‘Major flaw’ discovered in Visa’s contactless cards: Thieves could bypass £20 limit to steal up to 999,999.99 – so long as it’s in a foreign currency
Visa’s contactless credit cards are at risk of attack because of a flaw that lets them approve foreign-currency transactions of almost any amount without asking for a PIN.
Experts from Newcastle University discovered that if the payment is requested in a foreign currency rather than in pounds, the cards will approve transactions of up to 999,999.99 in that currency.
This sidesteps the current £20 contactless limit imposed on the technology – and transactions can be carried out even if the card is still in the victim’s pocket or bag.
Presenting their research at the CCS 2014 academic conference in Arizona, the Newcastle team said this flaw could open the door to potential fraud by criminals who are constantly looking for ways to breach the systems.
‘With just a mobile phone we created a POS terminal that could read a card through a wallet,’ explained Martin Emms, lead researcher on the project.
HOW CONTACTLESS CARDS WORK
Contactless debit or credit cards let people pay for items worth up to £20 without entering their PIN.
The cards contain a small chip and an antenna. The chip has no battery of its own: it is powered by the payment terminal’s radio field and answers over the same short-range link.
To pay for something, users hold the card within a few centimetres of a payment terminal, which then picks up the signal and processes the transaction.
Although contactless transactions don’t ask for a PIN, card issuers limit how many contactless transactions can be made before the PIN is requested, to prevent fraudulent activity.
‘All the checks are carried out on the card rather than the terminal, so at the point of transaction, there is nothing to raise suspicions.
‘By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction.
‘In our tests, it took less than a second for the transaction to be approved.’
The researchers added that they have not yet tested the back end of the system, the bank-side checks that run once a transaction leaves the card, and stressed that banks are likely to have security systems in place that would stop this kind of fraud.
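To make the card-side logic described above concrete, here is a simulation added for this page; it is not Visa’s card application, the Newcastle team’s phone-based terminal, or any bank’s fraud engine. It models a terminal presetting the EMV amount (tag 9F02) and currency (tag 5F2A) fields, a card that applies the £20 check only in its own currency (the reported flaw) beside a hardened rule that never gives a no-PIN approval in a foreign currency, and a simple issuer-side screen of the kind the back end mentioned above might run. The exact limits, the consecutive-transaction counter, the decline above 999,999.99 and the screen itself are assumptions chosen to reproduce the behaviour the article reports.

```python
"""Simulation of the contactless checks the article describes, added for this page.

Illustrative code only: not Visa's card application, the researchers' phone
terminal, or any issuer's fraud engine. Field names follow the EMV tags a
terminal sends to the card (9F02 Amount, Authorised: 6-byte BCD in minor units;
5F2A Transaction Currency Code: 2-byte BCD ISO 4217 numeric). The limits, the
consecutive-transaction counter, the behaviour above the 999,999.99 ceiling and
the issuer-side screen are assumptions made to reproduce the reported behaviour.
"""
from dataclasses import dataclass

GBP, USD, EUR = 826, 840, 978           # ISO 4217 numeric codes, as carried in 5F2A
DOMESTIC_LIMIT_MINOR = 20_00            # the £20 no-PIN limit, in pence
FOREIGN_CEILING_MINOR = 999_999_99      # highest foreign-currency amount the article reports
MAX_NO_PIN_IN_A_ROW = 5                 # assumed issuer counter before a PIN is demanded


def encode_amount_9f02(amount_minor: int) -> bytes:
    """Amount, Authorised: 12 BCD digits with two implied decimals (20.00 -> 000000002000)."""
    if not 0 <= amount_minor <= 999_999_999_999:
        raise ValueError("amount does not fit in 9F02")
    return bytes.fromhex(f"{amount_minor:012d}")


def encode_currency_5f2a(iso4217_numeric: int) -> bytes:
    """Transaction Currency Code: 4 BCD digits (826 -> 0826)."""
    return bytes.fromhex(f"{iso4217_numeric:04d}")


def decode_bcd(value: bytes) -> int:
    return int(value.hex())


def terminal_request(amount_minor: int, currency: int) -> dict:
    """The fields a terminal (here, a phone acting as one) presets and sends to the card."""
    return {"9F02": encode_amount_9f02(amount_minor), "5F2A": encode_currency_5f2a(currency)}


@dataclass
class CardState:
    domestic_currency: int = GBP
    consecutive_no_pin: int = 0         # reset by a successful PIN transaction (not modelled)


def card_decision_flawed(card: CardState, req: dict) -> str:
    """Reproduces the reported behaviour: the £20 check runs only for the card's own currency."""
    amount, currency = decode_bcd(req["9F02"]), decode_bcd(req["5F2A"])
    if card.consecutive_no_pin >= MAX_NO_PIN_IN_A_ROW:
        return "PIN_REQUIRED"
    if currency == card.domestic_currency:
        if amount > DOMESTIC_LIMIT_MINOR:
            return "PIN_REQUIRED"
    elif amount > FOREIGN_CEILING_MINOR:
        return "DECLINE"                # assumed: nothing above the reported ceiling
    card.consecutive_no_pin += 1
    return "APPROVED_NO_PIN"


def card_decision_hardened(card: CardState, req: dict) -> str:
    """Assumed fix: no offline no-PIN approval in any currency but the card's own,
    so the domestic limit can no longer be sidestepped by changing 5F2A."""
    amount, currency = decode_bcd(req["9F02"]), decode_bcd(req["5F2A"])
    if card.consecutive_no_pin >= MAX_NO_PIN_IN_A_ROW or currency != card.domestic_currency:
        return "PIN_REQUIRED"
    if amount > DOMESTIC_LIMIT_MINOR:
        return "PIN_REQUIRED"
    card.consecutive_no_pin += 1
    return "APPROVED_NO_PIN"


def run(decide, card: CardState, txns) -> list:
    """Feed a sequence of (amount_minor, currency) requests through one card."""
    return [decide(card, terminal_request(a, c)) for a, c in txns]


def issuer_screen(auth_records: list) -> list:
    """Assumed back-end rule: flag every no-PIN contactless authorisation in a foreign
    currency whose amount exceeds the domestic no-PIN limit. Records are
    (amount_minor, currency, cvm) tuples with cvm 'NONE' or 'PIN'. Currency conversion
    is deliberately omitted, which makes the screen conservative rather than exact."""
    return [r for r in auth_records
            if r[2] == "NONE" and r[1] != GBP and r[0] > DOMESTIC_LIMIT_MINOR]


# Constructed transactions: the £20 limit holds at home, but a phone "terminal" preset
# to 999,999.99 in US dollars is approved without a PIN by the flawed card.
CONSTRUCTED = [(15_00, GBP), (25_00, GBP), (999_999_99, USD), (500_00, EUR)]

if __name__ == "__main__":
    print("flawed:  ", run(card_decision_flawed, CardState(), CONSTRUCTED))
    print("hardened:", run(card_decision_hardened, CardState(), CONSTRUCTED))
```

Running it shows the flawed card refusing £25 but waving through 999,999.99 USD and 500 EUR with no PIN, while the hardened rule demands a PIN for every foreign-currency request; the issuer screen catches the same two records after the fact, which is the kind of back-end control the researchers expect banks to have.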
‘Nevertheless, our research has identified a real vulnerability in the payment protocol, which could open the door to … fraud by criminals who are constantly looking for ways to breach the system,’ Mr Emms said.
‘The fact that we can bypass the £20 limit makes this new hack potentially very scalable and lucrative.
‘All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate.’