poll of Visa-backed Barclaycards around El Reg Towers showed they were only prepared to share card number and expiry date as recommended by the EMV specifications, so it's far from clear what proportion of cards are over-sharing.
Any losses incurred by this kind of fraud would be refunded by Barclaycard, once the customer has jumped through the required hoops, and Amazon will pay a transaction rate that reflects the probability of such fraud. But the reflection it casts on the security of proximity payments will be harder to shake off.
Using a mobile phone to make payments is a good deal more secure: most Android phones don't even power-up the NFC component unless the screen is on. However, consumers are very conservative and won't warm to the technology if it's demonstrably vulnerable. Electronic payments involve a chain of participants, and the failure of any link is perceived as a failure of the entire system; proximity payment systems aren't nearly robust enough to take that kind of confidence knock.
Channel 4 News did a fine job in exposing a weak link in the chain, and one which needs to be fixed, but as is so often the case in security matters it's the processes that are flawed, not the technology, even if it does make the better headline. ®