Barclays rolls out contactless debit card

Tom Espiner ZDNet.co.uk

Published: 02 Mar 2009 14:55 GMT


Barclays Bank has rolled out a contactless Visa debit card.

From Monday, Barclays customers getting new or replacement cards will receive ones containing contactless (RFID) technology. It allows them to use the debit card for transactions of up to ten pounds without entering a PIN.

Owners will still be able to use the debit cards for chip and PIN transactions and for bank machine withdrawals.

The protocol behind the contactless technology has not been made available to academic security researchers, Cambridge University researcher Steven Murdoch said on Monday.

"The problem with the UK contactless system is that it's secret, which means we have to reverse-engineer it to point out vulnerabilities," Murdoch told ZDNet UK. "Contactless payment has been rolled out, but any security vulnerabilities will be pointed out after the banks can do anything about it."

Murdoch said that while security researchers were restricted from viewing the protocol, people with malicious intent would be able to examine it.

"I'm sure crooks will have a copy of the spec," he said. "People can get hold of a copy if they sign a contract saying they will not make any reports [about the protocol]. Any criminals could get hold of a copy of the specification, but academics are at a disadvantage."

A Barclays spokesperson told ZDNet UK on Monday that there had been extensive third-party testing of the contactless system, and said that security risks around contactless payments had been mitigated.

"Contactless is designed for small transactions, while users will periodically be asked for a PIN," said the spokesperson. "The card uses dynamic data authentication — in which a unique secret code is generated to authenticate each transaction — while the chip contains different information than the magnetic strip, to prevent cloning."

Tests have concluded that it would not be economically viable for criminals to subvert the system, the Barclays spokesperson added. "The cost of intercepting the information doesn't justify how much could be made out of the information," said the spokesperson.


Cambridge University researchers have said they have serious security concerns about chip and PIN payment systems. Researchers Saar Drimer, Ross Anderson and Murdoch published a paper on Thursday detailing security flaws in the Chip Authentication Programme (CAP), the card-reader scheme used with UK payment cards for online banking. The main problem they identified is that the reader-based online authentication systems had been optimised for usability, to the extent of sacrificing security.

Drimer, Murdoch and Anderson said they had found design errors in CAP, including a failure to ensure "freshness of responses". Murdoch said that there were no assurances in the system that card responses were not old or generated in advance, allowing for a man-in-the-middle attack.

"The lack of freshness could be exploited through a fake chip and PIN terminal in a shop," said Murdoch. "The bank asks for a response from a card reader that it hasn't seen before, but that response could be hours or even days old."

In addition, authentication tokens are reused between point-of-sale and online banking transactions, Murdoch added. This effectively opens up the possibility of a man-in-the-middle attack online, he said.
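The two properties Murdoch describes, freshness of responses and separation between point-of-sale and online-banking use, can be shown with a small challenge-response model. The following is an added illustration, not the CAP protocol, the Cambridge paper's code or any bank's implementation: the key, the domain tags, the challenge format and the verifier classes are all constructed for the example. The StaleVerifier accepts a correct MAC over a predictable challenge, so a response captured by a fake terminal can be replayed later; the FreshVerifier issues a random single-use nonce per attempt and binds a domain tag into the MAC, so neither an old response nor one obtained in a shop is accepted for online banking.

```python
"""Added example: replayable vs. fresh challenge-response (not CAP itself).
All keys, challenges and domain tags below are constructed for illustration."""
import hashlib
import hmac
import secrets

CARD_KEY = b"constructed-card-key"  # illustrative shared secret between card and issuer


def card_response(key: bytes, challenge: bytes, domain: bytes) -> bytes:
    """Card side: MAC over (domain, challenge). Binding the domain tag means a
    response computed for b"pos" is not a valid response for b"online-banking"."""
    return hmac.new(key, domain + b"|" + challenge, hashlib.sha256).digest()


class StaleVerifier:
    """Bank side with no freshness: the challenge is predictable (here fixed), so
    a response can be computed, or captured, hours before it is used."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.challenge = b"predictable-challenge"  # constructed: stands in for no nonce

    def verify(self, domain: bytes, response: bytes) -> bool:
        expected = card_response(self.key, self.challenge, domain)
        return hmac.compare_digest(expected, response)


class FreshVerifier:
    """Bank side with freshness: a random nonce per attempt, consumed on first use,
    so only a response computed after the nonce was issued can succeed."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.outstanding: set[bytes] = set()

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, domain: bytes, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False  # never issued, or already consumed
        self.outstanding.discard(nonce)  # single use
        expected = card_response(self.key, nonce, domain)
        return hmac.compare_digest(expected, response)


def replay_against_stale() -> bool:
    """A fake terminal captures a response today and replays it later.
    Returns True if the stale verifier accepts the replay."""
    bank = StaleVerifier(CARD_KEY)
    captured = card_response(CARD_KEY, bank.challenge, b"pos")  # captured earlier
    return bank.verify(b"pos", captured)


def genuine_against_fresh() -> bool:
    """Honest session: nonce issued, card answers it, bank accepts."""
    bank = FreshVerifier(CARD_KEY)
    nonce = bank.issue_challenge()
    return bank.verify(b"pos", nonce, card_response(CARD_KEY, nonce, b"pos"))


def replay_against_fresh() -> bool:
    """The response from one session is replayed against a later one.
    Returns True only if either the old nonce or the new nonce accepts it."""
    bank = FreshVerifier(CARD_KEY)
    n1 = bank.issue_challenge()
    captured = card_response(CARD_KEY, n1, b"pos")
    bank.verify(b"pos", n1, captured)  # genuine use consumes n1
    n2 = bank.issue_challenge()  # later session, new nonce
    return bank.verify(b"pos", n2, captured) or bank.verify(b"pos", n1, captured)


def cross_domain_relay() -> bool:
    """Man-in-the-middle relay: the bank's online-banking nonce is presented to the
    card by a fake shop terminal as a point-of-sale transaction. Because the card
    bound b"pos" into its response, the online-banking verifier rejects it."""
    bank = FreshVerifier(CARD_KEY)
    nonce = bank.issue_challenge()  # issued for an online-banking login
    pos_response = card_response(CARD_KEY, nonce, b"pos")  # what the card gives the shop
    return bank.verify(b"online-banking", nonce, pos_response)


if __name__ == "__main__":
    print("stale verifier accepts replay:", replay_against_stale())
    print("fresh verifier accepts genuine:", genuine_against_fresh())
    print("fresh verifier accepts replay:", replay_against_fresh())
    print("online banking accepts POS response:", cross_domain_relay())
```

The domain tag only helps if the card cannot be induced by a terminal to compute the other domain's tag; in practice that means separate keys or applications per use, not just a label chosen by whoever holds the reader.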

Apacs, a UK trade association for the payments industry, said that it was familiar with the report by the Cambridge researchers. "The report hasn't said anything we are unaware of," a spokesperson for the group said. "It's important to bear in mind that those banks that have deployed two-factor authentication have reported a fall in fraud losses."

The spokesperson added that the Cambridge University researchers tested security to a different set of requirements to banks. "Banking industry requirements are usability — that card processes are easy for customers to understand, and that cards are easy to transport," said the spokesperson.
