Smartphones easily used to skim credit card data
Popular smartphone and free app used to get data from chip-enabled debit or credit cards
A technology designed to make it easier to pay with your credit card may be putting Canadians at risk of fraud and identity theft, security and privacy experts warn.
Many new credit and debit cards come with chips that allow customers to tap the card to make a purchase. These chips, used in many retail outlets from Tim Hortons to high-end computer shops, are read by payment machines and are supposed to be a safe and convenient way to pay for goods.
But CBC News has found out those chips can also be read with a device millions of Canadians carry with them every day — a smartphone.
Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC was able to read information such as a card number, expiry date and cardholder name simply by holding the smartphone over a debit or credit card.
And it could be done through wallets, pockets and purses.
'Impressive and scary'
The app used the near field communication (NFC) antenna built into the Galaxy SIII phone, a feature available on many phones running Google’s Android operating system. The antenna is normally used to allow two phones to talk to each other.
Michael Legary said his company, Seccuris Inc., has investigated cases where phones paired with these apps were used to commit credit card fraud, and said the information read can be used to buy "anything from a $1.50 drink from a machine to a $4,000 to $5,000 laptop."
Legary said the app has become a tool for organized crime in Europe.
"They don't even need to talk to you or touch you, they can get information about who you are. That may make you more of a target for certain types of crime," he said.
Although the NFC antennas in current smartphones need to be very close to a card in order to work — no farther than 10 centimetres — that could change with the next generation of Android smartphones.
Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance but could also read the chips embedded in enhanced driver's licences and passports.
The technology also has privacy experts concerned.
Brian Bowman, a partner with Pitblado Law in Winnipeg, said the ease with which a smartphone can be turned into a credit card skimmer is "impressive from a technology [perspective], and scary from a privacy perspective."
"The fact that you can gather those different numbers and pieces of identifiers definitely is something that Canadians need to know, that the risk is there," Bowman said.
He expects cellphone manufacturers, app developers and card issuers are going to have to "step up and find ways to combat [this] risk."
Credit card companies react
Officials with Visa and MasterCard said they were confident in the security their cards provided, but would cover a customer’s losses should someone steal cardholder information.
"Multiple layers of security and advanced fraud detection technologies that protect every Visa transaction have helped keep Visa’s global fraud rates near historic lows," Visa Canada said in an emailed statement.
"In fact, there have been no reports of fraud perpetrated by reading Visa payWave cards as shown by [CBC]."
MasterCard told CBC it has a similar policy in place.
"Though it’s rare that a fraudulent transaction would take place, in the event that unauthorized use of your MasterCard card occurs with fraudulent cards or devices, MasterCard cardholders are protected by MasterCard’s Zero Liability Policy, which means they are not held liable for unauthorized transactions," the company said in a statement.
Neither MasterCard nor Visa would agree to an interview.
CBC News asked Google why apps capable of skimming credit card information were available on the Google Play store.
Google did not comment on the apps CBC used, but said in an email it would remove any app that violated Google’s developer distribution agreement or content policies.
The apps tested by CBC were still available following Google’s comments.