Vulnerabilities Can Allow Hackers To Bypass £30 On Visa Contactless Limit

Security researchers have discovered flaws that could allow hackers to bypass the UK contactless verification limit of £30 on Visa contactless cards. The researchers, from Positive Technologies, tested the attack with five major UK banks, successfully bypassing the UK’s £30 limit (which is used to safeguard against fraudulent losses) on all tested Visa cards, irrespective of the card terminal. They also found that this attack is possible with cards and terminals outside of the UK.

Expert Comments

July 30, 2019
Laurie Mercer
Security Engineer
HackerOne
This attack allows contactless verification limits to be easily bypassed if an attacker has physical access to a card. To reduce the risk of being scammed, people should never let their cards go out of sight. If you notice that your card is missing, you should freeze your card using your banking mobile app immediately. For an additional layer of security, consider placing an RFID jammer in your wallet, pocket or handbag. Banks are already in the process of implementing multi-factor authentication for payments. This vulnerability puts more pressure on them to deploy Strong Customer Authentication (SCA) for non-low-value payments as soon as possible.
July 30, 2019
Frederik Mennes
Director of Product Security
OneSpan
This attack requires the adversary to manipulate the data flow between the payment terminal and the payment card, which requires them to be in very close proximity to both the terminal and the payment card, and this limits the scalability of the attack. The most practical way to implement the attack probably consists of adding an extension to the terminal that acts as a man-in-the-middle between the terminal and the card. The extension should look as if it is a genuine part of the terminal, and this is similar to skimming attacks against magstripe-based payment cards, whereby a fake terminal is used to read the content of a card's magstripe. Banks, merchants and consumers should do the following to prevent this type of attack:
Banks should analyse financial transactions for all payments that they process, and try to identify fraudulent transactions as much as possible.
Merchants should inspect their payment terminals regularly and make sure there are no extensions to them. Consumers should also look for strange additions to payment terminals.
Consumers should keep their payment card in a screening wallet, so that it cannot be read inadvertently. They should also enable SMS notifications for new payments and contact their bank immediately if they notice a suspicious payment.
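As an added illustration of the bank-side transaction analysis recommended above (example code written for this page, not from Positive Technologies, the commenting experts or any bank), the check below scans constructed authorisation records and flags approved contactless payments above the £30 verification limit that carried no cardholder verification. The record format and field names are assumptions.

```python
from dataclasses import dataclass

# UK contactless cardholder-verification limit (GBP) discussed in the article.
CONTACTLESS_LIMIT_GBP = 30.00


@dataclass
class Authorisation:
    """Simplified authorisation record; field names are assumptions for this example."""
    txn_id: str
    card_last4: str
    amount_gbp: float
    interface: str   # "contactless", "chip" or "magstripe"
    cvm: str         # cardholder verification: "none", "pin", "cdcvm" or "signature"
    approved: bool


def flag_limit_bypass(records):
    """Return txn_ids of approved contactless payments over the limit with no CVM.

    A card/terminal exchange that behaves as intended either stays at or under
    the limit or performs cardholder verification. An approved contactless
    payment above the limit with cvm == "none" matches the bypass the article
    describes and should be routed to fraud review.
    """
    flagged = []
    for r in records:
        if (r.approved and r.interface == "contactless"
                and r.amount_gbp > CONTACTLESS_LIMIT_GBP and r.cvm == "none"):
            flagged.append(r.txn_id)
    return flagged


# Constructed sample records (not real transactions).
SAMPLE = [
    Authorisation("t1", "1234", 12.50, "contactless", "none", True),   # normal low-value tap
    Authorisation("t2", "1234", 45.00, "contactless", "none", True),   # over limit, unverified
    Authorisation("t3", "5678", 80.00, "contactless", "cdcvm", True),  # phone wallet, verified
    Authorisation("t4", "9999", 60.00, "chip", "pin", True),           # chip and PIN, fine
    Authorisation("t5", "4321", 31.00, "contactless", "none", False),  # declined, not flagged
]

if __name__ == "__main__":
    print(flag_limit_bypass(SAMPLE))  # ['t2']
```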
