If you shop at Amazon frequently, you might want to consider changing your quick checkout phrase to “Please don’t use my credit card to buy all the nice things.” Why? Well, as it turns out, the world’s largest online retailer has a woefully underpowered security system. With just a smart phone and a little know-how, a thief can steal your card information right out of your wallet and go on a fantasy shopping spree the likes of which have never been seen before. Here’s how your accounts could be at risk.
The story first broke with a blog post by the BBC’s Benjamin Cohen. In a video on the Channel 4 News site, the technology correspondent illustrated how smart phones can be used to read contactless credit cards through pockets and purses. In this case, “contactless” refers to credit cards that contain RFID chips, which can transmit payments wirelessly through near-field communications (NFC) technology.
Consumers with contactless cards can simply hold the piece of plastic near an NFC reader to make a purchase. While this makes your credit card faster and more convenient to use, the technology also turns it into a perpetual personal information transmitter that’s susceptible to a high-tech type of fraud.
Using nothing more than a smart phone with a credit card processing app, Thomas Cannon of ViaForensics managed to lift the information from a contactless card in a matter of seconds. As he told Channel 4, “All I did was I tap my phone over your wallet and using the wireless reader on the phone I was able to lift out the details from your card, [sic] that includes the long card number, the expiration date and your name. None of it was encrypted.”
Now, this data alone isn’t necessarily enough to turn these types of cards into a tool for fraud. Many online merchants require you to enter a card code verification or card security code (which is printed on the back of your credit card) to confirm your identity before making a purchase. Since that code is physically printed on your card, a thief can’t make fraudulent purchases at those merchants unless he has the actual plastic in his hands.
Unfortunately, Amazon doesn’t require this code, in part because U.S. merchants aren’t allowed to store CCV/CSC information in their databases. So after logging in as himself, Cohen successfully processed a transaction using a card and billing address that belonged to someone whose info he lifted with a smart phone. The folks over at Business Insider tried the experiment for themselves and found that they too could fraudulently use other people’s accounts to make a purchase. Under the CARD Act, consumers can’t be held liable for these fraudulent charges, but since Amazon isn’t following the best practices under the current legislation, they could be on the hook for millions.
Now, this type of fraud isn’t quite as likely in the U.S., in part because contactless cards here don’t always transmit certain kinds of information, such as the name of the customer. Also, here in the States, contactless cards aren’t as common as their magnetic-stripe cousins. Overseas, however, it’s common for cards to use NFC technology. In fact, there are currently more than 13 million of these cards circulating throughout the UK. As such, the Department of Business, Innovation and Skills is pushing issuers to cancel and recall their cards if the problem continues to grow.
While this is troubling news, it’s just another example of how consumers need to be extra vigilant when using mobile technology. If you want to sign up for a credit card these days, try to make sure it doesn’t use NFC chips. If it does, then consider purchasing an RFID-blocking wallet to keep your personal info where it belongs. After all, the last thing you want to show up on your recent purchases list is someone else’s frozen rabbit.