UK Visa Contactless Cards Flaw Could Be Used in Fraud

Visa contactless payment cards can be manipulated into approving large transactions in other currencies, according to research at Newcastle University.

Because of the flaw, the payment protocol never asks for a PIN when a transaction in another currency is requested.

“With the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature,” said Professor Aad van Moorsel, head of the School of Computing Science at Newcastle University. “If we can find flaws in contactless payment, then they will be able to do that as well. That is the purpose of our research: to find the holes and fix them before they can be exploited.”

The flaw in Visa’s systems approves any foreign currency transaction of up to 999,999.99.

The scenario presented relies on a POS terminal that, unlike the credit card, never has to authenticate itself, with transactions made offline to avoid bank security checks.

Contactless credit cards are equipped with an RFID (radio-frequency identification) chip that can be read by a smartphone via NFC (Near Field Communication). This way, a criminal could set up a POS terminal on his phone and read contactless credit cards via NFC.

“In our tests, it took less than a second for the transaction to be approved,” said Martin Emms, lead researcher on this project.

The criminal can then simply bump into other people in crowded places, swipe a phone in a coffee shop or just install a rogue POS on ATMs.

Also, for the transactions to appear legitimate, a criminal could set up a rogue POS in an airport, hotel or other places frequented by travelers. The rogue POS can also be configured so that transaction amounts are pre-set.

This flaw could potentially open the doors for criminals who constantly seek new methods for fraud.

“The fact that we can by-pass the £20 limit makes this new hack potentially very scalable and lucrative,” Emms concluded.

The study, entitled “Harvesting high value foreign currency transactions from EMV contactless credit cards without the PIN,” will be presented on November 5th at the CCS 2014 academic conference in Arizona.
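
As an added illustration (not code from the Newcastle study, Visa or this article's author), the Python example below shows how an issuer could screen clearing records for the pattern described above: contactless transactions approved offline, without a PIN, in a currency other than the card's own. The record layout, field names, the GBP home currency and the sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Txn:
    """Hypothetical clearing record; every field name is an assumption."""
    txn_id: str
    interface: str             # "contactless" or "contact"
    approved_offline: bool     # approved by the card, issuer not consulted
    cardholder_verified: bool  # PIN (or other verification) was performed
    currency: str              # ISO 4217 code of the transaction
    amount: Decimal

HOME_CURRENCY = "GBP"                 # card's own currency (assumed)
CONTACTLESS_LIMIT = Decimal("20.00")  # the £20 limit quoted in the article

def risk_reasons(t: Txn) -> list[str]:
    """Reasons a record matches the no-PIN foreign-currency pattern, if any."""
    if t.interface != "contactless" or t.cardholder_verified:
        return []
    if t.currency == HOME_CURRENCY:
        if t.amount > CONTACTLESS_LIMIT:
            return ["no-PIN contactless amount above the home-currency limit"]
        return []
    # Per the article, the £20 ceiling is bypassed for other currencies, so the
    # amount cannot be trusted here; what matters is that the issuer never saw it.
    if t.approved_offline:
        return ["no-PIN contactless transaction in a foreign currency",
                "approved offline, so the issuer never authorised it"]
    return []  # authorised online: issuer-side checks already applied

def flag(records):
    """Map txn_id -> reasons for every record that needs review."""
    return {t.txn_id: r for t in records if (r := risk_reasons(t))}

# Constructed sample records (not real transaction data).
SAMPLE = [
    Txn("t1", "contactless", True, False, "GBP", Decimal("4.50")),
    Txn("t2", "contactless", True, False, "EUR", Decimal("999999.99")),
    Txn("t3", "contact", False, True, "USD", Decimal("250.00")),
    Txn("t4", "contactless", False, False, "USD", Decimal("12.00")),
    Txn("t5", "contactless", True, False, "GBP", Decimal("35.00")),
]

if __name__ == "__main__":
    for txn_id, reasons in flag(SAMPLE).items():
        print(txn_id, "->", "; ".join(reasons))
```
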

About the author

Lucian Ciolacu


2 Comments

  • It's worth mentioning the VISA’s response to the claims:

    In a report on the BBC, Visa Europe said that “we have reviewed Newcastle’s findings as part of our continued focus on security and beating payments fraud” and that their research “does not take into account the multiple safeguards put into place throughout the Visa system”, adding that it would be “very difficult to complete this type of transaction outside of a laboratory environment.”

    Visa Europe also said that the company is updating its protection to require more payment card transactions to be authenticated online, making this kind of attack more difficult to carry out.