Banks under scrutiny over credit card data breach

Updated: 2015-10-15 07:32

By Kahon Chan in Hong Kong (HK Edition)



A mobile phone reads the information of a credit card via mobile app "Banking Card Reader". Phones with near field communication (NFC) technology can instantly extract credit card information such as the card number, expiry date and transaction records. Roy Liu / China Daily

Some chips for contactless payment found to contain unsecured names of holders

Bank and personal data watchdogs in Hong Kong are investigating how names of contactless credit card holders could be read by unauthorized mobile devices. But experts said the isolated incident should not put the security of contactless payment platforms in doubt.

Near field communication technology (NFC) has become a regular feature on Android devices lately for its potential in data transfers and mobile payments.

Contactless payment pioneer Octopus has enabled payments via mobile phone for Taobao shopping. Telecommunications giant PCCW earlier this year managed to enroll thousands of users onto its own payment platform, Tap&Go, through big shopping discounts at a local grocery chain.

The NFC chips on Android devices could also pick up numbers and expiry dates from credit cards containing contactless chips. Such exposure is considered safe, as names were essential for online transactions. A card number alone is also not considered to be personal data protected by local laws.

The Hong Kong Monetary Authority (HKMA) in 2012 instructed banks to not store cardholders' names on contactless chips. Three years later, however, a TV reporter managed to read the name from his colleague's Sogo Department Store credit card issued by Bank of China (Hong Kong) and ordered a pair of earphones from Amazon.

The same trick was also performed on a Compass Visa card issued by DBS. Both banks had reported the irregularity to the bank regulator before the report was aired on Monday. But the Bank of China (Hong Kong) only began recalling contactless cards on Wednesday afternoon.

The HKMA on Wednesday named all seven banks that breached the data rule in a move to get a response from banks. Apart from the two banks mentioned, the others were China CITIC Bank International, Bank of Communications (Hong Kong), ICBC (Asia), OCBC Wing Hang Bank and Dah Sing Bank.


The Office of the Privacy Commissioner for Personal Data has also opened an investigation into the data breach. The office's information technology adviser Henry Chang noted that as not all banks using the payment platform were affected by the data breach, the flaw was likely to have occurred locally.

Cheng Lee-ming, a City University of Hong Kong expert in security encoding, suspected the names in the cards had not been encrypted properly. They could be easily decoded by mobile apps. He suspected the contactless chip supplier could be faulted for its failure to secure sensitive data stored on cards.

The incident could be a setback for public confidence in contactless payments. But Francis Fong Po-kiu, Hong Kong Information Technology Federation honorary president, said it might actually illustrate the superior security of payments by mobile devices over those by physical cards.

NFC functions on mobile devices, for instance, could be turned off by users. The Octopus app requires registration of specific cards, while the payment function of Tap&Go requires activation by password.

Henry Chang said there were persistent fears about data theft among customers new to contactless or mobile payments. But platforms widely adopted across the world like MasterCard's PayPass have been scrutinized extensively. They have been in use for years and have proved to be safe.

Secretary for Financial Services and the Treasury Ceajer Chan Ka-keung also assured the public the regulatory system could handle such problems. "Whenever there is a new technology, there is usually a process," he added.

kahon@chinadailyhk.com

(HK Edition 10/15/2015 page6)