Visa card vulnerabilities enable contactless limit bypass

Researchers at security firm Positive Technologies are warning of vulnerabilities in Visa cards that could be used to steal unlimited sums from accounts, urging banks and customers to take precautions.

Researchers Leigh-Anne Galloway and Timur Yunusov were able exploit the vulnerabilties to bypass verification limits on Visa contactless cards in tests at five major UK banks.

They were able to bypass the UK contactless verification limit of £30 on all tested Visa cards, irrespective of the card terminal. The researchers also found that this attack is possible with cards and terminals outside of the UK.

Positive Technologies said the findings are significant because contactless payment verification limits are used to limit fraud losses.

The researchers said the bypass works by manipulating two checks that are exchanged between the card and the terminal during a contactless payment.

The first is designed to block instant payments greater than £30 and the second is designed to require additional verification from the cardholder if the requested amount is above the threshold, such as entry of the card personal identification number PIN or fingerprint authentication on a mobile phone.

The researchers found that both of these checks can be bypassed using a device which intercepts communication between the card and the payment terminal. This device acts as a proxy in what is known as a man in the middle (MitM) attack.

The device tells the card that verification is not necessary, even though the amount is greater than £30. The device then tells the terminal that verification has already been made by another means.

This attack is possible because Visa, which was alerted to the flaws in 2018, still does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification.

The attack can also be done using mobile wallets such as GPay, where a Visa card has been added to the wallet. It is even possible in this scenario to charge up to £30 fraudulently without unlocking the mobile phone, the researchers found.

According to UK Finance, transactions carried out using contactless payment saw a 31% increase in 2018, compared with 2017. In February 2019 alone, Britons made 644 million contactless transactions worth £5.9bn, up 20.6% compared with the same period the year before.

The use of contactless payments is increasing, but figures from Action Fraud, the UK’s national fraud reporting service, reveal that a total of £1.18m was stolen by fraudsters from contactless users in 2018, up from £711,000 in 2017.

The researchers said the discovery of the vulnerabilities highlights the importance of additional security from the issuing bank, which should not rely on Visa to provide a secure protocol for payments. Instead, issuers should have their own measures in place to detect and block this attack vector and other payment attacks,” they said.

“The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing,” said Tim Yunusov, head of banking security for Positive Technologies.

“While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers.”

The researchers advise that contactless card users need to be vigilant in monitoring their bank account statements to catch fraud early and, if available with their bank, implement additional security measures such as payment verification limits and text message notifications.

“It falls to the customer and the bank to protect themselves,” said Leigh-Anne Galloway, head of cyber security resilience at Positive Technologies.

“While some terminals have random checks, these have to be programmed by the merchant, so it is entirely down to their discretion. Because of this, we can expect to see contactless fraud continue to rise.

“Issuers need to be better at enforcing their own rules on contactless and increasing the industry standard. Criminals will always gravitate to the more convenient way to get money quickly, so we need to make it as difficult as possible to crack contactless,” she said.

In September 2018, MoneySuperMarket research revealed security concerns about contactless technology. The comparison website surveyed more than 2,000 people and 55% of them were concerned about the security of tap-and-go technology.

Banks are experimenting with various other types of technologies to balance strong security with a good user experience.

In March 2019, Computer Weekly reported that NatWest had launched a trial of payment cards equipped with biometric technology to increase security for contactless payments above £30.

On receiving the new cards, customers will be able to store and activate fingerprint-based verification themselves. Once the feature is active, if the customer places their finger on the card corner where their biometric information is stored, contactless payments above £30 will be authorised without the need to enter their PIN.