November 7, 2014
A flaw has been revealed in Visa’s contactless cards that can lead to effectively unlimited transactions being approved without a PIN when the requested amount is in a foreign currency. Researchers at Newcastle University, UK, have shown that the glitch in the Visa system lets a contactless card approve foreign-currency transactions of up to 999,999.99 in any foreign currency. In the UK these cards have a £20 limit per transaction, but the glitch bypasses even that.
The transactions can be carried out while the card is still in the victim’s pocket or bag. The cards run additional security checks of their own for offline transactions, but the POS terminal is not required to perform any such check on its side, so once the card fails to apply its limit to a foreign-currency amount nothing at the terminal enforces it. This lack of terminal-side enforcement is what exposes POS transactions on a large scale and gives criminals a further avenue to exploit. The researchers also built a POS terminal out of a mobile phone that was able to read a card while it remained in a wallet.
Martin Emms, the lead researcher, said in an official press release: “All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved. We have not yet tested the back end of the system, and we appreciate that banks will have a number of security systems in place to prevent fraud. Nevertheless, our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system. It is not clear from reading the payment protocol how banks would deal with the inconsistencies we have found through our research, hence we believe the vulnerability poses a potential threat.”
Because the flaw bypasses the £20 limit, the attack could be carried out on a massive scale. Contactless purchases of up to £20, made without inserting the card or entering a PIN, are already widespread in the UK. A criminal can set up a rogue POS terminal, pre-set any amount they want to transfer, and use it against victims in close proximity without their knowledge. This previously unknown foreign-currency flaw, combined with the lack of POS terminal authentication and the ease of reading contactless credit cards, leaves the system open to high-value attacks.
With the magnetic stripe being phased out of payment cards, criminals will look for more ways to target contactless cards.
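The two points above, that the limit check lives on the card while the terminal runs no check of its own, and that a rogue terminal simply pre-sets the amount and currency it asks for, can be shown with a small model of the exchange. This is an added example, not Visa’s, the card applet’s, or the Newcastle researchers’ code: the card-side decision functions are an assumed simplification written to show the failure mode and its fail-closed fix, not a reproduction of any real applet. The field encodings are the real ones (EMV tag 9F02 Amount, Authorised as 6-byte BCD, tag 5F2A Transaction Currency Code as 2-byte BCD, ISO 4217 numeric codes), but a real PDOL carries more fields than the two modelled here.

```python
"""
Simplified model of the card-side no-PIN limit check described in the
article.  Added illustration only: the card logic below is an assumption
used to demonstrate the flaw and a fail-closed alternative, not the
behaviour of any real Visa applet.
"""
from dataclasses import dataclass

# ISO 4217 numeric currency codes (real values).
GBP, USD, EUR = 826, 840, 978

# UK contactless no-PIN ceiling at the time of the article, in pence.
NO_PIN_LIMIT_GBP_MINOR = 20_00


def bcd(value: int, nbytes: int) -> bytes:
    """Encode an integer as right-aligned packed BCD, as EMV numeric fields are."""
    digits = str(value).zfill(nbytes * 2)
    if len(digits) > nbytes * 2:
        raise ValueError("value does not fit in field")
    return bytes.fromhex(digits)


def unbcd(data: bytes) -> int:
    """Decode packed BCD back to an integer."""
    return int(data.hex())


def build_pdol_data(amount_minor: int, currency: int) -> bytes:
    """Terminal side (this is what a rogue terminal pre-sets): the two PDOL
    values modelled here, Amount, Authorised (tag 9F02, n12, 6 bytes)
    followed by Transaction Currency Code (tag 5F2A, n3, 2 bytes)."""
    return bcd(amount_minor, 6) + bcd(currency, 2)


@dataclass(frozen=True)
class Request:
    amount_minor: int   # amount in minor units (pence, cents, ...)
    currency: int       # ISO 4217 numeric code


def parse_pdol_data(data: bytes) -> Request:
    """Card side: recover amount and currency from the constructed PDOL data."""
    if len(data) != 8:
        raise ValueError("unexpected PDOL data length")
    return Request(unbcd(data[:6]), unbcd(data[6:8]))


def card_cvm_flawed(req: Request) -> str:
    """Assumed model of the flaw: the limit is compared only for the card's
    home currency, so a foreign-currency amount is never tested against it."""
    if req.currency == GBP and req.amount_minor > NO_PIN_LIMIT_GBP_MINOR:
        return "PIN_REQUIRED"
    return "APPROVE_NO_PIN"


def card_cvm_fail_closed(req: Request, home_currency: int = GBP) -> str:
    """Hardened model: any amount the card cannot compare against its limit
    (a currency other than its own) requires cardholder verification."""
    if req.currency != home_currency:
        return "PIN_REQUIRED"
    if req.amount_minor > NO_PIN_LIMIT_GBP_MINOR:
        return "PIN_REQUIRED"
    return "APPROVE_NO_PIN"


def terminal_allows_no_pin(req: Request, limits: dict) -> bool:
    """Independent terminal-side check, the layer the article says is absent:
    the terminal keeps its own no-PIN limit per accepted currency and refuses
    a PIN-less transaction in any currency it has no limit for."""
    limit = limits.get(req.currency)
    return limit is not None and req.amount_minor <= limit


def run(amount_minor: int, currency: int) -> dict:
    """Build the terminal's request, parse it as the card would, and collect
    all three decisions for comparison."""
    req = parse_pdol_data(build_pdol_data(amount_minor, currency))
    return {
        "card_flawed": card_cvm_flawed(req),
        "card_fixed": card_cvm_fail_closed(req),
        "terminal_allows_no_pin": terminal_allows_no_pin(
            req, {GBP: NO_PIN_LIMIT_GBP_MINOR}),
    }


if __name__ == "__main__":
    # Constructed sample requests: a normal purchase, an over-limit GBP
    # purchase, and the foreign-currency amount from the article.
    for amount, cur, label in [(15_00, GBP, "GBP 15.00"),
                               (25_00, GBP, "GBP 25.00"),
                               (999_999_99, USD, "USD 999,999.99")]:
        print(label, run(amount, cur))
```

The flawed card approves USD 999,999.99 without a PIN because the comparison never runs for a non-GBP currency; the fail-closed card and the terminal-side limit each stop it independently, which is the defence in depth the article notes is missing when the terminal runs no check of its own.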
Follow this link to see how Martin Emms demonstrates the hack for the BBC.