…And so does your Maestro Card.

Just one week after reporting a man-in-the-middle vulnerability in Number26, I was poking around a little more. Unfortunately, there are more negative findings to write about Number26, this time about their physical cards, the MasterCard and the Maestro to be precise.

So what is this all about?

Every modern payment card has a small gold-coloured chip on it, the EMV chip. Instead of just storing the card number (as the magnetic stripe does), it is a tiny computer that computes a cryptogram, a cryptographic signature of sorts, for every individual transaction you make with the card. And just like every computer, it also has some writable permanent storage. That should not surprise anyone, since it is what allows the PIN to be changed.

Now, being curious about almost everything I have and do, I thought I might try to read all the stored and revealable content on that chip. I don’t quite know what I expected, but I didn’t see this one coming.

The data on the cards

Besides the full card number and expiration date (which alone makes me want to keep my NFC cards in a tinfoil sleeve), and some data that I haven't tried to interpret yet, the card reveals your recent transaction history with both date and amount, including the currency. You can see more details in the second screenshot:



NFC scan of my Number26 MasterCard
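To make concrete what a reader app decodes from such a card, here is an added example; it is not code from this post and not the code of the Google Play app mentioned further down. It uses the EMV data elements that make the log readable: tag 9F4D (Log Entry) tells the reader which file, by SFI, holds the transaction log and how many records it has, tag 9F4F (Log Format) describes the layout of every record as a list of tag/length pairs, and each record is then fetched with a plain READ RECORD command, with no PIN or other authentication. All card responses in the block are constructed for the example (the SFI of 11, the record count and the two records are assumptions); a real card's values differ.

```python
"""Decode an EMV transaction log the way an NFC reader app would.

Added example for this post; not the author's code and not the code of the
Google Play reader app. Tags used: 9F4D (Log Entry: SFI and record count of
the log file), 9F4F (Log Format: a Data Object List, i.e. tag/length pairs
without values, describing each record), and the log fields 9F02 (amount,
12 BCD digits), 5F2A (currency, ISO 4217 numeric), 9A (date YYMMDD),
9F21 (time HHMMSS) and 9C (transaction type).
All card data below is constructed for the example, not read from a card.
"""

# ISO 4217 numeric codes for the currencies that matter in the post.
CURRENCIES = {"0978": "EUR", "0203": "CZK"}

# Transaction type (tag 9C): 00 = purchase, 01 = cash advance.
TX_TYPES = {"00": "purchase", "01": "cash"}

# Constructed card responses (assumed values, not a real card):
LOG_ENTRY = bytes.fromhex("0B0A")  # log file is SFI 11 and holds 10 records
LOG_FORMAT = bytes.fromhex("9A03 9F2103 9F0206 5F2A02 9C01")  # tag 9F4F value
SAMPLE_RECORDS = [  # values only, in the order 9F4F declares
    bytes.fromhex("160123 143005 000000024500 0203 00"),  # 245.00 CZK
    bytes.fromhex("160209 221500 000000001250 0978 00"),  # 12.50 EUR
]


def parse_tag(data, i):
    """Return (tag as upper-case hex, next index). BER-TLV: a first byte with
    its low 5 bits set continues into further bytes while the high bit is set."""
    start = i
    if data[i] & 0x1F == 0x1F:
        i += 1
        while data[i] & 0x80:
            i += 1
    i += 1
    return data[start:i].hex().upper(), i


def parse_length(data, i):
    """BER length: one byte below 0x80, otherwise 0x8n followed by n bytes."""
    first = data[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    return int.from_bytes(data[i:i + n], "big"), i + n


def parse_dol(dol):
    """Parse a Data Object List such as 9F4F into [(tag, length), ...]."""
    entries, i = [], 0
    while i < len(dol):
        tag, i = parse_tag(dol, i)
        length, i = parse_length(dol, i)
        entries.append((tag, length))
    return entries


def log_location(log_entry):
    """Tag 9F4D: first byte is the SFI of the log file, second the record count."""
    return log_entry[0], log_entry[1]


def read_record_apdu(sfi, record_number):
    """READ RECORD (CLA 00, INS B2): P1 = record number, P2 = SFI << 3 | 4.
    This is the command a reader sends, unauthenticated, for each log record."""
    return bytes([0x00, 0xB2, record_number, (sfi << 3) | 0x04, 0x00])


def decode_log_record(record, log_format):
    """Split one raw log record according to the log format, decode known fields."""
    fields, i = {}, 0
    for tag, length in log_format:
        fields[tag] = record[i:i + length]
        i += length
    if i != len(record):
        raise ValueError(f"record is {len(record)} bytes, format expects {i}")
    out = {}
    if "9A" in fields:
        d = fields["9A"].hex()
        out["date"] = f"20{d[0:2]}-{d[2:4]}-{d[4:6]}"
    if "9F21" in fields:
        t = fields["9F21"].hex()
        out["time"] = f"{t[0:2]}:{t[2:4]}:{t[4:6]}"
    if "9F02" in fields:
        minor = int(fields["9F02"].hex())  # BCD digits; last two are cents
        out["amount"] = f"{minor // 100}.{minor % 100:02d}"
    if "5F2A" in fields:
        code = fields["5F2A"].hex()
        out["currency"] = CURRENCIES.get(code, code)
    if "9C" in fields:
        code = fields["9C"].hex()
        out["type"] = TX_TYPES.get(code, code)
    return out


def dump_log(log_entry, log_format_bytes, records):
    """What the reader app shows: one decoded entry per log record, together
    with the APDU that fetched it."""
    sfi, count = log_location(log_entry)
    fmt = parse_dol(log_format_bytes)
    decoded = []
    for n, raw in enumerate(records[:count], start=1):
        entry = {"apdu": read_record_apdu(sfi, n).hex()}
        entry.update(decode_log_record(raw, fmt))
        decoded.append(entry)
    return decoded


if __name__ == "__main__":
    for entry in dump_log(LOG_ENTRY, LOG_FORMAT, SAMPLE_RECORDS):
        print(entry)
```

Run as-is it prints the two constructed entries; the first one shows why the currency field is the tell: 0203 is CZK, so a purchase on 2016-01-23 was paid in the Czech Republic whatever the card holder says about that day. Against a real card, the reader would first SELECT the payment application, read tags 9F4D and 9F4F from its data, and send exactly the READ RECORD commands that `read_record_apdu` builds.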

I was surprised that any shop you buy at could see how much money you spent over a certain timespan. But not only stores: even your spouse or friends have access to this data in a matter of seconds with their phone. Most annoyingly, I didn't find any information about this in Number26's Terms and Conditions or Privacy Policy. When I asked their support what historic transaction data is stored on the card, the first answer was that the card doesn't store any information. After showing them the facts and providing a way to read their own cards, the support was suddenly (as always) not available to comment on this issue.

I have scanned my remaining credit cards. None of them store any historic transaction details. So if you are privacy-conscious or even have something to hide, maybe a recurring pharmacy expense or a gift for your wife/girlfriend/mistress, you are better off using another card.

Scanned Cards

with transaction history

Number26 MasterCard

Number26 Maestro

Fidor Smart Mastercard/Maestro combination (sources: @ReneHesse, t3n)

without transaction history

Germanwings Gold VISA

Germanwings Gold Mastercard

Consorsbank VISA debit

Comdirect VISA

Try it yourself

There is a free version of the Credit Card Reader NFC (EMV) app on Google Play. If your Android phone supports NFC, you can read the contents of your NFC cards with it; the card answers any reader that asks, so no PIN or other authentication is needed. If you find any other cards that store the transaction history, I'd be happy to see a comment from you.

tl;dr

Their cards store the payment amount and date of your last purchases, readable by anyone via NFC.

2016-02-09 22:45

I have posted this link on their Facebook page, asking why there is nothing about it in the privacy statement. It got one reply stating "Very interesting. Also works with my number26-card.". Instead of replying, they deleted it.

2016-02-10 12:55

Here is an example of how you can see that someone might have been somewhere other than where they claimed to have been. The currency clearly gives away that this person was in the Czech Republic on the 23rd of January.



My wife and I have been to the Czech Republic. But what if she hadn't gone with me and I had just found out she was somewhere other than where she claimed?

2016-02-10 14:16

After all the claims that this is behaviour shared by all Mastercards, I went to buy some cookies and paid for them with my Germanwings Gold Mastercard, which tested negative yesterday. What if I had never used it? I got worried. But now I can confirm that even after using the card via the chip, no record of any transaction can be found when reading it with the NFC scanner.

Follow-Up

Number26 has released a new support center, which also covers the NFC cards extensively. Read more about it in this post.