Cracking the contactless code: Positive Technologies claims vulnerability

Researchers at Positive Technologies claim to have discovered flaws that allow hackers to bypass the payment limits on Visa contactless cards.

The firm says that it tested the attack with five major UK banks, successfully bypassing the UK contactless verification limit of £30 on all tested Visa cards, irrespective of the card terminal.

The attack works by manipulating two data fields that are exchanged between the card and the terminal when additional verification is required for payments over £30.

The researchers achieved this by using a device that acts as a proxy to conduct a man-in-the-middle attack, intercepting and relaying the communication between the card and the EFTPOS terminal. First, the device tells the card that verification is not necessary, even though the amount is greater than £30. The device then tells the terminal that verification has already been performed by another means.

Positive Technologies alleges that the attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification.
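The two paragraphs above describe the attack and the check the researchers say is missing: the card and the terminal each report a different view of whether verification happened, and nothing on the issuer side reconciles the two against the amount. The following is an added illustration of such an issuer-side check, not code from Positive Technologies, Visa or any bank. The message layout, field names and the HMAC standing in for the card's cryptogram are a constructed, simplified model, not the real EMV data elements; the point it makes is that only the card's own, cryptogram-covered view should be trusted, and the terminal's claim should be cross-checked against it.

```python
"""Issuer-side check for contactless authorizations that exceed the limit.

Added example, not Positive Technologies', Visa's or any bank's code. The
message layout and field names below are a constructed, simplified model of
the two views an issuer receives (the card's, covered by its cryptogram, and
the terminal's, which is not); they are not the real EMV data elements.
"""
import hashlib
import hmac
from dataclasses import dataclass

# UK contactless verification limit cited in the article, in pence.
CONTACTLESS_LIMIT_PENCE = 3000


@dataclass(frozen=True)
class AuthRequest:
    amount_pence: int
    # Terminal-side claim that cardholder verification happened. In the proxy
    # scenario described above this is the field altered towards the terminal.
    terminal_claims_verified: bool
    # Card-side record of whether it was told verification was required. In the
    # same scenario this is the field altered towards the card; the card then
    # covers what it saw with its cryptogram.
    card_saw_verification_required: bool
    # MAC the card computed over the transaction data it actually processed.
    card_cryptogram: bytes


def card_cryptogram(card_key: bytes, amount_pence: int, verification_required: bool) -> bytes:
    """Hypothetical stand-in for the card's application cryptogram: an HMAC over
    the amount and the verification state the card itself observed."""
    msg = f"{amount_pence}|{int(verification_required)}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).digest()


def build_request(card_key: bytes, amount_pence: int,
                  card_saw_verification_required: bool,
                  terminal_claims_verified: bool) -> AuthRequest:
    """Assembles what the issuer would receive for one constructed transaction."""
    return AuthRequest(
        amount_pence=amount_pence,
        terminal_claims_verified=terminal_claims_verified,
        card_saw_verification_required=card_saw_verification_required,
        card_cryptogram=card_cryptogram(card_key, amount_pence,
                                        card_saw_verification_required),
    )


def authorize(req: AuthRequest, card_key: bytes) -> tuple[str, str]:
    """Issuer decision. The card-authenticated view is trusted; the terminal's
    unauthenticated claim is reconciled against it rather than taken as given."""
    expected = card_cryptogram(card_key, req.amount_pence, req.card_saw_verification_required)
    if not hmac.compare_digest(expected, req.card_cryptogram):
        return "DECLINE", "card cryptogram does not match transaction data"
    # The article's scenario: amount over the limit, yet the card was told no
    # verification was needed. Decline regardless of what the terminal asserts.
    if req.amount_pence > CONTACTLESS_LIMIT_PENCE and not req.card_saw_verification_required:
        return "DECLINE", "over limit without cardholder verification at the card"
    # Any disagreement between the two views is a tampering indicator worth a
    # decline and a fraud alert, even under the limit.
    if req.terminal_claims_verified != req.card_saw_verification_required:
        return "DECLINE", "terminal and card disagree on verification"
    return "APPROVE", "ok"


def run_scenarios(card_key: bytes = b"constructed-card-key") -> dict:
    """Runs four constructed transactions and returns the issuer decision for each."""
    ordinary = build_request(card_key, 1_250, False, False)   # £12.50 tap, no verification
    verified = build_request(card_key, 8_000, True, True)     # £80 with verification at both ends
    proxied = build_request(card_key, 8_000, False, True)     # the described manipulation
    forged = AuthRequest(8_000, True, True, b"\x00" * 32)      # cryptogram not from the card
    return {
        "ordinary_tap": authorize(ordinary, card_key)[0],
        "verified_over_limit": authorize(verified, card_key)[0],
        "proxied_over_limit": authorize(proxied, card_key)[0],
        "forged_cryptogram": authorize(forged, card_key)[0],
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:22s} {decision}")
```

The design choice worth noting is that the amount rule keys on the card's view, not the terminal's: in the described manipulation the terminal's field is exactly the one that has been set to "verified", so a rule that only read that field would approve the payment. The consistency rule is there for the issuer's fraud monitoring, since a card and terminal that disagree about verification is a signal on its own, whatever the amount.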

According to UK Finance, fraud on contactless cards and devices increased from £6.7 million in 2016 to £14 million in 2017. £8.4 million was lost to contactless fraud in the first half of 2018.

Tim Yunusov, head of banking security for Positive Technologies, says: “While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers.”

Leigh-Anne Galloway, head of cyber security resilience at Positive Technologies, says the discovery highlights the importance of additional security from the issuing bank, which shouldn’t be reliant on Visa to provide a secure protocol for payments. Instead, issuers should have their own measures in place to detect and block this attack vector and other payment attacks.

"Issuers need to be better at enforcing their own rules on contactless and increasing the industry standard," she says. "Criminals will always gravitate to the more convenient way to get money quickly, so we need to make it as difficult as possible to crack contactless."

Visa pushes back against the claims of a security vulnerability, stating: “Variations of staged fraud schemes have been studied for nearly 10 years. In that time there have been no reports of such fraud. Research tests may be reasonable to simulate, but these types of schemes have proved to be impractical for fraudsters to employ in the real world. Visa’s multi-layered security approach has resulted in fraud remaining stable near historically low rates of less than one-tenth of one percent.”

Comments: (2)

Craig Lawrance - Starkspur Ltd - Chalfonts, 30 July, 2019, 15:30

Fascinating. Or you could stick the card into your Apple Wallet, where limits magically disappear.

Ganesh Vaidyanathan - Self employed - Croydon, 30 July, 2019, 17:51

That's because Apple Pay is a fully authenticated transaction by virtue of the user having to unlock the phone through biometrics. Same with Google Pay, though most merchant terminals are not correctly programmed for this variation.