Visa Contactless Cards Vulnerable to Fraudsters: Report
Researchers Say Proxy Machine Can Bypass Transaction Limits Via Man-in-the-Middle Attack
A newly discovered vulnerability in Visa's contactless payment cards could allow fraudsters to bypass the payment limit of £30 ($37) at a number of U.K.-based banks, according to researchers at the security firm Positive Technologies.
Although the researchers limited their tests to U.K. banks, the vulnerability apparently could be exploited in other countries as well, the researchers explain in a blog post.
Researchers Leigh-Anne Galloway and Tim Yunusov say they were able to manipulate two data fields that are exchanged between the card and the terminal during a contactless payment. They did this with a proxy machine that sits between the card and the terminal and alters the transaction data in transit, in effect a man-in-the-middle attack, the researchers report.
The researchers successfully tested the proxy machine against cards from five U.K. banks, which they did not name. They say the weakness was present in every Visa contactless card they tested, regardless of the issuing bank or the location of the cardholder, according to the blog post.
"Positive Technologies tested the attack with five major U.K. banks, successfully bypassing the U.K. contactless verification limit of £30 on all tested Visa cards, irrespective of the card terminal," the researchers note.
The researchers say the same proxy-based attack can also be carried out through Google Pay, with a Visa card added to the digital wallet.
Visa recently estimated that in Europe, more than two-thirds of face-to-face transactions are made with contactless payments, and nearly 60 percent of face-to-face transactions in Canada and the U.K. use this type of payment.
In the U.S., contactless card transactions are relatively rare, with only about 3 percent of cards falling into this category, CNBC reports.
In the U.K., cardholders can make contactless payments of up to £30 simply by holding their debit, credit or other smart card against a payment terminal's reader. The same technology also supports contactless payments from devices such as smartwatches and e-wallets on mobile phones.
Tracking the Payment Gateway
For contactless payments over £30, U.K. banks require additional verification before a transaction is completed, the researchers explain in their blog post. For contactless transactions made outside the U.K., a country-specific verification step, such as a PIN or fingerprint, is needed to complete the transaction.
But the Positive Technologies researchers note that both of these mechanisms can be bypassed by the proxy device, which enables a fraudster to conduct a man-in-the-middle attack in which the communication between the terminal and the card is altered in transit.
For transactions over £30, the proxy device intercepts the exchange between the card and the payment terminal. It suppresses the terminal's request for cardholder verification before it reaches the card, and it alters the card's reply so that it falsely tells the terminal, and through it the payment gateway, that verification has already been performed by other means, the researchers say.
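To make the mechanism described in the paragraphs above (and in the earlier description of the two manipulated data fields) concrete, here is a toy simulation added to this article. It is not Positive Technologies' code and it is not the Visa or EMV protocol: the field names are modelled on the terminal and card "transaction qualifier" fields, but the bit values, the HMAC-based cryptogram, the per-card key and the amounts are assumptions constructed for the example. The weak variant, in which the card's cryptogram does not cover the verification qualifiers, lets the proxy turn a £101 transaction into one approved without a PIN; the hardened variant, which binds both qualifier bytes into the cryptogram, makes the issuer reject the tampered exchange.

```python
import hmac
import hashlib

# Constructed toy model of the proxy attack the article describes. The field
# names are modelled on the terminal/card "transaction qualifier" fields, but
# the bit values, the HMAC cryptogram and the limit in pence are assumptions
# made for this example, not the Visa or EMV specification.
CVM_LIMIT_PENCE = 3000          # the U.K. £30 limit, above which verification is required
TTQ_CVM_REQUIRED = 0x40         # assumed: terminal asks the card for cardholder verification
CTQ_ONLINE_PIN_REQUIRED = 0x80  # assumed: card answers that an online PIN must be entered
CTQ_CDCVM_PERFORMED = 0x01      # assumed: "verification already done on a consumer device"

KEY = b"example-card-key"       # constructed per-card key shared with the issuer


def cryptogram(key, amount, ttq, ctq, bind_qualifiers):
    """MAC the card computes and the issuer recomputes.

    Weak variant: covers the amount only, so the qualifiers can be changed in
    transit without detection. Hardened variant: also binds both qualifier bytes.
    """
    msg = amount.to_bytes(4, "big")
    if bind_qualifiers:
        msg += bytes([ttq, ctq])
    return hmac.new(key, msg, hashlib.sha256).digest()


class PlasticCard:
    """A plain contactless card: it cannot perform on-device verification."""

    def __init__(self, key, bind_qualifiers):
        self.key = key
        self.bind_qualifiers = bind_qualifiers

    def respond(self, amount, ttq):
        # If the terminal asks for verification, a plastic card can only
        # answer that a PIN must be collected.
        ctq = CTQ_ONLINE_PIN_REQUIRED if ttq & TTQ_CVM_REQUIRED else 0
        return ctq, cryptogram(self.key, amount, ttq, ctq, self.bind_qualifiers)


class Proxy:
    """The researchers' proxy machine: sits between terminal and card and
    rewrites the two qualifier fields in both directions."""

    def __init__(self, card):
        self.card = card

    def respond(self, amount, ttq):
        # Towards the card: claim the terminal does not require verification.
        ttq_to_card = ttq & ~TTQ_CVM_REQUIRED
        ctq, crypt = self.card.respond(amount, ttq_to_card)
        # Towards the terminal: claim verification was already done elsewhere.
        ctq_to_terminal = (ctq & ~CTQ_ONLINE_PIN_REQUIRED) | CTQ_CDCVM_PERFORMED
        return ctq_to_terminal, crypt


def issuer_authorise(key, amount, ttq, ctq, crypt, pin_verified, bind_qualifiers):
    """Issuer host: verify the cryptogram, then apply the above-limit CVM rule."""
    expected = cryptogram(key, amount, ttq, ctq, bind_qualifiers)
    if not hmac.compare_digest(expected, crypt):
        return "DECLINE: cryptogram mismatch"
    if amount > CVM_LIMIT_PENCE and not (pin_verified or ctq & CTQ_CDCVM_PERFORMED):
        return "DECLINE: CVM required above limit"
    return "APPROVE"


def run_transaction(amount, key=KEY, *, proxied=False, pin_known=False,
                    bind_qualifiers=False):
    """Terminal logic. Returns (issuer response, whether a PIN was prompted)."""
    card = PlasticCard(key, bind_qualifiers)
    peer = Proxy(card) if proxied else card
    ttq = TTQ_CVM_REQUIRED if amount > CVM_LIMIT_PENCE else 0
    ctq, crypt = peer.respond(amount, ttq)
    pin_prompted = bool(ctq & CTQ_ONLINE_PIN_REQUIRED)
    if pin_prompted and not pin_known:
        # A thief holding a stolen card does not know the PIN.
        return "DECLINE: PIN not entered", True
    response = issuer_authorise(key, amount, ttq, ctq, crypt, pin_prompted,
                                bind_qualifiers)
    return response, pin_prompted


if __name__ == "__main__":
    print("£25 plain:           ", run_transaction(2500))
    print("£101 plain, no PIN:  ", run_transaction(10100))
    print("£101 proxied, weak:  ", run_transaction(10100, proxied=True))
    print("£101 proxied, bound: ", run_transaction(10100, proxied=True,
                                                   bind_qualifiers=True))
```

In the weak case the issuer sees a cryptogram that verifies, an amount above the limit, and a card qualifier claiming on-device verification, so it approves a £101 payment for which no PIN was ever entered; that is the bypass the researchers report. In the hardened case the issuer recomputes the MAC over the qualifiers as the terminal saw them, which the proxy changed, so the cryptogram no longer matches and the transaction is declined. Whether and how the real scheme's cryptogram covers these fields, and which issuer-side validations Visa refers to below, is not stated in the article.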
Positive Technologies did not immediately reply to Information Security Media Group's request for comment. The researchers told Forbes that they were able to make payments of up to £101 using the proxy device and the man-in-the-middle attack.
"So that means if you found someone's card or if someone stole your card, they wouldn't have to know your PIN, they wouldn't have to impersonate your signature and they could make a payment for a much higher value," Galloway told Forbes.
Although the threat is relatively new, it poses a big potential challenge to the banks, Galloway told Forbes. "While it's a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers," she said.
A Visa spokesperson told Forbes that the need for a physical card limits the scope of the man-in-the-middle attack the researchers describe, because it requires a stolen contactless card whose theft has not yet been reported.
"Likewise, the transaction must pass issuer validations and detection protocols. It is not a scalable fraud approach that we typically see criminals employ in the real world," the Visa spokesperson added.
A spokesperson for Visa did not immediately reply to ISMG's request for comment, including on whether fraudsters have carried out any attacks along the lines of what the researchers demonstrated.