CRAFTY HACKERS are able to bypass the £30 spending limit on Visa contactless cards by leveraging a series of security flaws.
So say security researchers at Positive Technologies, who claim that the flaws allow cybercriminals to compromise verification limits in 100 per cent of tested cases.
When testing the attack with five major UK banks, Leigh-Anne Galloway and Tim Yunusov were not only able to bypass the verification limit "irrespective of the card terminal," but also found that the attack is possible with foreign cards and terminals.
Positive Technologies called these findings significant, noting that "contactless payment verification limits are used to safeguard against fraudulent losses".
To bypass the £30 spending limit, attackers must manipulate the data fields exchanged between the card and terminal as a transaction is taking place.
"Predominantly in the UK, if a payment needs an additional cardholder verification (which is required for payments over £30 in the UK), cards will answer 'I can't do that', which prevents against making payments over this limit," explained the firm.
"Secondly, the terminal uses country-specific settings, which demand that the card or mobile wallet provide additional verification of the cardholder, such as through the entry of the card PIN or fingerprint authentication on the phone."
The researchers found that cybercrims can bypass these checks by using a device that "intercepts communication between the card and the payment terminal". They said it "acts as a proxy and is known to conduct man-in-the-middle (MITM) attacks".
Furthering the potential scope of attacks, hackers can also use mobile wallets such as GPay to take control of Visa cards and use them without even unlocking the phone.
The firm said that the discovery "highlights the importance of additional security from the issuing bank", adding that "issuers should have their own measures in place to detect and block this attack vector and other payment attacks".
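The issuer-side measure the firm calls for can be illustrated with a small authorisation rule: rather than trusting whatever the terminal reports about cardholder verification, the issuer applies its own contactless limit to every authorisation request, including those arriving from foreign terminals. The following is an added example written for this article, not Positive Technologies' research code or any bank's system; the record fields, the `decide` and `screen_batch` functions, and the sample transactions are simplified, constructed stand-ins chosen for illustration, and the only figure taken from the article is the £30 UK limit.

```python
"""Issuer-side enforcement of a contactless no-CVM limit.

Added example, not code from the article or from Positive Technologies.
Field names are hypothetical simplifications of real authorisation data.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Issuer's own contactless ceiling per currency, in minor units.
# £30 is the UK limit cited in the article; other currencies are deliberately
# left unconfigured so the fallback path below is exercised.
CONTACTLESS_LIMITS_MINOR: Dict[str, int] = {"GBP": 30_00}


@dataclass
class AuthRequest:
    txn_id: str
    amount_minor: int        # amount in minor units (pence for GBP)
    currency: str            # ISO 4217 code, e.g. "GBP"
    interface: str           # "contactless", "chip" or "magstripe"
    cvm_performed: bool      # terminal reports PIN / biometric verification done
    terminal_country: str    # ISO country of the acquiring terminal


def decide(req: AuthRequest,
           limits: Dict[str, int] = CONTACTLESS_LIMITS_MINOR) -> Tuple[str, str]:
    """Return (decision, reason) for one request; only the contactless rule is modelled.

    The rule is applied on the issuer side regardless of terminal_country, so a
    foreign terminal that never asked the card for verification is treated the
    same as a domestic one.
    """
    if req.interface != "contactless":
        return ("approve", "non-contactless interface, contactless rule not applicable")
    limit = limits.get(req.currency)
    if limit is None:
        # Assumption: with no configured limit the issuer sends the request to
        # manual review instead of silently approving it.
        return ("review", "no configured contactless limit for currency")
    if req.amount_minor <= limit:
        return ("approve", "within contactless no-CVM limit")
    # Over the limit: the issuer requires its own evidence that the cardholder
    # was verified rather than relying on the terminal's decision to skip it.
    if not req.cvm_performed:
        return ("decline", "over contactless limit without cardholder verification")
    return ("approve", "over limit but cardholder verification performed")


def screen_batch(requests) -> Dict[str, int]:
    """Tally decisions over a batch of requests."""
    counts = {"approve": 0, "decline": 0, "review": 0}
    for req in requests:
        decision, _ = decide(req)
        counts[decision] += 1
    return counts


# Constructed sample requests (not real transactions).
SAMPLE = [
    AuthRequest("t1", 25_00, "GBP", "contactless", False, "GB"),  # under limit
    AuthRequest("t2", 45_00, "GBP", "contactless", False, "GB"),  # over, no CVM
    AuthRequest("t3", 45_00, "GBP", "contactless", True, "GB"),   # over, CVM done
    AuthRequest("t4", 45_00, "GBP", "contactless", False, "FR"),  # foreign terminal, no CVM
    AuthRequest("t5", 80_00, "GBP", "chip", False, "GB"),         # rule not applicable
    AuthRequest("t6", 50_00, "EUR", "contactless", False, "DE"),  # no configured limit
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.txn_id, *decide(r))
    print(screen_batch(SAMPLE))
```

The point of the design is that the decision never depends on the terminal having asked for a PIN: an issuer that only honours the terminal's verdict inherits whatever the card-terminal exchange was manipulated into saying, whereas one that re-checks amount against its own limit declines the over-limit, unverified contactless request whether the terminal is in the UK or abroad.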
Tim Yunusov, head of banking security for Positive Technologies, said: "The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing.
"While it's a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers."
Leigh-Anne Galloway, head of cybersecurity resilience at Positive Technologies, added: "While some terminals have random checks, these have to be programmed by the merchant, so it is entirely down to their discretion.
"Because of this, we can expect to see contactless fraud continue to rise. Issuers need to be better at enforcing their own rules on contactless and improving the industry standard. Criminals will always gravitate to the more convenient way to get money quickly, so we need to make it as difficult as possible to crack contactless."