Researchers at the U.K.’s Newcastle University recently uncovered a security flaw in Visa’s contactless payments system.
The flaw is disturbingly simple: when the amount is requested in a foreign currency, the system will approve unlimited cash transactions without a PIN, while the card is still in the victim’s pocket or bag.
The transactions can be valued up to 999,999.99 in any foreign currency — while the system limits transaction in the U.K. to a maximum of £20 before a PIN is required, making the purchase in a foreign currency sidesteps the £20 limit.
“With just a mobile phone, we created a PoS terminal that could read a card through a wallet,” lead researcher Martin Emms explained in a statement. “All the checks are carried out on the card rather than the terminal, so at the point of transaction, there is nothing to raise suspicions.”
And in a crowded public place, it could be very easy to do. “By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction,” Emms added. “In our tests, it took less than second for the transaction to be approved.”
Emms envisions a scenario in which multiple attackers distributed across the world could collect small transactions of about €200 at a time for a central rogue merchant.
Read the Full Article: Source – eSecurity Planet
http://www.esecurityplanet.com/network-security/researchers-hack-contactless-visa-cards.html
Leave a Reply
You must be logged in to post a comment.