back to article Barclaycard pay-by-bonk fraud risk exposes Amazon's security

Channel 4 News has found out that pay-by-wave phones are compatible with pay-by-wave cards, and wants something done about it, but it's web bazaar Amazon that's lacking basic security. The investigation, which was carried out by viaForensics at Channel 4's behest, discovered that one can lift the credit card number, expiry …

COMMENTS

This topic is closed for new posts.
  1. Roger Greenwood
    FAIL

    Visa

    Untrusted by me for over a decade.

  2. Richard Gadsden

    Amazon have never wanted CVV / CVV2

    Amazon orders (as distinct from Marketplace orders) are only paid for when the goods dispatch.

    Most retailers do this by pre-authorising the charge using CVV at the time of order and then charging at the time of dispatch, but Amazon have always run the much simpler system of storing the credit card details and only charging the account at dispatch.

    That does mean that Amazon can't use CVV authorisation, because they aren't allowed to store the CVV information until they're ready to use it.

    I suspect that Amazon eat their own chargebacks (and pay a lower handling fee to the CC companies) and have their own anti-fraud measures, rather than using CVV or 3-D Secure.

    1. Anonymous Coward
      Anonymous Coward

      Re: Amazon have never wanted CVV / CVV2

      I think it has a lot to do with Kindle sales using 3G/wifi personally - few people know the CVV and it doesn't encourage impulse buys. The laughingly easy to compromise "Verified By Visa" won't work with the Kindle browser either so eating the chargebacks is probably a lot cheaper for them.

      Also Richard is spot-on about when they charge the card - that happens when the order clears packing and not before, no pre-auth on any Amazon orders.

      1. PeterI

        Re: Amazon have never wanted CVV / CVV2

        Amazon have a race condition on Kindle purchases, when my card expired I downloaded from the store sucessfully but then got an email asking me to register a new card.

    2. Brad100

      Re: Amazon have never wanted CVV / CVV2

      Under PCI you actually are allowed to store the security codes up to the point of auth and this time period has never been specifically defined, at least not in earlier versions of the DSS. However, I do agree that the standards around the protection and hanlding of the security codes make it more desireable to not handle them at all, from a compliance stand point.

  3. Usually Right or Wrong

    It's all a tradeoff

    What drives customers to sites like Amazon is the convenience of making a purchase with saved details, being able to ship to a work address or pick up from a collection point.

    What makes it convenient for fraudsters is that stolen credit cards get more mileage and goods mules don't have to be burned that often as the collection points rarely validate the photo ID, so false ID works most times and the home address is not exposed.

    While the fraud rates remain low, the cost of fraud can be passed on whilst keeping prices competitive. A recent figure from another on-line retail vendor was <1% of transactions were fraudulent and about 80% of these were detected and stopped before shipping. (Simple measures like contacting the card holder before shipping if systems picked up anomalies.)

    With figures like that, there is little incentive for a business to lock down too much and make the customer experience dificult, but a lack of CVV2 check is inexcusable.

  4. auburnman

    what's always bugged me about CVV2 is having the number printed on the card. Why not send the authorisation number to the cardholder like an (unchangeable) PIN#?

    1. Anonymous Coward
      Anonymous Coward

      Because

      People forget PINs.

      All the CVV is supposed to do is to make it impossible to use a card for CNP transactions by using the card number from a "kerchunk-kerchunk" machine style impression or from swiping the magstripe.

      The chip has different card numbers for Chip and PIN and NFC transactions.

      1. auburnman
        Trollface

        Re: Because

        Of course. I forgot cashpoints were a massive failure shortly after their introduction and were withdrawn never to be tried again.

  5. Robert E A Harvey

    I've already said I don't want contactless anything, so will maintain my previous stance.

    I have not asked for it, I don't want it.

    1. Anonymous Coward
      Anonymous Coward

      That's fine

      It's totally within your rights to do so, but I have to ask:

      What are you reveling in your shunning of new technology on a tech web site?

      1. Jimbo 6
        Holmes

        Re: "shunning of new technology"

        Because :

        new =/= (useful, reliable, trustworthy...)

        I presume you haven't noticed that some other articles on El Reg highlight *problems* with technology ? Particularly, problems that the profit-takers are happy to sweep under the carpet ?

        As the Native American saying goes, "Only an idiot tests the depth of the water with both feet..."

