The Daily Star newspaper is reporting that a new device has surfaced online which has the ability to clone 15 contactless bank cards a second.
According to the publication, the scanner skims details from contactless cards of people standing nearby and is able to capture encrypted data onto blank cards using specialised software.
The device, named the Contactless Infusion X5, can read any bank card from 8cm away and will read 1024 bytes per second, equivalent to 15 bank cards per second, The Daily Star alleges.
The kit is sold for up to £500 or distributed more cheaply via anonymous “darknet” markets, and includes the reader with built-in battery, a USB cable, 20 blank chipped credit cards and software.
This tech allegedly allows them to extract the card's number and even the holder's name, address and a mini-statement.
Refuting all these claims, The UK Cards Association (UKCA), the trade body for card payments, confirmed to SCMagazineUK.com by email that, “the only information which could ever be obtained from contactless card is the card number and expiry date – the same information you see by looking at the front of a card.”
“It is not possible to create a card that would work in a shop or at an ATM with this data, as it does not include any of the cryptographic keys needed to make a payment,” said the UKCA.
The UKCA went on to confirm that,”there is also no way anyone can obtain the security code on the back of the card, your name and address, or your bank account details. None of this information is available through the contactless system.”
According to the UKCA there were 159.1 million contactless transactions in February 2016 which equivalent to about 63 a second, as customers continue to vote with their wallets by using cards to pay for low-value purchases.
Overall, there were 1.182 billion transactions using cards in February, compared to 1.071 billion in February 2015. The average contactless transaction has continued to grow in value to £8.28, reflecting the impact of the increase to £30 of the contactless payment limit. So contactless card spends seems to be on the rise.
The story comes at a time when major news outlets are rife with speculation on whether or not contactless card fraud is even possible.
A post which showed up on a Russian Facebook page claimed that fraudsters could be slyly using POS (Point Of Sale) terminals to steal up to £30 at a time. But that's not the case, according to the UKCA.
Speaking to tech blog Techradar, Giles Mason, media relations manager for the UK Cards Association said that, "In order to be able receive any money from a card payment, a retailer account must be set up with an acquiring bank.”
However despite these claims from Mason, The Guardian Newspaper has reported that Consumers are at risk of falling victim to fraudulent payments made on contactless credit and debit cards that have already been cancelled following a loss or theft.
Research conducted by The Guardian has revealed that banks do not automatically validate many contactless payments, allowing thieves to continue to use stolen cards even after they have been cancelled.
According to The Guardian this is because some payments – such as those made to travel on London's tube network – are allowed through as offline transactions and only checked after the fact. According to The Guardian, one bank said that virtually all transactions for less than £15 were not immediately checked.
