Scanning the card is fast and needs no physical contact with the victim

Nov 3, 2014 10:55 GMT  ·  By

Sums larger than the mandated contactless limit can be stolen from contactless Visa cards in the United Kingdom using an Android phone that acts as a POS (point-of-sale) terminal.

In the UK, any transaction made with a contactless card is capped at £20 (about €25 / $32) as a safeguard, but if the amount is expressed in any other currency that cap does not apply: any amount under one million units of the foreign currency can be approved, provided the funds are available in the bank account.

Scanning the card is very quick

Researchers at Newcastle University found the flaw and demonstrated to the BBC how it could be exploited using nothing but an Android phone running an app that can read cards of this type.

In the proof of concept, the foreign-currency amount was entered in the POS app on the phone, the contactless credit or debit card was scanned while still in the victim's wallet, and the transaction was accepted almost immediately.

Martin Emms, lead researcher on the project, told the BBC that the verification of the transaction does not take place on the payment terminal but on the card itself, so nothing at the point of transaction would give away the fraud.
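To make the limit bypass described above concrete, here is an added example, illustrative code written for this page and not the researchers' app, Visa's rules or any real card's firmware. It models a card's offline-approval decision as a function of the two terminal-supplied EMV fields the article's attack hinges on, tag 9F02 (Amount, Authorised, packed BCD with two implied decimals) and tag 5F2A (Transaction Currency Code, ISO 4217 numeric). The "vulnerable" rule applies the £20 limit only when the currency is GBP, which is the behaviour the researchers reported; the "one million units" foreign ceiling, the function names and the sample requests are assumptions for the example, and the hardened rule is this page's suggestion, not Visa's published fix.

```python
# Added example (not code from the original article, Visa or Newcastle
# University): a toy model of a contactless card's offline-approval decision,
# showing how a limit enforced only for the domestic currency is bypassed by
# a terminal that requests a foreign-currency amount, beside a hardened rule.
from dataclasses import dataclass
from enum import Enum

# ISO 4217 numeric currency codes as carried in EMV tag 5F2A.
GBP, USD, EUR = 826, 840, 978
# UK contactless no-PIN limit in 2014, in minor units (GBP 20.00 = 2000 pence).
UK_NO_CVM_LIMIT_MINOR = 2000
# Assumed foreign-currency ceiling ("under one million units"), in minor units.
FOREIGN_CEILING_MINOR = 1_000_000 * 100


class Decision(Enum):
    APPROVE_OFFLINE = "approved offline, no PIN"
    ONLINE_WITH_CVM = "not approved offline: issuer authorisation and PIN required"
    DECLINE = "declined"


@dataclass(frozen=True)
class Transaction:
    amount_minor: int   # EMV tag 9F02 decoded to minor units (pence, cents)
    currency: int       # EMV tag 5F2A (ISO 4217 numeric)


def decode_bcd(data: bytes) -> int:
    """Decode a packed-BCD EMV numeric field (9F02 is 6 bytes = 12 digits)."""
    digits = data.hex()
    if not digits.isdigit():           # any nibble A-F is not valid BCD
        raise ValueError("invalid BCD: %s" % digits)
    return int(digits)


def transaction_from_terminal(amount_9f02: bytes, currency_5f2a: bytes) -> Transaction:
    """Build a Transaction from the two raw terminal-supplied fields."""
    return Transaction(decode_bcd(amount_9f02), decode_bcd(currency_5f2a))


def decide_vulnerable(tx: Transaction) -> Decision:
    """Models the reported behaviour: the GBP 20 limit is consulted only when
    the currency is GBP; any other currency gets a far larger ceiling."""
    if tx.amount_minor <= 0:
        return Decision.DECLINE
    if tx.currency == GBP:
        if tx.amount_minor <= UK_NO_CVM_LIMIT_MINOR:
            return Decision.APPROVE_OFFLINE
        return Decision.ONLINE_WITH_CVM
    # Foreign currency: the domestic limit is never applied (the flaw).
    if tx.amount_minor < FOREIGN_CEILING_MINOR:
        return Decision.APPROVE_OFFLINE
    return Decision.ONLINE_WITH_CVM


def decide_hardened(tx: Transaction) -> Decision:
    """Hardened rule (this page's suggestion, not Visa's fix): no-PIN offline
    approval only in the card's domestic currency and under the limit; every
    foreign-currency request goes online with cardholder verification."""
    if tx.amount_minor <= 0:
        return Decision.DECLINE
    if tx.currency == GBP and tx.amount_minor <= UK_NO_CVM_LIMIT_MINOR:
        return Decision.APPROVE_OFFLINE
    return Decision.ONLINE_WITH_CVM


# Constructed terminal requests (sample data for this example, not captured traffic).
SAMPLE_REQUESTS = {
    "coffee, GBP 3.50":        (bytes.fromhex("000000000350"), bytes.fromhex("0826")),
    "GBP 25.00, over limit":   (bytes.fromhex("000000002500"), bytes.fromhex("0826")),
    "USD 999,999.99 (attack)": (bytes.fromhex("000099999999"), bytes.fromhex("0840")),
}


def run_samples(decide) -> dict:
    """Apply a decision function to every sample request; returns {label: Decision}."""
    return {label: decide(transaction_from_terminal(a, c))
            for label, (a, c) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, fn in (("vulnerable", decide_vulnerable), ("hardened", decide_hardened)):
        print("== %s card logic ==" % name)
        for label, d in run_samples(fn).items():
            print("  %-26s -> %s" % (label, d.value))
```

Running the block shows the asymmetry the researchers exploited: the vulnerable rule sends a £25 request online for a PIN but approves a $999,999.99 request offline, because the limit is keyed on the currency code the attacker's phone chooses. The hardened rule treats any non-domestic currency as out of scope for no-PIN approval, so the same request is forced online where the issuer can apply its own limits.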

An easy scenario to imagine is having the transaction amount already set on the phone and then bringing it close to the victim's card, which is not hard to do in crowded places such as public transport.

Since contactless transactions do not require the owner's PIN in order to be accepted, the risk of fraud would be high. Crooks would not be hindered by the transaction limit either, since they could run the scam on many victims in a single day.

Multiple security mechanisms protect against fraud

The researchers alerted Visa to the flaw. Visa did not rule out that such an attack could be carried out in the wild, but said it would be very difficult because of the several fraud-prevention mechanisms in place.

The researcher, on the other hand, says that banks would have a hard time fighting this sort of fraud.

Contactless card technology relies on a microcontroller with internal memory and an antenna that exchanges transaction details with the payment terminal over a short-range radio link.

These payments were introduced for speed and convenience when making small purchases. Many countries cap the transaction amount because no cardholder verification, such as a PIN, is required.