New vulnerabilities give hackers the ability to bypass the payment limits on Visa contactless cards regardless of the card terminal, according to new research from Positive Technologies.
In a July 29 press release, Positive Technologies said that researchers tested the flaws several times with five major UK banks and with cards and terminals outside of the UK. They found that the limits could be bypassed 100% of the time and could allow an attacker to steal from accounts.
“The attack works by manipulating two data fields that are exchanged between the card and the terminal during a contactless payment. Predominantly in the UK, if payment needs an additional cardholder verification (which is required for payments over 30 pounds in the UK), cards will answer 'I can’t do that,' which prevents making payments over this limit. Secondly, the terminal uses country-specific settings, which demand that the card or mobile wallet provide additional verification of the cardholder, such as through the entry of the card PIN or fingerprint authentication on the phone,” the press release said.
The checks were bypassed with a device acting as a proxy that intercepts the communication between the payment terminal and the card, a man-in-the-middle (MITM) attack. The same MITM technique also works against mobile wallets, allowing a fraudster to charge up to £30 without unlocking the phone.
“The device tells the card that verification is not necessary, even though the amount is greater than £30. The device then tells the terminal that verification has already been made by another means. This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification,” according to the release.
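The release names the missing safeguard: an issuer- or acquirer-side check that declines an over-limit contactless payment unless the minimum cardholder verification was actually presented. The following is an added example of such a rule, not code from Positive Technologies or from any payment network. It uses a simplified model of the two manipulated fields (what the card was told about needing verification, and what the terminal reports was performed); the per-currency limits, field names and verification labels are assumptions, not real EMV encodings.

```python
from dataclasses import dataclass

# Constructed, simplified model; real EMV data elements are not reproduced here.
CVM_LIMITS = {"GBP": 30.00, "EUR": 50.00}      # assumed per-currency verification limits
STRONG_CVM = {"pin", "device_biometric"}       # verification methods the issuer will accept


@dataclass
class ContactlessAuth:
    amount: float
    currency: str
    card_cvm_required: bool    # what the card was told about needing extra verification
    terminal_cvm_result: str   # what the terminal reports: "none", "pin", "device_biometric", "other"


def check_minimum_verification(tx: ContactlessAuth) -> tuple[bool, str]:
    """Issuer-side rule: above the limit, only PIN or device verification counts,
    and the card's and terminal's view of the verification must agree."""
    limit = CVM_LIMITS.get(tx.currency)
    if limit is None:
        return False, "no verification limit configured for currency"
    if tx.amount <= limit:
        return True, "under limit; no cardholder verification required"
    if tx.terminal_cvm_result not in STRONG_CVM:
        # Covers the described MITM case: terminal told "already verified by other means"
        return False, (f"{tx.amount:.2f} {tx.currency} exceeds {limit:.2f} "
                       f"without PIN/device verification (got '{tx.terminal_cvm_result}')")
    if not tx.card_cvm_required:
        # Terminal claims strong verification, yet the card was told none was needed
        return False, "card and terminal disagree on whether verification was required"
    return True, "verification requirement met"


if __name__ == "__main__":
    # Constructed scenarios: a normal low-value tap, the described proxy manipulation,
    # and a legitimate over-limit PIN transaction.
    for tx in (ContactlessAuth(25.00, "GBP", False, "none"),
               ContactlessAuth(120.00, "GBP", False, "other"),
               ContactlessAuth(120.00, "GBP", True, "pin")):
        approved, reason = check_minimum_verification(tx)
        print("APPROVE" if approved else "DECLINE", "-", reason)
```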
"The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing," said Tim Yunusov, head of banking security for Positive Technologies. "While it’s a relatively new type of fraud and might not be the number-one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers."