Hackers can bypass verification limits on Visa cards

Researchers have described the findings as "significant" and called on banks to improve contactless payment card security

Hackers are able to bypass the £30 spending limit on Visa contactless cards by leveraging a series of security flaws.

That's according to security researchers at Positive Technologies, who claim that the flaws allow cyber criminals to compromise verification limits in 100 percent of tested cases and to steal from accounts.

When testing the attack with five major UK banks, Leigh-Anne Galloway and Tim Yunusov were not only able to bypass the verification limit "irrespective of the card terminal" but found that the attack is also possible with foreign cards and terminals.

Positive Technologies called these findings significant, noting that "contactless payment verification limits are used to safeguard against fraudulent losses".

To bypass the £30 spending limit, attackers must manipulate the data fields exchanged between the card and terminal as a transaction is taking place.

"Predominantly in the UK, if payment needs an additional cardholder verification (which is required for payments over £30 in the UK), cards will answer 'I can't do that', which prevents making payments over this limit," explained the firm.

"Secondly, the terminal uses country specific settings, which demand that the card or mobile wallet provide additional verification of the cardholder, such as through the entry of the card PIN or fingerprint authentication on the phone."

The researchers found that cyber criminals can bypass these checks by using a device that "intercepts communication between the card and the payment terminal". They said it "acts as a proxy and is known to conduct man-in-the-middle (MITM) attacks".

Furthering the potential scope of attacks, hackers can also use mobile wallets such as GPay to take control of Visa cards and use them without even unlocking the phone.

The firm said that the discovery "highlights the importance of additional security from the issuing bank", adding that "issuers should have their own measures in place to detect and block this attack vector and other payment attacks".
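As an added, issuer-side illustration of the kind of check the firm is calling for (this is example code written for this article, not Positive Technologies' research code, and it models an authorisation message in a deliberately simplified way): the issuer enforces the local no-CVM ceiling itself instead of trusting that the card and terminal agreed on it, and it compares the cardholder-verification method the terminal claims with the one recorded in the card's own cryptogram-protected data. The £30 UK figure is from the article; the second jurisdiction, the field names, the CVM labels and the policy for unknown countries are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Contactless no-CVM ceiling per terminal country (ISO 3166 alpha-2), in local
# currency. Only the UK entry (£30) comes from the article; "XX" is a constructed
# placeholder jurisdiction used to show the table holds more than one limit.
NO_CVM_LIMIT: Dict[str, Tuple[float, str]] = {
    "GB": (30.00, "GBP"),
    "XX": (25.00, "EUR"),
}

# Cardholder verification methods as seen by the issuer host (assumed labels).
NO_CVM = "NONE"
ONLINE_PIN = "ONLINE_PIN"
CDCVM = "CDCVM"   # consumer-device CVM, e.g. fingerprint on the phone


@dataclass(frozen=True)
class ContactlessAuth:
    """One authorisation request as it reaches the issuer (simplified model)."""
    txn_id: str
    amount: float
    currency: str
    terminal_country: str
    terminal_reported_cvm: str  # CVM the terminal claims was performed
    card_attested_cvm: str      # CVM recorded in the card's own cryptogram-protected
                                # data (assumption: the issuer can read this field)


@dataclass(frozen=True)
class Decision:
    txn_id: str
    approved: bool
    reasons: Tuple[str, ...]


def evaluate(auth: ContactlessAuth) -> Decision:
    """Apply the issuer's own contactless rules; any reason means decline."""
    reasons: List[str] = []

    # Rule 1: enforce the local limit at the issuer, regardless of what the
    # card/terminal dialogue concluded during the tap.
    entry = NO_CVM_LIMIT.get(auth.terminal_country)
    if entry is None or entry[1] != auth.currency:
        # Policy choice (assumption): if the local ceiling cannot be determined,
        # require cardholder verification for any amount.
        if auth.card_attested_cvm == NO_CVM:
            reasons.append("no verification and local no-CVM limit unknown")
    else:
        ceiling, _ = entry
        if auth.amount > ceiling and auth.card_attested_cvm == NO_CVM:
            reasons.append(
                f"amount {auth.amount:.2f} {auth.currency} exceeds no-CVM limit "
                f"{ceiling:.2f} without cardholder verification"
            )

    # Rule 2: both sides of the tap should tell the same story. A proxy that
    # rewrites data between card and terminal can leave them disagreeing.
    if auth.terminal_reported_cvm != auth.card_attested_cvm:
        reasons.append(
            f"terminal reports {auth.terminal_reported_cvm} "
            f"but card attests {auth.card_attested_cvm}"
        )

    return Decision(auth.txn_id, approved=not reasons, reasons=tuple(reasons))


def evaluate_batch(auths: List[ContactlessAuth]) -> List[Decision]:
    return [evaluate(a) for a in auths]


# Constructed sample traffic, not real transactions.
SAMPLE_AUTHS = [
    ContactlessAuth("T1", 20.00, "GBP", "GB", NO_CVM, NO_CVM),      # ordinary low-value tap
    ContactlessAuth("T2", 50.00, "GBP", "GB", NO_CVM, NO_CVM),      # over limit, nobody verified
    ContactlessAuth("T3", 50.00, "GBP", "GB", ONLINE_PIN, NO_CVM),  # terminal claims PIN, card says none
    ContactlessAuth("T4", 50.00, "GBP", "GB", CDCVM, CDCVM),        # phone wallet, fingerprint done
    ContactlessAuth("T5", 45.00, "USD", "US", NO_CVM, NO_CVM),      # limit not configured, so verify
]

if __name__ == "__main__":
    for d in evaluate_batch(SAMPLE_AUTHS):
        print(d.txn_id, "APPROVE" if d.approved else "DECLINE", "; ".join(d.reasons))
```

Running the block approves T1 and T4 and declines the other three; T3 collects two reasons, because it is both over the limit without card-attested verification and inconsistent between terminal and card. The second rule is the one that matters for the attack the article describes: a limit check alone can be satisfied by a terminal that has been told verification happened, whereas a disagreement between what the terminal claims and what the card itself recorded is exactly the trace a rewriting proxy leaves behind.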

Tim Yunusov, head of banking security for Positive Technologies, said: "The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing.

"While it's a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers."

Leigh-Anne Galloway, head of cyber security resilience at Positive Technologies, added: "While some terminals have random checks, these have to be programmed by the merchant, so it is entirely down to their discretion.

"Because of this, we can expect to see contactless fraud continue to rise. Issuers need to be better at enforcing their own rules on contactless and improving the industry standard. Criminals will always gravitate to the more convenient way to get money quickly, so we need to make it as difficult as possible to crack contactless."

It's not the first time that researchers have uncovered security flaws in contactless payment technology.

Back in 2014, security researchers at Newcastle University demonstrated a proof of concept exploit that would enable thieves to steal £1 million from stolen contactless payment cards.