Credit card data can be stolen with a wave and an app

It seems like there's a smartphone app for everything these days — including one that could be used to steal your credit card information.

A CBC News investigation has found that it’s not difficult to do.

Within five minutes, the app can be ready to go — and in the wrong hands, criminals could easily steal credit card information, without the victim knowing.

"It's always a concern when a stranger could obtain my personal information and my banking and financial information just from a simple walk by, particularly the fact that that worked so quickly," said Mandy Woodland, a St. John's lawyer who specializes in technology and privacy law.

Woodland says most of what she’s read about near-field communications skimming indicated it took 30 seconds to download information from the card.

"And that's clearly not true since you were able to do it much quicker than that," she said.

CBC News showed Woodland just how easy it is to steal the information — even from a card inside a wallet or inside someone’s pants.

The whole process only took about one second, not 30.

Technology aimed at aiding consumers

The technology is supposed to make life easier.

MasterCard calls it PayPass, Visa calls it payWave.

It allows customers to simply tap and go — quickly pay for that coffee without the hassle of a PIN number.

But it's not just easier to pay — it's easier to steal a card-holder’s personal information.

CBC News used a Samsung Galaxy SIII and a free app downloaded from the Google Play store to read information such as a card number, expiry date and cardholder name simply holding the smartphone over a debit or credit card.

The Samsung Galaxy SIII is one of the most popular smartphones available in Canada.

A thief can simply walk by, pause and read the information through an unwitting person’s coat and wallet.

Then the information can be sent to another phone.

CBC News used it to buy a Coke.

'They don't even need to talk to you or touch you, they can get information about who you are. That may make you more of a target for certain types of crime.' —Michael Legary of Seccuris Inc.

But it could be just as easily used to buy a tank of gas or a new computer.

Michael Legary says his company, Seccuris Inc., has investigated cases where phones paired with these apps were used to commit credit card fraud.

Legary says the information read can be used to buy "anything from a $1.50 drink from a machine to a $4,000 to $5,000 laptop."

He says the app has become a tool for organized crime in Europe.

"They don't even need to talk to you or touch you, they can get information about who you are," he said. "That may make you more of a target for certain types of crime."

Credit card companies say not to worry

Credit card companies declined interview requests from CBC News.

But in written statements, they say consumers shouldn't worry.

Visa says there been no reports of fraud perpetrated by reading its payWave cards, in the manner shown by the CBC.

"Multiple layers of security and advanced fraud detection technologies that protect every Visa transaction have helped keep Visa’s global fraud rates near historic lows," Visa Canada said in an e-mailed statement.

MasterCard, meanwhile, also says its customers are protected.

"Though it’s rare that a fraudulent transaction would take place, in the event that unauthorized use of your MasterCard card occurs with fraudulent cards or devices, MasterCard cardholders are protected by MasterCard’s Zero Liability Policy, which means they are not held liable for unauthorized transactions," the company said in a statement.

CBC News asked Google why apps capable of skimming credit card information were available on the Google Play store.

Google said in an email it would remove any app that violated Google’s developer distribution agreement or content policies.

But Google would not comment on specific apps when asked by CBC News if they violated that policy.

The apps tested by CBC were still available following Google’s comments.