Hackers can bypass Visa's contactless spending limits

The researchers and Visa disagree on the severity of the threat presented by the hack


Researchers at Positive Technologies have discovered a way to bypass the £30 spending limit on contactless Visa cards, widening the potential for large payouts on stolen cards.

There are two security measures in a contactless card transaction that can be bypassed, enabling a fraudster to siphon a much larger amount from a victim's card than the limit allows, without needing a PIN.

The first is the card's own default programming, which will not complete a contactless transaction over £30. The second is the terminal-side check that demands additional verification, a PIN or, in the case of mobile wallets (against which the attack also works), fingerprint identification. Both can be bypassed.

The fraud is carried out with a man-in-the-middle (MITM) attack: an attacker only needs to manipulate two data fields exchanged between the card and the terminal. According to the researchers, this can be done with a device similar to a skimmer fitted to an ATM.

"The most practical way to implement the attack probably consists of adding an extension to the terminal that acts as a man-in-the-middle between the terminal and card," said Frederik Mennes, director of product security at OneSpan. "The extension should look as if it is a genuine part of the terminal, and this is similar to skimming attacks against magstripe-based payment cards, whereby a fake terminal is used to read the content of a card's magstripe."

Stealing a card the old-fashioned way and then using it on the attacker's own terminal would allow them to charge whatever they want to the card, a useful trick given that a run of frequent £30 transactions will usually prompt the bank to freeze the card for suspicious activity.

Visa disagrees with the researchers, saying the attackers must have physical access to the card to carry out the attack.

"One key limitation of this type of attack is that it requires a physically stolen card that has not yet been reported to the card issuer," said a Visa spokesperson to Forbes. "Likewise, the transaction must pass issuer validations and detection protocols. It is not a scalable fraud approach that we typically see criminals employ in the real world."

Speaking to IT Pro, a Visa spokesperson took issue with the controlled environment in which the tests were carried out. The spokesperson pointed out that the research undertaken typically relies on physically stolen cards that have not yet been reported to the issuer, and the issuer not validating some cryptographic and transaction data elements or identifying this as an issue through traditional detection systems.

"Research tests may be reasonable to simulate, but these types of schemes have proved to be impractical for fraudsters to employ in the real world," said the spokesperson. "Visa's multi-layered security approach has resulted in fraud remaining stable near historically low rates of less than one-tenth of one percent."

"The device tells the card that verification is not necessary, even though the amount is greater than £30... [then] the device then tells the terminal that verification has already been made by another means," said Positive Technologies.

The attack is possible because Visa does not require issuers or acquirers to have checks in place that block unverified transactions over the limit.
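To make the two-field manipulation and the issuer-side gap concrete, here is a small Python model of the exchange. It is an added illustration, not Positive Technologies' research code and not the real EMV/Visa protocol: the two altered fields are modelled as the booleans cvm_required and cvm_performed, the card's cryptogram is an HMAC-SHA256 stand-in, the key and amounts are constructed, and the "strict" issuer check (recomputing the cryptogram over the verification fields the terminal reports) is one plausible form of the validation Visa's statement alludes to, assumed here rather than taken from the article.

```python
"""Toy model of the contactless man-in-the-middle described above.

Added illustration only: not Positive Technologies' tooling and not the real
EMV/Visa message format. The two data fields the device alters are modelled as
the booleans 'cvm_required' (terminal -> card) and 'cvm_performed'
(card -> terminal); the card's cryptogram is an HMAC-SHA256 over a constructed
string standing in for EMV's own cryptogram. Amounts are in pence; the limit
is the GBP 30 UK contactless limit from the article.
"""
import hashlib
import hmac

LIMIT_PENCE = 3000
# Key shared by card and issuer, constructed for this demo. The relay never has it.
CARD_ISSUER_KEY = b"constructed-demo-key-not-a-real-issuer-key"


def cryptogram(amount, cvm_required, cvm_performed):
    """Card/issuer MAC binding the amount to both verification fields."""
    data = f"{amount}|{int(cvm_required)}|{int(cvm_performed)}".encode()
    return hmac.new(CARD_ISSUER_KEY, data, hashlib.sha256).hexdigest()


def terminal_request(amount):
    """Terminal -> card: above the limit the terminal demands verification."""
    return {"amount": amount, "cvm_required": amount > LIMIT_PENCE}


def card_respond(request):
    """Card -> terminal. A plain card cannot verify the holder itself, so it
    either refuses (terminal falls back to chip and PIN) or signs what it saw."""
    if request["cvm_required"]:
        return {"status": "cvm_needed"}
    return {
        "status": "ok",
        "cvm_performed": False,
        "cryptogram": cryptogram(request["amount"], request["cvm_required"], False),
    }


def relay(request, attack=False):
    """The interposed device. With attack=True it rewrites one field on each
    leg; it cannot touch the cryptogram because it lacks the key."""
    to_card = dict(request)
    if attack:
        to_card["cvm_required"] = False      # "verification is not necessary"
    response = card_respond(to_card)
    if attack and response["status"] == "ok":
        response = dict(response)
        response["cvm_performed"] = True     # "verification has already been made"
    return response


def authorise(amount, response, terminal_view, strict):
    """Issuer decision on what the terminal forwards.

    strict=False trusts the terminal's CVM result and never ties it to the
    cryptogram: this is the missing check the article describes.
    strict=True recomputes the cryptogram over the amount and the verification
    fields as the terminal reports them (an assumed form of the 'cryptographic
    and transaction data' validation Visa refers to), so a field changed on
    either leg no longer matches what the card actually signed.
    """
    if response.get("status") != "ok":
        return "pin_required"
    if amount > LIMIT_PENCE and not response["cvm_performed"]:
        return "declined: unverified over limit"
    if strict:
        expected = cryptogram(amount, terminal_view["cvm_required"], response["cvm_performed"])
        if not hmac.compare_digest(expected, response["cryptogram"]):
            return "declined: cryptogram mismatch"
    return "approved"


def run(amount, attack, strict):
    """Full tap: terminal -> (relay) -> card -> (relay) -> terminal -> issuer."""
    request = terminal_request(amount)
    response = relay(request, attack=attack)
    return authorise(amount, response, request, strict)


if __name__ == "__main__":
    for amount, attack, strict in [(2000, False, True), (10000, False, True),
                                   (10000, True, False), (10000, True, True)]:
        print(f"GBP {amount / 100:.2f} attack={attack} strict_issuer={strict}: "
              f"{run(amount, attack, strict)}")
```

The relay succeeds only against the issuer that takes the terminal's word for the verification result; once the issuer checks the cryptogram against the fields the terminal reports, the altered flags no longer match what the card signed and the transaction is declined. Real issuer logic involves far more than this, but the design point holds: any field an interposed device can rewrite must be bound by something the device cannot forge, and the issuer has to actually verify that binding.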

The attack vector is not necessarily UK-specific, although the UK is where it was tested. Cards from five major banks that issue Visa cards were tested and all were found to be vulnerable. The attack has been shown to work for transactions over £100, and its upper limit is not yet known.

"It falls to the customer and the bank to protect themselves," said Leigh-Anne Galloway, head of cyber security resilience at Positive Technologies and researcher on the project. "While some terminals have random checks, these have to be programmed by the merchant, so it is entirely down to their discretion. Because of this, we can expect to see contactless fraud continue to rise."

Contactless fraud is on the rise, according to UK Finance. Fraud from contactless cards and devices rose from £6.7 million in 2016 to £14 million in 2017, and £8.4 million was lost in the first half of 2018. People are advised to check their statements regularly and to set up additional security measures such as SMS alerts.
