Hackers can bypass Visa card’s contactless limit

The firm announced that it tested the attack with five major UK banks, and had successfully bypassed the UK’s £30 limit on all tested Visa cards. The researchers, Leigh-Anne Galloway and Tim Yunusov, also found that the attack is possible with cards and terminals outside of the UK. 

These findings are extremely important as contactless payment verification limits are put in place to safeguard against fraudulent losses. 

The attack occurs by manipulating two data fields, that are exchanged between the card and the terminal during a contactless payment. A device can be utilised to intercept communications between the card and payment terminal, and thus bypassing the checks. 

The device acts as a proxy and is known to conduct man in the middle attacks. The device tells the card that verification is not needed, even though the amount is greater than £30. Then it tells the terminal that verification has already been made by another means. 

“This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification.”

The attack can also be conducted using mobile wallets such as GPay, where a Visa card has been added to the wallet. It is even possible to fraudulently charge up to £30 without unlocking the phone. 

These findings highlight the importance of additional security from the issuing bank, who shouldn’t be reliant on Visa to provide a secure protocol for payments. In the first half of 2018, £8.4 million was lost to contactless fraud. 

“The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing,” said Tim Yunusov, Head of Banking Security for Positive Technologies. “While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers.”

Frederik Mennes, director of product security at OneSpan commented:

“This attack requires the adversary to manipulate the data flow between the payment terminal and the payment card, which requires them to be in very close proximity to both the terminal and payment card, which limits the scalability of the attack.”

Mennes advises merchants and consumers to do the following:

• “Banks should analyse financial transactions for all payments that they process, and try to identify fraudulent transactions as much as possible.”
• “Merchants should inspect their payment terminals regularly and make sure there are no extensions to it. Consumers should also look for strange additions to payment terminals.”
• “Consumers should keep their payment card in a screening wallet, so that it cannot be read inadvertently. They should also enable SMS notifications for new payments and contact their bank immediately if they notice a suspicious payment.”