Inconspicuous equipment including a shopping trolley, a backpack and a small antenna were used to intercept synthesised payments card data. The information was detected at more than four times the distance it should have been, according to researchers. The UK Cards Association said that fraudsters would not be able to harvest enough details to be dangerous.
During a wave-and go transaction, customers tap or hold a card near a reader to pay for purchases of up to £20, without entering a PIN code. A key security feature of contactless cards is that they should not transmit payment information further than 10cm from a reader.
Thomas P Diakos, a researcher at the University of Surrey, built equipment that could reliably eavesdrop on synthesised payment data from a distance of 45cm. "The results we found have an impact on how much we can rely on physical proximity as a security feature", said lead academic superviser Dr Johann Briffa. "The intended short range of the channel is no defence against a determined eavesdropper."
At that distance, fraudsters could harvest information without arousing suspicion, the researchers said. The team published details of their research in a paper in the Institution of Engineering and Technology's Journal of Engineering website on Tuesday.
Source: BBC News
