MWR Research Confirms Risk of NFC Enabled Card Theft

With contactless payments increasing in popularity, MWR InfoSecurity has today warned consumers to be aware of the dangers from contactless cards.

It also issued a reminder to retailers and banks that not all fraudulent card theft is the fault of the card owner and more needs to be done to thwart scammers.

MWR has developed an application that uses NFC (near field communication) to read the information stored in the contactless chip embedded in credit and debit cards. Google Play currently has a number of similar apps available via its store that claim to do the same thing, plus the source code isn’t too difficult to find.

TV Demonstration

In a piece in ITV's Tonight programme, MWR senior research consultant - Nick Walker illustrated the simplicity of the app, and how it could be used in the wrong hands.


Explaining the process he said, “Brushing past someone, the app sends a signal to the chip in the card to query the data stored. Depending on the card type will determine just what information is returned but classically the long card number and expiry date are easily read, with the card name occasionally retrieved too.

In addition, the data usually includes metadata about the cards correct usage scenarios, such as whether the card is valid for ATM cash withdrawals, or how many pin attempts are allowed before an ATM should swallow the card. The piece that is typically missing is the CVV number [card verification value code, also referred to as CSC – card security code], however some retailers will still allow online payment transactions without this number which was introduced to prevent this type of ‘card not present’ fraud.”

Card Holder Risk

Speaking about the risk to card holders, he said, “Due to limitations in the NFC technology in use, you have to be in fairly close proximity (4-5 centimeters) to be able to extract the data, but far too often I see people place a card in a breast or back pocket having made a transaction and that leaves them open to attacks like this. The problem, I think, is that consumers just don’t know that this type of app is readily available so need to be warned that cards stored in pockets present an inviting target to modern day criminals.

To mitigate this kind of attack, cards can be stored in an RFID protected wallet – which contains a metal mesh which disrupts the signal and makes it harder for a criminal to steal the details.”

Retailer Responsibility

Speaking about the part retailer’s play in processing payments, Nick adds, “Our research identified a number of online retailers where payments could be made without the CVV number, so enabling this verification would instantly prevent the scammer using card details obtained by such an app to make purchases. However, this wouldn’t stop someone who had stolen the card details and perhaps visually observed the CVV number during a legitimate transaction.


As part of the research, a purchase was made from an online retailer during which there were a number of opportunities for the fraudulent transaction to be spotted, that weren’t. For example, the name of the card holder was incorrectly entered plus the billing address did not match – however neither was caught at the point the payment was taken.

Even after the sale had been made, it wasn’t flagged as the order was processed and a day later the goods were delivered to my door. Retailers have a part to play to thwart ‘card not present’ crime and flags should be raised when things are amiss and transactions delayed while further checks are carried out.


Nick concluded  “We all have a responsibility to prevent fraudulent transactions – the cardholder by making sure that they keep their details and payment cards secure; the retailer in having stringent processes in place to identify and halt suspicious activity and the acquirer [the merchant bank who processes the payment] to provide information of, or better still actual, fraud screening tools that will help guard against potential fraudulent transactions.”




Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.