Positive Technologies has today announced that researchers Leigh-Anne Galloway and Timur Yunusov have discovered flaws that allow hackers to bypass the payment limits on Visa contactless cards.
Positive Technologies tested the attack with five major UK banks, successfully bypassing the UK contactless verification limit of £30 on all tested Visa cards, irrespective of the card terminal. The researchers also found that this attack is possible with cards and terminals outside of the UK. These findings are significant because contactless payment verification limits are used to safeguard against fraudulent losses, which have been increasing in recent years.
The attack works by manipulating two data fields exchanged between the card and the terminal during a contactless payment. In the UK in particular, if a payment needs additional cardholder verification (required for payments over £30 in the UK), the card answers “I can’t do that,” which prevents payments over this limit. Second, the terminal uses country-specific settings that require the card or mobile wallet to provide additional verification of the cardholder, such as entry of the card PIN or fingerprint authentication on the phone.
Positive Technologies found that both of these checks can be bypassed using a device that intercepts communication between the card and the payment terminal. This device acts as a proxy, performing a man-in-the-middle (MITM) attack. First, the device tells the card that verification is not necessary, even though the amount is greater than £30. It then tells the terminal that verification has already been performed by another means. The attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments made without the minimum verification.
The attack can also be done using mobile wallets such as GPay, where a Visa card has been added to the wallet. Here, it is even possible to fraudulently charge up to £30 without unlocking the phone.
According to UK Finance, fraud on contactless cards and devices increased from £6.7 million in 2016 to £14 million in 2017, and £8.4 million was lost to contactless fraud in the first half of 2018. Positive Technologies’ discovery highlights the importance of additional security from the issuing bank, which should not rely on Visa to provide a secure payment protocol. Instead, issuers should have their own measures in place to detect and block this attack vector and other payment attacks.
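The attack described above leaves the issuer with two statements about cardholder verification that disagree: the card's own record (it performed no verification, because the proxy told it none was needed) and the terminal's claim that verification took place. The following is an added example, not Positive Technologies' or Visa's code, of the kind of issuer-side consistency rule the article says issuers should have. The field names (card_cvm_performed, terminal_cvm_claimed), the ContactlessAuth record, and the sample batch are assumptions and constructed data for illustration; the article does not name the underlying message fields, so a real issuer host would map them from its own authorization format.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed contactless CVM limit per currency, in minor units. The article
# gives £30 for the UK; no other currency is listed, so only GBP is set.
CVM_LIMITS_MINOR = {"GBP": 3000}


@dataclass(frozen=True)
class ContactlessAuth:
    """One contactless authorization as the issuer host sees it.

    Field names are assumed for this example. The two flags model the two
    data fields the article describes: the card's own statement about
    cardholder verification (what the card actually did) and the terminal's
    statement that verification took place (which a proxy sitting between
    card and terminal can alter).
    """
    txn_id: str
    amount_minor: int
    currency: str
    card_cvm_performed: bool
    terminal_cvm_claimed: bool


def evaluate(auth: ContactlessAuth) -> Tuple[str, str]:
    """Return (decision, reason) for one authorization."""
    limit = CVM_LIMITS_MINOR.get(auth.currency)
    if limit is None:
        return ("decline", "unknown_currency")
    if auth.amount_minor <= limit:
        # No CVM is required below the limit (this is also the case the
        # article notes for wallet payments made without unlocking the
        # phone), so there is nothing to reconcile.
        return ("approve", "below_cvm_limit")
    # Above the limit the issuer relies on the card's own evidence and treats
    # a terminal claim that disagrees with it as a mismatch, never as proof.
    if not auth.card_cvm_performed:
        if auth.terminal_cvm_claimed:
            return ("decline", "cvm_mismatch_terminal_claims_cvm")
        return ("decline", "no_cvm_above_limit")
    if not auth.terminal_cvm_claimed:
        return ("decline", "cvm_mismatch_card_claims_cvm")
    return ("approve", "cvm_verified")


def flag_mismatches(auths: List[ContactlessAuth]) -> List[str]:
    """Transaction ids whose card and terminal CVM statements disagree."""
    return [a.txn_id for a in auths if "mismatch" in evaluate(a)[1]]


# Constructed sample batch (not real transaction data).
SAMPLE_AUTHS = [
    ContactlessAuth("t1", 2500, "GBP", False, False),  # £25, no CVM needed
    ContactlessAuth("t2", 4500, "GBP", True, True),    # £45, both sides agree
    ContactlessAuth("t3", 4500, "GBP", False, True),   # £45, terminal claims CVM, card did none
    ContactlessAuth("t4", 4500, "GBP", False, False),  # £45, no CVM on either side
    ContactlessAuth("t5", 4500, "GBP", True, False),   # £45, card did CVM, terminal denies it
]

if __name__ == "__main__":
    for a in SAMPLE_AUTHS:
        print(a.txn_id, *evaluate(a))
    print("mismatches:", flag_mismatches(SAMPLE_AUTHS))
```

The design point is that the terminal's claim is never allowed to satisfy the limit on its own: once the amount exceeds the limit, only the card's own record of a completed verification approves the transaction, and any disagreement between the two statements is surfaced as a distinct reason code so it can feed fraud monitoring rather than being lost among ordinary declines.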
“The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing,” said Tim Yunusov, Head of Banking Security for Positive Technologies. “While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers.”
The researchers advise that contactless card users need to be vigilant in monitoring their bank account statements to catch fraud early and, if available with their bank, implement additional security measures such as payment verification limits and SMS notifications.
“It falls to the customer and the bank to protect themselves,” said Leigh-Anne Galloway, Head of Cyber Security Resilience at Positive Technologies. “While some terminals have random checks, these have to be programmed by the merchant, so it is entirely down to their discretion. Because of this, we can expect to see contactless fraud continue to rise. Issuers need to be better at enforcing their own rules on contactless and increasing the industry standard. Criminals will always gravitate to the more convenient way to get money quickly, so we need to make it as difficult as possible to crack contactless.”
In response to Positive Technologies’ findings, Frederik Mennes, director of product security at OneSpan, commented:
“This attack requires the adversary to manipulate the data flow between the payment terminal and the payment card, which requires them to be in very close proximity to both the terminal and payment card, which limits the scalability of the attack. The most practical way to implement the attack probably consists of adding an extension to the terminal that acts as a man-in-the-middle between the terminal and card. The extension should look as if it is a genuine part of the terminal, and this is similar to skimming attacks against magstripe-based payment cards, whereby a fake terminal is used to read the content of a card’s magstripe.
Banks, merchants and consumers should do the following to prevent this type of attack:
- Banks should analyse financial transactions for all payments that they process, and try to identify fraudulent transactions as much as possible
- Merchants should inspect their payment terminals regularly and make sure there are no extensions to it. Consumers should also look for strange additions to payment terminals.
- Consumers should keep their payment card in a screening wallet, so that it cannot be read inadvertently. They should also enable SMS notifications for new payments and contact their bank immediately if they notice a suspicious payment.”