Newcastle University researchers have found a security flaw in Visa's contactless payment card system that allows hackers to bypass the £20 limit and take out up to 1 million of any foreign currency – for example, more than £2 million if taken in Kuwaiti Dinars.
A five-strong research team, led by Martin Emms, reported on 1 November that it has found a “glitch” in the system that allows EMV (Europay, MasterCard and Visa) users to buy items costing up to £20 without having to insert their card into a terminal or enter their PIN.
The researchers found a flaw in Visa's contactless credit cards which means they will approve unlimited cash transactions without a PIN, when the amount is requested in a foreign currency.
Exploiting this, the researchers set up a ‘rogue’ POS terminal on a mobile phone that could bust the cash limit and reset it at up to 999,999.99 of any foreign currency. The terminal can even carry out transactions while the card is still in the victim's pocket or bag.
“Transactions are carried out offline, avoiding any additional security checks by the bank, and although the current system requires the credit card to authenticate itself, there is currently no requirement for the POS terminal to do the same,” the researchers explained.
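The decision logic the researchers describe, reduced to a toy model as an added example (this is not the Newcastle team's code, nor Visa's, and the currency code "GBP", the fixed limits and the outcome labels are assumptions for illustration): the flawed card applies its offline limit only to domestic-currency requests, while the hardened version sends any foreign-currency request, and anything above the limit, online for issuer authentication.

```python
from decimal import Decimal, InvalidOperation

# Contactless offline limit in the card's domestic currency (from the article).
CARD_CURRENCY = "GBP"                        # assumed domestic currency code
OFFLINE_LIMIT = Decimal("20.00")             # the £20 limit
MAX_TERMINAL_AMOUNT = Decimal("999999.99")   # largest amount a terminal can request


def _parse_amount(amount):
    """Normalise a terminal amount to Decimal; anything unparseable or negative is None."""
    try:
        value = Decimal(str(amount))
    except InvalidOperation:
        return None
    return value if value >= 0 else None


def flawed_card_decision(amount, currency):
    """Model of the reported behaviour: the limit check fires only when the request is in
    the card's own currency, so a foreign-currency amount of any size is approved offline."""
    value = _parse_amount(amount)
    if value is None or value > MAX_TERMINAL_AMOUNT:
        return "DECLINE"
    if currency == CARD_CURRENCY and value > OFFLINE_LIMIT:
        return "REQUIRE_ONLINE_WITH_PIN"
    return "APPROVE_OFFLINE"


def hardened_card_decision(amount, currency):
    """Corrected model: offline approval is allowed only for a domestic-currency amount at or
    below the limit; every other request must go online so the issuer can authenticate it."""
    value = _parse_amount(amount)
    if value is None or value > MAX_TERMINAL_AMOUNT:
        return "DECLINE"
    if currency != CARD_CURRENCY or value > OFFLINE_LIMIT:
        return "REQUIRE_ONLINE_WITH_PIN"
    return "APPROVE_OFFLINE"


def compare_models(requests):
    """Run constructed terminal requests through both models; returns (amount, currency, flawed, hardened)."""
    return [(a, c, flawed_card_decision(a, c), hardened_card_decision(a, c)) for a, c in requests]


if __name__ == "__main__":
    # Constructed sample requests: a legitimate small purchase, an over-limit domestic one,
    # and the foreign-currency amounts from the article.
    for row in compare_models([("15.00", "GBP"), ("25.00", "GBP"),
                               ("999999.99", "USD"), ("1000000.00", "KWD")]):
        print(row)
```

The last sample request exceeds the terminal maximum and is declined by both models; the 999,999.99 USD request is the one the flawed model approves offline and the hardened model sends online.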
Their findings have provoked a war of words with Visa.
Professor Aad Van Moorsel, head of the school of computing science at Newcastle University, insists this is “a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the systems”.
But in response, Visa dismissed the claims as “no cause for concern”, while admitting: “We are updating the safeguards in the payment system to require more transactions to come online for authentication, making it even more difficult to make this kind of fraudulent attack. This process was already underway before we were made aware of the Newcastle research.”
In its statement, the company added: “The research does not take into account the multiple safeguards put into place throughout the Visa system, each of which must be met in order to make a transaction possible in the real world.
“For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment.”
Martin Emms confirmed it was a real vulnerability, adding: “By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved.
“The fact that we can by-pass the £20 limit makes this new hack potentially very scalable and lucrative. All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate.”
Providing an independent view on the reported flaw, electronic payments expert Dr Guy Bunker, senior vice president for products at Clearswift, told SCMagazineUK.com via email: “Firstly this is a vulnerability, rather than something that has been seen ‘in the wild’. However, the fact it has been published means it will, no doubt, be in the wild shortly.”
Bunker said: “The researchers acknowledge the fact there are some back-end systems that are designed to detect and prevent fraud. Which is a good thing. The real question is what to do next? The obvious piece is to improve the authentication and authorisation mechanism of the card – if there is a flaw, then it should be fixed. Fixing is costly, but at the end of the day, this is what needs to happen.”
Bunker advised payment card users: “The easiest solution is to purchase a wallet or purse with RF shielding (available from all good online retailers!) – which prevents remote access to the card by anyone. This includes yourself. So, if you want to use a contactless terminal, you will need to remove the card from the wallet. This also gets around one of the other challenges – whereby ‘the wrong card’ is charged.”
Newcastle's Professor Van Moorsel added: “At the moment, the lowest-hanging fruit with regard to payment card fraud is the magnetic stripe. With the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature.
“If we can find flaws in contactless payment, then they will be able to do that as well. That is the purpose of this research: to find the holes and fix them before they can be exploited.”
The research team of Martin Emms, Budi Arief, Leo Freitas, Joseph Hannon and Aad van Moorsel is presenting its findings at this week's CCS 2014 academic conference in Arizona.