Smartphones easily used to skim credit card data

A technology designed to make it easier to pay with your credit card may be putting Canadians at risk of fraud and identity theft, security and privacy experts warn.

Many new credit and debit cards come with chips that allow customers to tap the card to make a purchase. These chips,used in many retail outlets from Tim Hortons to high-end computer shops,are read by payment machines andare supposed to be a safe and convenient way to pay for goods.

But CBC News has found out those chips can also be read with a device millions of Canadians carry with them every day a smartphone.

Using a Samsung Galaxy SIII one of the most popular smartphones available in Canada and a free app downloaded from the Google Play store, CBC was able to read information such asa card number, expiry date and cardholder name simply by holding the smartphone overa debit or credit card.

And it couldbe donethrough wallets, pockets and purses.

'Impressive and scary'

The app used the near field communication (NFC) antenna built into the Galaxy SIII phone, a feature available on many phones running Googles Android operating system. The antenna is normally used to allow two phones to talk to each other.

• How the smartphone is changing how you pay for stuff

Michael Legary said his company, Seccuris Inc., has investigated cases where phones paired with these apps were used to commit credit card fraud, and saidthe information read can be used to buy "anything from a $1.50 drink from a machine to a $4,000 to $5,000 laptop."

Legary said the apphas become a tool for organized crime in Europe.

"They don't even need to talk to you or touch you, they can get information about who you are. That may make you more of a target for certain types of crime," he said.

Although theNFC antennas in current smartphones need to be very close to a card in order to work no farther than 10 centimetres that could change with the next generation of Android smartphones.

Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance, but could also be able to read the chips embedded in enhanced driver's licences and passports.

The technology also has privacy experts concerned.

Brian Bowman, a partner with Pitblado Law in Winnipeg, said the ease with which a smartphone can be turned into a credit card skimmer is "impressive from a technology [perspective], and scary from a privacy perspective."

"The fact that you can gather those different numbers and pieces of identifiers definitely is something that Canadians need to know, that the risk is there,"Bowman said.

He expects cellphone manufacturers, app developers and card issuers are going to have to "step up and find ways to combat [this] risk."

Credit card companies react

Officials with Visa and MasterCardsaid they were confident in the security their cards provided, but would cover a customers losses should someone stealcardholder information.

• When will paying with your smartphone go mainstream?

"Multiple layers of security and advanced fraud detection technologies that protect every Visa transaction have helped keep Visas global fraud rates near historic lows," Visa Canada said in an emailed statement.

"In fact, there have been no reports of fraud perpetrated by reading VisapayWave cards as shown by [CBC]."

MasterCard told CBC it has a similarpolicy in place.

"Though its rare that a fraudulent transaction would take place, in the event that unauthorized use of your MasterCard card occurs with fraudulent cards or devices, MasterCard cardholders are protected by MasterCards Zero Liability Policy, which means they are not held liable for unauthorized transactions," thecompany said in a statement.

NeitherMasterCard nor Visawould agree to an interview.

CBC News asked Google why apps capable of skimming credit card information were available on the Google Play store.

Google did not comment on the apps CBC used, but said in an email it would remove any app that violated Googles developer distribution agreement or content policies.

The appstested by CBC were still available following Googles comments.