Flaw in Visa’s contactless payment system could lead to fraud

Researchers from Newcastle University have discovered a serious flaw in Visa’s contactless credit cards which could allow attackers to siphon large amounts of money off users’ bank accounts without them even noticing.

To speed up transactions and increase customer convenience, when paying with contactless credit cards in the UK for anything that costs less than £20 (around $32), users do not have to enter their PIN to confirm the transaction.

Unfortunately, the researchers have discovered that this limit can easily be circumvented simply by setting the transaction currency to a foreign one.

“Once a ‘rogue POS terminal’ has been set up – either on a mobile phone or a system similar to those placed illegally on ATM machines – the criminal inputs the amount they want to transfer,” the researchers explained.

“All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved,” noted lead researcher Martin Emms.

“We have not yet tested the back end of the system, and we appreciate that banks will have a number of security systems in place to prevent fraud. Nevertheless, our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system. It is not clear from reading the payment protocol how banks would deal with the inconsistencies we have found through our research, hence we believe the vulnerability poses a potential threat.”
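To make the inconsistency concrete, here is an added example (not code from the article, the researchers or Visa) that models the check as the article describes it: the card applies the £20 no-PIN limit only to amounts in its own currency, so a foreign-currency amount is never compared against it. Beside it is the kind of issuer-side check a bank could run, which converts every amount into the card's currency before applying the limit and declines unknown currencies. The exchange rates, currency codes and transactions are constructed for illustration and are not figures from the research.

```python
"""Added example: flawed card-side limit check versus a hardened issuer-side check.

The card-side behaviour below is a model of what the article describes
(limit enforced only for GBP amounts); the exchange rates and transactions
are constructed sample values, not data from the research.
"""
from dataclasses import dataclass
from decimal import Decimal

CARD_CURRENCY = "GBP"
NO_PIN_LIMIT = Decimal("20.00")  # UK contactless no-PIN limit stated in the article

# Constructed, illustrative rates: value in GBP of one unit of each currency.
RATES_TO_GBP = {
    "GBP": Decimal("1"),
    "USD": Decimal("0.62"),
    "EUR": Decimal("0.80"),
}


@dataclass(frozen=True)
class Transaction:
    amount: Decimal      # amount in major units of `currency`
    currency: str        # ISO 4217 alphabetic code
    pin_verified: bool   # True if the cardholder entered a PIN


def card_side_check_as_described(tx: Transaction) -> bool:
    """The flawed check: the limit is only applied when the currency is GBP.

    A foreign-currency transaction without a PIN is approved regardless of
    amount, which is the inconsistency the researchers report.
    """
    if tx.pin_verified:
        return True
    if tx.currency != CARD_CURRENCY:
        return True  # no limit applied to foreign currency: the flaw
    return tx.amount <= NO_PIN_LIMIT


def issuer_side_check(tx: Transaction) -> bool:
    """Hardened check: normalise to the card's currency, then apply the limit.

    Any currency the issuer cannot convert is declined rather than waved
    through, so the limit holds for every no-PIN transaction.
    """
    if tx.pin_verified:
        return True
    rate = RATES_TO_GBP.get(tx.currency)
    if rate is None:
        return False
    return tx.amount * rate <= NO_PIN_LIMIT


def flag_inconsistencies(transactions):
    """Return the transactions the card would approve but the issuer should decline.

    This is the back-end reconciliation a bank can run on incoming no-PIN
    contactless authorisations to catch the foreign-currency case.
    """
    return [
        tx for tx in transactions
        if card_side_check_as_described(tx) and not issuer_side_check(tx)
    ]


if __name__ == "__main__":
    # Constructed sample batch: one ordinary GBP purchase, one small USD
    # purchase, and one large USD amount with no PIN.
    batch = [
        Transaction(Decimal("15.00"), "GBP", False),
        Transaction(Decimal("10.00"), "USD", False),
        Transaction(Decimal("5000.00"), "USD", False),
    ]
    for tx in flag_inconsistencies(batch):
        print(f"card approves, issuer declines: {tx.amount} {tx.currency}")
```

Running the script prints only the large USD transaction: the card-side model approves it because no limit is applied to a foreign currency, while the issuer-side check converts it to GBP and declines it.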

But, apparently, Visa isn’t worried. The company says the researchers have not taken into account its multiple safeguards designed to prevent this type of attack, and that it believes the results could not be replicated outside a lab environment.

Whichever side is right, research like this should be welcome.

We all know that criminals are always trying to discover new ways of bypassing the security measures put in place by financial organizations. Having researchers pre-emptively discover weaknesses in these systems and prompt organizations to fix them before they are misused by attackers is a good proposition for everyone except the criminals themselves.