Countless Visa customers may be at risk of fraud according to a recent discovery by cyber security experts.
Researchers found a flaw which could let hackers bypass the verification limits on the company’s contactless cards.
Positive Technologies tested the tactic with five major UK banks and successfully bypassed the £30 ($36) maximum spend on cards, irrespective of the terminal.
They also found that this attack is possible outside of the UK, but didn’t specify which countries may also share the vulnerability.
Leigh-Anne Galloway and Tim Yunusov from the firm, based in London, say the attack works by manipulating two data fields that are exchanged between the card and the terminal during a contactless payment.
If a payment needs an additional cardholder verification, including payments over the £30 limit, cards will respond by saying ‘I can’t do that’.
Then the terminal uses country-specific settings which demand that the card or mobile wallet provide additional verification from the cardholder.
That includes the entry of the card’s PIN or a fingerprint authentication via a smartphone app.
Positive Technologies found both of these checks can be bypassed using a device which intercepts communication between the card and the payment terminal.
Their gadget acts as a proxy and conducts what is known as a man-in-the-middle (MITM) attack.
Their tool tells the card that verification is not necessary, even though the amount is greater than £30.
The device then tells the terminal that verification has already been made by another means.
This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification.
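The article describes the weakness as a missing consistency check on the issuer or acquirer side: the two fields the proxy tampers with are each accepted at face value, so an over-limit payment can be approved with no cardholder verification. The following is an added illustration of what such a check could look like in an issuer's authorization logic; it is not Positive Technologies' tool, nor Visa's or any bank's code. The field names (`card_requested_verification`, `terminal_reported_verification`, `cvm_method`) are hypothetical stand-ins for the two card/terminal data fields the article mentions without naming, and the sample transactions are constructed.

```python
"""Issuer-side consistency check for contactless authorizations.

Added illustration, not code from the article or from Positive
Technologies. Field names are hypothetical stand-ins for the two
card/terminal fields the article says are manipulated; the real
EMV data elements are not named on the page.
"""
from dataclasses import dataclass

# UK contactless limit quoted in the article (GBP)
CONTACTLESS_LIMIT_GBP = 30.00


@dataclass
class ContactlessAuth:
    amount_gbp: float
    # Hypothetical field: did the card ask for cardholder verification during the tap?
    card_requested_verification: bool
    # Hypothetical field: does the terminal claim verification was performed?
    terminal_reported_verification: bool
    # Hypothetical field: method the terminal says was used ("PIN", "DEVICE", "NONE")
    cvm_method: str


def authorize(tx: ContactlessAuth) -> tuple[bool, str]:
    """Apply the rule the article says Visa does not mandate.

    Returns (approved, reason). Any payment above the contactless limit
    must carry a real cardholder verification, and the terminal's claim
    must agree with what the card reported; a mismatch is exactly the
    pattern a tampering proxy produces.
    """
    if tx.amount_gbp > CONTACTLESS_LIMIT_GBP:
        if tx.cvm_method == "NONE" or not tx.terminal_reported_verification:
            return False, "over limit without cardholder verification"
        if not tx.card_requested_verification:
            return False, "terminal claims verification the card never requested"
    elif tx.terminal_reported_verification != tx.card_requested_verification:
        # Under the limit the payment may still go through, but the
        # disagreement is worth flagging for fraud monitoring.
        return True, "approved; card/terminal verification fields disagree"
    return True, "ok"


def review_batch(txs: list[ContactlessAuth]) -> dict[str, int]:
    """Count outcomes over a batch of authorization records, as a fraud
    analyst might do when looking for the inconsistency described above."""
    counts = {"approved": 0, "declined": 0, "flagged": 0}
    for tx in txs:
        approved, reason = authorize(tx)
        if not approved:
            counts["declined"] += 1
        elif reason != "ok":
            counts["flagged"] += 1
        else:
            counts["approved"] += 1
    return counts


# Constructed sample transactions (not real data).
SAMPLE_BATCH = [
    # Ordinary tap under the limit: nobody asked for verification.
    ContactlessAuth(12.50, False, False, "NONE"),
    # Genuine over-limit payment: card asked for a PIN, terminal collected one.
    ContactlessAuth(85.00, True, True, "PIN"),
    # Tampered pattern from the article: card was told verification was not
    # needed, terminal was told it had already been done by other means.
    ContactlessAuth(95.00, False, True, "DEVICE"),
    # Over-limit payment that simply carries no verification at all.
    ContactlessAuth(45.00, False, False, "NONE"),
]


if __name__ == "__main__":
    for tx in SAMPLE_BATCH:
        print(f"{tx.amount_gbp:>7.2f} GBP -> {authorize(tx)}")
    print(review_batch(SAMPLE_BATCH))
```

The check is deliberately simple: it does not try to reconstruct the card's cryptogram or the terminal's full verification record, only to refuse the one combination the article singles out (an amount above the limit with no verification, or a verification claim the card itself never requested). In practice the same logic would sit alongside the existing authorization rules rather than replace them.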
The attack can also be done using mobile wallets such as GPay, where a Visa card has been added to the wallet. Here, it is even possible to fraudulently charge up to £30 without unlocking the phone.
‘The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing,’ said Tim Yunusov, Head of Banking Security for Positive Technologies.
‘While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers.’
Researchers advise that contactless card users need to be vigilant in monitoring their bank account statements to catch fraud early.
They also advise, if available with their bank, implementing additional security measures such as payment verification limits and SMS notifications.
‘It falls to the customer and the bank to protect themselves,’ said Leigh-Anne Galloway, head of cyber security resilience at Positive Technologies.
‘While some terminals have random checks, these have to be programmed by the merchant, so it is entirely down to their discretion.
‘Because of this, we can expect to see contactless fraud continue to rise. Issuers need to be better at enforcing their own rules on contactless and increasing the industry standard.
‘Criminals will always gravitate to the more convenient way to get money quickly, so we need to make it as difficult as possible to crack contactless.’
Fraud on contactless cards and devices increased from £6.7 million in 2016 to £14 million in 2017 and £8.4 million was lost to contactless fraud in the first half of 2018, according to UK Finance.
Nicola Hussey, the Director of Communications for UK Finance, said: ‘Incidents of fraud involving the contactless technology on payment cards and devices are low, with robust security features in place, while no contactless fraud has been recorded on cards still in the possession of the original owner.
‘Customers are fully protected against any losses and will never be left out of pocket in the unlikely event they are the victim of this type of fraud, unlike if they lose cash. If a customer loses their card or it is stolen, they should report it to their card issuer as soon as possible.
‘Customers should always follow the advice of the Take Five to Stop Fraud campaign to protect themselves from fraud, and be wary of any requests out of the blue asking for personal or financial details or to transfer money.’