'Flaw' in Visa contactless cards could help criminals steal thousands

Sarah Coles

A flaw in Visa contactless cards means that they could allow thieves to take an 'unlimited' amount of cash from them in a single transaction, according to researchers at Newcastle University.

Contactless cards answer any NFC reader brought within a few centimetres of them, including one held against a pocket or a bag, so they have always been exposed both to thieves and to accidental charges at a till. The main safeguard is the £20 cap on a single contactless transaction made without a PIN.

Vulnerable

However, the researchers told a conference in Arizona that this cap can be bypassed by changing the currency in which the terminal requests payment. The card applies the £20 check to transactions denominated in pounds; when the terminal asks for euros or dollars instead, the amount is never compared against the limit, and the card will approve up to 999,999.99 of the chosen currency in a single tap.

Criminals can set up a rogue terminal, either as software on a mobile phone or as a device like those fixed illegally to ATMs. They pre-set the sum they want to take, choose a foreign currency, and touch the device against the victim's card. The card approves the transaction and returns a one-time cryptographic authorisation code (a cryptogram), all in under a second. The criminal would later submit that cryptogram to the bank, as a legitimate merchant does after an offline transaction, to have the money released.
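The following Python model makes the mechanism above concrete. It is an added illustration, not code from the Newcastle University paper or from any card issuer: the card-side decision logic is an assumption that reproduces the behaviour the article reports (the £20 limit is compared only when the transaction currency is sterling), and the limit table and exchange rates are constructed sample data. The EMV tag numbers and BCD encodings used for the amount (9F02) and currency code (5F2A) are real. The hardened card check and the issuer-side check are the two places where such a mismatch can be caught.

```python
"""Model of the contactless no-CVM limit check described in the article.

Added illustration, not the Newcastle paper's code or any real card applet.
Assumed vulnerable behaviour: the GBP 20 limit is only compared when the
transaction currency is sterling, so a terminal presenting another ISO 4217
code is never checked against it. Tag 9F02 (Amount, Authorised) and tag 5F2A
(Transaction Currency Code) and their BCD formats are real EMV; the sample
exchange rates below are constructed data for the issuer-side check.
"""

from typing import Callable, Dict

GBP, EUR, USD = 826, 978, 840          # ISO 4217 numeric currency codes
NO_CVM_LIMIT_PENCE = 20_00             # the GBP 20.00 contactless limit, in pence

# Constructed sample rates: pence per minor unit of each currency. A real
# issuer would take these from its own rate feed.
SAMPLE_RATE_TO_PENCE = {GBP: 1.0, EUR: 0.80, USD: 0.60}


def encode_amount_9f02(minor_units: int) -> bytes:
    """Tag 9F02 is format n12: six BCD bytes with two implied decimal places."""
    if not 0 <= minor_units <= 999_999_999_999:
        raise ValueError("amount does not fit in n12")
    return bytes.fromhex(f"{minor_units:012d}")


def encode_currency_5f2a(iso4217: int) -> bytes:
    """Tag 5F2A is format n3: the numeric ISO 4217 code, zero-padded into two BCD bytes."""
    if not 0 <= iso4217 <= 999:
        raise ValueError("not a 3-digit ISO 4217 code")
    return bytes.fromhex(f"{iso4217:04d}")


def decode_bcd(value: bytes) -> int:
    """Inverse of the two encoders: the hex digits of BCD are the decimal digits."""
    return int(value.hex())


def terminal_pdol_data(minor_units: int, currency: int) -> Dict[int, bytes]:
    """Fields a (possibly rogue) terminal hands the card in GET PROCESSING OPTIONS."""
    return {0x9F02: encode_amount_9f02(minor_units), 0x5F2A: encode_currency_5f2a(currency)}


def flawed_card_requires_cvm(pdol: Dict[int, bytes]) -> bool:
    """Assumed vulnerable logic: only a sterling amount is ever compared with the limit."""
    amount = decode_bcd(pdol[0x9F02])
    currency = decode_bcd(pdol[0x5F2A])
    if currency == GBP:
        return amount > NO_CVM_LIMIT_PENCE
    return False                        # no limit configured for this currency: approve as-is


def hardened_card_requires_cvm(pdol: Dict[int, bytes]) -> bool:
    """Fail-closed variant: any currency without a configured limit demands cardholder verification."""
    amount = decode_bcd(pdol[0x9F02])
    currency = decode_bcd(pdol[0x5F2A])
    if currency != GBP:
        return True
    return amount > NO_CVM_LIMIT_PENCE


def tap(card_logic: Callable[[Dict[int, bytes]], bool], minor_units: int, currency: int) -> str:
    """Outcome of one tap: the card either hands over a cryptogram with no CVM or insists on one."""
    if card_logic(terminal_pdol_data(minor_units, currency)):
        return "cvm_required"
    return "cryptogram_no_cvm"


def issuer_accepts_no_cvm(minor_units: int, currency: int,
                          rates: Dict[int, float] = SAMPLE_RATE_TO_PENCE) -> bool:
    """Back-end check: value the amount in pence before comparing it with the limit, and
    refuse a no-CVM contactless payment in any currency the issuer cannot value."""
    if currency not in rates:
        return False
    return minor_units * rates[currency] <= NO_CVM_LIMIT_PENCE


if __name__ == "__main__":
    for label, logic in (("flawed", flawed_card_requires_cvm), ("hardened", hardened_card_requires_cvm)):
        print(label, "GBP 15.00       ->", tap(logic, 15_00, GBP))
        print(label, "GBP 25.00       ->", tap(logic, 25_00, GBP))
        print(label, "EUR 999,999.99  ->", tap(logic, 99_999_999, EUR))
    print("issuer accepts EUR 999,999.99 with no CVM?", issuer_accepts_no_cvm(99_999_999, EUR))
```

Run as a script, the flawed card releases a cryptogram for EUR 999,999.99 while refusing GBP 25.00, which is the inconsistency the researchers describe; the hardened card and the issuer-side check both refuse the euro transaction.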

"With just a mobile phone we created a POS terminal that could read a card through a wallet," explains Martin Emms, lead researcher on the project. "All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved."

He added: "The fact that we can bypass the £20 limit makes this new hack potentially very scalable and lucrative. All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate."

Should you worry?

The researchers did not test the back end of the system: their experiments stopped at the point where the card hands over its cryptogram, and they did not submit those cryptograms to a bank. Banks run fraud and authorisation checks of their own, so even though the card and the terminal agree to a six-figure foreign-currency payment with no PIN, the transaction is likely to be refused or flagged when it reaches the issuer, and the money would not actually move.

So this is not an immediate threat to your card; the risk is that criminals find a way to get such transactions past the banks' checks. Emms says: "Our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system. It is not clear from reading the payment protocol how banks would deal with the inconsistencies we have found through our research, hence we believe the vulnerability poses a potential threat."

Professor Aad van Moorsel, Head of the School of Computing Science at Newcastle University and one of the authors on the paper, added: "At the moment, the lowest hanging fruit with regard to payment card fraud is the magnetic stripe. With the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature."

By identifying and reporting the flaw, the researchers have given the card schemes and the banks a chance to close it before thieves work out how to take advantage of it. As van Moorsel says: "That is the purpose of our research: to find the holes and fix them before they can be exploited."

Fraud and scams on AOL Money