        1. Anonymous Coward
          Anonymous Coward

          Re: "shunning of new technology"

          @Jimbo 6 - Yes, but just because something is new and works without wires (which seems to be the main problem) doesn't mean that the people who have designed it don't know what they're doing. There seem to be a lot of people commenting on The Reg who "know" a lot more about subjects than the experts who work in those fields professionally. Guess what? Usually they don't know more, they just know about a vastly simplified version of said subject, but believe that they know everything about it.

          1. Anonymous Coward
            Anonymous Coward

            Questioning their priorities rather than their skill

            I'm sure the designers have been quite professional in producing a system that is beneficial to the bottom line of the payment processing industry, they people who pay them. I'm less convinced they've designed a system that's beneficial to the cardholder. If it reduced the risk of fraud then I'm sure they'd be telling us about it, but they aren't.

            1. Anonymous Coward
              Anonymous Coward

              Re: Questioning their priorities rather than their skill

              @AC It does reduce risk of fraud and APACS do tell about it, just because you don't look in the correct places for this info, doesn't mean that it's not being put out there.

    2. sabroni Silver badge

      >>I have not asked for it, I don't want it.<<

      No, me neither, but when I contacted my credit card provider (Virgin) and asked for a card without contactless tech I was told they couldn't do it, all new cards have it built in. So you might not want it, but you're going to have a hard time avoiding it.

      Anyone know whereabouts on the card it is? Surely a quick bite in the right place would disable it permanently...

      1. Loyal Commenter Silver badge

        From what I can tell, the chip is the same one as the chip'n'pin one, the aerial runs around the outer edge of the card. Presumably cutting a notch into it, or cutting the corner off would inactivate it if it cut through the aerial. I wouldn't recommend trying it though.

        1. Anonymous Coward
          Anonymous Coward

          NFC Chips

          There is some pretty good info about cards here:

          http://en.wikipedia.org/wiki/EMV

          I would echo Loyal Commentater's caution about tampering with a card - you do not own your card and the bank are perfectly within their rights to not issue you a card if you are caught tampering with it.

        2. Chloe Cresswell Silver badge

          Barcleys

          DId that, works well to stop it.

          I have a barcley card, debit (barcleys) and debit (barcleys business) and they all came as paywave. All have the antenna cut.

          Now however, in a change of heart - maybe people complained, they will let me request a full non-paywave debit card on the personal account, but not the business. If I did use it, I'd still have to ask for a receipt all the time, because I need to prove what I used the card for!

          1. Anonymous Coward
            Anonymous Coward

            Re: Barcleys

            You do business with a company whose name you can't spell?

  6. imprecision
    Stop

    Amazon as a merchant have the choice to enforce CVV2 checks or not - it is at their liability (not the customer) if they don't and the card transaction turns out to be fraudulent. This is *their* choice as offered by the card companies.

    This is not an issue with Amazon, or any other retailer who decide to take the risk (at *their* cost) of not enforcing CVV2 checks (usually because they see a better trolley-to-order conversion ratio by not enforcing it).

    This is a failure of Barclays to produce any kind of security in their hardware. Plain and simple.

    1. Anonymous Coward
      Anonymous Coward

      Spot on

      Nothing is 100% secure and nothing ever will be. Nobody expects it to be, it just has to be "good enough".

      Having seen the way banks have treated customers who have had Chip&Pin cards cloned by shoddy hardware which has been compromised (supplied by who? Yep that's right, the card companies) then I won't go near NFC. Not a chance.

      Until the cosy little relationships between banks/police/law changes then the onus will ALWAYS be on the customer to "prove" they are not lying cheating scum. The bank will say - its all secure, not us and what do you do then? Police (much use that they ever were) will say fuck off to your bank.

      I find it amusing that anyone would trust banks, especially the egregious Barclays who are hardly squeaky clean mmm?

      1. Rob 5

        Precisely.

        Remember John Munden?

        1. Anonymous Coward
          Anonymous Coward

          Re: Precisely.

          @Rob 5

          Here is the court report on the case: http://www.alikelman.com/jobhbos.pdf

          Note, in particular the summations on Page 12 and 13.

          It's also worth pointing out that it is now law that banks have to prove in court that fraud is on the part of the customer (it wasn't then) but that this is actually what happened in this case.

          1. Rob 5

            @ AC: 16:38

            No, Job was a different case involving the Halifax making dodgy claims that customers must be crooks because the technology is infallible.

            In the Munden case, the judgement (on appeal) went against the Halifax.

            1. Anonymous Coward
              Anonymous Coward

              Re: @ AC: 16:38

              The Munden case, while pretty poor, was 20 years ago, things have changed a lot in that time.

              As for Job - Did you read the summation? It's pretty damning of Job.

