Visa Contactless Cards Vulnerable to Fraudsters: Report

Researchers Say Proxy Machine Can Bypass Transaction Limits Via Man-in-the-Middle Attack

A newly discovered vulnerability in Visa's contactless payment cards could allow fraudsters to bypass the payment limit of £30 ($37) at a number of U.K.-based banks, according to researchers at the security firm Positive Technologies.

Although the researchers limited their tests to U.K. banks, the vulnerability apparently could be exploited in other countries as well, the researchers explain in a blog.

Researchers Leigh-Anne Galloway and Tim Yunusov say they were able to manipulate two data fields that are exchanged between the card and the terminal during a contactless payment. This was done by using a proxy machine that manipulates the transaction data between the card and the payment gateway, essentially creating a man-in-the-middle attack, the researchers report.

Proxy Attack

The researchers successfully tested a proxy machine with five U.K. banks, which they did not name. They discovered that the vulnerability is common to all Visa-issued contactless cards regardless of the bank and the locality of the person using the card, according to the blog.

"Positive Technologies tested the attack with five major U.K. banks, successfully bypassing the U.K. contactless verification limit of £30 on all tested Visa cards, irrespective of the card terminal," the researchers note.

The researchers say that an attack using the proxy machines can also be carried out through Google Pay once a Visa card has been added to the digital wallet.

Contactless Cards

Visa recently estimated that in Europe, more than two-thirds of face-to-face transactions occur using contactless payments, and nearly 60 percent of the face-to-face transactions in Canada and the U.K. use this type of payment system.

In the U.S., contactless card transactions are relatively rare, with only about 3 percent of cards falling into this category, CNBC reports.

In the U.K., card holders can make contactless card payments of up to £30 simply by waving their debit, credit or other smart cards over a handheld payment device reader. The technology also allows card holders to use devices such as a smartwatch and e-wallets for contactless payments via their mobile phones.

Tracking the Payment Gateway

For contactless payments over £30, U.K. banks require additional verification methods to complete a transaction, the researchers explain in their blog. For contactless transactions outside of the U.K., country-specific verification processes, such as a PIN or fingerprint, are needed to complete the transaction.

But the Positive Technologies researchers note that both of these mechanisms can be bypassed by the proxy devices that enable a fraudster to conduct a man-in-the-middle attack, where the communication between the payment device and the card is altered.

For transactions over £30, the proxy device intercepts the communication data between the card and the payment gateway. It prevents the verification process by the card and also transmits a false message to the payment gateway stating that the verification process has been achieved through other means, the researchers say.

Positive Technologies did not immediately reply to Information Security Media Group’s request for comment. The researchers told

Although the threat is relatively new, it poses a big potential challenge to the banks, Galloway told Forbes. "While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers," she said.

A Visa spokesperson told Forbes that the non-availability of physical cards can limit the scope of the man-in-the-middle attacks described by the researchers because they require the use of a stolen contactless card for which the theft has not yet been reported.

"Likewise, the transaction must pass issuer validations and detection protocols. It is not a scalable fraud approach that we typically see criminals employ in the real world," the Visa spokesperson added.

A spokesperson for Visa did not immediately reply to a request for comment, including on whether fraudsters have waged any attacks along the lines of what the researchers demonstrated.

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
