Vulnerability in Contactless Card Allows Bypassing of £30 Limit

Researchers from security company Positive Technologies have reported found a vulnerability in Visa contactless cards that could lead to your bank account being drained if your card fell into the wrong hands.

Device

The researchers developed a ‘skimming’ device which was able to intercept communications between a contactless card and payment terminal, thereby allowing the £30 spending limit per transaction to be bypassed without requiring the entry of a PIN number. The device was found to work with cards from five different UK banks. It has been reported that the hack would also work on cards and terminals outside the UK.

The device developed by the researchers, tells the card that verification is not required, even if the payment amount is greater than £30, and the device tells the terminal that verification has already been made, thereby allowing the user to potentially make purchases to an amount that could drain the victim’s bank account.

Visa

Visa is reported to have urged consumers to continue using their cards with confidence because the threat is not really scalable due to it coming from a device that has been made by researchers that is highly unlikely to be in real use anywhere by criminals at this point. Visa is also reported to have noted that although security threats are taken seriously, research tests of this kind have proven impractical for fraudsters to use in the real world, and Visa’s multi-layered security approach has kept rates at less than one-tenth of one per cent.

Contactless Fraud

Despite Visa’s views on this research, contactless fraud levels appear to be rising with (UK Finance figures) fraud on contactless cards and devices reported to have increased from £6.7 million in 2016 to £14 million in 2017, and with nearly £8.5 million was lost to contactless fraud in the first half of last year.

What Does This Mean For Your Business?

Even though this vulnerability was exploited by researchers who had developed a device and system that fraudsters are not known to be using, it still highlights the fact that it is possible to get around contactless card security and that Visa doesn’t appear to be asking issuers and acquirers to have any checks in place that could block payments without presenting the minimum verification.  Also, any of the random checks that terminals do carry out currently have to be set by the merchant. If fraudsters could get their hands on a similar device, banks and their customers could face damaging losses.

Some security commentators believe that bearing in mind the apparent rise in contactless fraud, issuing banks should also take more responsibility for security by adding their own security measures rather than simply relying on Visa’s protocol.