A technology designed to make it easier to pay with your credit card may be putting Canadians at risk of fraud and identity theft, say security experts.
Many new credit and debit cards come with chips that allow customers to tap the card to make a purchase. The chips are read by payment machines, used in many retail outlets from Tim Hortons to high-end computer shops, and are supposed to be a safe and convenient way to pay for goods.
But the chips can also be read with a device millions of Canadians carry with them every day: a smartphone.
Using a Samsung Galaxy S3 -- one of the most popular smartphones available in Canada -- and a free app downloaded from the Google Play store, CBC News was able to read information such as a card number, expiry date and cardholder name simply by holding the smartphone over a credit or debit card.
The information could be read through wallets, pockets and purses.
The apps use the near field communication (NFC) antenna built into the Galaxy phone, and a feature available on many phones running Google's Android operating system. The antenna is normally used to allow two phones to talk to each other.
Michael Legary said his company, Seccuris Inc., has investigated cases where phones paired with these apps were used to commit credit card fraud, and the information read can be used to buy "anything from a $1.50 drink from a drink machine to a $4,000 to $5,000 laptop."
Legary said the function has become a tool for organized crime in Europe.
"They don't even need to talk to you or touch you, they can get information about who you are. That may make you more of a target for certain types of crime," he said.
Although the NFC antennas in current smartphones need to be very close to a card in order to work -- no farther than 10 cm -- that could change with the next generation of Android smartphones.
Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance, but might also be able to read the chips embedded in enhanced driver's licences and passports.
Privacy experts concerned
According to Brian Bowman, a partner with Pitblado Law in Winnipeg, the ease with which an everyday cell phone can be turned into a credit card skimmer is "impressive from a technology, and scary from a privacy, perspective."
"The fact that you can gather those different numbers and pieces of identifiers definitely is something that Canadians need to know, that the risk is there," said Bowman.
Bowman also said he expects the cell phone manufacturers, app developers and card issuers are going to have to "step up and find ways to combat [this] risk."
Credit card companies react
Officials with Visa and MasterCard told CBC News they were confident in the security their cards provided, but would cover a customer's losses should someone steal a cardholder's information.
"Multiple layers of security and advanced fraud detection technologies that protect every Visa transaction have helped keep Visa's global fraud rates near historic lows," Visa Canada said in an emailed statement.
"In fact, there have been no reports of fraud perpetrated by reading Visa payWave cards as shown by [CBC]."
MasterCard said it has similar protection for customers.
"Though it's rare that a fraudulent transaction would take place, in the event that unauthorized use of your MasterCard card occurs with fraudulent cards or devices, MasterCard cardholders are protected by MasterCard's Zero Liability Policy, which means they are not held liable for unauthorized transactions," the company stated in an email.
Neither MasterCard nor Visa would agree to an interview.
Google did not comment on the apps used by CBC in its investigation, but said in an email it would remove any app that violated Google's developer distribution agreement or content policies.
However, the apps tested by CBC were still available following Google's comments.