Think that £30 limit on contactless payments is going to protect you from big thefts? Think again.
Security researchers have found a way to bypass that limit on Visa cards. Their hack, which isn’t limited to U.K. cards, could let opportunistic crooks drain accounts with a single tap, and they claim they don’t even need to steal the credit card. And little on Visa’s side is being done to address this fresh fraud threat.
Forbes let the researchers—Leigh-Anne Galloway and Tim Yunusov from cybersecurity company Positive Technologies—try it out on a personal Visa card. They extracted three successful payments of £31 ($38). On their own cards they made contactless payments as high as £101, though it’s possible more could be stolen with just a tap.
Their hacks show how contactless fraud could get a lot worse. Typically, if a bank sees multiple £30 contactless payments, the card will cease to work, as fraud detection systems suspect it’s in the hands of a thief. But if it’s possible to make large transactions in one tap, the potential for significant frauds rises.
Card thieves can now make larger payments than they could before. But now, they don’t even need to steal the card. Criminals could, for instance, take a payment from a card when the user wasn’t looking with their own mobile payments machine (though a malicious merchant would eventually be caught by banks’ fraud systems if they used the same terminal). Or even more dastardly, it’s possible to take a payment reading from a credit card using a mobile phone, send the data to another phone and make a payment on that second device going beyond the limit, the researchers claimed. For the hack to work, all the fraudsters need is to be close to their victim.
“So that means if you found someone’s card or if someone stole your card, they wouldn’t have to know your PIN, they wouldn’t have to impersonate your signature, and they could make a payment for a much higher value,” said Galloway.
There should be some limits on just how much a hacker could steal. Galloway said that while it may be that thieves could go much higher than the £101 they tested, into the hundreds or possibly thousands, fraud detection systems at the banks may be able to spot any wildly high transactions. “What we found is that actually, we can make reasonably high-value payments. So in the U.K., we’re able to make payments of £100 without any detection,” she added.
They’re still testing whether the hack would work elsewhere in the world, but Galloway confirmed it was not limited to a single country. The limit, of course, differs between nations. For instance, in the U.S., it’s considerably higher at $100.
No fix planned?
That doesn’t detract from the finding that the limit set on Visa cards can be broken. But Visa isn’t planning on updating its systems to deal with the hack. The financial industry giant argued that such a hack wouldn’t be likely to occur in the real world as the criminals would need to have their hands on the card and this doesn’t happen frequently. A spokesperson for the company went as far as to say that despite the research there wasn’t a security problem that needed addressing.
“One key limitation of this type of attack is that it requires a physically stolen card that has not yet been reported to the card issuer,” a Visa spokesperson told Forbes, noting that Visa was continually working on improving its fraud detection tech. “Likewise, the transaction must pass issuer validations and detection protocols. It is not a scalable fraud approach that we typically see criminals employ in the real world.”
Galloway disagreed that the fraudster would need to steal the card. As their tests showed, the hacker only needs to get close enough to the victim’s card for a short period of time to take a payment. This kind of “skimming” has long been proven possible, even if it relies on the card owner being caught unawares.
The Visa spokesperson also claimed that Visa’s global contactless fraud rate declined by 33% between 2017 and 2018 and in Europe by 40%. But data from UK Finance shows fraud using contactless caused £19.5 million of losses during 2018, up from £14 million in 2017. UK Finance did, however, note this was “low” in light of total spending of £69 billion over the same year. And neither UK finance nor Visa said they’d ever recorded a case of contactless fraud in which the card hadn’t been stolen.
How the contactless hack works
To carry out their hack, the researchers used a specialized piece of hardware to intercept and insert messages in the communications between the card and the reader. For instance, they could tell the card that verification—like a PIN—wasn’t needed, even though the requested amount was more than £30. They then told the terminal that verification has already been made by another means.
The researchers said these checks hadn’t been made mandatory by Visa, as they had been by its rivals. And as banks follow the guidelines laid out by Visa, it could be doing more to address the issue, Galloway said. Though Visa said that card issuers are ultimately responsible for validating transactions.
For the attack using two mobiles, Galloway explained that it was possible to use one smartphone to tap a card and effectively clone it for a short period. That first mobile takes what’s known as a “payment cryptogram” from the card. This is essentially a signature that is supposed to guarantee the authenticity of future payments. The cryptogram is sent to the second phone, which simulates the card as if it were making a mobile payment. The hackers can then go beyond the limit by doing the same interception attack as before.
Stephen Ridgway, cofounder and chief technology officer at cybersecurity startup th4ts3cur1ty.company, said that addressing such attacks at a technical level could be problematic. “There may be no ‘quick fix’ for this, even if the payment providers mandate authentication for payments over £30, if the card and reader are susceptible to a ‘man-in-the-middle’ attack that tricks the system into believing that authentication has already taken place,” he said.
As for what concerned cardholders can do to protect themselves, keeping cards physically secure is vital. For anyone worried about someone reading their card through their wallet, there are covers that can prevent such “skimming” from working. Ridgway said another cheap solution was to use a phone cover, as they often provide the same protection. And monitoring transactions could help consumers detect fraudulent transactions before banks do.
Improving bank security and fresh new regulation should also improve matters. Ridgway said that should contactless limit bypasses become common, it’s very likely that payment providers will quickly learn to recognize and block them. And incoming new EU rules could also prove a boon. From September 2019, banks will need to ensure a PIN is required once total contactless payments exceed a value of £130 or when five contactless transactions have been made in a day.
I cover security and privacy for Forbes. I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice Motherboard, Wired and BBC.com, amongst many others. I was named BT Security Journalist of the year in 2012 and 2013 for a range of exclusive articles, and in 2014 was handed Best News Story for a feature on US government harassment of security professionals. I like to hear from hackers who are breaking things for either fun or profit and researchers who’ve uncovered nasty things on the web. Tip me on Signal at 447837496820. I use WhatsApp and Treema too. Or you can email me at TBrewster@forbes.com, or firstname.lastname@example.org.