Contactless payment cards use a cryptoprocessor and RFID technology to perform secure transactions without a need to insert the card in a reader, even an NFC-equipped mobile device may also be used as a payment card. But there is a specified limits country-wise.
Contactless payment cards are meant to have a limit of £20 per purchase in UK, using which shoppers can buy things by simply tapping their card on a scanner, without having to type in a PIN. But exploiting a flaw in its protocol could allow cyber criminals to manipulate the cards to transfer up to $999,999.99 in foreign currency into a scammer's account.
Researchers on Wednesday at the 21st ACM Conference on Computer and Communications Security, detailed the attack which rely on a "rogue POS terminal" running on a mobile device that could be pre-set to a large amount of money, a wireless transfer of up to 999,999.99 units in any currency.
"With just a mobile phone we created a POS terminal that could read a card through a wallet," Martin Emms, lead researcher of the project noted in a statement about the findings. "All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions."
"By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved."
The good news is that the research team haven't tested how Visa's system reacted to a rush of foreign currency transfers, and whether it would flag them up as a possible fraud or not.
But the experts are worried that the contactless payment cards system is insecure, and that cybercriminals would likely use the flaw to set up hundreds or thousands of fraudulent transactions in smaller amounts to evade detection.
"Our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system," Emms said.
In a report on the BBC, Visa Europe said that "we have reviewed Newcastle's findings as part of our continued focus on security and beating payments fraud" and that their research "does not take into account the multiple safeguards put into place throughout the Visa system", adding that it would be "very difficult to complete this type of transaction outside of a laboratory environment."
Visa Europe also said that the company is updating its protection to require more payment card transactions to be authenticated online, making this kind of attack more difficult to carry out.