Consumer group Which? has warned that data from contactless debit and credit cards is at risk of being intercepted by thieves.
All 10 credit and debit cards tested revealed some data, with some giving up enough
information to allow the team to place orders for expensive items.
The equipment used to carry out the interceptions was “easily and cheaply” obtained from a mainstream website, the group said – according to numerous press reports.
A spokesman said that while contactless cards are designed to ‘mask’ personal data, the technology has clear flaws.
He said that while no card gave up the three-digit CVV security code from the back of the card, one online store allowed the team to order a £3,000 television with the data gathered from one card.
“Using an easily obtainable reader and free software to decode data, we were able to read the card number and expiry date from all 10 cards,” the spokesman said.
“We were also able to read limited details of the last 10 transactions, although no cards revealed the CVV security code.
“We doubted we’d be able to make purchases without the cardholder’s name or CVV code – but we were wrong.
“We ordered two items – one a £3,000 TV – from a mainstream online shop using ‘stolen’ card details, combined with a false name and address.”
Contactless payment is increasingly popular, with more than £2bn spent using the system last year.
The limit for a single contactless transaction will rise from £20 to £30 from 1 September.
The spokesman added: “By touching volunteers’ cards to our card reader, we got enough details to allow us to go on an internet shopping spree. With these card details, the contactless transaction limit is irrelevant, because online transactions aren’t contactless.”