Major flaw discovered in Visa contactless cards


The £20 limit on Visa contactless cards can be bypassed by making transactions using foreign currencies, security experts from Newcastle University have found.

Normally a PIN needs to be entered to authenticate larger transactions, but researchers – and potential thieves – are able to bypass this security step and charge as much as the equivalent of £999,999.99 in dollars, euros or any other foreign currency.

The researchers found that it was possible to rig a mobile phone to act like a scanner, allowing them to trigger transfers of cash from a bank account just by passing the phone over a wallet or purse containing the card, the Daily Mail reported.

“With just a mobile phone we created a point-of-sale terminal that could read a card through a wallet,” lead researcher Martin Emms told the paper.

“By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction,” he added. “It took less than a second for the transaction to be approved.”

Emms said that his team had not tested how Visa’s systems would react to a rush in foreign currency transactions, and whether this would be flagged as possible fraud. The research, however, had identified a “real vulnerability” in the contactless card payment protocol, he said.

“All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate,” Emms added.

“We have reviewed Newcastle’s findings as part of our continued focus on security and beating payments fraud,” a spokesman for Visa Europe said.

“The research does not take into account the multiple safeguards put into place throughout the Visa system, each of which must be met in order to make a transaction possible in the real world. For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment.”
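As an added illustration (not code from the Newcastle researchers or from Visa), the Python sketch below contrasts an issuer-side rule that applies the £20 no-PIN ceiling only to sterling-denominated transactions with one that converts every amount to the card's home currency before checking it, and adds a simple velocity flag for a run of foreign-currency contactless approvals of the kind Emms said had not been tested. The exchange rates, the transaction fields and the function names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed exchange rates to GBP for the example (not real market data).
RATES_TO_GBP = {"GBP": Decimal("1"), "USD": Decimal("0.62"),
                "EUR": Decimal("0.80"), "JPY": Decimal("0.0058")}
# ISO 4217 minor-unit exponents: EMV amounts travel as integer minor units.
MINOR_EXPONENT = {"GBP": 2, "USD": 2, "EUR": 2, "JPY": 0}
NO_PIN_LIMIT_GBP = Decimal("20.00")  # the £20 contactless ceiling from the article


@dataclass
class Tx:
    amount_minor: int    # 1999 means 19.99 in a 2-exponent currency, 1999 yen for JPY
    currency: str        # ISO 4217 alphabetic code
    contactless: bool
    pin_verified: bool


def to_gbp(tx: Tx) -> Decimal:
    """Scale the integer minor-unit amount to major units, then convert to GBP."""
    major = Decimal(tx.amount_minor).scaleb(-MINOR_EXPONENT[tx.currency])
    return (major * RATES_TO_GBP[tx.currency]).quantize(Decimal("0.01"))


def flawed_check(tx: Tx) -> bool:
    """Weak rule: the ceiling is evaluated only when the amount is already in GBP,
    so any foreign-currency contactless amount is approved without a PIN."""
    if tx.currency != "GBP":
        return True
    return tx.pin_verified or not tx.contactless or tx.amount_minor <= 2000


def hardened_check(tx: Tx) -> bool:
    """Hardened rule: normalise to the card's home currency first, then apply
    the no-PIN ceiling to every contactless transaction regardless of currency."""
    if not tx.contactless or tx.pin_verified:
        return True
    return to_gbp(tx) <= NO_PIN_LIMIT_GBP


def foreign_no_pin_burst(txs, window: int = 3) -> bool:
    """Detection: flag a run of `window` or more consecutive foreign-currency
    contactless approvals on one card that were completed without a PIN."""
    run = 0
    for tx in txs:
        foreign_no_pin = tx.contactless and not tx.pin_verified and tx.currency != "GBP"
        run = run + 1 if foreign_no_pin else 0
        if run >= window:
            return True
    return False
```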
