Banks and retailers are heading toward a 2015 deadline to replace magnetic-stripe credit and debit cards with the more secure cards that come embedded with a microchip. Security researchers have announced a critical flaw in the card system.
According to researchers at Newcastle University in the UK, the contactless function in the card system developed by VISA for use in the United Kingdom fails to recognize transactions made in non-UK foreign currencies and can therefore be tricked into approving any transaction up to 999,999.99.
“All a criminal would need to do is set up somewhere like an airport or the London Underground where the use of different currencies would appear legitimate.”
Because the cards allow for contactless transactions, where consumers only need to hold the card near a reader without swiping it, a thief carrying a card reader designed to read a card that’s stored in a wallet or purse could conduct fraudulent transactions without the victim ever removing their card.
Since the transaction is done offline without going through a retailer’s point-of-sale system, no other security checks are done.
WIRED reported: “With just a mobile phone we created a POS terminal that could read a card through a wallet,” Martin Emms, lead researcher of the project that uncovered the flaw, noted in a statement about the findings. “All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction.”
In tests the researchers conducted, transactions took less than a second to be approved.
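The currency gap described above can be shown as a simplified model of the card's offline decision, next to a fail-closed version and an issuer-side review filter. This is an added example, not code from the researchers or from VISA; the field names, the decision labels, the 20.00 limit and the sample requests are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumptions for this model (not stated in the article):
HOME_CURRENCY = 826                 # ISO 4217 numeric code for GBP
OFFLINE_LIMIT = Decimal("20.00")    # assumed contactless limit per transaction

@dataclass(frozen=True)
class Request:
    amount: Decimal     # amount the terminal asks the card to authorise
    currency: int       # ISO 4217 numeric currency code sent by the terminal

def flawed_decision(req: Request) -> str:
    """Behaviour the article describes: the limit is only applied
    when the request is in the home currency."""
    if req.currency == HOME_CURRENCY and req.amount > OFFLINE_LIMIT:
        return "REQUIRE_ONLINE"
    return "APPROVE_OFFLINE"        # foreign amounts are never compared

def hardened_decision(req: Request) -> str:
    """Fail closed: an amount the card cannot compare with its limit
    must not be approved offline."""
    if req.currency != HOME_CURRENCY or req.amount > OFFLINE_LIMIT:
        return "REQUIRE_ONLINE"
    return "APPROVE_OFFLINE"

def flag_for_review(requests, decide):
    """Issuer-side check: offline approvals made in a non-home currency."""
    return [r for r in requests
            if decide(r) == "APPROVE_OFFLINE" and r.currency != HOME_CURRENCY]

# Constructed sample requests (840 = USD, 978 = EUR).
SAMPLES = [
    Request(Decimal("4.50"), 826),
    Request(Decimal("35.00"), 826),
    Request(Decimal("999999.99"), 840),
    Request(Decimal("12.00"), 978),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.amount, r.currency, flawed_decision(r), hardened_decision(r))
```

With the flawed logic both foreign-currency samples are approved offline and show up in the review list; with the hardened logic the list is empty because neither is approved without going online.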