
Report: A Flaw In Visa's Contactless Card Lets Anyone Charge It $999,999


Contactless credit cards are a hit in the UK. But a British research team has revealed a serious security flaw that allows anyone to charge up to $999,999.99 in foreign currency to a nearby card, even while it's still in a wallet or purse.


Contactless cards let you buy things without a PIN, up to a certain limit (£20 in the UK), thanks to radio waves emitted from the card and picked up by a nearby terminal. But according to a team from Newcastle University, there's a serious security flaw in at least one major company's contactless system.

At the ACM Conference on Computer and Communications Security, which is going on this week in Arizona, the team explained how it's easy to set up a point-of-sale terminal using a phone, then create a transaction of up to $999,999.99. Crucially, the payment amount must be requested in foreign currency, otherwise the £20 limit will kick in. Here's a video of the lead author, Martin Emms, demonstrating the hack for the BBC.


"By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved," said Emms in a release about the study. "All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate."

Even if you use a contactless card, though, it's unlikely you'll see any million-dollar transactions popping up on your account any time soon. Emms says it's far more likely that criminals will use the flaw to set up hundreds or thousands of fraudulent transactions in smaller amounts to evade notice. A good reminder to keep an eye on your account, no matter how small the charge. [Newcastle University; BBC]
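
An issuer-side monitoring rule for the two patterns described above (a no-PIN contactless charge in foreign currency worth more than the £20 limit, and a run of small foreign-currency charges from one terminal), as an added example that is not from the article or the Newcastle research. The record fields, exchange rates and burst thresholds are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

HOME_CURRENCY = "GBP"
CONTACTLESS_LIMIT = Decimal("20.00")  # UK no-PIN limit cited in the article
# Constructed illustrative rates: home-currency value of 1 unit of foreign currency.
RATES_TO_HOME = {"USD": Decimal("0.62"), "EUR": Decimal("0.79")}
BURST_COUNT = 3       # assumed threshold: foreign no-PIN charges from one terminal
BURST_WINDOW_S = 600  # assumed window, in seconds

def txn(id_, ts, terminal, currency, amount, contactless=True, pin_verified=False):
    return {"id": id_, "ts": ts, "terminal": terminal, "currency": currency,
            "amount": Decimal(amount), "contactless": contactless, "pin_verified": pin_verified}

def review(transactions):
    """Return {txn_id: [reasons]} for contactless no-PIN charges that should be held."""
    alerts = defaultdict(list)
    recent = defaultdict(list)  # terminal -> [(ts, txn_id)] of foreign no-PIN charges
    for t in sorted(transactions, key=lambda t: t["ts"]):
        if not t["contactless"] or t["pin_verified"]:
            continue
        if t["currency"] == HOME_CURRENCY:
            if t["amount"] > CONTACTLESS_LIMIT:
                alerts[t["id"]].append("over_limit")
            continue
        rate = RATES_TO_HOME.get(t["currency"])
        if rate is None:
            alerts[t["id"]].append("unknown_currency")
        elif t["amount"] * rate > CONTACTLESS_LIMIT:
            alerts[t["id"]].append("foreign_over_limit")
        # Many small foreign charges from one terminal: the low-value pattern Emms expects.
        window = [(ts, i) for ts, i in recent[t["terminal"]]
                  if t["ts"] - ts <= BURST_WINDOW_S]
        window.append((t["ts"], t["id"]))
        recent[t["terminal"]] = window
        if len(window) >= BURST_COUNT:
            for _, i in window:
                if "foreign_burst" not in alerts[i]:
                    alerts[i].append("foreign_burst")
    return dict(alerts)

SAMPLE = [  # constructed records, not real transaction data
    txn("t1", 0, "A", "GBP", "12.50"),
    txn("t2", 30, "B", "USD", "999999.99"),
    txn("t3", 100, "C", "EUR", "15.00"),
    txn("t4", 200, "C", "EUR", "18.00"),
    txn("t5", 300, "C", "EUR", "10.00"),
    txn("t6", 400, "D", "USD", "500.00", contactless=False, pin_verified=True),
]
```

Converting the foreign amount to the home currency before comparing it with the limit is the step the article says is missing when the amount is requested in foreign currency.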

[Update] Visa Europe has commented on the research, saying there's no cause for concern:

We have reviewed Newcastle's findings as part of our continued focus on security and beating payments fraud. The research does not take into account the multiple safeguards put into place throughout the Visa system, each of which must be met in order to make a transaction possible in the real world. For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment.


Lead image: LDprod


DISCUSSION

UnfriendlyMoose

While this is extremely concerning, I am more concerned with the rising trend of card skimming devices being installed at ATMs and gas pumps around the country. Especially since a lot of gas pumps use a legitimate pending balance of around $100 before you fill up. If you're not careful some of those pending balances can become real charges.

I have now incorporated pulling on and searching for any external pieces of hardware near card readers and reviewing my bank account balance routinely. I recommend Simple, as they notify you of each charge, and are extremely helpful with removing suspicious/fraudulent charges.