Researchers say they have discovered a technique for exploiting Visa contactless cards that could allow attackers to bypass a pair of anti-fraud checks that normally require a purchaser's verification.
Positive Technologies researchers Leigh-Anne Galloway and Tim Yunusov successfully tested the exploit on five major banks in the U.K., according to a company blog post this week. The attack works regardless of the terminal used, and is effective outside of the U.S. as well, the researchers note.
In the U.K., contactless card transactions in excess of £30 trigger an "I can't do that" response from the terminal, a limit put in place to curb costly fraud. To complete such flagged transactions, the payment terminal then requires cardholder verification, such as a PIN code or fingerprint authentication.
However, Positive Technologies found that both checks can be bypassed with a device capable of man-in-the-middle attacks: it sits between the payment card and the terminal, intercepting their communication and modifying key data fields in both directions.
“First, the device tells the card that verification is not necessary, even though the amount is greater than £30. The device then tells the terminal that verification has already been made by another means,” the company blog post explains. “This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification.”
Positive Technologies warns that the exploit also works on mobile wallets like GPay, when a Visa card number is added to the wallet. “Here, it is even possible to fraudulently charge up to £30 without unlocking the phone,” the report states.
“Variations of staged fraud schemes have been studied for nearly 10 years. In that time there have been no reports of such fraud. Research tests may be reasonable to simulate, but these types of schemes have proved to be impractical for fraudsters to employ in the real world,” said a statement provided to SC Media by a Visa spokesperson. “Visa’s multi-layered security approach has resulted in fraud remaining stable near historically low rates of less than one-tenth of one percent.”
“Contactless cards are very secure. The fact is, as the use of contactless cards has increased around the world, Visa’s global contactless fraud rate has declined by 33% between 2017 and 2018, and declined by 40% in Europe between 2017 and 2018,” the statement continues.