Swiping a fortune with contactless cards

10/11/2010 Fraudulent credit cards which were confiscated from various FNB banks, during a discussion on the latest card fraud trends held in Sandton JHB. Photo: Leon Nicholas


Published Nov 6, 2014


London - Contactless debit cards – which are meant to have a spending cap of £20 (about R400) per purchase – could be manipulated to transfer thousands into a scammer’s account, experts say.

UK shoppers can buy sandwiches, bus tickets and other small items by simply tapping their card on a scanner at a till, without having to type in a PIN.

But the £20 limit on transactions can be bypassed by setting the scanners to use foreign currencies, security experts from Newcastle University have found.

It means transfers could – in theory – be authorised up to a value of 999,999.99 in dollars, euros or any foreign currency.
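The weakness described above is that the per-tap cap is applied to the raw amount field and only in sterling, so a terminal that presents the amount in another currency never trips it. An issuer-side check that compares every contactless amount against the cap after converting it to the card's home currency closes that gap. The following Python is an added illustration, not code from Visa, the Newcastle team or any bank; the exchange rates and sample requests are constructed, and the 999,999.99 ceiling and £20 cap are the figures given in the article.

```python
from decimal import Decimal, ROUND_HALF_UP

# Figures from the article: the UK contactless cap and the amount ceiling.
NO_CVM_LIMIT_HOME = Decimal("20.00")          # GBP 20 per tap without a PIN
PROTOCOL_MAX_AMOUNT = Decimal("999999.99")    # largest value the amount field carries
HOME_CURRENCY = "GBP"

# Assumed, illustrative rates into the issuer's home currency (constructed values;
# a real issuer would take these from its treasury rate feed).
RATES_TO_HOME = {
    "GBP": Decimal("1.00"),
    "USD": Decimal("0.62"),
    "EUR": Decimal("0.78"),
    "ZAR": Decimal("0.05"),
}


def to_home_currency(amount, currency):
    """Convert a transaction amount to the issuer's home currency.

    Returns None for an unknown currency so the caller can never treat an
    unconvertible amount as 'small'.
    """
    rate = RATES_TO_HOME.get(currency)
    if rate is None:
        return None
    return (amount * rate).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def contactless_decision(amount, currency, cvm_performed=False):
    """Issuer-side decision for one contactless authorisation request.

    Returns (decision, reason, home_amount) where decision is one of:
      'approve'  - within the no-CVM cap once converted to home currency
      'step_up'  - over the cap with no cardholder verification: require
                   online authentication or a PIN before approving
      'decline'  - malformed or unevaluable request
    Because the cap is compared in home currency, the currency a terminal
    chooses to present has no effect on which limit applies.
    """
    amount = Decimal(amount)
    if amount <= 0 or amount > PROTOCOL_MAX_AMOUNT:
        return ("decline", "amount outside protocol range", None)
    home_amount = to_home_currency(amount, currency)
    if home_amount is None:
        return ("decline", f"unsupported currency {currency}", None)
    if home_amount <= NO_CVM_LIMIT_HOME:
        return ("approve", "within no-CVM cap", home_amount)
    if cvm_performed:
        return ("approve", "over cap, cardholder verified", home_amount)
    return ("step_up", "over no-CVM cap in home currency", home_amount)


def screen_batch(requests):
    """Run the decision over (amount, currency, cvm_performed) tuples and
    return every request that was not approved outright, for a monitoring queue."""
    flagged = []
    for amount, currency, cvm in requests:
        decision, reason, _home = contactless_decision(amount, currency, cvm)
        if decision != "approve":
            flagged.append((amount, currency, decision, reason))
    return flagged


if __name__ == "__main__":
    # Constructed sample requests: an ordinary tap, a foreign tap under the cap,
    # the article's worst case (999,999.99 in a foreign currency, no PIN),
    # and an unknown currency code.
    sample = [
        ("4.50", "GBP", False),
        ("25.00", "USD", False),
        ("999999.99", "USD", False),
        ("40.00", "EUR", False),
        ("40.00", "EUR", True),
        ("10.00", "XXX", False),
    ]
    for row in screen_batch(sample):
        print(row)
```

The design point is that the limit is enforced where the issuer holds the context (home currency, rate table, verification status), not at the terminal, and that an unconvertible currency fails closed rather than slipping under the cap.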

Thieves could rig a mobile phone to act like a scanner, allowing them to trigger transfers of cash from a bank account just by passing the phone over a wallet or purse containing the card, the researchers said.

Each contactless card contains a tiny aerial, which transmits an identification code to authorise payments.

A trial using a Visa card found it was possible to make transfers far in excess of the £20 limit.

Lead researcher Martin Emms said: “With just a mobile phone we created a point-of-sale terminal that could read a card through a wallet. By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction.

“It took less than a second for the transaction to be approved.”

Mr Emms, a cybercrime expert, said his team did not test how Visa’s system reacted to a rush of foreign currency transfers, and whether it would flag them up as a possible fraud. But he said: “Our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system.”

He said banks’ payment protocols did not make clear how they would deal with such transfers, adding: “The fact that we can bypass the £20 limit makes this hack potentially very lucrative.

“All a criminal would need to do is set up somewhere like an airport or the London Underground, where the use of different currencies would appear legitimate.”

Professor Aad van Moorsel, the university’s head of computing science, said: “If we can find flaws in contactless payment, then [criminals] will be able to do that as well.”

Visa Europe said the findings did not take into account “multiple safeguards throughout the Visa system”, adding: “It would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment.”

It said the firm is updating its protection to require more card transactions to be authenticated online, making this kind of attack more difficult.

The UK Cards Association trade body said: “While this complex fraud may be theoretically feasible in a laboratory, it hasn’t been attempted in the real world and absolutely no money has ever been lost as a result.

“There are robust security checks in place at every single stage of a payment – by the retailer’s bank, the card scheme and the customer’s bank – which monitor, and stop, suspicious transactions. Consumers can be assured they are legally protected from any fraud losses and will never be out of pocket.

“Contactless cards are extremely safe – borne out by the negligible fraud losses of less than 1p for every £100 spent over the first half of 2014.” - Daily Mail
