Security alert! Visa PIN easily compromised, Swiss study finds

Sep 3, 2020

To the horror of their customers, it’s been revealed Visa contactless cards are as hackable as online transactions. Not only can PIN verifications be bypassed by fraudsters, but they can also hack payment points to process payments that far exceed contactless limits, meaning criminals could process hundreds of euros worth of fraudulent transactions on stolen smart cards.

‘The EMV Standard: Break, Fix, Verify’ study, published on 31st August 2020, has highlighted a serious security risk in Visa’s contactless debit and credit card chips after discovering an authorisation flaw. The study reveals how easily criminals can override card readers by bypassing PIN verification at payment points, processing high-value fraudulent payments that can exceed set contactless limits without arousing suspicion.

Limitless? How the Visa PIN bypass works

The researchers from ETH Zurich University originally aimed to understand the weaknesses of EMV (named after founders Europay, Mastercard and Visa), the smart chip which can be found on smartcards.

After analysing the authentication processes for contactless cards, the team discovered startling flaws which leave contactless users open to limitless criminal attacks. To demonstrate the gravity of the security risk, which allows fraudsters to override limits set by providers when making fraudulent payments, the researchers created their own cryptogram app:

The EMV PIN verification bypass technique

The so-called ‘man-in-the-middle attacks’ only require two Android mobile phones, a card payment reader, and a stolen credit or debit card with contactless capabilities.

“The outermost devices are the real payment terminal and the victim’s contactless card. The phone near the payment terminal is the attacker’s Card emulator device and the phone near the victim’s card is the attacker’s POS emulator device. The attacker’s devices communicate with each other over NFC.”
WeLiveSecurity.com

Researchers David Basin, Ralf Sasse, and Jorge Toro tested their method on their own cards to prove how easy it is to process these payments. Highlighting the security issue, they explain:

“The attack consists in a modification of a card-produced data –the Transaction Cryptogram– before delivering it to the terminal. The terminal cannot detect this modification; only the bank can, yet only after the consumer/criminal is long gone with the goods.”
Basin, Sasse and Toro, Researchers, Swiss Federal Institute of Technology
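Why the terminal accepts what only the bank can reject, shown as an added example that is not code from the study or from this article. It is a simplified model: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the key, field names and sample transactions are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample key. In this model only the card and the issuing bank hold it.
CARD_ISSUER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def card_cryptogram(key: bytes, amount_cents: int, currency: str, nonce: bytes) -> bytes:
    """Card side: MAC over the transaction data (HMAC-SHA256 is a stand-in)."""
    msg = amount_cents.to_bytes(6, "big") + currency.encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def terminal_accepts(txn: dict) -> bool:
    """Terminal side: it has no card key, so it can only check that the
    fields are well-formed. It cannot tell a genuine cryptogram from an altered one."""
    return len(txn["cryptogram"]) == 8 and txn["amount_cents"] > 0

def issuer_verifies(key: bytes, txn: dict) -> bool:
    """Issuer side: recompute the cryptogram and compare in constant time."""
    expected = card_cryptogram(key, txn["amount_cents"], txn["currency"], txn["nonce"])
    return hmac.compare_digest(expected, txn["cryptogram"])

def reconcile(key: bytes, cleared: list) -> list:
    """Return ids of cleared transactions whose cryptogram fails issuer verification."""
    return [t["id"] for t in cleared if not issuer_verifies(key, t)]

def sample_batch() -> list:
    """Two constructed transactions: T1 untouched, T2 altered in transit."""
    nonce = bytes.fromhex("a1b2c3d4")
    good = {"id": "T1", "amount_cents": 2500, "currency": "CHF", "nonce": nonce}
    good["cryptogram"] = card_cryptogram(CARD_ISSUER_KEY, 2500, "CHF", nonce)
    # T2: the cryptogram was changed between card and terminal (first byte flipped).
    tampered = dict(good, id="T2")
    c = good["cryptogram"]
    tampered["cryptogram"] = bytes([c[0] ^ 0xFF]) + c[1:]
    return [good, tampered]

if __name__ == "__main__":
    batch = sample_batch()
    print("terminal accepts:", [terminal_accepts(t) for t in batch])
    print("issuer flags:", reconcile(CARD_ISSUER_KEY, batch))
```

Both transactions pass the terminal, and only the issuer's later check flags T2, which is the detection gap the researchers describe.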

The value of contactless fraud

Contactless fraud is not a new issue in Europe and has been the subject of studies in recent years. For example, in the UK, where contactless payments accounted for 31% of credit card transactions and 47% of debit card transactions, contactless fraud is surging. According to Action Fraud, “a total of £1.8 million was stolen by fraudsters from contactless users in 2018. This compared with £711,000 in 2017.” Through their research, the team from Zurich found EMV is used, and thus in danger of fraud, in over 9 billion debit and credit cards worldwide.

As merchants have increased their contactless limits to attract more cashless transactions following the outbreak of the coronavirus, the threat of sophisticated criminals adopting technologies to defraud credit and debit card holders will become ever greater.

Last Updated: Sep 3, 2020