BreachExchange mailing list archives

Millions of Barclays card users exposed to fraud


From: security curmudgeon <jericho () attrition org>
Date: Fri, 23 Mar 2012 14:10:50 -0500 (CDT)


http://www.channel4.com/news/millions-of-barclays-card-users-exposed-to-fraud

Millions of Barclays card users exposed to fraud
Friday 23 March 2012
Benjamin Cohen, Technology Correspondent

Barclays customers using contactless bank cards could have their data 
stolen without even knowing through readers in new mobile phones, Channel 
4 News can exclusively reveal.

Card readers that are now being built in as standard to mobile phones can 
be adapted to access data from these cards. Working with a mobile phone 
security company, Channel 4 News managed to take data with just one swipe, 
and then use that data to purchase multiple goods online.

This means that it would be possible to gain access to this data merely by 
nudging someone's wallet, or through clothes in a crowded public space.

The new contactless credit and debit cards contain a chip, so that when 
the card is held next to a reader a payment is made without need of a PIN, 
and 13 million Barclays customers currently use them.

But our research shows that this ease of use will work for pickpocketers 
too. A mobile phone security company researched how the technology could 
be used. Thomas Cannon of ViaForensics said: "All I did was I tap my phone 
over your wallet and using the wireless reader on the phone I was able to 
lift out the details from your card, that includes the long card number, 
the expiry date and your name. None of it was encrypted, it was simply a 
case of the details coming out through the air."

[..]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
