Barclaycard pay-by-bonk fraud risk exposes Amazon's security

Channel 4 News has found out that pay-by-wave phones are compatible with pay-by-wave cards, and wants something done about it, but it's web bazaar Amazon that's lacking basic security. The investigation, which was carried out by viaForensics at Channel 4's behest, discovered that one can lift the credit card number, expiry …

COMMENTS

This topic is closed for new posts.
  1. Roger Greenwood

    Visa

    Untrusted by me for over a decade.

  2. Richard Gadsden

    Amazon have never wanted CVV / CVV2

    Amazon orders (as distinct from Marketplace orders) are only paid for when the goods dispatch.

    Most retailers do this by pre-authorising the charge using CVV at the time of order and then charging at the time of dispatch, but Amazon have always run the much simpler system of storing the credit card details and only charging the account at dispatch.

    That does mean that Amazon can't use CVV authorisation, because they aren't allowed to store the CVV information until they're ready to use it.

    I suspect that Amazon eat their own chargebacks (and pay a lower handling fee to the CC companies) and have their own anti-fraud measures, rather than using CVV or 3-D Secure.

    1. Anonymous Coward

      Re: Amazon have never wanted CVV / CVV2

      I think it has a lot to do with Kindle sales using 3G/wifi personally - few people know the CVV and it doesn't encourage impulse buys. The laughingly easy to compromise "Verified By Visa" won't work with the Kindle browser either so eating the chargebacks is probably a lot cheaper for them.

      Also Richard is spot-on about when they charge the card - that happens when the order clears packing and not before, no pre-auth on any Amazon orders.

      1. PeterI

        Re: Amazon have never wanted CVV / CVV2

        Amazon have a race condition on Kindle purchases: when my card expired I downloaded from the store successfully but then got an email asking me to register a new card.

    2. Brad100

      Re: Amazon have never wanted CVV / CVV2

      Under PCI you actually are allowed to store the security codes up to the point of auth, and this time period has never been specifically defined, at least not in earlier versions of the DSS. However, I do agree that the standards around the protection and handling of the security codes make it more desirable to not handle them at all, from a compliance standpoint.

  3. Usually Right or Wrong

    It's all a tradeoff

    What drives customers to sites like Amazon is the convenience of making a purchase with saved details, being able to ship to a work address or pick up from a collection point.

    What makes it convenient for fraudsters is that stolen credit cards get more mileage and goods mules don't have to be burned that often as the collection points rarely validate the photo ID, so false ID works most times and the home address is not exposed.

    While the fraud rates remain low, the cost of fraud can be passed on whilst keeping prices competitive. A recent figure from another on-line retail vendor was <1% of transactions were fraudulent and about 80% of these were detected and stopped before shipping. (Simple measures like contacting the card holder before shipping if systems picked up anomalies.)

    With figures like that, there is little incentive for a business to lock down too much and make the customer experience difficult, but a lack of CVV2 check is inexcusable.

  4. auburnman

    What's always bugged me about CVV2 is having the number printed on the card. Why not send the authorisation number to the cardholder like an (unchangeable) PIN#?

    1. Anonymous Coward

      Because

      People forget PINs.

      All the CVV is supposed to do is to make it impossible to use a card for CNP transactions by using the card number from a "kerchunk-kerchunk" machine style impression or from swiping the magstripe.

      The chip has different card numbers for Chip and PIN and NFC transactions.

      1. auburnman

        Re: Because

        Of course. I forgot cashpoints were a massive failure shortly after their introduction and were withdrawn never to be tried again.

  5. Robert E A Harvey

    I've already said I don't want contactless anything, so will maintain my previous stance.

    I have not asked for it, I don't want it.

    1. Anonymous Coward

      That's fine

      It's totally within your rights to do so, but I have to ask:

      Why are you reveling in your shunning of new technology on a tech web site?

      1. Jimbo 6

        Re: "shunning of new technology"

        Because :

        new =/= (useful, reliable, trustworthy...)

        I presume you haven't noticed that some other articles on El Reg highlight *problems* with technology ? Particularly, problems that the profit-takers are happy to sweep under the carpet ?

        As the Native American saying goes, "Only an idiot tests the depth of the water with both feet..."

        1. Anonymous Coward

          Re: "shunning of new technology"

          @Jimbo 6 - Yes, but just because something is new and works without wires (which seems to be the main problem) doesn't mean that the people who have designed it don't know what they're doing. There seem to be a lot of people commenting on The Reg who "know" a lot more about subjects than the experts who work in those fields professionally. Guess what? Usually they don't know more, they just know about a vastly simplified version of said subject, but believe that they know everything about it.

          1. Anonymous Coward

            Questioning their priorities rather than their skill

            I'm sure the designers have been quite professional in producing a system that is beneficial to the bottom line of the payment processing industry, the people who pay them. I'm less convinced they've designed a system that's beneficial to the cardholder. If it reduced the risk of fraud then I'm sure they'd be telling us about it, but they aren't.

            1. Anonymous Coward

              Re: Questioning their priorities rather than their skill

              @AC It does reduce the risk of fraud and APACS do tell us about it; just because you don't look in the correct places for this info doesn't mean that it's not being put out there.

    2. sabroni Silver badge

      >>I have not asked for it, I don't want it.<<

      No, me neither, but when I contacted my credit card provider (Virgin) and asked for a card without contactless tech I was told they couldn't do it, all new cards have it built in. So you might not want it, but you're going to have a hard time avoiding it.

      Anyone know whereabouts on the card it is? Surely a quick bite in the right place would disable it permanently...

      1. Loyal Commenter Silver badge

        From what I can tell, the chip is the same one as the chip'n'pin one, the aerial runs around the outer edge of the card. Presumably cutting a notch into it, or cutting the corner off would inactivate it if it cut through the aerial. I wouldn't recommend trying it though.

        1. Anonymous Coward

          NFC Chips

          There is some pretty good info about cards here:

          http://en.wikipedia.org/wiki/EMV

          I would echo Loyal Commenter's caution about tampering with a card - you do not own your card and the bank are perfectly within their rights to not issue you a card if you are caught tampering with it.

        2. Chloe Cresswell Silver badge

          Barcleys

          Did that, works well to stop it.

          I have a barcley card, debit (barcleys) and debit (barcleys business) and they all came as paywave. All have the antenna cut.

          Now however, in a change of heart - maybe people complained, they will let me request a full non-paywave debit card on the personal account, but not the business. If I did use it, I'd still have to ask for a receipt all the time, because I need to prove what I used the card for!

          1. Anonymous Coward

            Re: Barcleys

            You do business with a company whose name you can't spell?

  6. imprecision

    Amazon as a merchant have the choice to enforce CVV2 checks or not - it is at their liability (not the customer) if they don't and the card transaction turns out to be fraudulent. This is *their* choice as offered by the card companies.

    This is not an issue with Amazon, or any other retailer who decide to take the risk (at *their* cost) of not enforcing CVV2 checks (usually because they see a better trolley-to-order conversion ratio by not enforcing it).

    This is a failure of Barclays to produce any kind of security in their hardware. Plain and simple.

    1. Anonymous Coward

      Spot on

      Nothing is 100% secure and nothing ever will be. Nobody expects it to be, it just has to be "good enough".

      Having seen the way banks have treated customers who have had Chip&Pin cards cloned by shoddy hardware which has been compromised (supplied by who? Yep that's right, the card companies) then I won't go near NFC. Not a chance.

      Until the cosy little relationships between banks/police/law change, the onus will ALWAYS be on the customer to "prove" they are not lying cheating scum. The bank will say "it's all secure, not us" and what do you do then? Police (much use that they ever were) will say fuck off to your bank.

      I find it amusing that anyone would trust banks, especially the egregious Barclays who are hardly squeaky clean mmm?

      1. Rob 5

        Precisely.

        Remember John Munden?

        1. Anonymous Coward

          Re: Precisely.

          @Rob 5

          Here is the court report on the case: http://www.alikelman.com/jobhbos.pdf

          Note, in particular the summations on Page 12 and 13.

          It's also worth pointing out that it is now law that banks have to prove in court that fraud is on the part of the customer (it wasn't then) but that this is actually what happened in this case.

          1. Rob 5

            @ AC: 16:38

            No, Job was a different case involving the Halifax making dodgy claims that customers must be crooks because the technology is infallible.

            In the Munden case, the judgement (on appeal) went against the Halifax.

            1. Anonymous Coward

              Re: @ AC: 16:38

              The Munden case, while pretty poor, was 20 years ago, things have changed a lot in that time.

              As for Job - Did you read the summation? It's pretty damning of Job.

      2. Anonymous Coward

        Re: Spot on

        @John Naismith - There is absolutely no evidence that any Chip and PIN card has ever been cloned. Unless you can demonstrate some? In which case, please cite sources.

      3. P. Lee

        Re: Spot on

        Which is why internet, NFC and banking is a problem. It opens up a world of compromise which simply wasn't there before.

        The question is, does not participating reduce the compromise risk?

  7. Jamie Kitson

    Other cards

    Channel 4 did point out in the report that other banks (HSBC and Natwest from memory) encrypt the details and so their cards weren't susceptible to the same attack, which you seem to have completely ignored in your article.

    1. Anonymous Coward

      Hear hear.

      It seems to me a clear design fault. The data should not be decryptable without a PIN being entered. Apparently however the system is designed so that requiring a PIN for transactions is optional, which is a stupid and obvious weakness IMO.

  8. Anonymous Coward

    Hmm...

    Did CH4 discover if the numbers being served were the number as printed on the card and/or included in the magstripe? While I don't think it's ideal for the card to share any unencrypted info, I understand that the numbers on the physical card, magstripe, chip'n'pin and NFC section of the card are all different. If the number shared is the NFC section's, it's going to require the manufacture of an NFC chip in order to exploit this, which I suspect is a lot more difficult than one might think.

  9. Chris Holt

    NFC readers can read NFC cards, and in other news Amazon doesn't use CV2

    I don't get this...two stories and a link between them that serves only to make the first story more significant?

  10. Mike Charalambous

    Shame on you Barclays and Amazon

    I was pretty surprised at the demonstration by C4. The reporter had his wallet on the table and the security guy just put his mobile on top of it for a second. This was sufficient for the reporter's credit card details to be slurped by a custom Android app the security guy had on his phone. The details collected were his name and the long number on the front of the card. They then created a fake account on Amazon with a different home address than the reporter's and bought stuff. As far as I recall the fake Amazon account didn't even use the same name as the reporter.

    In essence the issues this report highlighted:

    1. Barclays have not secured the NFC component of their cards. This is a very stupid error and something that anybody with experience of contactless cards is aware of. I wouldn't be surprised if the egg heads were overruled by the PHBs on this one.

    2. Amazon allowed the creation of a second account with a different home address and name with the nicked credit card. This means that amazon are not even doing the most basic of checks to ensure the card details correspond to the customer details.

    Basically it seems to me both companies have done a cost analysis and worked out it's cheaper for customers to be ripped off and then to refund them than to deal with the issue properly.

    Business as usual then.

    1. Irongut

      Re: Shame on you Barclays and Amazon

      How are Amazon to know that this is a fake account? It could be that the CC number was not connected to any existing Amazon account, so they would have no way to tell. Even if it was connected to an existing Amazon account, would you prevent a family having separate accounts on the same CC, or someone having an account for work use with a different address? Just because the same CC is used for more than one account does not automatically mean it has been stolen, even if the names and addresses are different.

      1. Anonymous Coward

        Re: How are Amazon to know that this is a fake account?

        By verifying the goddam CVV, like they're supposed to have been doing all along.

      2. Jimbo 6

        @ Irongut

        So if you are Mr Jones of Exeter, and someone places an order using your card number with the details of Miss Smith of Newcastle, you actually expect a retailer to say "oh well it *could* be legitimate, let's send that Fondleslab2" ? You might not care as Amazon are picking up the tab, but if they allowed this and *you* had to pay, you'd be pretty pissed off, I believe.

        If the CC number was not connected to any existing Amazon account, then the *initial* transaction (at least) should be subject to a 'Code 10' check (i.e. the customer must enter the address *exactly* as it is on the bank statement, and the retailer verifies this with the bank before the goods are sent. Mismatch = possible fraud. This does not prevent the retailer from accepting a different *delivery* address.)

        "Would you prevent a family having separate accounts on the same CC" ? - Yes, absolutely. This may come as a shock to you, but your family do NOT have the right to use your credit/debit card, any more than they have the right to write (and sign) a cheque in your name. At my former job (games + peripherals, mail-order: ergo, highly sellable down the pub), we were endlessly having to tell wives that they are not allowed to use their husband's card details. If you trust your spouse (or your kids) with your credit card, it's a simple enough process to get them a *separate* card, payable on your account, but with their name on it (& if the kids are at a different address - off at college, presumably - registered to their address).
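A merchant-side sketch of the flow this comment and Richard Gadsden's earlier one describe: the CVV2 is checked at pre-authorisation and then discarded rather than stored (the PCI point), the billing address the customer typed is compared with the issuer's record before the first order on an unseen card, a disagreement puts the order on hold for a cardholder call rather than refusing it outright, the delivery address plays no part in the check, and the money is only captured at dispatch. This is an added example, not code from the article, from Amazon, Barclays or any card scheme; the issuer records, card numbers and the digit-only AVS scoring are constructed stand-ins for an acquirer API.

```python
"""Card-not-present checks a merchant can run before a first order on an unseen card.

Added illustration; the issuer stub and card numbers below are constructed test values.
"""
import hashlib
import re
import secrets
from dataclasses import dataclass

# Constructed issuer stub: PAN -> (CVV2 on record, billing address on file).
# Stands in for the acquirer/issuer API; these are made-up values, not real cards.
ISSUER_RECORDS = {
    "4000000000000002": ("123", "42 Station Road, Exeter, EX4 3LP"),
    "4000000000000010": ("987", "7 Quay Street, Newcastle, NE1 3DE"),
}


def _digits(text: str) -> str:
    return "".join(re.findall(r"\d", text))


def avs_match(entered: str, on_file: str) -> str:
    """Compare the numeric parts of the first address line and the postcode, AVS-style.

    Returns 'match', 'partial' or 'mismatch'. Only digits are compared, so
    'Road' versus 'Rd' does not matter but a different house number does.
    """
    def parts(address: str) -> tuple[str, str]:
        chunks = [c.strip() for c in address.split(",")]
        return _digits(chunks[0]), _digits(chunks[-1])

    street_ok = parts(entered)[0] == parts(on_file)[0]
    postcode_ok = parts(entered)[1] == parts(on_file)[1]
    if street_ok and postcode_ok:
        return "match"
    if street_ok or postcode_ok:
        return "partial"
    return "mismatch"


@dataclass
class PreAuth:
    auth_ref: str          # opaque reference used at dispatch instead of card details
    card_fingerprint: str  # SHA-256 of the PAN, kept only to recognise a returning card
    amount_pence: int
    avs_result: str
    decision: str          # 'approve', 'review' or 'decline'
    captured: bool = False


class Merchant:
    """Holds pre-authorisations; never holds a PAN or a CVV2."""

    def __init__(self) -> None:
        self.trusted_cards: set[str] = set()   # fingerprints with a completed order
        self.orders: dict[str, PreAuth] = {}

    def pre_authorise(self, pan: str, cvv2: str, billing_address: str,
                      amount_pence: int) -> PreAuth:
        record = ISSUER_RECORDS.get(pan)
        cvv_ok = record is not None and secrets.compare_digest(cvv2, record[0])
        del cvv2  # checked once and dropped: the CVV2 is never written anywhere
        fingerprint = hashlib.sha256(pan.encode()).hexdigest()
        del pan
        if not cvv_ok:
            return PreAuth("", fingerprint, amount_pence, "not checked", "decline")
        avs = avs_match(billing_address, record[1])
        first_order = fingerprint not in self.trusted_cards
        if avs == "match" or (avs == "partial" and not first_order):
            decision = "approve"
        else:
            decision = "review"   # hold the order and contact the cardholder before shipping
        auth = PreAuth(secrets.token_hex(8), fingerprint, amount_pence, avs, decision)
        self.orders[auth.auth_ref] = auth
        return auth

    def resolve_review(self, auth_ref: str, cardholder_confirmed: bool) -> str:
        """Outcome of the call to the cardholder for an order held for review."""
        auth = self.orders[auth_ref]
        if auth.decision == "review":
            auth.decision = "approve" if cardholder_confirmed else "decline"
        return auth.decision

    def capture_at_dispatch(self, auth_ref: str) -> bool:
        """Charge the held amount when the goods leave; only approved holds are captured."""
        auth = self.orders.get(auth_ref)
        if auth is None or auth.decision != "approve" or auth.captured:
            return False
        auth.captured = True
        self.trusted_cards.add(auth.card_fingerprint)
        return True


if __name__ == "__main__":
    shop = Merchant()
    ok = shop.pre_authorise("4000000000000002", "123", "42 Station Road, Exeter, EX4 3LP", 4999)
    odd = shop.pre_authorise("4000000000000002", "123", "13 High Street, Newcastle, NE1 9ZZ", 4999)
    print(ok.avs_result, ok.decision, "|", odd.avs_result, odd.decision)
```

The delivery address is deliberately not an input to `pre_authorise`: as the post says, a mismatch on the billing address is what signals possible fraud, and a different delivery address is a normal thing for a retailer to accept. The partial-match rule is looser for a card that has already completed an order, which is the kind of history-based judgement a merchant has that the issuer's plain AVS response does not.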

        1. Mark Morgan

          Re: @ Irongut

          ""Would you prevent a family having separate accounts on the same CC" ? - Yes, absolutely."

          Why? This is a PITA. Some credit card companies issue additional cards against the primary card holder's account with exactly the same 16-digit card number, start date, expiry date and even CVV2 number - Tesco Visa I'm looking at you. Which means on the few websites which do check for this my wife can't use her credit card if I have an account on the site too, e.g. PayPal. Thankfully many credit card companies, Barclaycard included, issue additional cards against the primary card holder's account with a different 16-digit number.

  11. PaulWizard

    Saw this one coming

    Barclays sent me a replacement Visa card in February with contact-less tech. Called them up and asked for a non contact-less card instead, was told they can't do that, but could give me an electron card without contact-less instead!!

    When asked why I didn't want the contact-less card I pointed out I worked in info sec, dabbled in electronics and was also a radio ham (No beard, sorry) and the technology was unsafe (if I can read my details from the cards, so can criminals). I was then issued with the usual propaganda:

    Cards can only be read from a few centimetres away - No, that's a limitation of the reader, not the card.

    Transactions are limited to £10/£15 - Only if details are used to make "contact-less" payments, not if used elsewhere.

    Bank would cover any fraud so I wouldn't be liable for any fraudulent transactions - Yeah that's great, and they are very good at doing that promptly (having been screwed over by a large high street phone supplier handing my bank details (via direct debit forms) over to some con artist) but that doesn't cover my inconvenience having my life disrupted whilst I have to deal with it and wait for new cards etc. I would much rather not expose myself to the risk thank you very much.

    Even had the cheek to ask "Wouldn't you like the convenience of being able to walk into a coffee shop and just swipe to pay?" What's so inconvenient about typing in 4 numbers?

    End result, having banked with them for > 30 years, I changed banks.

    According to a colleague, who banks with someone else, when issued with contact-less cards recently, he rang up and they have the option of non contact-less cards. Shame mine couldn't do that.

    1. Florence

      Non contact-less option

      I received a contact-less card from BoS a couple of years ago, called the number printed on the associated literature and at first I was also told they couldn't change it.

      I hadn't actually read the small print yet - started to as I was explaining my security objections on the phone and read I could go to my local branch and request a normal card. Read it out to the CS agent, who probably put me on hold for a bit, but in the end I did get a normal card.

      So err, yeah, read the small print, don't just listen to the guy/girl on the phone.

      Having said that, I'm entirely willing to believe Barclays would offer no such option.

      1. PaulWizard

        Re: Non contact-less option

        I was trying to keep it short :) I had spoken to a bod on the phone who couldn't help; he booked me an appointment with a chap at the branch local to where I work, as he wasn't able to do anything to help. Bloke I'm booked with rings up in advance as he was a business manager and was rarely at that branch so couldn't understand why I was booked to see him. Spent about half an hour going through the points above on the phone (he was the chap who asked "didn't I want the convenience..."). He couldn't help either (other than to say he didn't believe they did it) so I went to see the personal banker at the branch. He rang through several departments and eventually said the best they could do was offer me the electron. He also said that it was exactly the same as a Visa, good job I double checked before taking him at his word!! So no option, or at least none that three separate employees could give me. As I understand it from what I was told by each person, this is all down to how in bed with each other Barclays and Visa are. The other banks don't have the same special relationship :)

    2. Anonymous Coward

      Re: Saw this one coming

      @Paul - The cards are NFC, not RFID, they cannot be read from more than a few centimeters.

      Also, even if they could be read, what happens? You need a bank issued reader and a merchant account for the money to go into. This means that the bank has your name and address and a lovely breadcrumb train heading all the way to your door.

      1. PaulWizard

        Re: Saw this one coming

        NFC is simply a modified version of RFID, one that's supposed to employ shielding to restrict the range. That's all well and good for standard readers, but it's essentially radio, therefore equipment can be built (and probably already exists) to talk to them at a greater distance. As for "bank issued reader", well I got mine from eBay (I don't think they are a bank??). You can pick up a standard reader for about £50 and be able to read the card, or, as the article suggests, an NFC equipped smartphone ;)

        1. Anonymous Coward

          Re: Saw this one coming

          Ok, NFC is modified RFID but RFID which uses induction to power it, hence the distance limits.

          Also, you may have a reader, but then what? Where does the money go?

          1. PaulWizard

            Re: Saw this one coming

            I think you may be missing the point. I'm not reading "money" from the card, I'm reading the card holder's name, long card number, start date and expiry date. That is then enough information to be used elsewhere, such as, say, Amazon. Did you miss the article and skip straight to the comments?

  12. Tim #3

    Liability

    Where does liability rest with these transactions? I understood that several banks/ card issuers used the Verified by Visa registration to move liability from them to the customer, is this in the same boat?

    1. Anonymous Coward

      Re: Liability

      As with all card transactions, the law explicitly states that the bank has to prove that the customer is the source of the fraud.

  13. arthvr

    tin foil is the answer

    There is money to be made by someone who produces a tin foil lined wallet - personally I don't carry my Barclaycard anywhere since they gave me the new type.

    1. sugerbear

      Re: tin foil is the answer

      Just keep the card near to your (non-nfc) mobile phone. The signal of the phone will swamp the card.

      All Amazon's fault this one.

      1. Anonymous Coward

        Re: tin foil is the answer

        @sugerbear. How does that work then?

    2. Jimbo 6

      Re: tin foil lined wallet

      Have you never heard the phrase "keep it under your hat" ?

    3. John McCallum

      Re: tin foil is the answer

      I have seen on the internet someone selling wallets made from woven stainless steel wire. I kid you not.

      1. PaulWizard

        Re: tin foil is the answer

        Have a look at SkimStopper, basically selling people tin foil envelopes to put your cards/passport in.

        1. Jan 0 Silver badge

          Re: tin foil is the answer

          but, does it work if the foil isn't earthed?

          I've read that Datatags can be read when stuffed deep into a bicycle frame.

          1. Anonymous Coward

            Re: tin foil is the answer

            @Jan 0 - A bicycle frame is not a Faraday Cage, in that it allows signals in the top and bottom. The idea of these wallets/envelopes is that they completely enclose the card (and also don't touch it, thereby inadvertently making it an aerial). This would make the wallet/envelope function as a Faraday Cage which no signal can pass into/out of.

            1. Jan 0 Silver badge

              Re: tin foil is the answer

              The seat post, bottom bracket and head tube block the holes in a bicycle frame. Given that the shortest wavelength used for RFIDs is ~30mm (10GHz), a bicycle frame doesn't need to be hermetically sealed.

              How good a Faraday Cage can a foil or mesh lined wallet be if it's not earthed?

  14. Anonymous Coward

    How ATM fraud nearly brought down British banking

    Banks, who trusts them. Nothing changes.

    http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/

    1. Anonymous Coward

      Re: How ATM fraud nearly brought down British banking

      That was a corrupt group of individuals, not a bank as a whole. It was very serious, but is not something which could happen these days due to the vastly increased use of audit, also the use of third party hardware appliances rather than in house coded apps for key generation/random number generation etc.

      If you aren't going to trust your bank, who do you trust with your money? I would wager a mattress stuffed with tenners is not as secure as a bank, also doesn't have a guarantee from the Government that you'll get your money back.

  15. This post has been deleted by its author

  16. Simon Hobson Bronze badge

    Yeah right !

    >> Any losses incurred by this kind of fraud would be refunded by Barclaycard, once the customer has jumped through the required hoops

    And the required hoops ? No doubt prove the unprovable. They will claim that their system is secure (as they do with Chip&PIN), and therefore show that the transaction had to have been made with your card. Since you still have the card and it's never been out of your possession then you must have used it. QED - required hoops attempted and failed. I know someone who had his bank account maxed out just after pay day - and the hoops his bank made him jump through (how do you prove that you didn't make purchases in your home town ?) It caused him a not inconsiderable amount of hassle - and the Police were actively unhelpful and even threatened to arrest him for trying to get evidence preserved (he went to one place the card had been used to ask if they had CCTV of the purchase and could they preserve it - something the Police weren't prepared to do).

    I too got a contactless Barclaycard - I too wrote to them and said I don't want it and **won't** carry it. Needless to say, they won't provide a card without, so I don't carry it (I have other cards without that). I was tempted to see what a few seconds exposure to 850W of 2.4GHz (standard domestic microwave) would do to the chip !

    As for the "convenience", well I tend to find that it's convenient to hand over a small sheet of paper with a portrait of the Queen on it and/or a few small metallic tokens. They've served me well enough over the years, I can control the exposure to risk (I can't lose more than I'm carrying), and I've yet to find an establishment that doesn't take this old fashioned payment method.
