Visa Europe has downplayed a new attack that could steal hundreds of thousands in foreign currency over the air from contactless credit cards.
The electronic robbery was devised by researchers at Newcastle University in the UK, but the banking giant claims the techniques used aren't feasible in the real world. The researchers' findings will be presented at the 21st ACM Conference on Computer and Communications Security in Arizona this week.
According to the academics, you can program a handheld gadget to act as a pay-by-wave shopping till, and then brush the device over a victim's pocket or bag to access their contactless Visa card by radio signals. The gadget can then exploit a flaw that allows the automatic clearance of wireless payments to the tune of up to 999,999.99 units of whatever currency is specified, we're told.
"With just a mobile phone we created a point-of-sale terminal that could read a card through a wallet," said Martin Emms, lead researcher on the project.
"All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By presetting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved."
How much the card will transfer depends on the currency choice of the attacker. In the UK, there's a £20 limit on each transaction, but there's no such cap on foreign currencies, we're told, so using non-sterling in Blighty will sidestep the protection. (Just don't use Zimbabwean dollars: a million of those would net just $2,763 or £1,730.)
"We have not yet tested the back end of the system, and we appreciate that banks will have a number of security systems in place to prevent fraud," Emms noted.
"Nevertheless, our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system. It is not clear from reading the payment protocol how banks would deal with the inconsistencies we have found through our research, hence we believe the vulnerability poses a potential threat. “The fact that we can bypass the £20 limit makes this new hack potentially very scalable and lucrative. All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate.”
Visa says its backend systems will eventually see the payment from the card – and a request for a huge sum will set bells ringing instantly. But Emms suggests thieves could siphon off cash in small amounts at a time to slip under Visa's radar.
'A laboratory environment'
Visa Europe told The Register it spends €100m (£78m) a year on security, so it reckons it's pretty secure: five pence in every £100 of transactions through its servers is fraudulent, apparently. The findings from the Newcastle team have been reviewed, Visa said, and the financial giant considers the attack only replicable in a "laboratory environment."
"The research does not take into account the multiple safeguards put into place throughout the Visa system, each of which must be met in order to make a transaction possible in the real world," a Visa Europe spokesperson said.
"We are confident that our contactless system remains a safe, convenient way to pay."
One other takeaway from the research is that the security of contactless payment is definitely in the sights of researchers – and crooks.
"At the moment, the lowest hanging fruit with regard to payment card fraud is the magnetic stripe," said the report's coauthor Professor Aad van Moorsel, head of Newcastle's School of Computing Science.
"With the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature. If we can find flaws in contactless payment, then they will be able to do that as well." ®