Flaw In Visa’s Contactless Card Lets Anyone Charge It Upto $999,999

A potential flaw has been unravelled in Visa credit cards that could open up scope for a huge number of credit card frauds, in some cases do not even require stealing the card.

Convenience turns flaw

As a way of speeding up transactions, Visa allows its users to bypass the step of entering their PINs when making a transactions of amounts $20 or less.Researchers from Newcastle University have discovered serious flaw in this process . They discovered that this amount could be increased simply by converting the currency into a foreign one (GBP to USD or EURO). All an attacker needs to do is set up a rogue PoS (Point of sale) terminal.

“Once a ‘rogue POS terminal’ has been set up – either on a mobile phone or a system similar to those placed illegally on ATM machines – the criminal inputs the amount they want to transfer,” it has been explained.

The Process

The flaw utilises the fact that all validations and security authentications carried out locally on the card chip itself. So if one is able to forge the verifications here, then the system will not raise any flags when the transactions goes through it. All you need to do, is set up the rogue terminal on your mobile phone and then swipe someone’s credit card when they aren’t looking. Only caution to be taken here, is that the amount need to be specified in advance. In the tests conducted by the security researchers, it took less than a second for the transaction to be approved noted lead researcher Martin Emms.

Visa’s response

Visa has said in a statement that they aren’t bothered about this flaw since the researchers have only taken into account the step of swiping the card. They haven’t put to test any of the safeguards that Visa uses that aren’t brought to play at all in this flaw. Visa seems to right here, as the researchers  have admitted as much, admitting that they haven’t put the whole Visa payment and authentication system to test.

But they stand firm that this is a major flaw detected and demonstrated the flaw in a video on BBC.  At the ACM Conference on Computer and Communications Security, which is going on this week in Arizona, the team explained how it’s easy to set up a point-of-sale terminal using a phone, then create a transaction of up to $999,999.99. Crucially, the payment amount must be requested in foreign currency, otherwise the £20 limit will kick in. Here’s a video of the lead author, Martin Emms, demonstrating the hack for the BBC.

Resource : Newcastle University Research