A train journey to work is a very innocuous thing. But when a man slowly bumped into me and my pocket for a bit too long, it took me a second to realise what had just happened. I called my bank and found out that said individual had managed to steal £20 from my account via a contactless card payment; my bank promptly reimbursed me.

Technologically speaking, I’m very curious about how something like this happened. Contactless payment cards do contain normal RFID chips, but they also have secure microprocessors and memory, which have the ability to perform cryptographic processing. This means a card wouldn’t just give away card details to anyone who asks for them.

Europay, MasterCard and Visa, the three companies that created the EMV standard for processing card transactions, say that due to the security on the card, it is not possible to steal things like a person’s billing address and CVV code, so the hacker wouldn’t be able to process online transactions after the fact.

The consumer research group Which? conducted a study back in July 2015 that refuted this, however: “Contactless cards are coded to ‘mask’ personal data, but using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards. We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code (the number on the back). We doubted we’d be able to make purchases without the cardholder’s name or CVV code – but we were wrong.”

Source: SC staff hit by contactless card theft – SC Magazine UK