A British research group shows that it is possible to circumvent the 25-euro limit of contactless cards. For Visa, however, there are no real risks
Contactless credit cards from the Visa circuit may have security problems. This, at least, is what security researchers claim who, in collaboration with the British editorial office of Forbes, have managed to make payments even above 25 euros without entering a PIN.
In particular, the cards would be hackable through attacks “man in the middle”, which would allow to “withdraw” more money than the security threshold. According to experiments conducted “in the laboratory” by researchers, there is no limit to the amount that can be taken out of the card with this system and, therefore, the risk of fraud is very high. Moreover, although this fraud has been simulated in the UK, it is possible everywhere because it would be based on vulnerabilities inherent in the way contactless transactions take place. But, responding to Forbes, Visa believes there is no real danger to users and their contatcless cards and, as a result, no “fix” is planned.
How the contactless card scam works
To unlock PIN-less payments above €25 on contactless cards, researchers have used specially built hardware to intercept and modify communications between the card and the reader. For example, the card can be made to believe that verification, such as entering a PIN, is not necessary, even if the amount requested is over £30 (the scam was tried in England, but it works everywhere in the world). In this way, the card reader authorizes transactions of any amount.
It is also possible to use a smartphone to tap a card and clone it for a short time: the smartphone manages to intercept the so-called “payment cryptogram” from the card that guarantees the authenticity of future payments. The cryptogram can then be sent to a second phone, which simulates a mobile payment via the cloned card. Hackers can then go over the maximum amount by doing the same man-in-the-middle attack described earlier.
VISA: no real risk
A VISA spokesperson confirms the existence of this vulnerability in the circuit, but greatly downplays the risk to contactless cardholders: “A key limitation of this type of attack is that it requires a physically stolen card that has not yet been reported to the card issuer. Additionally, the transaction must pass issuer validations and detection protocols. This is not a scalable fraud approach that we typically see criminals employ in the real world.”