Newcastle University researchers have found a major flaw that bypasses the £20 limit on contactless card transactions by setting the card reader to a foreign currency
A flaw in Visa’s contactless cards means they will approve transactions of almost any amount without a PIN when the amount is requested in a foreign currency.
New research by experts at Newcastle University, UK, has highlighted a ‘glitch’ in the Visa system which means their contactless cards will approve foreign currency transactions of up to 999,999.99 in any foreign currency.
By side-stepping the £20 contactless card limit, such transactions can be carried out while the card is still in the victim’s pocket or bag. They are carried out offline, avoiding any additional security checks by the bank, and although the current system requires the card to authenticate itself, there is currently no requirement for the POS (point of sale) terminal to do the same.
Once a ‘rogue POS terminal’ has been set up, either on a mobile phone or on a device similar to those placed illegally on ATMs, the criminal inputs the amount they want to transfer.
This is then touched against the card, the transaction is approved and a code (the card’s EMV cryptogram) is supplied by the card, all in less than a second. This code would then be sent to the bank to release the funds.
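To make that exchange concrete, the Python simulation below (an example added here, not code from the Newcastle team or from Visa) models the two sides: a rogue terminal pre-sets the amount and currency and sends them to the card in the GET PROCESSING OPTIONS command data, and the card decides whether to approve offline (a TC cryptogram) or push the transaction online (an ARQC). The byte encodings of tags 9F02, 5F2A and 83 are standard EMV; everything else is an assumption that reproduces only what the article describes: the card is assumed to ask just for amount and currency in its PDOL, the card’s decision rule and the 999,999.99 ceiling model the reported glitch rather than any real card firmware, and `must_go_online` is an illustrative issuer-side rule, not Visa’s actual logic.

```python
"""Simulation of the foreign-currency contactless flaw described above.

Added illustration, not the Newcastle team's code. The encodings (tag 9F02
amount as n12 BCD, tag 5F2A currency as n3 BCD, tag 83 wrapping the PDOL data
in GET PROCESSING OPTIONS) are standard EMV; the card's decision rule is a
deliberately simplified model of the behaviour the article reports.
"""
from __future__ import annotations
from dataclasses import dataclass

# ISO 4217 numeric currency codes.
GBP, EUR, USD = 826, 978, 840

# Figures quoted in the article, in minor units (pence / cents).
UK_CONTACTLESS_LIMIT = 20_00      # the GBP 20 no-PIN limit
MAX_FOREIGN_AMOUNT = 999_999_99   # largest amount the card is said to approve


def encode_n12(amount_minor: int) -> bytes:
    """Amount, Authorised (tag 9F02): 12 BCD digits in 6 bytes."""
    if not 0 <= amount_minor <= 999_999_999_999:
        raise ValueError("amount does not fit in n12")
    return bytes.fromhex(f"{amount_minor:012d}")


def encode_n3(currency_code: int) -> bytes:
    """Transaction Currency Code (tag 5F2A): 3 BCD digits, left-padded to 2 bytes."""
    if not 0 <= currency_code <= 999:
        raise ValueError("not a numeric ISO 4217 code")
    return bytes.fromhex(f"{currency_code:04d}")


def build_gpo_data(amount_minor: int, currency_code: int) -> bytes:
    """Terminal side: the rogue terminal pre-sets amount and currency and sends
    them in the GET PROCESSING OPTIONS data (tag 83 envelope). Assumption: the
    card's PDOL asks only for 9F02 and 5F2A."""
    body = encode_n12(amount_minor) + encode_n3(currency_code)
    return b"\x83" + bytes([len(body)]) + body


def parse_gpo_data(data: bytes) -> tuple[int, int]:
    """Card side: unpack (amount, currency) from the tag 83 envelope."""
    if len(data) < 10 or data[0] != 0x83 or data[1] != len(data) - 2:
        raise ValueError("malformed GPO data")
    body = data[2:]
    return int(body[:6].hex()), int(body[6:8].hex())


@dataclass
class SimulatedCard:
    """Model of a card with the reported glitch: the no-PIN limit is only
    enforced when the transaction currency is the card's own currency."""
    domestic_currency: int = GBP
    offline_limit: int = UK_CONTACTLESS_LIMIT

    def process(self, gpo_data: bytes) -> str:
        """Return the cryptogram type the modelled card generates: 'TC' for an
        offline approval, 'ARQC' to force the transaction online (PIN/issuer)."""
        amount, currency = parse_gpo_data(gpo_data)
        if currency == self.domestic_currency:
            return "TC" if amount <= self.offline_limit else "ARQC"
        # Foreign currency: the limit check is skipped. This is the flaw.
        return "TC" if amount <= MAX_FOREIGN_AMOUNT else "ARQC"


def must_go_online(card: SimulatedCard, amount_minor: int, currency_code: int) -> bool:
    """Illustrative issuer-side rule (our assumption, in the spirit of requiring
    more transactions to be authorised online): any foreign-currency contactless
    transaction, or a domestic one above the limit, is not trusted to the card's
    offline approval alone."""
    return currency_code != card.domestic_currency or amount_minor > card.offline_limit


if __name__ == "__main__":
    card = SimulatedCard()
    for amount, ccy, label in [(15_00, GBP, "GBP 15.00"), (50_00, GBP, "GBP 50.00"),
                               (200_00, EUR, "EUR 200.00"),
                               (MAX_FOREIGN_AMOUNT, USD, "USD 999,999.99")]:
        verdict = card.process(build_gpo_data(amount, ccy))
        print(f"{label:>15}: card returns {verdict:4}  "
              f"issuer forces online: {must_go_online(card, amount, ccy)}")
```

Running it shows the asymmetry the researchers describe: GBP 50.00 is pushed online by the modelled card, while EUR 200.00 and USD 999,999.99 are approved offline, and only the issuer-side rule catches them.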
Martin Emms, who is based in the University’s Centre for Cybercrime and Computer Security, explained: “This lends itself to multiple attackers across the world collecting small transactions of perhaps €200 at a time for a central rogue merchant who could be located anywhere in the world.
“This previously undocumented flaw around foreign currency, combined with the lack of POS terminal authentication and the ease of skimming contactless cards, makes the system more vulnerable to high-value attacks.”
Professor Aad van Moorsel, Head of the School of Computing Science at Newcastle University and one of the authors on the paper, added: “At the moment, the lowest hanging fruit with regard to payment card fraud is the magnetic stripe.
“With the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature.
“If we can find flaws in contactless payment, then they will be able to do that as well. That is the purpose of our research: to find the holes and fix them before they can be exploited.”
Presenting their research at the prestigious CCS 2014 academic conference in Arizona, the Newcastle team say this flaw in the system could open the door to potential fraud by criminals who are constantly looking for ways to breach the systems.
Martin Emms, lead researcher on the project, said: “With just a mobile phone we created a POS terminal that could read a card through a wallet. All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions.
“By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved.”
Mr Emms continued: “We have not yet tested the back end of the system, and we appreciate that banks will have a number of security systems in place to prevent fraud. Nevertheless, our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system.
“It is not clear from reading the payment protocol how banks would deal with the inconsistencies we have found through our research, hence we believe the vulnerability poses a potential threat.
“The fact that we can bypass the £20 limit makes this new hack potentially very scalable and lucrative. All a criminal would need to do is set up somewhere like an airport or the London Underground where the use of different currencies would appear legitimate.”
Visa Europe told the BBC the findings did not take into account “multiple safeguards throughout the Visa system”, adding: “It would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment.”
It said it is updating its protections to require more card transactions to be authenticated online, making this kind of attack more difficult.
The UK Cards Association trade body said: “While this complex fraud may be theoretically feasible in a laboratory, it hasn’t been attempted in the real world and absolutely no money has ever been lost as a result.
“There are robust security checks in place at every single stage of a payment – by the retailer’s bank, the card scheme and the customer’s bank – which monitor, and stop, suspicious transactions. Consumers can be assured they are legally protected from any fraud losses and will never be out of pocket.”
“Contactless cards are extremely safe, borne out by the negligible fraud losses of less than 1p for every £100 spent over the first half of 2014.”
Even though vulnerabilities have been found in contactless cards, fraud was negligible in the UK at £51,000 over the first six months of the year, which is just 0.007 per cent of contactless card spending.