Want to steal someone’s credit card information? There’s an App for that! Yes, it seems that smartphones are the latest tool in the identity and info thief’s arsenal, just a few years after it was reported that laptops were being used to read people’s passports. And the worst part of it is, it can be done using a technology that is perfectly legal, and worse, was designed to make the life of consumers that much easier.
MasterCard calls the App PayPass, while Visa calls it payWave. Simply wave your credit card over a sensor and you’ve made a transaction, without the hassle of having to remember or enter a PIN number. But one of the unintended downsides is that it also makes it that much easier for a third party to steal your credit card information, and just as quickly and conveniently.
An investigative report was recently performed by CBC News and Mandy Woodland, a St. John’s lawyer who specializes in technology and privacy law. Using a Samsung Galaxy SIII, one of the most popular phones on the market today, the team downloaded a free app from the Google Play store to read information such as a card number, expiry date and cardholder name simply by holding the smartphone over a debit or credit card.
According to their report, a thief can simply walk by, pause and read the information through an unwitting person’s coat and wallet, and then the information can be sent to another phone. The entire process only takes five minutes to download the App, and just seconds to obtain the credit card info. After conducting the process with a team member’s credit card, they used the stolen information to buy a Coke.
Naturally, the process could be used to pay for gas, a new computer, or plane tickets to a vacation paradise! And as Woodland said in an interview with CBC:
It’s always a concern when a stranger could obtain my personal information and my banking and financial information just from a simple walk by, particularly the fact that that worked so quickly.
Furthermore, Michael Legary, who runs a security company called Seccuris Inc., claims they have investigated cases where phones paired with these apps were used to commit credit card fraud. Legary also claims that the app has become a tool for organized crime in Europe:
They don’t even need to talk to you or touch you, they can get information about who you are. That may make you more of a target for certain types of crime.
But of course, credit card companies would like their clients not to worry. In a written statement, Visa claimed that there have been no reports of fraud perpetrated by reading its payWave cards in the manner shown by the CBC. Citing the many layers of protection and identity security, Visa points to its record, which it claims shows historic lows of fraud. MasterCard similarly claimed that its customers are protected, specifically by MasterCard’s Zero Liability Policy. My only answer to that is, wait a while…
At the same time, Google has announced, in response to this investigation, that it would remove any app that violated Google’s developer distribution agreement or content policies. However, the app in question is still available on Google’s download site.
In conjunction with other forms of identity theft and RFID skimming, this latest revelation only adds to the growing concern that technologies which are designed for convenience are being abused to make our lives more harassed and insecure. It also raises an important issue about corporate security in the digital age.
Much like with internet security and hackers, there appears to be a constant back and forth between thieves and credit card companies, the one erecting more and more barriers of security and the other coming up with more elaborate ways to beat them. As for the rest of us, it seems we can only be vigilant. But if possible, it might be smart to purchase a Faraday pouch for your personal effects!
In the meantime, here is a demonstration of the credit card “skimming” at work.
Sources: CBC.ca, huffingtonpost.ca
I have to question the price we pay for “convenience.” I for one didn’t really want or ask for an easier way to transfer my credit card info. On the signature line of my cards, instead of signing them, I write “ask for ID.” It’s sad that I am rarely asked for my ID. My transaction sails through the system with no input or verification from me at all.
This is why I don’t have a smartphone and I keep my debit card in my wallet!
Yes, you’ve actually presented a lot of questions I’ve thought about too – about technology and security. Seems sometimes people just aren’t thinking – like why do I want to conduct bank business over my phone? Or have my passwords in the “cloud?” Thanks again for providing valuable information.
You’re welcome. And I think this too whenever “new solutions”, especially to banking, come up. Seriously, what’s wrong with tellers, or operators on the technical support line? Who ever said, “I hate dealing with people, give me automated machines?”
This is terrible!
Note to Self: Keep your cards inside your tin foil hat from now on.