
Countless Visa customers may be at risk of fraud according to a recent discovery by cyber security experts.
Researchers found a flaw which could let hackers bypass the verification limits on the company’s contactless cards.
Positive Technologies tested the tactic with five major UK banks and successfully bypassed the £30 ($36) maximum spend on cards, irrespective of the terminal.
They also found that this attack is possible outside of the UK, but didn’t specify which countries may also share the vulnerability.
Leigh-Anne Galloway and Tim Yunusov from the firm, based in London, say the attack works by manipulating two data fields that are exchanged between the card and the terminal during a contactless payment.
If a payment needs an additional cardholder verification, including payments over the £30 limit, cards will respond by saying ‘I can’t do that’.
Then the terminal uses country-specific settings which demand that the card or mobile wallet provide additional verification from the cardholder.
That includes the entry of the card’s PIN or a fingerprint authentication via a smartphone app.
Positive Technologies found both of these checks can be bypassed using a device which intercepts communication between the card and the payment terminal.
Their gadget acts as a proxy and conducts what is known as a man-in-the-middle (MITM) attack.
[…]