Visa contactless payment cards can be manipulated into approving large transactions in foreign currencies, according to research at Newcastle University.
The flaw lies in the payment protocol: it never asks for a PIN when a transaction in a currency other than the card's own is requested.
“With the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature,” said Professor Aad van Moorsel, head of the School of Computing Science at Newcastle University. “If we can find flaws in contactless payment, then they will be able to do that as well. That is the purpose of our research: to find the holes and fix them before they can be exploited.”
The flaw in Visa’s systems allows any foreign-currency transaction of up to 999,999.99 to be approved.
The presented scenario relies on two properties: a POS terminal, unlike the card, never has to authenticate itself, and the transactions are processed offline, so the bank’s security checks are never consulted.
Contactless credit cards are equipped with an RFID (Radio-Frequency Identification) chip that can be read by a smartphone via NFC (Near Field Communication). This way, a criminal could set up a POS terminal on his phone and read contactless credit cards via NFC.
“In our tests, it took less than a second for the transaction to be approved,” said Martin Emms, lead researcher on this project.
The criminal could then simply bump into other people in crowded places, wave a phone around in a coffee shop, or install a rogue POS on an ATM.
To make the transactions appear legitimate, a criminal could also set up a rogue POS in an airport, hotel or other place frequented by travelers. The rogue POS can also be configured with pre-set transaction amounts.
This flaw could potentially open the doors for criminals who constantly seek new methods for fraud.
“The fact that we can bypass the £20 limit makes this new hack potentially very scalable and lucrative,” Emms concluded.
The study, entitled “Harvesting high value foreign currency transactions from EMV contactless credit cards without the PIN,” will be presented on November 5th at the CCS 2014 academic conference in Arizona.
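As an added illustration, not taken from the article or the Newcastle paper, the following simplified model contrasts a cardholder-verification rule with the weakness described above (the no-PIN limit is compared only for domestic-currency amounts) against a hardened rule that forces every non-domestic or over-limit amount online, which is the direction of the mitigation Visa mentions. It also shows an issuer-side detection pass over offline approvals. The currency codes, exchange rates, limit and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed assumptions: ISO 4217 numeric codes as strings, illustrative rates to GBP.
DOMESTIC_CURRENCY = "826"                      # GBP
NO_CVM_LIMIT = Decimal("20.00")                # the £20 contactless limit quoted above
RATES_TO_GBP = {                               # constructed, not real rates
    "826": Decimal("1"),                        # GBP
    "840": Decimal("0.62"),                     # USD
    "978": Decimal("0.79"),                     # EUR
}

@dataclass(frozen=True)
class Transaction:
    amount: Decimal       # major units, e.g. Decimal("999999.99")
    currency: str         # ISO 4217 numeric code
    online_capable: bool  # can the terminal reach the issuer right now?

def weak_cvm_required(tx: Transaction) -> bool:
    """Models the flaw: the limit is only enforced for the card's own currency,
    so a foreign-currency amount of any size is treated like a low-value tap."""
    return tx.currency == DOMESTIC_CURRENCY and tx.amount > NO_CVM_LIMIT

def hardened_decision(tx: Transaction) -> str:
    """Returns 'approve_offline', 'require_cvm_online' or 'decline'.
    Only a domestic amount at or under the limit may be approved offline;
    every foreign-currency or over-limit amount must go online so the issuer's
    risk checks and cardholder verification run, and a terminal that cannot
    go online declines instead of approving blind."""
    if tx.currency == DOMESTIC_CURRENCY and tx.amount <= NO_CVM_LIMIT:
        return "approve_offline"
    return "require_cvm_online" if tx.online_capable else "decline"

def flag_suspicious_offline_approvals(records):
    """Issuer-side detection over already-approved offline transactions:
    normalise each amount to GBP and flag anything above the no-CVM limit.
    Unknown currencies are flagged because they cannot be normalised."""
    flagged = []
    for tx in records:
        rate = RATES_TO_GBP.get(tx.currency)
        if rate is None or tx.amount * rate > NO_CVM_LIMIT:
            flagged.append(tx)
    return flagged

# Constructed sample of offline approvals, as they might appear in issuer logs.
SAMPLE_OFFLINE_APPROVALS = [
    Transaction(Decimal("12.50"), "826", False),      # ordinary domestic tap
    Transaction(Decimal("999999.99"), "840", False),  # the case the article describes
    Transaction(Decimal("18.00"), "978", False),      # small foreign tap, within limit
]
```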
I wonder if this will delay phasing out the ever-so-crackable magstripe.
It’s worth mentioning Visa’s response to the claims:
In a report on the BBC, Visa Europe said that “we have reviewed Newcastle’s findings as part of our continued focus on security and beating payments fraud” and that their research “does not take into account the multiple safeguards put into place throughout the Visa system”, adding that it would be “very difficult to complete this type of transaction outside of a laboratory environment.”
Visa Europe also said that the company is updating its protection to require more payment card transactions to be authenticated online, making this kind of attack more difficult to carry out.