
UK Visa Contactless Cards Flaw Could Be Used in Fraud

Lucian Ciolacu

November 04, 2014


Visa contactless payment cards can be manipulated into approving large transactions in other currencies, according to research at Newcastle University.

Because of a flaw in the payment protocol, no PIN is requested when the transaction is made in another currency.


“With the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature,” said Professor Aad van Moorsel, head of the School of Computing Science at Newcastle University. “If we can find flaws in contactless payment, then they will be able to do that as well. That is the purpose of our research: to find the holes and fix them before they can be exploited.”

The flaw in Visa’s systems allows approval of any foreign currency transaction of up to 999,999.99.

The scenario the researchers present relies on a POS terminal, which, unlike a credit card, never has to authenticate itself, and on transactions being made offline so that they avoid bank security checks.

Contactless credit cards are equipped with an RFID (radio-frequency identification) chip that can be read by a smartphone via NFC (Near Field Communication). This way, a criminal could set up a POS terminal on his phone and read contactless credit cards via NFC.

“In our tests, it took less than a second for the transaction to be approved,” said Martin Emms, lead researcher on this project.

Now the criminal can easily bump into other people in crowded places, swipe a phone in a coffee shop or just install a rogue POS on ATM machines.


Also, for the transactions to appear legitimate, a criminal could set up a rogue POS in an airport, hotel or other places frequented by travelers. The rogue POS can also be configured so that transaction amounts are pre-set.

This flaw could potentially open the doors for criminals who constantly seek new methods for fraud.

“The fact that we can by-pass the £20 limit makes this new hack potentially very scalable and lucrative,” Emms concluded.

The study, entitled “Harvesting high value foreign currency transactions from EMV contactless credit cards without the PIN,” will be presented on November 5th at the CCS 2014 academic conference in Arizona.
