The Hong Kong Monetary Authority (HKMA) on Monday asked all banks issuing contactless payment credit cards to review their security measures and conduct risk assessments, after it was found that mobile phone applications could be used to obtain information from these cards in a matter of seconds.

Apple Daily reported that so long as the credit cards—usually payWave or PayPass—employed Near Field Communication (NFC) technology, the app “Banking Card Reader” could instantly extract information such as the credit card number, card expiry date and transaction records, regardless of card association.

The app “Cardtest” could ascertain the same information, as well as the cardholder’s name, within three seconds. Tests conducted by Apple Daily also showed that the apps worked best when the phone was within two centimetres of the card.

Visa payWave. Photo: Coastline Credit Union via YouTube.

NFC technology, which has become increasingly popular in supermarkets, convenience stores, cinemas and restaurants, allows transactions—usually of less than HK$1,000—to be processed with a quick tap of the card and without the cardholder’s signature.

Honorary President of the Hong Kong Information Technology Federation Francis Fong said that criminals could use the apps to steal credit card information and purchase goods on websites with few security checks, then resell the goods for cash.

Alternatively, criminals could call cardholders and ask for further card details by posing as bank employees, he said.

The Hong Kong Monetary Authority. Photo: Wikicommons.

The HKMA said that if personal details had been leaked through these cards, the banks would already have breached regulations, DBC reported. Officials also asked the banks to conduct relevant risk assessments.

In 2012, the HKMA asked banks issuing NFC credit cards to only include the most necessary personal details, and to exclude those that could be extracted from the card, such as cardholders’ names.

As of Saturday, an NFC credit card supplier used by two banks was found to have stored clients’ names on cards, prompting the two banks to notify their clients of the potential security flaw.

Karen is a journalist and writer covering politics and legal affairs in Hong Kong for HKFP. She has also written features on human rights, public space, regional legal developments, social and grassroots activism, and arts & culture. She is a BA and LLB graduate from the University of Hong Kong.