Vulnerabilities in contactless card verification could let hackers bypass limits

Security researchers have discovered flaws that could allow hackers to bypass the UK contactless verification limit of £30 on Visa contactless cards. They have tested this technique with five UK banks and found it to be successful. 

According to research carried out by Positive Technologies, flaws in the payment system could enable criminals to bypass the payment limits on Visa contactless cards. Positive Technologies tested the attack with five major UK banks, successfully bypassing the UK contactless verification limit of £30 on all tested Visa cards, irrespective of the card terminal.

Researchers at the company, Leigh-Anne Galloway and Timur Yunusov, also found that this attack is possible with cards and terminals outside of the UK. The company said that these findings are significant because contactless payment verification limits are used to safeguard against fraudulent losses, which have been increasing in recent years. Both checks can be bypassed using a device which intercepts communication between the card and the payment terminal. This device acts as a proxy and is known as a man in the middle (MITM) attack. First, the device tells the card that verification is not necessary, even though the amount is greater than £30. The device then tells the terminal that verification has already been made by another means. This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification.

They found that the attack can also be done using mobile wallets such as GPay, where a Visa card has been added to the wallet. Here, it is even possible to fraudulently charge up to £30 without unlocking the phone.

In response to SC requests for comment, Visa issued a company statement downplaying the hack and suggested it would not be practical for fraudsters to deploy, saying: “Variations of staged fraud schemes have been studied for nearly 10 years. In that time there have been no reports of such fraud. Research tests may be reasonable to simulate, but these types of schemes have proved to be impractical for fraudsters to employ in the real world. Visa’s multi-layered security approach has resulted in fraud remaining stable near historically low rates of less than one-tenth of one percent”.

It went on to add:”Contactless cards are very secure. The fact is, as the use of contactless cards has increased around the world, Visa’s global contactless fraud rate has declined by 33 percent between 2017 and 2018, and declined by 40 percent in Europe between 2017 and 2018. Using the same secure technology as EMV® Chip, contactless cards are extremely effective in preventing counterfeit fraud by using a one-time use code that prevents compromised data from being re-used for fraud,” and concluded: “Consumers should continue to use their Visa cards with confidence.

According to UK Finance, fraud on contactless cards and devices increased from £6.7 million in 2016 to £14 million in 2017. £8.4 million was lost to contactless fraud in the first half of 2018. 

The firm said that the discovery highlighted the importance of additional security from the issuing bank, who shouldn’t be reliant on Visa to provide a secure protocol for payments. Instead, issuers should have their own measures in place to detect and block this attack vector and other payment attacks, said researchers.

“The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing,” said Tim Yunusov, head of Banking Security for Positive Technologies. 

“While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers.”  

The researchers advised that contactless card users need to be vigilant in monitoring their bank account statements to catch fraud early and, if available with their bank, implement additional security measures such as payment verification limits and SMS notifications.  

“It falls to the customer and the bank to protect themselves,” said Leigh-Anne Galloway, head of Cyber Security Resilience at Positive Technologies.  

“While some terminals have random checks, these have to be programmed by the merchant, so it is entirely down to their discretion. Because of this, we can expect to see contactless fraud continue to rise. Issuers need to be better at enforcing their own rules on contactless and increasing the industry standard. Criminals will always gravitate to the more convenient way to get money quickly, so we need to make it as difficult as possible to crack contactless.”

Frederik Mennes, director of product security at OneSpan, told SC Media UK that the attack requires the adversary to manipulate the data flow between the payment terminal and the payment card. 

“This requires the adversary to be in very close proximity to both the terminal and payment card, which limits the scalability of the attack. The most practical way to implement the attack probably consists of adding an extension to the terminal that acts as a man-in-the-middle between the terminal and card. The extension should look as if it is a genuine part of the terminal. This is similar to skimming attacks against magstripe-based payment cards, whereby a fake terminal is used to read the content of card’s magstripe,” he said. He added that banks should analyse financial transactions for all payments that they process and try to identify fraudulent transactions as much as possible. Merchants should inspect their payment terminals regularly and make sure there are no extensions to it. Consumers should also look for strange additions to payment terminals, he said.

Laurie Mercer, security engineer at HackerOne  adds: “To reduce the risk of being scammed, people should never let their cards go out of sight. If you notice that your card is missing, you should freeze your card using your banking mobile app immediately. For an additional layer of security, consider placing an RFID Jammer in your wallet, pocket or handbag.

“Banks are already in the process of implementing multi-factor authentication for payments. This vulnerability puts more pressure to deploy Strong Customer Authentication (SCA) for non low value payments as soon as possible.”