22 October 2016
Some smartphone NFC apps can steal data from contactless credit cards. Photo: Bloomberg
Some smartphone NFC apps can steal data from contactless credit cards. Photo: Bloomberg

HKMA warns banks about security loopholes with NFC credit cards

The Hong Kong Monetary Authority (HKMA) ordered banks Monday to conduct a thorough review of the security of their credit cards.

Tests had shown that a couple of smartphone apps using near field communication (NFC) technology could extract the private information of cardholders, Apple Daily reported Tuesday.

Banking Card Reader and Cardtest, when opened on an NFC-enabled handset, can retrieve the credit card number, expiry date and some transaction details when placed near a contactless credit card, such as a Visa (PayWave), MasterCard (PayPass), American Express or JCB card.

In tests conducted by reporters, Banking Card Reader could retrieve cardholder information in one second, while Cardtest could do the same in three seconds.

Hong Kong Information Technology Federation (HKITF) honorary president Francis Fong Po-kiu warned that information gathered by such apps could be used by scammers to make purchases on shopping websites with a lower level of security.

The scammers could also pretend to be staff from the credit card issuers.

Since they have the information relating to the card, the cardholders would be vulnerable to being defrauded.

With a credit card using NFC technology, the cardholder can make purchases at supermarkets, convenience stores, cinemas and restaurants with a tap of the card, just like with an Octopus card, no signature being required.

The limit per transaction is usually HK$1,000 (US$129).

Police have yet to receive any reports of fraud related to NFC credit cards or the NFC smartphone apps. 

Nevertheless, they advised cardholders to store their credit cards properly and review their transaction records regularly.

Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) senior consultant Leung Siu-cheung suggested that cardholders put their NFC credit cards in a metallic sleeve or cover the credit cards with tin foil to prevent card data from being stolen.

– Contact us at [email protected]


EJI Weekly Newsletter