A group of researchers at Newcastle University in the UK has discovered a flaw in contactless Visa cards that could be exploited by cyber criminals to steal up to $1M per card without knowing its PIN. Contactless credit cards have been widely adopted in response to the several data breaches that exposed millions of credit card records worldwide. In the US, the number of magnetic-stripe payment card fraud incidents has exploded because of the numerous attacks on giant national retailers such as Target and Home Depot.
The cards, issued to improve cardholder security, rely on a microchip to secure operations and can be used for contactless transactions. In the UK, Visa has issued contactless payment cards that allow transactions to be made without inserting the card and entering its PIN; to limit abuse, the EMV system caps this type of operation at £20, the equivalent of $32.
The PIN is required to authorize larger amounts, but the researchers discovered that the new Visa cards do not apply this limit to transactions denominated in a foreign currency: a contactless transaction for any sum up to 999,999.99 in any foreign currency is approved without a PIN.
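To make the defect concrete from the issuer's side, the following Python is an added example (not Visa's, EMV's or the researchers' code) that models the offline limit check the article describes. The `Transaction` shape, the function names, and the indicative exchange rates in `FX_TO_GBP` are all constructed for illustration; only the £20 limit and the 999,999.99 ceiling come from the article. It contrasts the flawed rule (the limit is only compared when the amount is in the card's own currency) with a hardened rule that values every amount in the card currency before comparing and falls back to cardholder verification when it cannot, and shows how the same rule serves as a batch detection check over already-approved PIN-less transactions.

```python
"""Constructed model of a contactless no-PIN limit check (added example).

The article states that UK contactless cards cap PIN-less transactions at
GBP 20 but approve foreign-currency amounts up to 999,999.99 without a PIN.
The functions below model that defect and a corrected issuer-side rule.
"""
from dataclasses import dataclass
from decimal import Decimal

# Assumed card parameters: domestic currency and the no-PIN limit from the article.
CARD_CURRENCY = "GBP"
CONTACTLESS_LIMIT = Decimal("20.00")

# Constructed indicative rates used to value foreign amounts in the card currency.
FX_TO_GBP = {
    "GBP": Decimal("1"),
    "USD": Decimal("0.625"),
    "EUR": Decimal("0.80"),
}


@dataclass(frozen=True)
class Transaction:
    amount: Decimal      # amount in the terminal's currency
    currency: str        # ISO 4217 code as sent by the terminal, e.g. "GBP"
    pin_verified: bool   # True if the cardholder entered a PIN (online auth)


def flawed_approve(tx: Transaction) -> bool:
    """Models the behaviour the researchers describe: the limit is only
    compared when the amount is in the card's own currency; any other
    currency is approved outright, whatever the amount."""
    if tx.currency != CARD_CURRENCY:
        return True  # foreign currency: the limit is never consulted
    return tx.amount <= CONTACTLESS_LIMIT or tx.pin_verified


def hardened_approve(tx: Transaction) -> bool:
    """Corrected rule: value the amount in the card currency before comparing.
    An unknown currency cannot be valued, so it requires cardholder
    verification instead of being waved through."""
    rate = FX_TO_GBP.get(tx.currency)
    if rate is None:
        return tx.pin_verified
    in_card_currency = (tx.amount * rate).quantize(Decimal("0.01"))
    return in_card_currency <= CONTACTLESS_LIMIT or tx.pin_verified


def audit_offline_approvals(transactions):
    """Issuer-side detection over a batch of approved, PIN-less transactions:
    returns those whose value in the card currency exceeds the limit, i.e.
    the ones the flawed rule should never have approved."""
    return [tx for tx in transactions
            if not tx.pin_verified and not hardened_approve(tx)]


# Constructed sample batch of transactions the flawed card already approved.
SAMPLE_BATCH = [
    Transaction(Decimal("4.50"), "GBP", False),        # small domestic purchase
    Transaction(Decimal("999999.99"), "USD", False),   # the article's worst case
    Transaction(Decimal("12.00"), "EUR", False),       # GBP 9.60, within limit
    Transaction(Decimal("45.00"), "EUR", True),        # above limit but PIN verified
    Transaction(Decimal("30.00"), "USD", False),       # GBP 18.75, within limit
    Transaction(Decimal("40.00"), "USD", False),       # GBP 25.00, over the limit
]


if __name__ == "__main__":
    for tx in SAMPLE_BATCH:
        print(f"{tx.currency} {tx.amount:>12}  pin={tx.pin_verified!s:5}  "
              f"flawed={flawed_approve(tx)!s:5}  hardened={hardened_approve(tx)}")
    flagged = audit_offline_approvals(SAMPLE_BATCH)
    print(f"{len(flagged)} PIN-less approval(s) exceed the limit once valued in GBP")
```

Every transaction in the sample batch is approved by `flawed_approve`, while `hardened_approve` rejects only the two USD amounts that exceed £20 once converted; the same predicate, run as `audit_offline_approvals` over an issuer's approved-transaction feed, is the post-hoc detection the financial services companies quoted below are relying on.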
The attack scenario is quite simple: the threat actor could set up a rogue point-of-sale (PoS) terminal on ATMs and even on mobile phones. The researchers are presenting the findings of their study today at the ACM Computer and Communications Security (CCS) conference in Scottsdale, Arizona.
“With just a mobile phone we created a PoS terminal that could read a card through a wallet,” explained Martin Emms, the project leader. “All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved.”
Visa immediately started an investigation; in any case, several financial services companies have argued that the fraudulent transactions on contactless Visa cards hypothesized by the researchers would be easy to detect in the real world.
“For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment,” Visa told SecurityWeek in an email. “We spend €100m a year to beat fraud, and continue to bolster the safeguards in the payment system, which is why fraud rates stand at less than 5p in every hundred pounds. We are confident that our contactless system remains a safe, convenient way to pay.”

“We are updating the safeguards in the payment system to require more transactions to come online for authentication, making it even more difficult to make this kind of fraudulent attack,” Visa explained.
The researchers explained that they have not tested the procedure in a real-world scenario, and it is plausible that security mechanisms already in place could prevent frauds exploiting the flaw in contactless Visa cards.
“Our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the systems. It is not clear from reading the payment protocol how banks would deal with the inconsistencies we have found through our research, hence we believe the vulnerability poses a very real, potential threat,” commented Professor Aad van Moorsel, Head of the School of Computing Science at Newcastle University.
“At the moment, the lowest hanging fruit with regard to payment card fraud is the magnetic stripe. With the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature. If we can find flaws in contactless payment, then they will be able to do that as well. That is the purpose of this research: to find the holes and fix them before they can be exploited.”
Security Affairs – (Contactless Visa Cards, banking)