Visa contactless payment cards can be manipulated to undergo approvals for large transactions in other currencies, according to research at Newcastle University.
The flaw lies in the payment protocol, which never asks for a PIN when a transaction in another currency is requested.
“With the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature,” said Professor Aad van Moorsel, head of the School of Computing Science at Newcastle University. “If we can find flaws in contactless payment, then they will be able to do that as well. That is the purpose of our research: to find the holes and fix them before they can be exploited.”
The flaw in Visa’s systems approves any foreign currency transaction of up to 999,999.99.
The presented scenario relies on a POS terminal which, unlike the card, never has to authenticate itself; because the transactions are processed offline, they avoid the bank's security checks.
Contactless credit cards are equipped with an RFID (Radio-frequency identification) chip that can be read by a smartphone via NFC (Near Field Communication). This way, a criminal could set up a POS terminal on his phone and read contactless credit cards via NFC.
“In our tests, it took less than a second for the transaction to be approved,” said Martin Emms, lead researcher on this project.
Now the criminal can easily bump into other people in crowded places, swipe a phone in a coffee shop or just install a rogue POS on ATM machines.
Also, for the transactions to appear legitimate, a criminal could set up a rogue POS in airports, hotels or other places frequented by travelers. The rogue POS can also be configured with pre-set transaction amounts.
This flaw could potentially open the doors for criminals who constantly seek new methods for fraud.
“The fact that we can by-pass the £20 limit makes this new hack potentially very scalable and lucrative,” Emms concluded.
The study, entitled “Harvesting high value foreign currency transactions from EMV contactless credit cards without the PIN,” will be presented on November 5th at the CCS 2014 academic conference in Arizona.