Recurring |
one_organization, multiple_organization |
(a) The software failure incident related to contactless payment technology and the vulnerability of contactless cards being exploited by cyber identity thieves has happened again at Barclays. In April 2012, Barclays began to issue new cards they claimed were more secure after fears were expressed about the flaws in contactless cards [18769].
(b) The software failure incident related to contactless payment technology and the vulnerability of contactless cards being exploited by cyber identity thieves has also happened at other organizations or with their products and services. The criticisms and warnings from security analysts and experts indicate that the contactless technology could be 'wide open to exploitation' by thieves, not just limited to Barclays but across the industry [18769]. |
Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase is evident in the article. The vulnerability in the contactless payment technology that allowed thieves to exploit a loophole and wirelessly copy card details using modified mobile phones highlights a failure in the design of the system [18769].
(b) The software failure incident related to the operation phase is also apparent in the article. The unintended charging of bank cards when users swipe their Oyster cards on London buses showcases a failure in the operation or usage of the contactless payment system [18769]. |
Boundary (Internal/External) |
within_system |
(a) within_system: The software failure incident related to the contactless payment technology vulnerability is primarily within the system. The flaw in the contactless card technology allowed thieves to exploit the system by using modified mobile phones to wirelessly copy card details [18769]. The vulnerability within the system enabled unauthorized access to cardholder information, leading to potential data theft and unauthorized transactions. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in the article is related to non-human actions, specifically the vulnerability in the contactless payment technology that allows thieves to exploit the system without human participation. The flaw in the technology enables modified mobile phones to wirelessly copy card details, putting millions of bank cards at risk of having their data read by unauthorized devices [18769].
(b) On the other hand, human actions also play a role in this software failure incident. The article mentions that security expert Martin Emms and his team at Newcastle University's Centre for Cybercrime and Computer Security adjusted a touch screen phone with parts bought online to demonstrate how easily card details can be stolen. Additionally, the article highlights concerns raised by Professor Ross Anderson from Cambridge University about the haphazard rollout of contactless cards without careful consideration of the consequences, emphasizing the role of human decisions in the vulnerability of the technology [18769]. |
Dimension (Hardware/Software) |
hardware |
(a) The software failure incident occurring due to hardware:
The incident described in the article is related to a vulnerability in contactless payment technology that allows thieves to exploit a loophole in the hardware of contactless cards. Modified mobile phones can be used to wirelessly read card details from contactless cards, indicating a hardware vulnerability in the contactless payment technology [18769].
(b) The software failure incident occurring due to software:
The software failure incident in this case is not directly related to a software issue but rather to a vulnerability in the contactless payment technology that allows unauthorized access to card details. The vulnerability allows thieves to exploit the hardware of contactless cards using modified mobile phones, indicating a flaw in the design or implementation of the contactless payment technology rather than a software-specific failure [18769]. |
Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident described in the articles is malicious in nature. Cyber identity thieves are exploiting a loophole in the contactless payment technology to plunder credit card details. They are using modified mobile phones to wirelessly copy card numbers and personal details from contactless cards without the card-owners knowing. This act is done with the intent to steal personal data and make unauthorized purchases, posing a significant risk to millions of bank cardholders [18769]. |
Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The software failure incident related to the contactless payment technology can be attributed to poor decisions made in the design and implementation of the system. The flaws in the contactless card technology, which allowed for easy exploitation by thieves, were a result of inadequate consideration of security implications and vulnerabilities. The rushed rollout of contactless cards without thorough testing and assessment of potential risks led to a situation where millions of bank cards were at risk of having their data read by modified mobile phones [18769]. The lack of foresight in addressing these vulnerabilities before widespread adoption of the technology highlights the poor decisions made in the development and deployment of the contactless payment system. |
Capability (Incompetence/Accidental) |
accidental |
(a) The articles do not mention any software failure incident related to development incompetence.
(b) The software failure incident mentioned in the articles is related to accidental factors. The incident involves the accidental charging of bank cards when users swipe their Oyster cards on London buses [18769]. This accidental charging issue has led to complaints from customers and is expected to escalate when the ability to pay fares with contactless bank cards is extended to the London Underground. |
Duration |
permanent |
The software failure incident described in the articles is of a more permanent nature. The vulnerability in the contactless payment technology that allowed thieves to wirelessly copy card details and make unauthorized transactions is a fundamental flaw in the system itself, making it a long-term issue [18769]. The flaw in the technology, which allowed for easy exploitation by thieves using modified mobile phones, was a systemic problem that required more comprehensive solutions from the banks and technology providers to address the underlying security issues. |
Behaviour |
omission, value |
(a) crash: The software failure incident described in the articles can be related to a crash behavior. The incident involves a vulnerability in contactless payment technology that allows thieves to wirelessly copy card details using modified mobile phones, leading to potential unauthorized transactions [18769].
(b) omission: The software failure incident can also be associated with an omission behavior. Users of contactless cards have reported instances where their bank cards were mistakenly charged when they swiped their Oyster cards on London buses, indicating an omission in the system's intended function [18769].
(d) value: Additionally, the software failure incident can be linked to a value behavior. The flaw in the contactless card technology allows thieves to obtain sensitive information such as the account-holder's name, 16-digit number, expiry date, and even the last ten purchases, enabling them to make purchases online without the need for further security checks [18769]. |