Barclays Bank card data vulnerable to mobile phone scanning fraud

Channel 4 News has revealed fraudsters can access the data on Barclays Bank cards by scanning them with mobile phones

Channel 4 News has revealed fraudsters could acquire the data held on Barclays Bank contactless card users by scanning the cards with mobile phones.

Channel 4 News investigators read Barclays Bank contactless card details using an adapted mobile phone app.

Working with mobile phone security company ViaForensics, the investigators found that swiping the phone over a Barclays Bank contactless card yielded the name, long card number and expiry date.

Investigators said a simple nudge against a wallet would be enough for the app to read the data.

A ViaForensics spokesman told Channel 4 News: "All I did was I tapped my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card, that includes the long card number, the expiry date and your name. None of it was encrypted, it was simply a case of the details coming out through the air."

Channel 4 News was only able to access the details of Barclay-issued Visa cards. Other banks and systems weren't accessible. The three-digit security code was not read by the scanner. But some retailers, including Amazon, do not require this code, making it easy to use card details to buy online.

Investigators set up an Amazon account with a different name, billing address and billing address to a card they scanned and were able buy products.

Visa and Barclays said told Channel 4 News it is permissable to access card details in this way without permission.

Barclays told Channel 4 News: "The security of our customers’ money and personal details is a top priority at Barclays, so we are understandably concerned about these transactions.

"We are compliant with scheme rules for contactless cards and our fraud guarantee refunds any fraudulent losses to customers in full. 

"The only information which can be obtained from a chip is the same as that which is printed on the front of the card – this does not include secure information such as PIN or signature (CVV) code.

“The details obtained should not be sufficient to undertake any fraudulent activity but we do depend on retailers upholding the same high standards of security when verifying payment details. 

"To be clear, this is not an issue with contactless but with the checks undertaken for ‘card not present’ payments by some retailers. 

"As a matter of urgency, we are now engaging with retailers to ensure they are undertaking adequate and robust checks. We remain committed to contactless and firmly believe that it continues to be a safe and viable payment system.”

Read more on Identity and access management products