Using an interception device, researchers trick cards, terminals and mobile wallets into making payments over the limit with no additional verification
Security researchers have discovered a means of bypassing the £30 limit on contactless payments using Visa cards, Positive Technologies said on Monday.
The attack was developed for UK contactless payment systems, but could also be made to work in other countries and on contactless mobile wallets such as GPay to which a Visa card has been added, the firm said.
Where mobile wallets are involved, the researchers were additionally able to make fraudulent payments of up to £30 without unlocking the mobile device.
Researchers Leigh-Anne Galloway and Timur Yunusov found the attack worked with Visa cards from all five major UK banks and with any terminal.
Man in the middle
The findings are a blow to the contactless payments industry, where fraudulent losses have been rising.
The attack involves manipulating two of the data fields exchanged between the card and the terminal during a payment, through the use of a device that acts as a proxy.
This man-in-the-middle (MITM) attack was able to bypass checks built into both cards and terminals, Positive said.
The device tells the card that verification is not necessary even though the amount is greater than £30, and tells the terminal that verification has already been made by another means.
“This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification,” Positive stated.
UK Finance figures show that fraud on contactless cards and devices rose from £6.7 million in 2016 to £14 million in 2017, with £8.4 million lost in the first half of 2018.
Yunusov, who is head of banking security for Positive, said contactless fraud is likely to grow as criminals focus on the new technology.
“The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing,” he said.
“While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers.”
Galloway, Positive’s head of cyber security resilience, said banks and customers should not rely on Visa but should implement their own security measures.
Customers can add payment verification limits and SMS notifications if their banks offer them, she said.
“While some terminals have random checks, these have to be programmed by the merchant, so it is entirely down to their discretion,” said Galloway.
“Issuers need to be better at enforcing their own rules on contactless and increasing the industry standard. Criminals will always gravitate to the more convenient way to get money quickly, so we need to make it as difficult as possible to crack contactless.”
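The attack described above works because the card and the terminal are each told a different story about whether verification happened, and nothing on the issuer side checks that the two stories agree. The following is an added, hypothetical example, not code from Positive Technologies, Visa or any bank: a simplified issuer-side authorisation rule that declines an over-limit contactless transaction unless verification was reported and the card's and terminal's accounts of it are consistent, and that also applies the customer-chosen limits and SMS alerts Galloway mentions. The message layout and field names (such as `terminal_says_cvm_performed`) are constructed for illustration and do not correspond to a real scheme message format.

```python
from dataclasses import dataclass
from typing import List, Optional

# UK contactless no-verification limit stated in the article, in pence
CONTACTLESS_NO_CVM_LIMIT_PENCE = 30_00


@dataclass
class AuthRequest:
    """One contactless authorisation as the issuer sees it (constructed layout, not a real format)."""
    card_id: str
    amount_pence: int
    contactless: bool
    # What the terminal asserts about cardholder verification. In the attack in the
    # article the terminal is told verification was already done by another means.
    terminal_says_cvm_performed: bool
    # Whether the card's own response shows it was asked to require verification.
    # In the attack the card is told that verification is not necessary.
    card_was_told_cvm_required: bool
    # Method the terminal reports; "none" when no verification was performed.
    cvm_method: str = "none"


@dataclass
class CustomerProfile:
    """Opt-in controls the article says customers can add if their bank offers them."""
    contactless_limit_pence: Optional[int] = None
    sms_alerts: bool = False


@dataclass
class Decision:
    approved: bool
    reason: str
    notify_customer: bool = False


def authorise(req: AuthRequest, profile: CustomerProfile) -> Decision:
    """Issuer rule: above the limit, verification must be reported and both sides must agree."""
    if not req.contactless:
        return Decision(True, "not contactless; outside this rule set")

    # The customer's own limit, if set, can only tighten the scheme limit.
    limit = CONTACTLESS_NO_CVM_LIMIT_PENCE
    if profile.contactless_limit_pence is not None:
        limit = min(limit, profile.contactless_limit_pence)

    if req.amount_pence <= limit:
        return Decision(True, "within contactless limit", notify_customer=profile.sms_alerts)

    # Over the limit: refuse unless the terminal reports a real verification method ...
    if req.cvm_method == "none" or not req.terminal_says_cvm_performed:
        return Decision(False, "over limit, no cardholder verification reported", True)

    # ... and the card's response agrees that verification was required. A terminal
    # claiming verification while the card was told none was needed is exactly the
    # inconsistency a proxy between card and terminal produces.
    if not req.card_was_told_cvm_required:
        return Decision(False, "over limit, terminal and card disagree about verification", True)

    return Decision(True, "over limit, verification consistent", notify_customer=profile.sms_alerts)


def run_sample() -> List[Decision]:
    """Run the rules over constructed requests: normal, proxied, genuine, and customer-limited."""
    default = CustomerProfile()
    cautious = CustomerProfile(contactless_limit_pence=10_00, sms_alerts=True)
    requests = [
        # 1. Ordinary £25 tap: allowed without verification.
        (AuthRequest("card-A", 25_00, True, False, False), default),
        # 2. £75 tap where the card was told no verification was needed but the
        #    terminal claims it happened: the pattern the article describes.
        (AuthRequest("card-A", 75_00, True, True, False, "device_cdcvm"), default),
        # 3. £75 tap with genuine verification: card and terminal agree.
        (AuthRequest("card-B", 75_00, True, True, True, "online_pin"), default),
        # 4. £25 tap against a customer who set a £10 limit with SMS alerts.
        (AuthRequest("card-C", 25_00, True, False, False), cautious),
    ]
    return [authorise(r, p) for r, p in requests]


if __name__ == "__main__":
    for d in run_sample():
        print("APPROVED" if d.approved else "DECLINED", "-", d.reason)
```

The point of the consistency check is that the issuer does not have to trust either side's flag on its own: the proxied transaction is declined not because verification is missing from the terminal's message, but because the card's response shows it was never asked for it.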
Visa said it does not consider the issue to be a problem, because the attack requires thieves to physically obtain a card and for the theft not to have been reported to the issuer.
“Likewise, the transaction must pass issuer validations and detection protocols,” Visa told Forbes. “It is not a scalable fraud approach that we typically see criminals employ in the real world.”
The company said it is not planning to update its systems to deal with the attack.
However, Galloway said the card would not necessarily have to be stolen, as the attacker only needs to get close to the card for long enough to take a payment.
Neither UK Finance nor Visa said they were aware of a case of fraud to date in which the card had not been stolen.