Researchers Claim Major Visa Contactless Card Flaw

Researchers from Newcastle University claim that a glitch in Visa’s contactless cards means criminals could covertly steal up to 999,999 in any currency from customer accounts with rogue point-of-sale (POS) machines.

The research, Harvesting high value foreign currency transactions from EMV contactless credit cards without the PIN, is being presented at the CCS 2014 conference in Arizona this week.

The flaw which the team claims to have discovered effectively bypasses the £20 limit normally placed on contactless transactions.

It means an attacker can create a rogue POS terminal on a mobile phone or at an ATM then input the amount they want to transfer. Once the POS device comes in contact with a card, the transaction is approved and the card supplies a code, which is then sent to the bank to free up funds, the researchers claim.

“With just a mobile phone we created a POS terminal that could read a card through a wallet,” said lead researcher, Martin Emms, in a statement.

“All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved.”

In a typical scenario, a network of cyber-criminals around the world could collect relatively small transactions of around £200, so as not to arouse suspicion, said Emms, who works at Newcastle University’s Centre for Cybercrime and Computer Security.

Setting up the POS in an airport or underground station would also make the use of different currencies seem legitimate, he said.

The researchers maintain that once magnetic stripe-based cards are phased out across the globe in regions such as the US, fraudsters will turn their attention to chip and PIN.

However, the attack scenario has not been tested in the wild, and Visa claims there is no cause for concern.

It said the following in a statement sent to Infosecurity:

“The research does not take into account the multiple safeguards put into place throughout the Visa system, each of which must be met in order to make a transaction possible in the real world. For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment.”

What’s Hot on Infosecurity Magazine?