Hackers can bypass £30 limit on Visa contactless cards, study finds

Design flaws discovered in Visa's payments system for contactless cards could allow criminals to steal hundreds in a single tap.


LAS VEGAS, NV - OCTOBER 23: Guests tap to pay using contactless cards to support relief efforts during the Visa ID Intelligence launch party at Money 20/20 on October 23, 2017 in Las Vegas, Nevada. (Photo by Isaac Brekken/Getty Images for VISA Inc)

Image: Researchers have figured out how to bypass the £30 limit on contactless cards

Researchers have discovered that the £30 limit on Visa contactless cards can be bypassed, potentially enabling criminals to empty victims' bank accounts without ever touching the card.
The team from Positive Technologies tested the attack on cards issued by five major UK banks and made a payment of more than £30 each time, using accounts they had permission to target.

The researchers warn that criminals could exploit the same flaws and, because the card never needs to leave the victim's possession, take a single large payment from it without touching it.
The hack uses a device that sits between the card and the payment terminal and alters the messages passing between them: it tells the card that no cardholder verification is needed, then tells the terminal that verification has already been provided.
"This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification," the experts said.
Researcher Leigh-Anne Galloway explained to Forbes that the vulnerability in Visa's payments system could expose contactless card holders to an increased risk of fraud.
"It means if you found someone's card or if someone stole your card, they wouldn't have to know your PIN, they wouldn't have to impersonate your signature, and they could make a payment for a much higher value."
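The researchers' point is that the bypass works because nothing downstream checks that an over-limit contactless payment actually carries consistent evidence of cardholder verification. The following is an added illustration of such an issuer-side check; it is not Positive Technologies' tool, nor Visa's or any bank's authorisation logic. The transaction model, the CVM string values and the sample transactions are all constructed for this example (real EMV encodes verification data in bit fields and cryptograms rather than these labels).

```python
from dataclasses import dataclass
from decimal import Decimal

# UK contactless no-CVM limit discussed in the article (constant assumed for this example).
NO_CVM_LIMIT_GBP = Decimal("30.00")

# Hypothetical, simplified cardholder-verification-method (CVM) labels.
CVM_NONE = "none"
CVM_ONLINE_PIN = "online_pin"
CVM_CDCVM = "cdcvm"  # consumer-device CVM, e.g. unlocking a phone wallet


@dataclass(frozen=True)
class AuthRequest:
    """One contactless authorisation as an issuer might see it (constructed model)."""
    txn_id: str
    amount_gbp: Decimal
    terminal_cvm: str       # what the terminal reports was performed
    card_cvm: str           # what the card's own, cryptogram-bound data says it required
    cryptogram_valid: bool  # issuer has verified the card's application cryptogram


def authorise(req: AuthRequest) -> tuple[bool, str]:
    """Return (approved, reason), declining over-limit contactless payments
    that lack consistent evidence of cardholder verification."""
    if not req.cryptogram_valid:
        return False, "cryptogram failed verification"
    if req.amount_gbp <= NO_CVM_LIMIT_GBP:
        return True, "within no-CVM limit"
    # Above the limit the terminal must report that a CVM was performed...
    if req.terminal_cvm == CVM_NONE:
        return False, "above limit with no cardholder verification"
    # ...and the card's own record must agree that verification was required.
    # A relay that told the card "no CVM needed" and the terminal "CVM done"
    # produces exactly this mismatch, so it is the case worth declining.
    if req.card_cvm == CVM_NONE:
        return False, "terminal reports CVM but card data shows none was required"
    if req.terminal_cvm != req.card_cvm:
        return False, f"CVM mismatch: terminal={req.terminal_cvm} card={req.card_cvm}"
    return True, "above limit with verified CVM"


def review(requests: list[AuthRequest]) -> dict[str, tuple[bool, str]]:
    """Run every request through authorise() and key the results by transaction id."""
    return {r.txn_id: authorise(r) for r in requests}


# Constructed sample traffic: two legitimate payments, one inconsistent
# over-limit payment of the kind the article describes, and two other declines.
SAMPLE = [
    AuthRequest("legit-small", Decimal("12.50"), CVM_NONE, CVM_NONE, True),
    AuthRequest("legit-pin", Decimal("100.00"), CVM_ONLINE_PIN, CVM_ONLINE_PIN, True),
    AuthRequest("relay-bypass", Decimal("100.00"), CVM_ONLINE_PIN, CVM_NONE, True),
    AuthRequest("over-no-cvm", Decimal("100.00"), CVM_NONE, CVM_NONE, True),
    AuthRequest("bad-cryptogram", Decimal("5.00"), CVM_NONE, CVM_NONE, False),
]

if __name__ == "__main__":
    for txn_id, (approved, reason) in review(SAMPLE).items():
        print(f"{txn_id:15s} {'APPROVE' if approved else 'DECLINE':8s} {reason}")
```

The decisive rule is the comparison between what the terminal claims and what the card itself recorded: a relay can rewrite each side's view of the exchange, but an issuer that insists the two agree for any payment over the limit can refuse the transaction rather than rely on the terminal alone.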

Although banks have internal systems which flag up suspicious transactions, both Ms Galloway and her colleague Timur Yunusov found they were able to make payments of £100 without being detected.
According to UK Finance, contactless fraud increased from £6.7m in 2016 to £14m in 2017 and the trend appears to be continuing although more recent data is not available.

NEW YORK, NY - JANUARY 16: Visa showcases a contactless card authenticated through biometrics at the Visa Innovation Lab at the National Retail Federation's Big Show on January 16, 2018 in New York City. (Photo by Dave Kotinsky/Getty Images for Visa)
Image: Visa stated it did not expect the flaw would be widely exploited
Although the majority of fraud cases involved cards being used after being stolen or lost rather than "skimmed" or secretly charged while in the victim's pocket, the bypass would remove the £30 limit in both instances.
"The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing," said Mr Yunusov, who heads Positive's bank security team.
"While it's a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers."
Visa told Forbes that it would not be updating its systems to address the hack, saying it was "not a scalable fraud" of the kind it would expect criminals to employ, but it did not dispute that the vulnerability exists.
In a statement to Sky News, it said: "Visa takes all security threats to payments seriously, and we appreciate industry and academic efforts to harden payment security. Consumers should continue to use their Visa cards with confidence."