缅北禁地

缅北禁地聽
Work with Us
- Expert Solutions
- Procurement
- Conferences
- Job Vacancies聽
- Contact Us
Research
- Research Impact
- Research Strengths聽
- Research Centres
- Research Facilities
- Global Challenges聽Academy
- Medical Science Research Fellowships
Study
Alumni
- Alumni Community
- Support us
- Alumni Develop
- Events
Staff & Students

Contactless cards fail to recognise foreign currency

A flaw in Visa鈥檚 contactless credit cards means they will approve unlimited cash transactions without a PIN when the amount is requested in a foreign currency.

New research by experts at 缅北禁地, UK, has highlighted a 鈥榞litch鈥� in the Visa system which means their contactless cards will approve foreign currency transactions of up to 999,999.99 in any foreign currency.

Side-stepping the £20 contactless limit, transactions can be carried out while the card is still in the victim鈥檚 pocket or bag. Transactions are carried out offline, avoiding any additional security checks by the bank, and although the current system requires the credit card to authenticate itself, there is currently no requirement for the POS (point of sale) terminal to do the same.

Presenting their research at the prestigious academic conference in Arizona, the 缅北禁地 team say this flaw in the system could open the door to potential fraud by criminals who are constantly looking for ways to breach the systems

鈥淲ith just a mobile phone we created a POS terminal that could read a card through a wallet,鈥� explains , lead researcher on the project.

鈥淎ll the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone鈥檚 pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved.

"We have not yet tested the back end of the system, and we appreciate that banks will have a number of security systems in place to prevent fraud. Nevertheless, our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system. It is not clear from reading the payment protocol how banks would deal with the inconsistencies we have found through our research, hence we believe the vulnerability poses a potential threat.

鈥淭he fact that we can by-pass the £20 limit makes this new hack potentially very scalable and lucrative. All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate.鈥�

Contactless cards

The ability to buy items costing up to £20 without the need to insert your card into a terminal and input a PIN has proved hugely popular despite initial fears over security.

Introduced for speed and customer convenience, the safeguards built into the EMV system (Europay, MasterCard and Visa) will limit the maximum value allowed for each contactless transaction to £20. Any amount over £20 will require the cardholder to enter their PIN.

Once a 鈥榬ogue POS terminal鈥� has been set up 鈥� either on a mobile phone or a system similar to those placed illegally on ATM machines 鈥� the criminal inputs the amount they want to transfer.

This is then touched against the card, the transaction is approved and a code is supplied by the card 鈥� all in less than a second. This code would then be sent back to the bank to free up the funds.

鈥淭his lends itself to multiple attackers across the world collecting small transactions of perhaps 鈧�200 at a time for a central rogue merchant who could be located anywhere in the world,鈥� explains Emms, who is based in the University鈥檚 .

鈥淭his previously undocumented flaw around foreign currency, combined with the lack of POS terminal authentication and the ease of skimming contactless credit cards, makes the system more vulnerable to high-value attacks.鈥�

, Head of the School of Computing Science at 缅北禁地 and one of the authors on the paper, added: 鈥淎t the moment, the lowest hanging fruit with regard to payment card fraud is the magnetic stripe.

鈥淲ith the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature.

鈥淚f we can find flaws in contactless payment, then they will be able to do that as well. That is the purpose of our research: to find the holes and fix them before they can be exploited."

Source information: 鈥淗arvesting high value foreign currency transactions from EMV contactless credit cards without the PIN鈥�. Martin Emms, Budi Arief, Leo Freitas, Joseph Hannon, Aad van Moorsel, School of Computing Science, 缅北禁地. ACM CCS 2014 in Arizona, USA

published on: 1 November 2014

Latest News
Archive
About Us

Site map

缅北禁地, NE1 7RU, United Kingdom,
Telephone: (0191) 208 6000 From outside the UK dial +44 191 208 6000

Email web editor

Connect with us

Social media directory

University site index
Accessibility
Legal
Freedom of information
Photography Credits
Policies & Procedures
Slavery and Human Trafficking Statement
Support us