Researchers say they discovered a technique for exploiting Visa contactless cards that could allow attackers to bypass a pair of anti-fraud “payment checks” that normally require a purchaser’s verification.
Positive Technologies researchers Leigh-Anne Galloway and Tim Yunusov successfully tested the exploit on five major banks in the U.K., according to a company blog post this week. The attack works regardless of the terminal used, and is effective outside of the U.S. as well, the researchers note.
In the U.K., contactless card transactions in excess of £30 will trigger an “I can’t do that” message, due to limitations that were put in place to prevent costly fraud. To complete flagged transactions, the payment terminals then require verification such as a PIN code or fingerprint authentication.
However, Positive Technologies found that these two checks can be bypassed by a device capable of conducting man-in-the-middle attacks, intercepting communications between payment cards and terminals and modifying key data fields.
“First, the device tells the card that verification is not necessary, even though the amount is greater than £30. The device then tells the terminal that verification has already been made by another means,” the company blog post explains. “This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification.”
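The quoted blog post faults the absence of issuer-side checks. The following added example (not from Positive Technologies, Visa or SC Media) sketches what such a check could look like: an issuer rule that declines an over-limit contactless authorisation whose verification evidence is missing or rests only on an uncorroborated “verified by other means” claim. The record fields and sample transactions are constructed and simplified; they are not real EMV data elements.

```python
from dataclasses import dataclass

# UK contactless limit named in the article; above it the cardholder must be verified.
CVM_LIMIT_GBP = 30.00

# Cardholder verification methods the issuer treats as genuine evidence.
# "other" stands for the terminal's claim that verification happened by
# another means, which the issuer cannot corroborate on its own.
STRONG_CVM = {"online_pin", "offline_pin", "cdcvm"}


@dataclass
class ContactlessAuth:
    """Simplified authorisation record (constructed; not real EMV tags)."""
    amount_gbp: float
    card_says_cvm_required: bool   # the card's view of whether CVM was needed
    terminal_cvm: str              # what the terminal reports was performed


def issuer_check(tx: ContactlessAuth):
    """Return (approve, reasons) for one contactless authorisation request."""
    reasons = []
    over_limit = tx.amount_gbp > CVM_LIMIT_GBP
    if over_limit and not tx.card_says_cvm_required:
        reasons.append("card reported no CVM needed above the limit")
    if over_limit and tx.terminal_cvm not in STRONG_CVM:
        reasons.append(f"terminal CVM '{tx.terminal_cvm}' not acceptable above the limit")
    if tx.card_says_cvm_required and tx.terminal_cvm == "none":
        reasons.append("card required CVM but terminal performed none")
    return (not reasons, reasons)


# Constructed sample transactions.
LEGIT_LOW = ContactlessAuth(12.50, False, "none")          # normal tap under the limit
LEGIT_HIGH = ContactlessAuth(45.00, True, "online_pin")    # over limit, PIN entered
# The man-in-the-middle scenario from the article: the card was told CVM is
# unnecessary and the terminal was told verification was made by other means.
TAMPERED = ContactlessAuth(45.00, False, "other")

if __name__ == "__main__":
    for name, tx in [("legit_low", LEGIT_LOW), ("legit_high", LEGIT_HIGH), ("tampered", TAMPERED)]:
        ok, why = issuer_check(tx)
        print(name, "APPROVE" if ok else "DECLINE", why)
```

A real authorisation host would derive the two views from the card and terminal data elements in the message rather than from boolean fields, but the consistency rule is the same.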
Positive Technologies warns that the exploit also works on mobile wallets like GPay, when a Visa card number is added to the wallet. “Here, it is even possible to fraudulently charge up to £30 without unlocking the phone,” the report states.
SC has reached out to Positive Technologies and Visa for additional comment and reactions.
The post Flaws in Visa contactless cards allow for bypass of anti-fraud checks, researchers warn appeared first on SC Media.