Visa vulnerability bypasses contactless limits

Flaws have been discovered that allow hackers to bypass the payment limits on Visa contactless cards.

Positive Technologies tested the attack with five major UK banks, successfully bypassing the UK contactless verification limit of £30 on all tested Visa cards, irrespective of the card terminal.

Researchers Leigh-Anne Galloway and Timur Yunusov also found that this attack is possible with cards and terminals outside of the UK. The findings are significant because contactless payment verification limits are used to safeguard against fraudulent losses, which have been increasing in recent years.

According to UK Finance, fraud on contactless cards and devices rose from £6.7 million in 2016 to £14 million in 2017 – with £8.4 million lost to contactless fraud in the first half of 2018 alone.

The attack works by manipulating two data fields that are exchanged between the card and the terminal during a contactless payment. First, predominantly in the UK, cards will refuse to make a payment over the contactless limit if that payment requires additional cardholder verification.

Secondly, the terminal uses country specific settings, which demand that the card or mobile wallet provide additional verification of the cardholder, such as through the entry of the card PIN or fingerprint authentication on the phone.

Positive Technologies found that both of these checks can be bypassed using a device which intercepts communication between the card and the payment terminal, acting as a proxy to conduct a man-in-the-middle attack.

First, the device tells the card that verification is not necessary, even though the amount is greater than £30. It then tells the terminal that verification has already been made by another means. This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification.

The attack can also be done using mobile wallets such as GPay, where a Visa card has been added to the wallet. Here, it is even possible to fraudulently charge up to £30 without unlocking the phone.

The discovery highlights the importance of additional security from the issuing bank, which should not be reliant on Visa to provide a secure protocol for payments. Instead, Positive Technologies argued that issuers should have their own measures in place to detect and block this attack vector and other payment attacks.
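As an added illustration of the issuer-side check the researchers argue for (this is example code, not Positive Technologies' or Visa's), the function below applies two rules to a contactless authorisation request: decline when the amount exceeds the country's no-verification limit and no cardholder verification was reported, and decline when the terminal's reported verification disagrees with the card's. The message layout, the field names and the assumption that the issuer sees both the card-side and terminal-side verification indicators are simplifications for this example.

```python
# Added example: issuer-side consistency check for contactless payments.
# The message layout and field names are assumptions, not a real scheme format.
from dataclasses import dataclass

# Constructed per-country limits in minor units; the UK £30 figure is from the article.
CONTACTLESS_NO_CVM_LIMIT = {"GB": 3000}

# Cardholder verification methods as the example represents them.
NO_CVM = "none"
VALID_CVM = {"online_pin", "cdcvm"}  # PIN at terminal, or device unlock on a phone


@dataclass
class ContactlessAuth:
    country: str            # terminal country code (assumed ISO 3166 alpha-2)
    amount_minor: int       # transaction amount in minor units (pence)
    contactless: bool       # transaction came over the contactless interface
    card_reported_cvm: str      # verification the card says was required/performed
    terminal_reported_cvm: str  # verification the terminal says took place


def issuer_decision(tx: ContactlessAuth) -> tuple[str, str]:
    """Return ("approve" | "decline", reason) for one authorisation request."""
    if not tx.contactless:
        return "approve", "not contactless; other controls apply"

    limit = CONTACTLESS_NO_CVM_LIMIT.get(tx.country)
    if limit is None:
        # Fail closed rather than trusting an unknown market's settings.
        return "decline", "no contactless limit configured for country"

    # Attack pattern from the article: the card was told no verification was
    # needed while the terminal was told verification had already happened,
    # so the two sides report different things.
    if tx.card_reported_cvm != tx.terminal_reported_cvm:
        return "decline", "card and terminal disagree on cardholder verification"

    over_limit = tx.amount_minor > limit
    verified = tx.card_reported_cvm in VALID_CVM
    if over_limit and not verified:
        return "decline", "amount over contactless limit without verification"

    return "approve", "ok"
```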

"The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing," said Yunusov, head of banking security for Positive Technologies. "While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers."

A statement from Visa made clear that it takes all security threats to payments seriously and that it appreciates industry and academic efforts to harden payment security.

"Variations of staged fraud schemes have been studied for nearly 10 years; in that time there have been no reports of such fraud. Research tests may be reasonable to simulate, but these types of schemes have proved to be impractical for fraudsters to employ in the real world. Visa's multi-layered security approach has resulted in fraud remaining stable near historically low rates of less than one-tenth of one per cent.

"Contactless cards are very secure," it continued. "The fact is, as the use of contactless cards has increased around the world, Visa's global contactless fraud rate has declined by 33 per cent between 2017 and 2018, and declined by 40 per cent in Europe between 2017 and 2018.

"Using the same secure technology as EMV® Chip, contactless cards are extremely effective in preventing counterfeit fraud by using a one-time use code that prevents compromised data from being re-used for fraud."
