Researchers have highlighted a serious security vulnerability that enables Visa card fraud. The contactless Visa card vulnerability allows attackers to bypass the payment limit checks, and it can be exploited through a man-in-the-middle attack to conduct large-scale fraud.
Contactless Visa Card Vulnerability
Two researchers from Positive Technologies discovered a serious contactless Visa card vulnerability. Exploiting it allows attackers to conduct fraudulent transactions while also bypassing the verification limits.
As elaborated in a blog post, the two researchers, Leigh-Anne Galloway and Tim Yunusov, tested the attack across five UK banks. In all cases, the researchers could reproduce the exploit and bypass the £30 limit with a 100% success rate. They could also demonstrate that the attack succeeds outside the UK.
The researchers demonstrated the attack using a device that intercepted the link between the payment terminal and the card. This man-in-the-middle position is what allows the verification limit to be bypassed.
Explaining how the attack works, the blog reads,
First, the device tells the card that verification is not necessary, even though the amount is greater than £30. The device then tells the terminal that verification has already been made by another means. This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification.
The attack can also affect mobile payment systems using Visa Cards.
The attack can also be carried out against mobile wallets such as GPay when a Visa card has been added to the wallet. In that case, it is even possible to fraudulently charge up to £30 without unlocking the phone.
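The blog's explanation above comes down to a consistency problem: the card is told that no verification is needed, while the terminal is told that verification already happened, and nothing on the issuer or acquirer side is required to check that the two claims fit the amount. The following is an added illustration, not code from the researchers or from any payment scheme, of the kind of issuer-side authorisation rule that would catch such a transaction. The request fields, the credential types and the decision logic are this example's own simplified model (assumptions), not EMV or Visa message formats; the £30 limit is the figure cited in the article.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Contactless limit quoted in the article (GBP). Above it, a cardholder
# verification method (CVM) is expected before approval.
CONTACTLESS_CVM_LIMIT_GBP = 30.00


@dataclass(frozen=True)
class ContactlessAuthRequest:
    """Hypothetical, simplified view of a contactless authorisation as an issuer sees it.

    Field names are this example's own abstraction, not EMV/Visa data elements.
    """
    txn_id: str
    amount_gbp: float
    credential_type: str          # "card" (plastic) or "device_token" (mobile wallet)
    terminal_cvm_required: bool   # terminal's view: was a CVM required for this amount?
    cvm_claimed: Optional[str]    # "online_pin", "cdcvm" (device unlock) or None
    online_pin_verified: bool     # result of the issuer's own PIN check, if any


def authorize(req: ContactlessAuthRequest) -> Tuple[bool, str]:
    """Approve only when the verification story is internally consistent and corroborated.

    Returns (approved, reason). The issuer applies its own limit rather than trusting
    the terminal's or the card's claim about whether verification was needed.
    """
    if req.amount_gbp <= CONTACTLESS_CVM_LIMIT_GBP:
        return True, "under limit: no CVM required"

    # Over the limit: a terminal reporting that no verification was required
    # contradicts the issuer's own rule for this amount.
    if not req.terminal_cvm_required:
        return False, "over limit but terminal reported no verification required"

    if req.cvm_claimed == "online_pin":
        # Online PIN is something the issuer verified itself, so it can be trusted.
        if req.online_pin_verified:
            return True, "online PIN verified by issuer"
        return False, "online PIN claimed but not verified"

    if req.cvm_claimed == "cdcvm":
        # A device-unlock CVM only makes sense for a credential living on a
        # consumer device. A plastic card cannot have performed one.
        if req.credential_type == "device_token":
            return True, "CDCVM on a device token"
        return False, "plastic card claims device verification"

    return False, "over limit with no verification claim"


def declined(batch: List[ContactlessAuthRequest]) -> List[Tuple[str, str]]:
    """Run the rule over a batch and return (txn_id, reason) for every decline."""
    out = []
    for req in batch:
        ok, reason = authorize(req)
        if not ok:
            out.append((req.txn_id, reason))
    return out


# Constructed sample traffic (not real transaction data).
SAMPLE_BATCH = [
    # Ordinary tap under the limit.
    ContactlessAuthRequest("t1", 12.50, "card", False, None, False),
    # Legitimate high-value tap with online PIN checked by the issuer.
    ContactlessAuthRequest("t2", 80.00, "card", True, "online_pin", True),
    # Mobile wallet payment where the phone was unlocked.
    ContactlessAuthRequest("t3", 65.00, "device_token", True, "cdcvm", False),
    # Shape of the attack described above: plastic card, over the limit,
    # terminal told that verification was done "by another means".
    ContactlessAuthRequest("t4", 95.00, "card", True, "cdcvm", False),
    # Over the limit while the terminal thinks no verification was needed.
    ContactlessAuthRequest("t5", 45.00, "card", False, None, False),
]

if __name__ == "__main__":
    for txn_id, reason in declined(SAMPLE_BATCH):
        print(f"DECLINE {txn_id}: {reason}")
```

The rule deliberately trusts only evidence the issuer produced or can tie to the credential type (its own PIN check, or a device verification on a credential it issued to a device); a bare "verification was performed" flag arriving from the terminal side is not enough on its own to approve an amount above the limit.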
Dangers Associated With The Flaw
The researchers fear that such attacks could lead to massive fraud causing damage to customers and banks. According to Tim Yunusov,
While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers.
Leigh-Anne Galloway, meanwhile, believes that customers and banks should adopt measures to secure contactless cards, focused on making the cards harder to crack.
It falls to the customer and the bank to protect themselves. While some terminals have random checks, these have to be programmed by the merchant, so it is entirely down to their discretion… Issuers need to be better at enforcing their own rules on contactless and increasing the industry standard.
The researchers advise users to monitor their bank accounts vigilantly so that any fraudulent transactions are detected. They should also make use of verification measures and alerts to keep an eye on their account activity.