      2. Anonymous Coward
        Anonymous Coward

        Re: Spot on

        @John Naismith - There is absolutely no evidence that any Chip and PIN card has ever been cloned. Unless you can demonstrate some? In which case, please cite sources.

      3. P. Lee
        Terminator

        Re: Spot on

        Which is why internet, NFC and banking is a problem. It opens up a world of compromise which simply wasn't there before.

        The question is, does not participating reduce the compromise risk?

  7. Jamie Kitson

    Other cards

    Channel 4 did point out in the report that other banks (HSBC and Natwest from memory) encrypt the details and so their cards weren't susceptible to the same attack, which you seem to have completely ignored in your article.

    1. Anonymous Coward
      Anonymous Coward

      Hear hear.

      It seems to me a clear design fault. The data should not be decryptable without a PIN being entered. Apparently however the system is designed so that requiring a PIN for transactions is optional, which is a stupid and obvious weakness IMO.

  8. Anonymous Coward
    Anonymous Coward

    Hmm...

    Did CH4 discover if the numbers being served were the number as printed on the card and/or included in the magstripe. While I don't think it's ideal for the card to share any unencrypted info, I understand that the numbers on the physical card, magstripe, chip'n'pin and NFC section of the card are all different. If the number shared is the NFC section's, it's going to require the manufacture of an NFC chip in order to exploit this, which I suspect it a lot more difficult than one might think.

  9. Chris Holt

    NFC readers can read NFC cards, and in other news Amazon doesnt use CV2

    I don't get this...two stories and a link between them that serves only to make the first story more significant?

  10. Mike Charalambous
    Stop

    Shame on you Barclays and Amazon

    I was pretty suprised at the demonstration by C4. The reporter has his wallet on the table and the security guy just put his mobile on top of it for a second. This was sufficient for the reporter's credit card details to be slurped by a custom android app the security guy had on his phone. The details collected were his name and the long number on the front of the card. They then created a fake account in amazon with a different home address than the reporters and bought stuff. As far as I recall the fake amazon account didn't even use the same name as the reporter.

    In essence the issues this report highlighted:

    1. Barclays have not secured the NFC component of their cards. This is a very stupid error and something that anybody with experience of contactless cards is aware of. I wouldn't be suprised if the egg heads were overrulled by the PHBs on this one.

    2. Amazon allowed the creation of a second account with a different home address and name with the nicked credit card. This means that amazon are not even doing the most basic of checks to ensure the card details correspond to the customer details.

    Basically it seems to me both companies have done a cost analysis and worked out its cheaper for customer to be ripped off and them to refund them than to deal the issue properly.

    Business as usual then.

    1. Irongut Silver badge

      Re: Shame on you Barclays and Amazon

      How are Amazon to know that this is a fake account? It could be that CC number was not connected to any existing Amazon account so they would have no way to tell. Even if it was connected to an existing Amazon account would you prevent a family having separate accounts on the same CC or someone having an account for work use with a different address? Just because the same CC is used for more than one account does not automatically mean it has been stolen even if the names and addresses are different.

      1. Anonymous Coward
        Anonymous Coward

        Re: How are Amazon to know that this is a fake account?

        By verifying the goddam CVV, like they're supposed to have been doing all along.

      2. Jimbo 6
        FAIL

        @ Irongut

        So if you are Mr Jones of Exeter, and someone places an order using your card number with the details of Miss Smith of Newcastle, you actually expect a retailer to say "oh well it *could* be legitimate, let's send that Fondleslab2" ? You might not care as Amazon are picking up the tab, but if they allowed this and *you* had to pay, you'd be pretty pissed off, I believe.

        If the CC number was not connected to any existing Amazon account, then the *initial* transaction (at least) should be subject to a 'Code 10' check (i.e. the customer must enter the address *exactly* as it is on the bank statement, and the retailer verifies this with the bank before the goods are sent. Mismatch = possible fraud. This does not prevent the retailer from accepting a different *delivery* address.)

        "Would you prevent a family having separate accounts on the same CC" ? - Yes, absolutely. This may come as a shock to you, but your family do NOT have the right to use your credit/debit card, any more than they have the right to write (and sign) a cheque in your name. At my former job (games + peripherals, mail-order: ergo, highly sellable down the pub), we were endlessly having to tell wives that they are not allowed to use their husband's card details. If you trust your spouse (or your kids) with your credit card, it's a simple enough process to get them a *separate* card, payable on your account, but with their name on it (& if the kids are at a different address - off at college, presumably - registered to their address).

        1. Mark Morgan

          Re: @ Irongut

          ""Would you prevent a family having separate accounts on the same CC" ? - Yes, absolutely."

