Researchers at Newcastle University have identified a major vulnerability in Visa’s contactless cards that could allow hackers to steal huge amounts of money from users’ accounts without their knowledge.
Contactless credit cards allow users in the UK to make transactions of less than £20 without entering their PIN, speeding up the process and improving customer convenience. However, the researchers found that this limit can be circumvented by changing the transaction's default currency to a foreign one.
“With just a mobile phone we created a POS terminal that could read a card through a wallet,” Martin Emms, lead researcher of the project, noted in a statement about the findings. “All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions.”
“By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved.”
The good news is that the attack is untested against Visa's back end: the research team has not checked how Visa's system reacts to a rush of foreign-currency transactions, or whether it would flag them as possible fraud.
But the experts are worried that the contactless payment card system is insecure, and that cybercriminals would likely use the flaw to set up hundreds or thousands of fraudulent transactions in smaller amounts to evade detection.
“Our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system,” Emms said.
Since cybercriminals are exploring all possible ways to break into the system, they will exploit this vulnerability sooner or later. The researchers also said that the payment protocol does not clearly specify how banks should handle this inconsistency. However, Visa doesn't seem to be worried. Visa said that the researchers had not considered the multiple safeguards it employs to prevent such attacks, and ruled out the possibility of similar attacks being replicated outside the lab.
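The weakness the article describes is that the no-PIN ceiling is enforced on the card, in the card's home currency, so a request in a different currency is never measured against it. The natural place for a bank to close that gap is its own authorisation host, which sees every request regardless of what the card decided. The following is an added example (not code from the Newcastle researchers, from Visa, or from any real issuer) of an issuer-side rule set that converts each request into the home currency before applying the £20 ceiling, and then applies a velocity check so that a burst of small no-PIN approvals is refused rather than waved through. The exchange rates, the cumulative and count caps, the window, and the card token `tok-1234` are all constructed for the example; the £20 figure is the one quoted in the article.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Constructed exchange rates into the card's home currency (GBP). A real
# issuer would use its own live rate table; these values are illustrative.
RATES_TO_HOME = {
    "GBP": Decimal("1"),
    "EUR": Decimal("0.80"),
    "USD": Decimal("0.62"),
}
HOME_CURRENCY = "GBP"

# Policy constants. The £20 no-PIN ceiling is the one quoted in the article;
# the cumulative cap, count cap and window are hypothetical issuer settings.
NO_CVM_LIMIT = Decimal("20.00")
NO_CVM_CUMULATIVE_CAP = Decimal("60.00")
NO_CVM_MAX_COUNT = 5
WINDOW_SECONDS = 600


@dataclass(frozen=True)
class Txn:
    card: str        # constructed card token, not a real card number
    ts: int          # seconds since an arbitrary epoch
    amount: Decimal  # in the currency the terminal presented
    currency: str    # ISO 4217 alphabetic code as sent by the terminal
    cvm: bool        # True if the cardholder was verified (PIN etc.)


def to_home(amount, currency):
    """Convert a terminal amount into the home currency, or None if unknown."""
    rate = RATES_TO_HOME.get(currency)
    if rate is None:
        return None
    return (Decimal(amount) * rate).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


class Issuer:
    """Host-side authorisation that never trusts the card's own limit check."""

    def __init__(self):
        # Per-card list of (timestamp, home-currency amount) for approved
        # transactions that had no cardholder verification.
        self._no_cvm = defaultdict(list)

    def _recent_no_cvm(self, card, now):
        return [(t, a) for t, a in self._no_cvm[card] if now - t <= WINDOW_SECONDS]

    def authorise(self, txn):
        """Return (approved, reason) for one authorisation request."""
        home = to_home(txn.amount, txn.currency)
        if home is None:
            return False, "unknown currency"
        if txn.cvm:
            return True, "cardholder verified"
        # Rule 1: the no-CVM ceiling is applied in the home currency,
        # whatever currency the terminal asked for.
        if home > NO_CVM_LIMIT:
            return False, "no-CVM ceiling exceeded after conversion"
        # Rule 2: velocity. Many small no-CVM approvals in a short window
        # are exactly the pattern the researchers expect criminals to use.
        recent = self._recent_no_cvm(txn.card, txn.ts)
        if len(recent) + 1 > NO_CVM_MAX_COUNT:
            return False, "too many no-CVM transactions; PIN required"
        if sum(a for _, a in recent) + home > NO_CVM_CUMULATIVE_CAP:
            return False, "cumulative no-CVM spend exceeded; PIN required"
        self._no_cvm[txn.card].append((txn.ts, home))
        if txn.currency != HOME_CURRENCY:
            return True, "approved; foreign-currency no-CVM flagged for review"
        return True, "approved"


# Constructed sample feed: a UK-issued card sees a burst of EUR/USD
# contactless requests with no PIN, the pattern described in the article.
SAMPLE_FEED = [
    Txn("tok-1234", 0, Decimal("15.00"), "GBP", False),
    Txn("tok-1234", 10, Decimal("999.00"), "USD", False),
    Txn("tok-1234", 20, Decimal("19.00"), "EUR", False),
    Txn("tok-1234", 30, Decimal("19.00"), "EUR", False),
    Txn("tok-1234", 40, Decimal("19.00"), "EUR", False),
    Txn("tok-1234", 50, Decimal("5.00"), "GBP", True),
    Txn("tok-1234", 60, Decimal("10.00"), "XYZ", False),
]


def run_feed(feed=SAMPLE_FEED):
    """Authorise a feed in order with a fresh issuer; returns the decisions."""
    issuer = Issuer()
    return [issuer.authorise(t) for t in feed]


if __name__ == "__main__":
    for txn, (ok, why) in zip(SAMPLE_FEED, run_feed()):
        verdict = "APPROVE" if ok else "DECLINE"
        print(f"{txn.ts:>3}s {txn.amount:>8} {txn.currency} cvm={txn.cvm!s:5} -> {verdict}: {why}")
```

Running the sample feed, the 999 USD request is declined because it converts to 619.38 GBP, far above the ceiling that the card itself would not have checked, and the third 19 EUR request in the same window is declined because the cumulative no-PIN spend would pass the cap. Both rules live entirely on the issuer host, so they work even though, as Emms notes, nothing at the point of transaction raises suspicion.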