A security flaw discovered in Visa cards could allow hackers to bypass the £30 payment limit on contactless payments, according to cybersecurity researchers.
Researchers at UK-based cybersecurity firm Positive Technologies said they uncovered a way to carry out what is known as a “man-in-the-middle attack”, using a proxy device that sits between the card and the payment terminal and intercepts the communication in both directions.
The device tells the card that cardholder verification is not required, even though the transaction is for more than £30, and at the same time tells the terminal that verification has already taken place. Neither side sees the other's real message, so the terminal never prompts for a PIN.
Testing of the exploit with five major UK banks proved highly successful, allowing researchers to bypass the verification limit on all Visa cards involved in testing, irrespective of the card terminal. The researchers also found that this type of attack is possible with cards and terminals outside of the UK.
Tim Yunusov, head of banking security for Positive Technologies, commented: “While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers.
“The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing.”
Statistics published by UK Finance show that fraud on contactless cards and devices rose sharply between 2016 and 2017, from £6.7 million to £14 million.
More than £8.4 million was lost to contactless fraud in the first half of 2018 alone.
According to the researchers, this type of attack is possible because Visa “does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification”: nothing downstream of the terminal confirms that a transaction above the limit was actually verified.
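The following is an added illustration, not code from Positive Technologies or from the article, of the exchange described above and of the kind of issuer-side check the researchers say is not mandated. It models the terminal, the card and the proxy device as simple Python functions. The message fields are a deliberate simplification: in a real EMV contactless transaction the "verification required" flag travels in the terminal's qualifier bytes and the card's answer in its own qualifier bytes, and the exact bit layouts are not reproduced here. The `CONTACTLESS_LIMIT_PENCE` constant is the £30 limit quoted in the article; the `issuer_check` rule is an assumed example of a check, not a rule taken from Visa or from the article.

```python
"""Simplified model of the contactless man-in-the-middle described in the article.

Added illustration, not Positive Technologies' code. Field names and the
issuer rule are assumptions chosen to make the flow readable, not the real
EMV qualifier bit layouts.
"""
from dataclasses import dataclass, replace

CONTACTLESS_LIMIT_PENCE = 3000  # the UK £30 limit quoted in the article


@dataclass(frozen=True)
class TerminalRequest:
    amount: int
    cvm_required: bool  # terminal demands cardholder verification


@dataclass(frozen=True)
class CardResponse:
    amount: int
    online_pin_required: bool  # card asks the terminal to collect a PIN
    cdcvm_performed: bool      # card claims the holder was verified on a consumer device


def terminal_build_request(amount: int) -> TerminalRequest:
    """Above the limit the terminal asks the card for cardholder verification."""
    return TerminalRequest(amount=amount, cvm_required=amount > CONTACTLESS_LIMIT_PENCE)


def card_respond(req: TerminalRequest, is_mobile_wallet: bool = False) -> CardResponse:
    """A plain card cannot verify the holder itself, so when verification is
    demanded it asks for online PIN. A mobile wallet that has already unlocked
    the device reports that verification was done on the device instead."""
    if not req.cvm_required:
        return CardResponse(req.amount, online_pin_required=False, cdcvm_performed=False)
    if is_mobile_wallet:
        return CardResponse(req.amount, online_pin_required=False, cdcvm_performed=True)
    return CardResponse(req.amount, online_pin_required=True, cdcvm_performed=False)


def terminal_decide(req: TerminalRequest, resp: CardResponse) -> str:
    """'pin' = prompt the customer for a PIN, 'approve' = send online without
    a PIN, 'decline' = verification demanded but nothing offered."""
    if resp.online_pin_required:
        return "pin"
    if req.cvm_required and not resp.cdcvm_performed:
        return "decline"
    return "approve"


def mitm_to_card(req: TerminalRequest) -> TerminalRequest:
    """The proxy tells the card that verification is not required."""
    return replace(req, cvm_required=False)


def mitm_to_terminal(resp: CardResponse) -> CardResponse:
    """The proxy tells the terminal that verification has already been made."""
    return replace(resp, online_pin_required=False, cdcvm_performed=True)


def run_transaction(amount: int, attacker_present: bool, is_mobile_wallet: bool = False) -> str:
    """Run one tap and return the terminal's decision."""
    req = terminal_build_request(amount)
    card_sees = mitm_to_card(req) if attacker_present else req
    resp = card_respond(card_sees, is_mobile_wallet)
    terminal_sees = mitm_to_terminal(resp) if attacker_present else resp
    return terminal_decide(req, terminal_sees)


def issuer_check(amount: int, terminal_reported_cdcvm: bool,
                 pin_block_present: bool, card_is_consumer_device: bool) -> str:
    """Assumed issuer-side rule (not from the article): above the limit, only
    accept verification evidence that this card could actually have produced.
    A plain plastic card cannot perform device verification, so a claim of it
    on such a card is treated as tampering."""
    if amount <= CONTACTLESS_LIMIT_PENCE:
        return "approve"
    if pin_block_present:
        return "approve"
    if terminal_reported_cdcvm and card_is_consumer_device:
        return "approve"
    return "decline"


if __name__ == "__main__":
    print("no attacker, £50:", run_transaction(5000, attacker_present=False))   # pin
    print("attacker, £50:", run_transaction(5000, attacker_present=True))       # approve
    print("issuer sees £50, CDCVM claimed on plastic card:",
          issuer_check(5000, terminal_reported_cdcvm=True,
                       pin_block_present=False, card_is_consumer_device=False))  # decline
```

Without the proxy, a £50 tap on a plain card ends in a PIN prompt; with the proxy in place the same tap is approved with no PIN, which is the bypass the article reports. The issuer rule catches the plastic-card case because the authorisation arrives with a device-verification claim from a card that has no device; it cannot, on its own, distinguish a proxied mobile wallet from a genuine one, which is why the terminal-side and issuer-side checks need to work together rather than either being optional.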
The research also found that the attack can be carried out against mobile wallets, such as GPay, where a Visa card has been added to the wallet. In that scenario it is even possible to skim up to £30 without unlocking the mobile device in question.
Leigh-Anne Galloway, head of cybersecurity resilience at Positive Technologies, added: “It falls to the customer and the bank to protect themselves. While some terminals have random checks, these have to be programmed by the merchant, so it is entirely down to their discretion.
“Issuers need to be better at enforcing their own rules on contactless and increasing the industry standard. Criminals will always gravitate to the more convenient way to get money quickly, so we need to make it as difficult as possible to crack contactless.”