          Why? This is a PITA. Some credit card companies issue additional cards against the primary card holder's account with exactly the same 16-digit card number, start date, expiry date and even CVV2 number - Tesco Visa I'm looking at you. Which means on the few websites which do check for this then my wife can't use her credit card if I have an account on the site too e.g. Paypal. Thankfully many credit card companies, Barclaycard included, issue additional cards against the primary card holders account with a different 16-digit number.

  11. PaulWizard
    FAIL

    Saw this one coming

    Barclays sent me a replacement Visa card in February with contact-less tech. Called them up and asked for a non contact-less card instead, was told they can't do that, but could give me an electron card without contact-less instead!!

    When asked why I didn't want the contact-less card I pointed out I worked in info sec, dabble in electronics and also a radio ham (No beard, sorry) and the technology was unsafe (if I can read my details from the cards, so can criminals). I was then issued with the usual propaganda:

    Cards can only be read from a few centimetres away - No, that's a limitation of the reader, not the card.

    Transactions are limited to £10/£15 - Only if details are used to make "contact-less" payments, not if used elsewhere.

    Bank would cover any fraud so I wouldn't be liable for any fraudulent transactions - Yeah that's great, and they are very good at doing that promptly (having been screwed over by a large high street phone supplier handing my bank details (via direct debit forms) over to some con artist) but that doesn't cover my inconvenience having my life disrupted whilst I have to deal with it and wait for new cards etc. I would much rather not expose myself to the risk thank you very much.

    Even had the cheek to ask "Wouldn't you like the convenience of being able to walk into a coffee shop and just swipe to pay?" What's so inconvenient about typing in 4 numbers?

    End result, having banked with them for > 30 years, I changed banks.

    According to a colleague, who banks with someone else, when issued with contact-less cards recently, he rang up and they have the option of non contact-less cards. Shame mine couldn't do that.

    1. Florence

      Non contact-less option

      I received a contact-less card from BoS a couple of years ago, called the number printed on the associated literature and at first I was also told they couldn't change it.

      I hadn't actually read the small print yet - started to as I was explaining my security objections on the phone and read I could go to my local branch and request a normal card. Read it out to the CS agent , who probably put me on hold for a bit, but in the end I did get a normal card.

      So err, yeah, read the small print, don't just listen to the guy/girl on the phone.

      Having said that, I'm entirely willing to believe Barclays would offer no such option.

      1. PaulWizard
        Unhappy

        Re: Non contact-less option

        I was trying to keep it short :) I had spoke to bod on phone who couldn't help, he booked me an appointment with a chap at the local to where I work branch, as he wasn't able to do anything to help. Bloke I'm booked with rings up in advance as he was a business manager and was rarely at that branch so couldn't understand why I was booked to see him. Spent about half hour going through the points above on the phone (he was the chap who asked "didn't I want the convenience..."). He couldn't help either (other than to say he didn't believe they did it) so I went to see the personal banker at the branch. He rang through several departments and eventually said the best they could do was offer me the electron. He also said that it was exactly the same as a Visa, good job I double checked before taking him at his word!!. So no option, or at least none that three separate employees could give me. As I understand it from what I was told from each person, this is all down to how in bed with each other Barclays and Visa are. The other banks don't have the same special relationship :)

    2. Anonymous Coward
      Anonymous Coward

      Re: Saw this one coming

      @Paul - The cards are NFC, not RFID, they cannot be read from more than a few centimeters.

      Also, even if they could be read, what happens? You need a bank issued reader and a merchant account for the money to go into. This means that the bank has your name and address and a lovely breadcrumb train heading all the way to your door.

      1. PaulWizard
        Happy

        Re: Saw this one coming

        NFC is simply a modified version of RFID, one thats supposed to employ shielding to restrict the range. That's all well and good for standard readers, but it's essentially radio, therefore equipment can be built (and probably already exists) to talk to them at a greater distance. As for "bank issued reader", well I got mine from Ebay (I don't think they are a bank??). You can pick up a standard reader for about £50 and be able to read the card, or, as the article sugests, an NFC equiped smartphone ;)

        1. Anonymous Coward
          Anonymous Coward

          Re: Saw this one coming

          Ok, NFC is modified RFID but RFID which uses induction to power it, hence the distance limits.

          Also, you may have a reader, but then what? Where does the money go?

          1. PaulWizard
            WTF?

            Re: Saw this one coming

            I think you may be missing the point, I'm not reading "money" from the card, I'm reading the card holders name, long card number, start date and expiry date. That is then enough information to be used elsewhere, such as say Amazon. Did you miss the article and skip straight to the comments?

