Contactless Visa credit and debit cards open to £1m theft flaw

Flaw in contactless payment cards leaves users wide open to thefts of up to £1m

Contactless Visa credit and debit cards have a built-in flaw that thieves can use to steal £999,999.99, €999,999.99 or $999,999.99 - provided that they do it in a foreign currency.

The flaw was found by security researchers at Newcastle University and demonstrated in a proof of concept. Furthermore, attackers could potentially remove funds from people's accounts using rogue mobile terminals that can make contact with cards through their bags without the victims even knowing that money is being lifted from their accounts.

The attacks side-step the £20 limit imposed on contactless card technology and can be carried out offline. "Although the current system requires the credit card to authenticate itself, there is currently no requirement for the POS (point-of -ale) terminal to do the same," claims the team.

This assumption that POS terminals are all legitimate lies at the heart of the flaw. "With just a mobile phone we created a POS terminal that could read a card through a wallet," said Martin Emms, lead researcher on the project at Newcastle University's Centre for Cybercrime and Computer Security.

He continued: "All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved.

"We have not yet tested the back end of the system, and we appreciate that banks will have a number of security systems in place to prevent fraud. Nevertheless, our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system.

"It is not clear from reading the payment protocol how banks would deal with the inconsistencies we have found through our research, hence we believe the vulnerability poses a potential threat. [And] the fact that we can by-pass the £20 limit makes this new hack potentially very scalable and lucrative. All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate," said Emms.

Once a ‘rogue POS terminal' has been set up - either on a mobile phone or a system similar to those placed illegally on cash machines - the criminal inputs the amount they want to transfer.

The rogue terminal is then touched against the card, the transaction is approved and a code is supplied by the card - all in less than a second. This code is then sent back to the bank to free up the funds.

"This lends itself to multiple attackers across the world collecting small transactions of perhaps €200 at a time for a central rogue merchant who could be located anywhere in the world," said Emms. "This previously undocumented flaw around foreign currency, combined with the lack of POS terminal authentication and the ease of skimming contactless credit cards, makes the system more vulnerable to high-value attacks."

Professor Aad van Moorsel, Head of the School of Computing Science at Newcastle University and one of the authors on the paper, added: "At the moment, the lowest-hanging fruit with regard to payment card fraud is the magnetic stripe.

"With the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature. If we can find flaws in contactless payment, then they will be able to do that as well. That is the purpose of our research: to find the holes and fix them before they can be exploited."

The team at Newcastle University demonstrated their research at the Association for Computing Machinery Conference in Scottsdale, Arizona today.

However, Visa Europe, which developed the system, claimed that the theoretical attack demonstrated by Newcastle University would not work in the real world.

In a statement, the organisation told the Daily Mail: "We have reviewed Newcastle's findings as part of our continued focus on security and beating payments fraud. The research does not take into account the multiple safeguards put into place throughout the Visa system, each of which must be met in order to make a transaction possible in the real world.

"For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment."

Nevertheless, Visa Europe added that it will be "Updating the safeguards in the payment system' to require more transactions to come online for authentication, which would make this kind of attack more difficult" - a statement that perhaps belies its claim that there are "multiple safeguards" in place to prevent the kind of attack demonstrated by the University.