Researchers from Newcastle University have discovered a major flaw in contactless VISA cards.
In the United Kingdom, these cards do not apply the contactless spending limit to transactions made in non-UK currencies, and can be tricked into approving a foreign-currency transaction of up to 999,999.99.
In the UK, contactless payment cards are supposed to enforce an upper limit of £20 per transaction; below that limit, consumers can pay by simply tapping their card on the reader, without entering their PIN. This attack bypasses that £20 contactless limit, allowing an attacker to take a far larger payment from the card without the cardholder noticing.
“With just a mobile phone we created a POS terminal that could read a card through a wallet,” explains Martin Emms, lead researcher on the project.
“All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved.
“We have not yet tested the back end of the system, and we appreciate that banks will have a number of security systems in place to prevent fraud. Nevertheless, our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system. It is not clear from reading the payment protocol how banks would deal with the inconsistencies we have found through our research, hence we believe the vulnerability poses a potential threat.
“The fact that we can by-pass the £20 limit makes this new hack potentially very scalable and lucrative. All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate.”
Lancope chief technology officer TK Keanini said he was happy that this was discovered, and ultimately fixed. “Over the next 12 to 24 months, as more payment technology is brought online, we are likely to see a rise in new vulnerabilities like this,” he said.
“The worry, however, should not be that a single transaction for $999,999.99 can be carried out. The real concern should be that 999,999 transactions for $0.99 can be executed. The former will stick out like a sore thumb, whereas the latter is much harder to detect in this day and age.”
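Both concerns above, the single over-limit foreign-currency tap and the burst of many tiny taps, can be caught on the issuer side, where the card's own currency-specific check does not apply. The following is an added illustration, not code from the researchers or from any payment network; the exchange rates, field names and sample transactions are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Assumed GBP conversion rates (placeholder values, not real market rates).
GBP_PER_UNIT = {"GBP": Decimal("1"), "USD": Decimal("0.62"), "EUR": Decimal("0.79")}
CONTACTLESS_LIMIT_GBP = Decimal("20")

def exceeds_contactless_limit(tx):
    """Issuer-side check: a no-PIN tap must stay under the GBP limit in
    whatever currency the terminal requested. The card-side check described
    in the article only enforces the limit for GBP transactions."""
    if tx["pin_verified"]:
        return False
    gbp = Decimal(tx["amount"]) * GBP_PER_UNIT[tx["currency"]]
    return gbp > CONTACTLESS_LIMIT_GBP

def find_over_limit(transactions):
    return [tx["id"] for tx in transactions if exceeds_contactless_limit(tx)]

def find_small_tap_bursts(transactions, max_taps=3, window_s=600):
    """Flag terminals collecting more than max_taps no-PIN transactions
    within window_s seconds: the 'many $0.99 transactions' pattern."""
    by_terminal = defaultdict(list)
    for tx in transactions:
        if not tx["pin_verified"]:
            by_terminal[tx["terminal"]].append(tx["ts"])
    flagged = []
    for terminal, times in by_terminal.items():
        times.sort()
        for i in range(len(times)):
            j = i  # count taps in the window starting at times[i]
            while j < len(times) and times[j] - times[i] <= window_s:
                j += 1
            if j - i > max_taps:
                flagged.append(terminal)
                break
    return flagged

# Constructed sample transactions (not real data); ts is seconds.
SAMPLE = [
    {"id": "t1", "ts": 0,   "terminal": "A", "amount": "12.50",     "currency": "GBP", "pin_verified": False},
    {"id": "t2", "ts": 30,  "terminal": "B", "amount": "999999.99", "currency": "USD", "pin_verified": False},
    {"id": "t3", "ts": 60,  "terminal": "C", "amount": "0.99",      "currency": "USD", "pin_verified": False},
    {"id": "t4", "ts": 70,  "terminal": "C", "amount": "0.99",      "currency": "USD", "pin_verified": False},
    {"id": "t5", "ts": 80,  "terminal": "C", "amount": "0.99",      "currency": "USD", "pin_verified": False},
    {"id": "t6", "ts": 90,  "terminal": "C", "amount": "0.99",      "currency": "USD", "pin_verified": False},
    {"id": "t7", "ts": 100, "terminal": "D", "amount": "150.00",    "currency": "EUR", "pin_verified": True},
]
```

Running `find_over_limit(SAMPLE)` flags only `t2`, and `find_small_tap_bursts(SAMPLE)` flags terminal `C`, whose four sub-£1 taps would each pass the per-transaction check on their own.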
Last month, President Obama announced that federal payment cards are to receive added security measures, including Chip and PIN, from January.