  12. Tim #3

    Liability

    Where does liability rest with these transactions? I understood that several banks/ card issuers used the Verified by Visa registration to move liability from them to the customer, is this in the same boat?

    1. Anonymous Coward
      Anonymous Coward

      Re: Liability

      As with all card transactions, the law explicitly states that the bank has to prove that the customer is the source of the fraud.

  13. arthvr
    Boffin

    tin foil is the answer

    There is money to be made by someone who produces a tin foil lined wallet - perosnally I don't carry my Barclaycard anywhere since they give me the new type.

    1. sugerbear

      Re: tin foil is the answer

      Just keep the card near to your (non-nfc) mobile phone. The signal of the phone will swamp the card.

      All Amazon's fault this one.

      1. Anonymous Coward
        Anonymous Coward

        Re: tin foil is the answer

        @sugerbear. How does that work then?

    2. Jimbo 6
      Black Helicopters

      Re: tin foil lined wallet

      Have you never heard the phrase "keep it under your hat" ?

    3. John McCallum

      Re: tin foil is the answer

      I have seen on the internet someone selling wallets made from woven stainless steel wire.I kid you not.

      1. PaulWizard
        Black Helicopters

        Re: tin foil is the answer

        Have a look at SkimStopper, basically selling people tin foil envelopes to put your cards/passport in.

        1. Jan 0 Silver badge

          Re: tin foil is the answer

          but, does it work if the foil isn't earthed?

          I've read that Datatags can be read when stuffed deep into a bicycle frame.

          1. Anonymous Coward
            Anonymous Coward

            Re: tin foil is the answer

            @Jan 0 - A bicycle frame is not a Faraday Cage, in that it allows signals in the top and bottom. The idea of these wallets/envelopes is that the completely enclose the card (and also don't touch it, thereby inadvertently making it an aerial). This would make the wallet/envelope function as a Faraday Cage which no signal can pass into/out of.

            1. Jan 0 Silver badge

              Re: tin foil is the answer

              The seat post, bottom bracket and head tube block the holes in a bicycle frame. Given that the shortest wavelength used for RFIDS is ~30mm (10GHz), a bicycle frame doesn't need to be hermetically sealed.

              How good a Faraday Cage can a foil or mesh lined wallet be if it's not earthed?

  14. Anonymous Coward
    Anonymous Coward

    How ATM fraud nearly brought down British banking

    Banks, who trusts them. Nothing changes.

    http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/

    1. Anonymous Coward
      Anonymous Coward

      Re: How ATM fraud nearly brought down British banking

      That was a corrupt group of individuals, not a bank as a whole. It was very serious, but is not something which could happen these days due to the vastly increased use of audit, also the use of third party hardware appliances rather than in house coded apps for key generation/random number generation etc.

      If you aren't going to trust your bank, who do you trust with your money? I would wager a mattress stuffed with tenners is not as secure as a bank, also doesn't have a guarantee from the Government that you'll get your money back.

  15. This post has been deleted by its author

  16. SImon Hobson Bronze badge

    Yeah right !

    >> Any losses incurred by this kind of fraud would be refunded by Barclaycard, once the customer has jumped through the required hoops

    And the required hoops ? No doubt prove the unprovable. They will claim that their system is secure (as they do with Chip&PIN), and therefore show that the transaction had to have been made with your card. Since you still have the card and it's never been out of your possession then you must have used it. QED - required hoops attempted and failed. I know someone who had his bank account maxed out just after pay day - and the hoops his bank made him jump through (how do you prove that you didn't make purchases in your home town ?) It caused him a not inconsiderable amount of hassle - and the Police were actively unhelpful and even threatened to arrest him for trying to get evidence preserved (he went to one place the card had been used to ask if they had CCTV of the purchase and could they preserve it - something the Police weren't prepared to do).

    I too got a contactless Barclaycard - I too wrote to them and said I don't want it and **won't** carry it. Needless to say, they won't provide a card without, so I don't carry it (I have other cards without that). I was tempted to see what a few seconds exposure to 850W of 2.4GHz (standard domestic microwave) would do to the chip !

    As for the "convenience", well I tend to find that it's convenient to hand over a small sheet of paper with a portrait of the Queen on it and/or a few small metallic tokens. They've served me well enough over the years, I can control the exposure to risk (I can't lose more than I'm carrying), and I've yet to find an establishment that doesn't take this old fashioned payment method.

This topic is closed for new posts.

Other stories you might like